managing the audit function 3rd edition - john wiley & sons

Upload: freddie5
Post on 12-Sep-2014


Table of Contents

Managing the Audit Function: A Corporate Audit Department Procedures Guide, Third Edition .... 1
Foreword .... 1
Preface .... 1
    Standing at the Rubicon! .... 1

Part I: Fundamentals of the Internal Auditing Function .... 1
    Chapter List .... 1

Chapter 1: Background .... 1
    1.1 Introduction .... 1
    1.2 History of Auditing [1] .... 1
    1.3 History of Internal Auditing .... 4
    1.4 Auditing Government Agencies .... 8
    1.5 History of Information Systems Auditing .... 8
        a. Birth of Information Systems Auditing .... 9
        b. Commercialization of Computers .... 9
        c. AUDITAPE: Breakthrough for Information Systems Auditors .... 10
        d. Equity Funding Scandal: Abuse of Information Technology .... 11
        e. Systems, Auditability, and Control Research Study (Institute of Internal Auditors) .... 12
        f. Electronic Data Processing Auditors Association .... 13
        g. Emerging Technologies .... 14
    1.6 History of Federal Regulations Related to Auditing .... 19
        a. Income Tax Law (Sixteenth Amendment): 1913 .... 19
        b. Securities and Exchange Commission Acts: 1933, 1934 .... 20
        c. Foreign Corrupt Practices Act: 1977 .... 20
        d. Copyright Laws: 1976 et al. .... 21
        e. Sarbanes-Oxley Act: 2002 .... 21
    1.7 Professional Organizations Related to Internal Auditing .... 21
        a. Institute of Internal Auditors .... 22
        b. Information Systems Audit and Control Association .... 22
        c. American Institute of Certified Public Accountants .... 23
        d. American Accounting Association .... 24
        e. Financial Executives International .... 24
        f. Association of Government Accountants .... 25
        g. Association of Certified Fraud Examiners .... 25
    Endnotes .... 26

Chapter 2: Auditing Standards and Responsibilities .... 1
    Overview .... 1
    2.1 Introduction .... 1
    2.2 Ethics .... 1
        a. Institute of Internal Auditors (IIA) [2] .... 2
        b. Information Systems Audit and Control Association (ISACA) [3] .... 3
    2.3 Professional Auditing Standards .... 4
        a. Institute of Internal Auditors .... 4
        b. Information Systems Audit and Control Association [5] .... 6
        c. American Institute of Certified Public Accountants .... 8
    2.4 Systems Development Life Cycle Standards .... 9
    2.5 Professional Development .... 12


    2.6 Responsibilities of a Corporate Auditor .... 12
        a. Nature .... 13
        b. Objective and Scope .... 13
        c. Responsibility and Authority .... 13
        d. Independence .... 13
        e. Regulatory Issues .... 14
    Endnotes .... 15

Chapter 3: Internal Control System .... 1
    Overview .... 1
    3.1 Definition .... 1
    3.2 Fundamental Assumptions in Establishing an Internal Control System .... 2
        a. Business Reasons for a Strong Internal Control System .... 3
        b. Legal Reasons for a Strong Internal Control System .... 3
        c. Basic Assumptions for the Internal Control System .... 4
        d. Evolution of Attacks and Intruders' Technical Knowledge .... 4
        e. Cost-Benefit Analysis of Controls .... 5
    3.3 Effective Internal Control Models .... 5
        a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA) .... 5
        b. The CobiT Model (ISACA) .... 7
        c. The SAC and eSAC Reports (IIA) .... 8
        d. SysTrust (AICPA and CICA) .... 9
        e. Conclusion: Comparing and Contrasting the Models .... 13
    3.4 Regulations .... 15
        a. Securities and Exchange Commission (1933, 1934) .... 15
        b. Foreign Corrupt Practices Act (1977) .... 16
        c. Copyright Laws (1976 et al.) .... 16
        d. Environmental Laws (Various) .... 16
        e. Sarbanes-Oxley Act (2002) .... 17
    3.5 Policies [7] .... 17
        a. Systems Development Life Cycle Policy .... 18
        b. Systems Usage Policy (End Users) .... 19
        c. Security Policy .... 19
        d. Password Policy .... 19
        e. E-Mail Policy .... 20
        f. Business Recovery Policy .... 20
        g. Privacy Policy .... 21
    3.6 Risk Assessment .... 22
        a. Risk Assessment: Internal Perspective .... 23
        b. Risk Assessment: External Perspective .... 24
    3.7 Control Strategies .... 28
        a. Fourfold Perspective of Controls Model .... 28
        b. Information Systems and Controls Model .... 30
        c. An Internal Audit Function .... 34
        d. Corporate Governance .... 34
        e. Logs and Auditability .... 38
        f. Segregation of Duties .... 38
        g. Investigation Procedures .... 38
    3.8 Malicious Activities .... 39
        a. Crime and Misappropriation of Assets .... 39
        b. Unauthorized Access and Authentication .... 41


    3.9 Specific Controls/CAATTs .... 43
        a. Monitoring Systems .... 43
        b. Firewalls .... 43
        c. Generalized Audit Software .... 43
        d. Other Potential Controls/CAATTs .... 44
    References .... 45
    Endnotes .... 45

Part II: Management and Administration .... 1
    Chapter List .... 1

Chapter 4: Department Organization .... 1
    Overview .... 1
    4.1 Introduction .... 1
        a. Strategic Objectives .... 1
        b. Essence of Internal Auditing .... 2
        c. Quality Assurance Reviews of Internal Audit .... 3
        d. Outsourcing Internal Audits .... 3
        e. Control Self-Assessment .... 5
        f. Integrating the Auditing Process .... 6
    4.2 Corporate Audit Charter .... 6
    4.3 Company Organization .... 8
        a. Audit Department Organization .... 9
        b. Job Classifications and Descriptions .... 10
    4.4 Audit Department Policies .... 24
        a. Confidentiality .... 24
        b. Orientation (Training) .... 25
        c. Days Off for Extensive Travel Policy .... 26
        d. Professional Certification Policy .... 26
    Endnote .... 26

Chapter 5: Personnel, Administration, and Recruiting .... 1
    Overview .... 1
    5.1 Introduction .... 1
        a. Sources of Personnel .... 1
        b. Recruitment Aids .... 3
        c. Management Development Programs .... 5
        d. Certifications .... 6
    5.2 Personal Development .... 6
        a. Introduction .... 6
        b. Objectives .... 7
        c. Coordinator of Education .... 7
        d. Corporate Audit Training Model .... 7
        e. Core Program .... 8
        f. Advanced Program .... 9
        g. Record-Keeping .... 9
    5.3 Personnel Files .... 11
        a. Corporate Audit Department Background Information Form .... 13
        b. Corporate Audit Department Interest Questionnaire .... 13
    5.4 Periodic Performance Evaluation Review .... 13


        a. Performance Evaluation Review Guidelines for Preparation of Report .... 16
    5.5 Annual Staff Meeting/Conference .... 19
        a. Group Discussions .... 19
    5.6 New Staff Orientation .... 21
    Endnotes .... 24

Part III: Technical Procedures .... 1
    Chapter List .... 1

Chapter 6: Audit Planning .... 1
    Overview .... 1
    6.1 Corporate Audit Planning, Scheduling, and Staffing .... 1
        a. Three-Year Operating Plan .... 2
        b. Risk Analysis .... 3
        c. Annual Budget and Plan .... 4
        d. Six-Month Audit Plan .... 5
        e. Three-Month Audit Schedule .... 5
        f. Two-Month Staff Schedule .... 5
    6.2 Internal Controls .... 5
    6.3 Materiality .... 6
    6.4 Types of Audits .... 8
        a. High-Level Review of Procedures .... 8
        b. Financial Audit .... 8
        c. Operational/Managerial Audit .... 9
        d. Compliance Audit .... 10
        e. Contract Audit .... 10
        f. Desk Review .... 11
        g. Follow-Up Audits .... 11
        h. Information Systems Audits [3] .... 11
        i. E-Commerce Audits .... 15
        j. International Audits .... 15
    6.5 Time Reporting .... 16
        a. Form: Corporate Audit Time Report .... 16
        b. Report for the Period Ending .... 16
        c. Auditor's Name/Employee Number .... 16
        d. Job Number .... 17
        e. Audit Codes .... 17
        f. Task Codes .... 18
        g. Hours .... 18
        h. Productive Time .... 18
        i. Nonproductive Time .... 18
        j. Summarizing Time .... 19
    6.6 Expense Reporting .... 19
        a. Travel Expenses .... 20
    Endnotes .... 20

Chapter 7: Audit Performance .... 1
    Overview .... 1
    7.1 Corporate Audit Performance Process Matrix .... 1
        a. Assignment Log and Checklist .... 2


        b. Description of Notice to Auditee .... 3
        c. Preliminary Survey .... 4
        d. Planning Memo .... 7
        e. Audit Status Report .... 11
        f. Developing Audit Recommendations .... 11
    7.2 Workpapers .... 17
        a. Control .... 17
        b. Retention .... 18
        c. Headings .... 18
        d. Permanent Files: Contents and Format .... 19
        e. Current Files: Contents and Format .... 20
        f. General Organization .... 20
        g. Detailed Workpaper Section Organization .... 20
        h. Indexing and Cross Referencing .... 21
        i. Referencing .... 23
        j. Standard Tick Marks .... 23
    7.3 Audit Objectives .... 24
        Cash .... 24
    Endnote .... 26

Chapter 8: Audit Reporting .... 1
    Overview .... 1
    8.1 Corporate Audit Report Process .... 1
        a. Draft Reports .... 2
        b. Draft to Auditee .... 3
        c. Inclusion of Auditee Comments .... 4
        d. Issue Final Report to Management .... 7
        e. Open Audit Results and Comments .... 14
    8.2 Report to Management .... 15
    8.3 Report to Audit Committee .... 18

Part IV: Long-Term Effectiveness .... 1
    Chapter List .... 1

Chapter 9: Managing the Effectiveness of the Audit Department .... 1
    Overview .... 1
    9.1 Introduction .... 1
    9.2 Corporate Governance [1] .... 1
    9.3 Quality Assurance .... 4
        a. Objective .... 5
        b. Responsibility .... 5
        c. Method .... 5
        d. Reports .... 9
        e. Summary of Review .... 9
        f. Quality Assurance Checklist .... 10

9.4 Continuous Improvement Systems for Internal Auditors................................................................10a. Balanced Scorecard [5]...............................................................................................................10b. Value-Based Metrics..................................................................................................................12c. Activity-Based Costing...............................................................................................................12d. Total Quality Management.........................................................................................................13


e. ISO 9000 Family [7] ..... 13
f. Baldrige National Quality Program/Baldrige Award [8] ..... 14
g. Conclusions ..... 14

9.5 Marketing the Audit Function ..... 15
a. What Is Marketing? ..... 15
b. Understanding the Customers ..... 16
c. Getting the Audit Message Out ..... 16
d. Human Resources ..... 16
e. Summary ..... 17

Endnotes ..... 17

Index ..... 1
A ..... 1
C ..... 1
E ..... 1
F ..... 1
G ..... 1
I ..... 1
S ..... 1

List of Tables ..... 1
Chapter 6: Audit Planning ..... 1
Chapter 7: Audit Performance ..... 1

List of Exhibits ..... 1
Chapter 2: Auditing Standards and Responsibilities ..... 1
Chapter 3: Internal Control System ..... 1
Chapter 4: Department Organization ..... 1
Chapter 5: Personnel, Administration, and Recruiting ..... 1
Chapter 6: Audit Planning ..... 1
Chapter 7: Audit Performance ..... 2
Chapter 8: Audit Reporting ..... 2


Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition

Michael P. Cangemi
Tommie Singleton

John Wiley & Sons, Inc.

This text is printed on acid-free paper.

Copyright © 2003 by John Wiley & Sons, Inc.

All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: <[email protected]>.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Cangemi, Michael P., 1948-
Managing the audit function : a corporate audit department procedures guide / by Michael P. Cangemi, Tommie Singleton.
ISBN 0-471-28119-0 (pbk. : alk. paper)


1. Auditing, Internal—Handbooks, manuals, etc. 2. Corporations—Auditing—Handbooks, manuals, etc. I. Singleton, Tommie. II. Title.

HF5668.25 .C37 2003
657'.458—dc21 2002153133

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

Dedicated to our mutual friend Belden Menkus for always providing encouragement and confidence in us.

ABOUT THE AUTHORS

Michael P. Cangemi is President and Chief Executive Officer and Director of Etienne Aigner Group Inc., a leading designer of women's footwear, handbags, and accessories, with sales of approximately $160 million and 700 employees. Before joining Etienne Aigner, he was Partner and National Director of EDP Auditing and Internal Audit Services for BDO Seidman. Prior to this, Mr. Cangemi served as General Auditor and Corporate Vice President at Phelps Dodge Corporation.

Mr. Cangemi has served as Director of the New York Region Computer Audit Program at Ernst & Young. He is currently serving as Editor in Chief of IS Control Journal and he is on the editorial advisory boards of the Managerial Auditing Journal (London) and the Journal of Information Systems Security. In addition, Mr. Cangemi currently serves as Chairman of the Edison Chamber of Commerce and member of the Finance Committee of the Board of Solaris Health System℠.

Mr. Cangemi is a Certified Public Accountant and a Certified Information Systems Auditor. He is a member of the Financial Executives Institute, AICPA, The Institute of Internal Auditors (IIA), and the N.Y. State Society of CPAs. Mr. Cangemi is a past President of the IS Audit & Control Association (ISACA)—International, and the IS Audit & Control Foundation (ISACF), as well as past President and Director of the ISACA—New York Chapter and the IIA—New York Chapter. After serving seven years as a director of ISACA and ISACF, he was voted lifetime honorary membership. He has served as a Trustee of the IIA Research Foundation and the Pace University Lubin School Accounting Advisory Board.

Mr. Cangemi has published many articles that have appeared in publications including Internal Auditing, Datamation, New Accountant, Computers in Accounting, The Practical Accountant, and The Internal Auditor, in which he was recognized with the Outstanding Contributor Award in 1988. His contributions to books include a chapter in the Handbook of EDP Auditing. In 1991, he co-authored Auditing in an EDP Environment with Peter Reed. Among other honors, he is a recipient of the Joseph J. Wasserman Memorial Award for Outstanding Achievement in the Field of EDP Auditing, and the Eugene M. Frank Award from the ISACA. He is listed in Who's Who in America and Who's Who Worldwide. In addition, he has given numerous presentations across the United States and abroad on a variety of topics related to audit and information systems control.

Mr. Cangemi received his Bachelor of Business Administration in Accountancy Practice degree from Pace University. In 2000, the Cangemi Library was established at the University of Mississippi's National EDP Auditing Archival Center to house his donation of over 250 books on Auditing and EDP Auditing. For more information, visit www.Rutgers.edu/accounting/raw/isaca/cangemi.

Mr. Cangemi and his wife, Maria, and two children, Michael Jason and Marc Ignatius, have residences in both Edison, New Jersey, and Beach Haven, New Jersey.

Tommie Singleton is professor of Accounting and Computer Information Systems (CIS) at the University of North Alabama (UNA). Before becoming an academic, he was an accounting officer at Tennessee Valley Authority (TVA), and president of a small value-added dealer of microcomputers—a company that wrote and sold accounting software.

Since becoming an academic in 1994 at UNA, Dr. Singleton has been eminent scholar (1996–1997), Chair—Department of CIS (1999), Chair—Department of Accounting and Business Law (1999–2002), and Director for Development of the Forensic Accounting Program (2002-present). He teaches systems and auditing courses at both the undergraduate and graduate level, and has developed many distance education courses for UNA. He was awarded "Innovative User of Technology Award" in 1998–1999 by the Alabama Society of CPAs. Currently, Dr. Singleton serves on several boards of local, regional, and national accounting organizations, and the review board for The New Accountant High School Recruiting Journal.

Dr. Singleton has earned several accounting certifications: Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Information Technology Professional (CITP), and Certified Management Accountant (CMA). He is a member of the American Institute of Certified Public Accountants (AICPA), Alabama Society of CPAs, Institute of Management Accountants (IMA), Information Systems Audit & Control Association, Academy of Accounting Historians, Decision Sciences Institute, and other professional organizations. He is also a past president of the Muscle Shoals chapter of the IMA. In addition, he serves as Web-master for several accounting organizations and the College of Business at UNA. Dr. Singleton has been employed as a consultant for auditing and systems projects for the government and private companies.

Dr. Singleton has published numerous articles related to auditing and systems in publications such as EDP Auditor Journal, Information Systems Control Journal, The Cooperative Accountant, Journal of Corporate Accounting and Finance, EDPACS, and the Journal of Business, Industry and Economics (JOBIE).

Over the last few years, Dr. Singleton has led several seminar sessions on systems and auditing subjects, many for CPE credit. He also has made numerous presentations at local, regional, national, and international meetings on systems and auditing subjects.

Dr. Singleton received his Bachelor of Science in Accounting (1977) and MBA (1979) from the University of North Alabama. In 1995, he received his Ph.D. in Accounting from the University of Mississippi. During his dissertation phase at Mississippi, he established the National EDP Auditing Archival Center, which today houses the largest collection of systems auditing materials in the United States.

Tommie and his wife Rebecca reside in Muscle Shoals, AL. They have three grown children: Shayne, Krissie, and AJ.


Foreword

At the turn of the century, copper mining companies such as Phelps Dodge Corporation were the darlings of Wall Street. They were growth plays at the dawn of the new age of electricity and communications. The demand for wiring throughout the country seemed endless. By the early 1900s, Phelps Dodge Corporation had already achieved a proud heritage. Formed in the early 1800s as a trading company, it wisely invested its profits in the copper mining business.

By the late 1970s when I joined Phelps Dodge Corporation as Chief Financial Officer, much had changed. I was asked by my good friend, then Chairman and CEO, George B. Munroe, to assist him and the Company in meeting the challenges ahead. The Management Information Systems (MIS) operating areas and the Internal Audit function were to receive special attention.

George and I found that the audit resource should be more consistently applied across company operations, and that the reputation of the audit function and the results of its efforts could be improved.

Michael Cangemi joined Phelps Dodge as Director of Internal Audit. My background as a Public Accountant and Chairman of BDO Seidman CPAs helped me to recognize the need for a strong internal audit function. Internal auditing is a difficult function to develop in a company. To allow it to contribute to the company, the internal audit management must be empowered with wide-ranging authority. The director of audit must possess integrity, initiative, and excellent communication skills.

Michael Cangemi had the personal traits we were looking for. In addition, he had a program to ensure that all audit personnel would be trained in the areas of information technology and the application of the technology to the audit function. Based on his work as Director, Computer Audit at the New York Office of Arthur Young & Company (now Ernst & Young LLP), Michael decided to integrate EDP audit and financial audit. His audit personnel team was designed to be capable of advancing with the Company into the information age.

Over the next two years, Michael proceeded, with the help of his audit team, to produce an audit methodology that resulted in a most successful audit function at Phelps Dodge Corporation. This book outlines the methodology that was implemented, and much more.

After those two years, Michael was promoted to General Auditor of Phelps Dodge Corporation. This was a high honor in a company that had a very lean corporate management structure. At the age of 33, he was one of the youngest officers in the history of the company. More importantly, he had gained the respect of the senior management team and the board of directors.

Procedures properly implemented produce the guideposts necessary to ensure that a function such as audit stays on course. Developing budgets for each audit assignment, preparing status reports, and planning documents are essential to efficient audit performance. Audit reports containing a summary report limited to two pages that give the scope of the report, key background information, and a conclusion and summary of findings in a concise bulleted format were created for directors. Detailed reports were prepared for use by those responsible for implementation.

Michael was fond of saying that "good people using good procedures will produce an audit product with a reliable, high-quality level." This was the result at Phelps Dodge Corporation.

Personnel development was a very high priority of the new audit program. Audit conferences were serious training and key team-building events.

The audit group was also assigned to activities such as contract, acquisition, and disposition audits. Contract audits alone have saved the company millions of dollars a year in contracting fees.


Once Michael had the audit function organized and had built a team that was capable of proper succession, he moved on to become a successful corporate vice president with responsibility for all of the company's information systems and benefit plans as well as internal audit.

You can take the methodology outlined in this book and improve your own company's audit program or use it as a basis for forming a new, modern audit program. Any chapter in this book provides ideas that are worth the price of the entire publication.

L. WILLIAM SEIDMAN, CPA

November 1995
Washington, DC


Preface

Standing at the Rubicon!

The Emperor Julius Caesar had to cross a river to launch a civil war against General Pompey in the year 49 B.C. The description of that act has become a metaphor meaning standing at a point at which there is no turning back or new beginnings. The world of internal auditing is now at the Rubicon!

The first edition of this book was published in 1991. At that point, internal auditing outsourcing was on the rise. Could this trend have been a symptom of the decline in corporate governance and the rise of aggressive accounting to boost earnings? Enron Corp., at times, outsourced their internal audit functions. WorldCom, Inc.'s accounting issues were discovered by an internal auditor.

The theme of this book is very simple. Quality internal auditors utilizing tested and proven procedures in a proactive way will produce beneficial tangible results.

Auditing is as exciting as the world in which we audit. In fact, anticipating and preparing for the changes that constantly take place in the business world makes auditing even more challenging. Coexisting with other management and partnering in the company's mission, while maintaining a healthy dose of skepticism, provides a significant interpersonal and intellectual challenge. However, many auditors have attempted to live in a slow-paced, reactive world.

As a profession, internal auditing has been evolving for less than one hundred years. The profession continued to grow steadily through the 1950s and into the 1960s. The business community was changing dramatically, with technological leaps and global expansion leading the way. Internal control, as it was known, was destined to change to address the issues and complexities of the modern day.

The first wake-up call came in 1977 with the passage of the Foreign Corrupt Practices Act. Passed to address the practices of paying bribes in foreign countries, the law had requirements that adequate systems of internal control be maintained. Internal audit's role in management rose to new heights. The internal auditing professionals reacted swiftly and implemented new programs to strengthen internal controls and checks and balances. Those internal audit departments that were capable and proactive produced solid returns on investments for their organizations. Many branched out into operational audit areas that were heretofore only discussed. All audit functions addressed information technology in one way or another. Auditors met at conferences and shared information and best practices in a way that should be the envy of all professional groups.

In the 1990s, internal control was redefined. The Committee of Sponsoring Organizations (COSO) issued its landmark definitional study of internal control. The product amounted to a five-volume publication which has, for the first time ever, attempted to define all of the intricacies and the subtleties of internal control and achieve agreement among leading professional organizations.

The 1990s also saw the profession of internal auditing as a candidate function for outsourcing. Is internal auditing a core capability? Can professionals from outside the organization perform studies of internal control without a thorough understanding of the personality of the organization? The debate on outsourcing is an interesting challenge for the profession of internal auditing.

During these decades, internal auditing groups that were proactive and worked hard to create excellent internal audit programs, have continued to satisfy their management. They searched for new requirements, responsibilities, and ways to contribute to their organization. The first thing that all successful audit organizations have done is to organize themselves. It has always been my hope that this book would help audit departments improve their organization and operations so that they can improve their overall performance.


As noted above, internal auditing is a very challenging profession, and once the fundamentals of an audit organization are established through the development of a policies and procedures manual, the audit department can focus more of its energies on the delivery of internal audit services.

This third edition of Managing the Audit Function greatly expands on the prior edition. In addition to a general update, a new chapter on internal controls has been added. This chapter defines internal control, risk assessment, control strategies and malicious activities. The subject should be studied and understood not just by internal auditors but all managers and board members as well. The recent developments with accounting irregularities demonstrate a clear need for an education on the complex subject of internal control! In addition, a section on the history of audit was greatly expanded and integrated into the background materials.

As the finishing touches were being made to this edition of Managing the Audit Function, the U.S. Congress passed the Sarbanes-Oxley Act of 2002. This act makes reporting on internal control a requirement for public companies registered with the Securities and Exchange Commission (SEC). The law requires annual reports to contain an assessment of the effectiveness of internal control over financial reporting. In addition, it requires the adoption of standards for independent auditors to attest to management's report on internal control. Separately, the act requires a company's CEO and CFO to certify quarterly and annual reports. These developments will focus senior management's attention on ensuring the adequacy and effectiveness of their internal audit department to assist management with these requirements. Senior management can use this book as a primer on the elements of a modern internal audit function.

As the original author, there is little doubt that I am fascinated with auditing in general, and specifically the internal auditing profession! I first observed internal and external auditing as a member of the operations staff of a brokerage house in my college years. I then spent a number of years in public practice at Ernst & Young before joining a large corporation as Director, Internal Audit. After rising to General Auditor, I moved out of internal auditing and into a financial officer position. Internal auditing continued to report to me during this period, and I attended all audit committee meetings. I then rejoined the public practice at BDO Seidman as National Director of EDP Auditing and Internal Audit Services. I joined Aigner Group, Inc. in a senior management position and after eight years as CFO, I am currently the President and Chief Executive Officer of the company.

I have seen internal control and auditing from a number of interesting vantage points. My current position affords me one of the best views from the standpoint of how internal auditing should fit in to and contribute to an organization. All corporate managers have a desire to run a well-controlled operation. We need to be able to rely on the integrity of the data and results of our operations. However, I am now further convinced of the need for the audit department to be proactive and seek out ways to contribute positively to the corporate mission.

As pointed out in this book, the audit function does not have the same performance measurements available to them as do other line functions within the organization. I am also now more aware than ever of the need for cost justification for every dollar spent, especially dollars that are not spent in the direct pursuit of revenue. Internal audit departments must have the disciplines and measurements proposed in this book. These issues have come more clearly into view, and as a result of my current position, I am certain that the methodologies suggested in this book are essential principles of internal audit management.

To add new dimensions and perspective to this methodology, I asked Tommie Singleton to join with me on this third edition. After a career in industry, Tommie Singleton went back to school and devoted himself to accounting and auditing all the way to the PhD level. We met while working on publishing segments of his dissertation on the history of IS auditing in the IS Control Journal, where I am to this day the Editor-in-Chief.

Dr. Singleton is Professor of Accounting and Computer Information Systems at the University of North Alabama. He added tremendously to this book as co-author, giving his insights and knowledge on the complex subject of internal control and sharing his vast acumen on our profession's history.


We are both very active with professional associations, which keeps us at the forefront of developments affecting internal auditing. We owe a debt of gratitude to our colleagues at the IIA and ISACA who keep us connected to this interesting world of auditing. We are also very busy with our "real" jobs and rely heavily on our co-workers. We would especially like to thank Deb Urquhart, my Executive Assistant, for her untiring efforts and dedication to this book project.

I would also like to thank my associates at ISACA, Susan Caldwell, Jennifer Blader and Jane Seago, who care so much about the profession's response to technological developments and who work to make IS Control Journal a significant contributor to the expansion of the professional literature. Finally, last but certainly not least, I'd like to thank Sheck Cho, our editor, who guided me through editions one, two, and now three and is always there for support and encouragement.

MICHAEL P. CANGEMI

November 2002
Edison, New Jersey


Part I: Fundamentals of the Internal Auditing Function

Chapter List

Chapter 1: Background
Chapter 2: Auditing Standards and Responsibilities
Chapter 3: Internal Control System


Chapter 1: Background

1.1 Introduction

It is the goal of this manual to provide a broad scope of information in assisting you in developing your auditing function into a well-respected contributor to the company's mission and a world-class audit department.

This manual will serve to document approved departmental procedures. It will be the basis for establishing methods to ensure the highest level of performance and quality in the department. These procedures should be evaluated and updated on an ongoing basis to keep pace with changing conditions.

This book has been set up in the format of a procedures manual. Beginning with Chapter 2, each page has a heading consisting of the company name, the title of the manual (Corporate Audit Department Procedures Manual, if appropriate), the section number, the revision number (if you choose to keep track of the number of changes made in a particular section), and the date of the revision. Much of the text has been written so that it can be considered boilerplate and be used with your modifications to easily create your own manual.

The manual is based on a methodology employed very successfully at Phelps Dodge Corporation. Subsequently, the methodology was used as a basis for audit management workshops and consulting projects. Through these processes, the material contained in the methodology was analyzed and improved over a 10-year period. The methodology is broken down into four main components: Part One: Fundamentals of the Internal Auditing Function (Chapter 1, "Background"; Chapter 2, "Auditing Standards and Responsibilities"; Chapter 3, "Internal Control System"), Part Two: Management and Administration (Chapter 4, "Department Organization"; Chapter 5, "Personnel Administration and Recruiting"), Part Three: Technical Procedures (Chapter 6, "Audit Planning"; Chapter 7, "Audit Performance"; Chapter 8, "Audit Reporting"), and Part Four: Long-Term Effectiveness (Chapter 9, "Managing the Effectiveness of the Audit Department"). Other programs can be added to your manual. The technical chapters all begin with a matrix that outlines the various tasks or functions addressed in that chapter.

In order to achieve the above goals, a brief overview of historical events affecting the audit is beneficial. Thus this chapter is written to familiarize auditors with historical events that directly relate to audits, audit planning, and in particular the management of a world-class audit function. This section will review the history of auditing before information systems (IS), the history of IS auditing, the history of federal regulations related to auditing, and professional organizations related to auditing. An understanding of these events and organizations should provide substantial benefits in managing your auditing function.

1.2 History of Auditing [1]

The ancient history of accounting and auditing left sparse documentation, but possibly did predate the invention of writing, circa 8,500 B.C. The earliest surviving records in double-entry form are those of the Medici family of Florence, Italy, from 1397.

The "modern" era of accounting dates from the year 1494, when a monk named Luca Pacioli published the first book on accounting. He became known as the "Father of Accounting" because of the widespread dissemination of his book and its information. However, Pacioli was a typical monk of the fifteenth century—educated in a wide variety of disciplines, and served as tutor and mentor to the wealthy. In fact, the book itself contains more than accounting, including arithmetic. All Pacioli really did was to explain existing accounting principles.

Auditing, too, is one of the oldest professions. Writing was invented in part to satisfy the need for audits. Zenon papyri record the application of audits on the Egyptian estate of the Greek ruler Ptolemy Philadelphus II as early as 2,500 years ago. Early Greek and Roman writers such as Aristophanes, Caesar, and Cicero make mention of accountants, auditors, and auditing accounts and audit rooms. As early as the Middle Ages, a form of internal auditing existed among the manor houses of England where the lord served as manager of the audit function.

The earliest external audit by an independent public accountant was in 1720 by Charles Snell as a result of the South Sea Bubble scandal in England. The total market value of the South Sea Company, chartered in 1710, eventually exceeded the value of all money in England. Thus when the company crashed, it was an extremely significant public event in the English economy. Fictitious entries were discovered in the books. This event set a precedent in the history of auditing. In fact, many, if not most, major auditing events, improvements, and standards tend to follow public exposure of scandals and/or fraud.

Later, the industrial revolution in England resulted in factory systems that were financed by stockholders. This situation created a need for auditors, both internal and external. To protect the public, the British Companies Act of 1844 provided for mandatory audits. Soon afterward, in 1853, organizations of chartered accountants were formed in Scotland. Then in 1880, five organizations were melded into the unified Institute of Chartered Accountants in England and Wales. By 1881, it had a membership of more than 1,000 members.

The same industrial revolution was occurring across the Atlantic in the United States. By the late nineteenth century, British auditors were being sent to audit American companies. For example, the British firm Price Waterhouse was sending over auditors as early as 1873. Soon, New York offices existed for British firms Price Waterhouse, Peat Marwick & Company, and Arthur Young & Company. Thus it was the British who built the infrastructure for professional auditing in the United States.

One of the first key events in the history of the U.S. audit profession was the establishment of what was the forerunner of the American Institute of Certified Public Accountants (AICPA) in 1887. In 1896, New York law provided for the issuance of CPA certificates to those who could pass a qualifying examination. Initially, experienced practitioners were "grandfathered" in by being granted CPA certificates without having to take the examination. Eventually, all states passed CPA laws. At first, each state prepared its own CPA examination, but in 1917 the American Institute of Accountants began preparing a uniform CPA examination that could be used by all states.

Another early event of note is the 1913 passage of the Sixteenth Amendment legalizing income taxes. [2] One provision of the law required all companies to maintain adequate accounting records. Thus, even small firms that did not need accounting for management control purposes suddenly had to have accounting records.

The audits of the late 1800s and early 1900s were largely devoted to the accuracy of bookkeeping detail. In most cases, all vouchers were examined and all footings verified. Hence, items omitted from the records were overlooked by the auditors, and the result was an auditing profession that was viewed by outsiders as more clerical than professional.

This view was to change between 1900 and 1917, because bankers became more important as sources of financing and because practice began to catch up with the auditing literature. The change in philosophy mirrored the recommendations in the leading auditing book of the time, which was written by Robert Montgomery. Bankers were less concerned with clerical accuracy than with balance-sheet quality. Thus, as bankers became major users of audited financial statements, the objective of the audit became more concerned with the valuation of assets on the balance sheet.

This new direction culminated in the 1917 issuance of Uniform Accounting, a joint publication of the American Institute and the Federal Trade Commission, which also had the endorsement of the Federal Reserve Board. This publication was reissued, with minor changes, in 1918 under the title Approved Methods for the Preparation of Balance-Sheet Statements. This document was the first formal declaration of generally accepted accounting principles and auditing standards. It outlined a complete audit program, instructions for auditing specific account balances, and a standardized audit report. In 1929, another revision included more emphasis on the income statement and internal controls. Still another revision in 1936 placed equal emphasis on the balance sheet and income statement. The 1917 document and its revisions became the bible of the auditing profession for more than two decades.

The recent history of external auditing is more events-oriented. In other words, little has occurred in recent years that was not brought about by some catastrophic event such as a lawsuit, financial disaster, or a major fraud case. One of the earliest important auditing cases was that of Ultramares Corporation v. Touche, Niven & Company (1931). Ultramares had loaned money to Fred Stern and Company in 1924 on the basis of financial statements prepared by Touche. On those statements, accounts receivable had been overstated. Subsequently, in 1925, Fred Stern and Company filed for bankruptcy. A lower court found Touche guilty of negligence, but the firm was declared not liable to Ultramares because there was no privity of contract between the auditor and Ultramares. The New York Court of Appeals agreed that third parties could not hold an auditor liable for ordinary negligence, only for fraud. However, gross negligence could be construed as fraud, which opened up the auditor to lawsuits even though there was no way of knowing who was going to rely on the misleading financial statements. Thus, the auditor became subject to almost infinite third-party liability. This liability was further expanded at the federal level in the securities acts of 1933 and 1934.

By the time of the 1929 stock market crash, external auditing had become a somewhat standardized profession, but not a particularly large profession. Since bankers were the primary users of financial statements, the only companies needing audits were those that depended on banks for capital. Companies that depended on stockholder financing were not required to have audits. Consequently, even companies listed on the New York Stock Exchange often did not issue audited financial statements. That was to change because of Ivar Kreuger—one of the greatest swindlers the world has ever seen.

The most widely held securities in the United States—and the world—during the 1920s were the stocks and bonds of Kreuger & Toll, Inc., a Swedish match conglomerate. The company was founded and headed by Ivar Kreuger, supposedly the richest man in the world. Kreuger's securities were popular because they sold in small denominations and paid high dividends and interest (often 20% annually). Financial reporting as we know it today was in its infancy; stockholders based their investment decisions solely on dividend payments. Kreuger's dividends were paid, however, out of capital, not profits. Kreuger was essentially operating a giant pyramid scheme, which was hidden from the investing public by Kreuger's insistence that financial statements not be audited. He advocated that financial secrecy was paramount to corporate success. In Kreuger's defense, some amount of secrecy was needed because he was often dealing with foreign kings and dictators about government monopolies and taxes on wooden matches. Subsequently, it was discovered that many of his companies' assets were in the form of intangible monopolies.

The stock market crash of 1929 made it more difficult for Kreuger to sell new securities to fuel his pyramid scheme. Thus, he committed suicide in March 1932. Within three weeks, his companies were in bankruptcy as it became apparent that there were few assets to support the unaudited financial statements that had been issued over the years. The bankruptcy was the largest on record up to that time and resulted in numerous changes in financial reporting.

Newspaper articles kept U.S. citizens aware of the extent of Kreuger's fraud at the same time that Congress was considering passage of the federal securities laws. Thus, the timing of the bankruptcy and the corresponding media coverage made it politically expedient to pass laws that would make similar schemes difficult in the future. A single event, the corruption of Ivar Kreuger, had shaken investors' confidence and provided the media event of the decade.


As a result, the Securities Act of 1933 was passed, and the New York Stock Exchange issued rules mandating audits of listed companies. Even a movement toward uniformity in accounting principles can be laid at the feet of Kreuger. Auditors thus owe much of their livelihood to the fraud perpetrated by Ivar Kreuger. In fact, some might say that because of the resulting improvements to financial reporting, Kreuger did more good than harm for the financial community. A person of his ilk was needed to show the world that auditors are necessary and can make a contribution to a regulated securities market.

The 1936 version of the American Institute's 1917 joint pronouncement with the Federal Trade Commission on auditing standards suggested that auditors might want to observe inventories and confirm receivables, but there was no requirement for these procedures. Many auditors had long opposed observing inventories under the theory that CPAs were not skilled appraisers and that a statement that they had physically inspected inventories might be construed as a guarantee of the inventory valuation. This lack of a requirement for inventory observations and receivable confirmations proved to be an embarrassment to the profession when the McKesson & Robbins scandal surfaced in 1938. The senior management of McKesson & Robbins had used a facade of false documents to conceal the fact that $19 million in inventory and receivables were nonexistent. A Securities and Exchange Commission (SEC) investigation concluded that Price Waterhouse & Company had adhered to generally accepted auditing procedures as recommended in the 1936 Institute pronouncement. The auditors had obtained management assurances as to the value of the inventories and had test-checked the inventories to purchase orders (which were fabricated to conceal the fraud). But the SEC concluded that although generally accepted procedures had been followed, those procedures were inadequate.

As a result, in 1939 the American Institute issued Statement on Auditing Procedure (SAP) No. 1 that required auditors to observe inventories and confirm receivables. The McKesson & Robbins case was a turning point in auditing history. No longer was the auditor responsible only for auditing the accounts of management; responsibility was extended to an audit of the business itself. And the profession began to issue promulgated statements and standards related to the specific procedures and standards of audits.

Other cases have influenced auditors in recent years, but none to the extent of the frauds associated with Ultramares, Kreuger, and McKesson & Robbins. Continental Vending Machine Corporation (1968) was unusual in that it marked the first instance of an external auditor being criminally convicted for fraud. The overriding conclusion of all of this activity is that the (external) auditing profession has long been reactive rather than proactive. On the whole, the recent history of auditing has been centered on reacting to adverse events affecting the profession.

[1] Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.

[2] Interestingly enough, a similar law was passed during the Civil War but was later ruled to be unconstitutional by the U.S. Supreme Court.

1.3 History of Internal Auditing

Some types of internal audits date back thousands of years. As mentioned earlier, the Greeks, Romans, and Egyptians were conducting audits before the birth of Christ. Interestingly, the scope of these early audits was in many ways akin to that of modern internal audits; both included an examination of the correctness of accounting records and an evaluation of the propriety of activities reflected in the accounts. Emphasis was on improving management control over the activities of the organization. Such broad emphasis was not to reappear on a wide scale until after World War II. [3]


In the United States, there was little need for internal auditing in the colonial period because there was little in the way of large industry. In fact, accounting textbooks of the period never referred to the subjects of internal auditing or internal control. In government, however, the need for an audit function was recognized. The first U.S. Congress in 1789 approved an act that included a provision for the appointment of a secretary of the treasury, a comptroller, and an auditor. The auditor's job, basically a clerical function, was to receive all public accounts, examine them, and certify the balances.

Despite the aforementioned early references, railroad companies are usually credited with being the first modern employers of internal auditors. It was during the latter part of the nineteenth century that these first real internal auditors became commonplace. The title applied to these employees was traveling auditors, and their duty was to visit the railroads' ticket agents and determine that all the accounting for all monies was properly handled.

Other early industries to use internal auditors included the large Krupp Company in Germany. Krupp apparently employed some type of internal audit staff at least as early as 1875 since there is a company audit manual dated January 17, 1875, which includes the following provisions:

The auditors are to determine whether laws, contracts, policies and procedures have been properly observed and if all business transactions were conducted in accordance with established policies and with success. In this connection, the auditors are to make suggestions for the improvement of existing facilities and procedures, criticisms of contracts with suggestions for improvement, etc.

Although the roots of internal auditing do date back into the nineteenth century, real expansion did not occur until the early part of the twentieth century with the growth of the large corporate form of business. The major factor in the emergence of internal auditing was the extended span of control faced by management in business employing thousands of people and conducting operations in many locations. Defalcations and improperly maintained accounting records were major problems, and the growth in the volume of transactions resulted in a substantial bill for public accounting services for the organization that tried to maintain control by continuing the traditional form of audit by the public accountant.

The objectives of early internal auditors were primarily built around the protection of assets. The National Industrial Conference Board's study of internal auditing explained the early motives as follows:

Protection of company assets and detection of fraud were the principal objectives. Consequently, the auditors concentrated most of their attention on examinations of financial records and on the verification of assets that were most easily misappropriated. A popular idea among management people a generation ago was that the main purpose of an auditing program was to serve as a psychological deterrent against wrongdoing by other employees.

That same study recognized the internal auditor of yesteryear did not perform the same duties as the modern-day internal auditor. In addition, there was no need for the pioneer internal auditor to perform all of the functions that are handled by today's internal auditors.

In less complicated times, of course, management frequently maintained control over company operations by personal supervision. There were not so many levels of authority separating policy makers from production workers, and demands on senior executives' time were neither so numerous nor so urgent.

Prior to 1941, internal auditing (IA) was essentially a clerical function with no organization and no standards of conduct. Because of the nature of accounting record keeping at the time (i.e., manual), auditors were needed to check the records after they were created for accuracy—for errors in postings or footings. Auditors were also concerned with the possibility of fraud. Thus, the internal auditor was a verifier, or a "cop," to protect organizational assets.


The old concept of internal auditing can be compared to a form of insurance: The major objective was to discover fraud more quickly than it could be discovered by a public accountant during an annual audit. That is, the internal auditor was performing a function similar to a police officer or detective. The modern concept of internal auditing is that of an arm of management. Today, internal auditors are an integral link in the management process and are just as concerned with waste and inefficiency as with fraud. Part of the development probably can be attributed to the change in technology. As accounting became mechanized and computerized, records became subject to automatic checking procedures. Thus, the need to check every transaction declined, giving internal auditors time to reach beyond the historical clerical limits.

The year 1941 marked a turning point in the development of internal auditing as two significant events occurred. One of those events was the publication of the first major book on the subject—Victor Z. Brink's Internal Auditing. Also in 1941, 24 individuals joined together to form The Institute of Internal Auditors (IIA).

During the 1940s, internal auditors began to expand their audits to encompass more than the traditional financial audit. The shift to a war economy in the early 1940s was the primary cause for the expansion of internal audit scope. Management became more concerned with production scheduling, shortages of materials and laborers, and compliance with regulations. Also, cost reporting became more important than external reporting. As a result, internal auditors began directing their efforts toward assisting management in whatever way possible. Following the war, the benefit of the auditor's assistance was so obvious to management that there was no consideration of reducing the auditor's scope to prewar levels.

The term operations or operational auditing was adopted to describe the expanded activity. In March 1948, Arthur H. Kent's work, "Audits of Operations," published in The Internal Auditor, was the first article to describe the expanded-scope audit. In that piece, Kent made frequent mention of an operations audit. Other authors had discussed the subject, but had referred to non-accounting matters, instead of operational subjects. The first technical paper to use the phrase operational auditing in the title was published in The Internal Auditor in June 1954 and written by Frederic E. Mints.

By the mid-1950s, others were using the term in speeches, articles, and technical publications. At about the same time, accounting became more mechanized and computerized, and records became subject to automatic checking procedures once performed by internal auditors. That trend was reflected in the 1957 Statement of Responsibilities of Internal Auditing, published by the IIA.

The growth in the internal auditor's scope of responsibility can be observed through a comparison of the 1947 Statement of Responsibilities of the Internal Auditor and the 1957 revision of the same document. The 1947 version stated that internal auditing dealt primarily with accounting and financial matters but may also properly deal with matters of an operational nature. That emphasis was to change in just one decade. The IIA described the broad role of internal auditing with its 1957 Statement of Responsibilities of the Internal Auditor. Whereas the 1947 Statement said that an auditor might also deal with operating matters, the 1957 Statement stated that the auditor should be concerned with any phase of business activity. The 1957 Statement included these internal auditor (IA) duties:

• Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and operating controls
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which organizational assets are accounted for, and safeguarded from, losses of all kinds
• Ascertaining the reliability of accounting and other data developed within the organization
• Appraising the quality of performance in carrying out assigned responsibilities

As previously mentioned, there were two significant events in 1941—the publication of the first major book on internal auditing and the founding of the IIA. Interestingly, the latter event was related to the former. Victor Z. Brink's doctoral dissertation was published in January 1941 by Ronald Press. At the same time, John B. Thurston, internal auditor for the North American Company in New York, had been contemplating establishing an organization for internal auditors. Thurston and Robert B. Milne had served together on an internal auditing subcommittee formed jointly by the Edison Electric Institute and the American Gas Association. These two had decided that further progress in bringing internal auditing to its proper level of recognition would be difficult in the two organizations. Instead, what was needed was an independent organization for internal auditors. When Brink's book came to the attention of Thurston, the two men got together and found they had a mutual interest in furthering the role of internal auditing.

Only 11 members were present at the first annual meeting of the IIA. Thurston was elected as its first president. Membership grew quickly. The original 24 increased to 104 by the end of the first year, to 1,018 at the end of five years, and to 3,700 by 1957, with 20% of the latter figure located outside the United States.

The new group was quick to begin its activities to further the development of its members. A director of research approved in January 1942 the first book published under the IIA auspices, and it was issued in March 1943. A journal, The Internal Auditor, was begun in September 1944. Membership was divided into local chapters beginning in December 1942, when the New York chapter was formed. The Detroit, Chicago, Los Angeles, and Philadelphia chapters followed in 1943. Additional chapters were formed the following year in Dayton, Cleveland, and Toronto, the first outside the United States. By the end of 1947, 19 chapters operated throughout North America. The first chapters outside North America were formed in London and Manila in 1948 to begin the trend toward true internationalization.

Other developments would further focus IA on operational audits. In 1963, the National Industrial Conference Board studied 177 organizations' objectives for their internal auditing programs. The Board concluded with five primary objectives:

1. Determine the adequacy of the system of internal control
2. Investigate compliance with organizational policies and procedures
3. Verify the existence of assets, ensure that proper safeguards for assets are maintained, and prevent or discover fraud
4. Check on the reliability of the accounting and reporting system
5. Report findings to management and recommend corrective action where necessary

In 1975, the IIA found that 95% of all respondents to a survey conducted operational audits for purposes of judging efficiency, effectiveness, and economy. The same study found that 51% of the total audit time was spent on operational auditing activities. Thus the shift from financial to operational had become profound and permanent. The modern work of the internal auditor had become auditing for efficiency and effectiveness more than financial propriety. The internal auditor had also become an integral part of the management team.

Another dramatic change in the IA function in the United States occurred in 1987 with the Treadway Commission report. The Commission was organized by five accounting organizations—IIA, AICPA, American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial Executives International (FEI)—known as the Committee of Sponsoring Organizations (COSO). The commission was formed to study the cause of fraudulent financial reporting. The committee concluded: (1) an internal audit function should exist in every public corporation, and (2) there should be a corporate audit committee composed of non-management directors of the corporation. These conclusions not only enhanced the IA profession but also brought fraud to the forefront of IA functions, as it had been before 1941.

Also in the 1990s, one trend caused a change in the way the IA function was carried out. Outsourcing became a popular way for organizations to employ the IA function. The role of the IA function was served by public accounting and other providers. The IIA Standards and Statement have evolved further and now have risk assessment as their cornerstone.


The internal auditing function has undergone significant changes in the last century. The main objective of the IA function has moved from that of fraud detection to assisting management in making decisions beginning with a risk assessment. The IA staff of today is considered a good training ground for management-level personnel, but many organizations have out-sourced the entire IA function.

[3] Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.

1.4 Auditing Government Agencies

Various governmental audit agencies throughout the world have played a role in the movement toward the modernization of internal audit procedures. In the United States, the General Accounting Office (GAO) has played a major part in broadening the role of the auditor. The GAO's publication, Standards for Audit of Governmental Organizations, Programs, Activities and Functions (commonly called the "Yellow Book" because of the color of its cover) explains the metamorphosis in the following manner:

This demand for information has widened the scope of governmental auditing so that such auditing no longer is a function concerned primarily with financial operations. Instead, governmental auditing now is also concerned with whether governmental organizations are achieving the purposes for which programs are authorized and funds are made available, are doing so economically and efficiently, and are complying with applicable laws and regulations.

Basically, the recommended standards encompass those standards that have been adopted by the AICPA for use in audits to express an opinion on the fairness of financial statements. Governmental audits, however, go a step beyond those standards that are applicable to audits of financial statements. The scope of a governmental audit (e.g., an audit of or for a government agency) is composed of three elements:

1. Financial compliance,
2. Economy and efficiency, and
3. Program results.

The typical definition of a financial audit would not include elements 2 and 3. These are operational auditing techniques.

1.5 History of Information Systems Auditing

The technology revolution in accounting and auditing began in the summer of 1954 with the first operational business computer. Information technology (IT) changed the way accounting data was stored, retrieved, and handled. These new systems led to radically different audit trails, if they left one at all. The revolution became a dynamic evolution as the computer industry sustained continuous, rapid technical innovations.

In addition to the introduction of computers to the business world, other IT-related events have also had a profound effect on the auditing profession and the way audits are conducted. These events included: (1) the commercialization of computers; (2) the introduction of AUDITAPE; (3) the Equity Funding scandal; (4) the emergence of the Information Systems Audit and Control Association (ISACA); (5) the Systems, Auditability, and Control (SAC) studies by the Institute of Internal Auditors (IIA); and (6) constantly emerging technologies.

Information technology affected, and continues to affect, auditing. It became necessary to add new standards to the body of auditing standards. The audit process itself has become different from traditional audits prior to 1954 (e.g., in audit tools and techniques). It was possible for an auditor to retire in the 1950s having used similar audit programs throughout one's career. That will never happen again! The effects of IT on auditing have culminated in a set of knowledge, skills, and standards necessary to conduct the contemporary audit that were nonexistent in 1954.

a. Birth of Information Systems Auditing

The introduction of computer technology into accounting systems disrupted the routine auditors had been able to establish to properly audit accounting systems. General Electric is credited with the first operational electronic accounting system, a UNIVAC computer, in the summer of 1954. Because of the new knowledge necessary to understand computers and electronic data processing (EDP), the auditing profession struggled to develop a new set of tools, techniques, and systems knowledge—and the training and standards to accompany them.

A seminal event occurred very early in the history of business computers. This notable example of early innovation was an article, "Using a Computer to Reconcile Inventory Counts to Books," published in the N.A.C.A. Bulletin (National Association of Cost Accountants) in June 1956. In the article, the author, Frank Howell, a member of the Auditor General's staff for the United States Air Force (USAF) in Washington, D.C., described how an organization used the computer to reconcile inventory counts to books. The computer was programmed to print out major differences between counts and inventory records while automatically adjusting the books to the count for minor differences. The program even evaluated the effectiveness of inventory operations in various departments and determined which supervisors were doing the best job of counting inventory. Taking into account the length of publication cycles, this technique was being used as early as 1955, that is, at the beginning of IT history. Some nascent articles and discussions deliberated the possibility of using information technology (i.e., the computer) as an audit tool, but Howell at the USAF was actually using technology as an audit tool. At the time, this idea was radical and innovative. Thus, one early effect of information technology was to provide the very tools auditors would need to adequately audit accounting data. This effect became perpetual as future technologies would also be used as tools in audits of EDP systems.
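The reconciliation logic Howell's article describes, written out as an added illustration rather than the 1956 USAF program itself: minor count-to-book differences are posted to the books automatically, major differences are printed for follow-up, and each department is scored on counting accuracy. The record layout, the tolerance rule (two units or five percent of the book quantity, whichever is larger) and the sample inventory lines are all constructed for this example.

```python
"""Count-to-book inventory reconciliation of the kind Howell described.

Added illustration: minor differences are posted to the books automatically,
major differences are reported for follow-up, and each department is scored
on counting accuracy. Record layout, tolerance rule and sample data are
constructed; none of it is the 1956 USAF program.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class InventoryLine:
    sku: str
    department: str
    book_qty: int   # quantity per the perpetual inventory records
    count_qty: int  # quantity per the physical count


@dataclass
class Reconciliation:
    adjusted: dict = field(default_factory=dict)        # sku -> book qty after the run
    exceptions: list = field(default_factory=list)      # (sku, dept, book, count, diff)
    department_accuracy: dict = field(default_factory=dict)  # dept -> exact-match rate


def reconcile(lines, minor_units=2, minor_pct=0.05):
    """Compare each count to the books and split differences into minor and major.

    Tolerance rule (constructed): a difference is minor when it is within
    minor_units OR within minor_pct of the book quantity, whichever is larger.
    Minor differences adjust the books to the count; major differences are
    listed as exceptions and the book quantity is left unchanged pending review.
    """
    result = Reconciliation()
    total = defaultdict(int)
    exact = defaultdict(int)
    for ln in lines:
        diff = ln.count_qty - ln.book_qty
        total[ln.department] += 1
        tolerance = max(minor_units, abs(ln.book_qty) * minor_pct)
        if diff == 0:
            exact[ln.department] += 1
            result.adjusted[ln.sku] = ln.book_qty
        elif abs(diff) <= tolerance:
            result.adjusted[ln.sku] = ln.count_qty          # auto-adjust to the count
        else:
            result.exceptions.append((ln.sku, ln.department, ln.book_qty, ln.count_qty, diff))
            result.adjusted[ln.sku] = ln.book_qty           # hold for auditor follow-up
    for dept, n in total.items():
        result.department_accuracy[dept] = exact[dept] / n
    return result


def best_counting_department(result):
    """Department with the highest exact-match rate; ties broken alphabetically."""
    return min(result.department_accuracy,
               key=lambda d: (-result.department_accuracy[d], d))


# Constructed sample: two departments with exact, minor and major differences.
SAMPLE_LINES = [
    InventoryLine("A-100", "Stores", 500, 500),
    InventoryLine("A-101", "Stores", 120, 119),   # minor: 1 unit
    InventoryLine("A-102", "Stores", 40, 38),     # minor: 2 units
    InventoryLine("A-103", "Stores", 1000, 960),  # minor: 4% of book
    InventoryLine("B-200", "Shop", 75, 75),
    InventoryLine("B-201", "Shop", 75, 75),
    InventoryLine("B-202", "Shop", 30, 18),       # major: 12 units, 40% of book
    InventoryLine("B-203", "Shop", 10, 10),
]

if __name__ == "__main__":
    rec = reconcile(SAMPLE_LINES)
    for sku, dept, book, count, diff in rec.exceptions:
        print(f"MAJOR DIFFERENCE {sku} ({dept}): book={book} count={count} diff={diff:+d}")
    for dept, rate in sorted(rec.department_accuracy.items()):
        print(f"{dept}: {rate:.0%} of lines counted exactly")
    print("best counting department:", best_counting_department(rec))
```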

Not all creative tools and techniques were delivered using emerging technologies. As early as 1961, the U.S. Air Force adapted the traditional separation of duties to programmers, systems designers, and keypunch operators. Other traditional auditing principles would be similarly altered to accommodate the effects of IT on auditing.

In the beginning, IT itself provided an inherent protection. From 1955 to the mid-1960s, the computer world included only mainframes. During this time, few people had the knowledge and expertise to program a computer. This situation prevented most accountants from preparing programs to audit through the system. It also provided its own form of security, because few people knew enough to violate the systems.

b. Commercialization of Computers

Beginning in 1963, the escalation of computer usage in accounting systems caused auditors to think about how they were going to deal with this new technology. Several organizations had begun to manufacture computers to be used in business during the late 1950s and early 1960s. Some manufacturers, such as Singer and General Electric, soon exited the computer market. Others, such as Burroughs and IBM, became major suppliers of business computers. Up until then, all of the computers were mainframes. The cost of these machines made it prohibitive for most companies to purchase one.

The use of computers in accounting began to escalate in 1963 with the introduction of a new, lower-cost computer by IBM—the IBM 360. The plan at IBM was to introduce smaller machines at more affordable costs to businesses. The IBM 360 accomplished this objective, and a rapid increase in sales of commercial-use computers ensued. This increase in computer sales was instrumental in creating a greater need for EDP auditing concepts in businesses and a need for auditors skilled and knowledgeable about EDP. And the spiral of better IT, cheaper IT, and smaller-size IT was off and running.

c. AUDITAPE: Breakthrough for Information Systems Auditors

From the beginning, external auditors had a difficult time in auditing through the computer. First, the majority of auditors audited around the computer, ignoring for the most part the effect of EDP on the audit. In the 1960s, those auditors who audited through the system had to rely on expensive, time-consuming, and continuously changing custom audit programs. For example, Keagle Davis undertook a study at Touche Ross that showed that their programmers had written 150 to 250 customized audit programs in 1967 alone. While 75% of these were effective, 80% required major programming changes the next year because of changes in the computer system or changes in audit needs.

Meanwhile, the number and variety of financial accounting systems and clients with computers greatly increased in the last half of the 1960s. The skills required to handle the audit of computerized data increased significantly beyond those of an EDP technician. Together, these needs drove the development of generalized audit software (GAS).

A series of events and projects at Haskins & Sells (H&S) led to the initial GAS package. In the late 1950s, Kenneth Stringer began to develop a statistical sampling plan. In 1962, H&S formally adopted the plan, Probability Proportional to Size Sampling (PPS). PPS was a precursor to AUDITAPE, but it was not the only motivation, or even the primary motivation, in developing AUDITAPE. Stringer and the management at H&S were also motivated by the fact that the more clients computerized their accounting, the more dependent auditors would become on computer expertise. The growth of computerized accounting systems would create an environment in which auditors would be unable to perform the audit steps once done manually. That is, access to data was gradually slipping away from auditors.

The introduction of AUDITAPE in October 1967 by Haskins & Sells at the American Accounting Association (AAA) annual meeting in Portland, Oregon, was a key event for external auditors in particular (at that time), and internal auditors (later). Practitioners were excited when they saw the potential of AUDITAPE because external auditors who were not highly technical could now run the computer and use it as an audit tool. Very few auditors had yet acquired a high level of technical skills in 1967.

As a direct response to the introduction of AUDITAPE, several GAS packages were developed from 1968 to the early 1970s. Every Big Eight public accounting firm developed its own proprietary GAS package during this time. Independent organizations, such as Computer Audit Systems, Inc. (Joseph Wasserman, CARS software) and, in the late 1970s, P.J. Corum (later Pansophic, Panaudit software), also developed GAS packages.

The development and use of GAS was a breakthrough in audit tools. In 1967, very few audit tools existed, and there was a meager use of the tools that did exist. AUDITAPE was the impetus that led to the development and use of audit tools, specifically GAS, in EDP audits. AUDITAPE also affected other aspects of auditing. Although statistical sampling preceded AUDITAPE by several years, AUDITAPE affected the use of statistical sampling as much as it affected anything. Thus, AUDITAPE was born from a need to audit through the computers (information technology) in a simple, efficient, and effective manner. Information technology's effect on access to data by external auditors (i.e., difficult to examine) drove the need for better audit tools. To this day, GAS is perhaps the most valuable tool an auditor has to audit data embedded in IT.

The AICPA added its contribution to EDP audits, even though it was without official standards or guidance. In 1968, Robert Trueblood of Touche Ross, president of the AICPA, pursued the theme of computers in accounting during his term. Trueblood used his influence to have the AICPA hire Gordon Davis to both assist CPAs in the use of computers and codify EDP auditing. Dr. Davis, a professor at the University of Minnesota, accepted the responsibility and took a leave of absence to be de facto chairman of the committee appointed by the AICPA. Each of the Big Eight firms was invited by the AICPA to participate on the committee in the development of this project, and seven firms provided representatives. The major result of the project was a book entitled Auditing & EDP. This popular book went through many printings and a revision in 1983. It included examples of how to document an EDP audit and a sample questionnaire for processing internal control review.

The Auditing & EDP project led to several changes in the auditing profession. Although the book itself did not present the official position of the AICPA (i.e., it was not promulgated standards), it did present a number of audit and control concepts and procedures as an unofficial document. Perhaps the most important chapter was one dedicated to explaining when and how to audit around the computer. In the 1960s, auditors could officially audit input and output and still be in compliance with AICPA standards. If auditors did choose to audit around the computer, the chapter recommended that an evaluation of internal control be made to both review and test the system. Auditors could not simply ignore the presence of EDP in the accounting system. This recommendation was essentially the context of Statement on Auditing Standards (SAS) No. 3: The Effects of EDP on the Auditor's Study and Evaluation of Internal Control, promulgated six years later in December 1974.

Another result of the Auditing and EDP Task Force was the establishment of a permanent EDP auditing committee within the AICPA. The committee's efforts eventually led to the issuance of several audit guides and SAS No. 3.

d. Equity Funding Scandal: Abuse of Information Technology

Oddly enough, the abuse of information technology—to falsify accounting data and hide a fraud—was one of information technology's most significant influences on auditing. The Equity Funding financial fraud scandal jolted both the accounting profession and management—including audit management—from a stodgy, traditional audit ideology. Managers who believed that the computer was a black box and it did not really matter what went on inside began to change their minds. Audit managers who believed the computer was a fad or a fancy calculator began to take more seriously the implications of using EDP in accounting. The atmosphere, in general, was ripe for change.

Managers at Equity Funding Corporation of America used a series of frauds beginning in 1964 to show false profits, thus increasing the company's stock price. The primary fraud was the use of phony insurance policies. Equity Funding used several tactics to perpetrate the fraud. One was to use different external auditors in order to confound the audit process and prevent detection of the fraud. The company used another deceptive tactic during confirmation of receivables. When the external auditing firm tried to confirm receivables (policies) by phone, the Equity Funding switchboard operator simply patched them through to Equity Funding employees in the building. That is, EF employees were in on the fraud and actually provided external auditors with false information. The most amazing fact of the case is that it went undetected for so long. Many people inside the company knew about the fraud, and yet the fraud was a better-kept secret than some of our military secrets of the time. The fraud was exposed when a disgruntled ex-employee blew the whistle. In March 1973, the SEC suspended trading of Equity Funding stock.

The subsequent audit by Touche Ross was definitely not traditional. First, the auditors were trying to prove that the insurance policies did not exist. Second, it was a fraud audit, not a financial audit. Touche Ross auditors used the opportunity to apply a variety of new techniques to satisfy audit requirements in terms of information and how the system reports and files data. The audit took two years to complete. Touche Ross found about $2 billion of phony insurance policies—two-thirds of the policies Equity Funding claimed to have in force.

For the most part, the external auditors before Touche Ross failed to follow up on numerous clues that indicated something was wrong. The use of audit software could have detected the fact that the policy file was fraudulent. For example, all bogus policies were coded to department "99." The auditors also did not review system flowcharts or program code but treated the computer as a black box. Not only did the external auditors overlook the clues, but the SEC could be accused of the same thing. An SEC staff member wrote memos 15 months prior to Equity Funding's collapse reporting rumors of irregularities. The SEC, however, dropped the investigation shortly after receiving the memos.
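A stratification test of the kind generalized audit software runs, added here to show how the department-code clue above would surface in a routine pass over the policy master file; it is not Equity Funding's data or any firm's tool. The record layout, the department master, the 25% concentration ceiling and the sample records are constructed, and the test is written generally so it flags any stratum that is over-concentrated or coded outside the department master.

```python
"""Stratification test in the style of generalized audit software (GAS).

Added illustration prompted by the Equity Funding clue (bogus policies all
coded to department "99"): stratify the policy master file by department
code, then flag strata that are implausibly concentrated or coded outside the
department master. Record layout, department master, threshold and sample
records are constructed; this is not Equity Funding's data or any firm's tool.
"""
from collections import defaultdict


def stratify(policies, key="department"):
    """Per stratum: record count, summed face value, and each as a share of the file."""
    count = defaultdict(int)
    value = defaultdict(float)
    for p in policies:
        count[p[key]] += 1
        value[p[key]] += p["face_value"]
    n = len(policies)
    total_value = sum(value.values())
    return {
        k: {
            "count": count[k],
            "count_share": count[k] / n,
            "value": value[k],
            "value_share": value[k] / total_value if total_value else 0.0,
        }
        for k in count
    }


def flag_concentrations(strata, max_share=0.25):
    """Strata whose share of records or of face value exceeds a plausibility ceiling.

    max_share is a judgement threshold (constructed): for an insurer writing
    business across many sales departments, one code carrying more than a quarter
    of the file calls for explanation and an independent confirmation sample.
    """
    return sorted(k for k, s in strata.items()
                  if s["count_share"] > max_share or s["value_share"] > max_share)


def flag_invalid_codes(strata, valid_codes):
    """Department codes present in the policy file but absent from the department master."""
    return sorted(k for k in strata if k not in valid_codes)


VALID_DEPARTMENTS = {"01", "02", "03", "04"}   # constructed department master


def make_sample():
    """Constructed policy master: 12 genuine policies across four departments
    plus 24 fictitious policies all coded to department "99"."""
    genuine = [
        {"policy_no": f"R{d}{i:02d}", "department": d, "face_value": 25_000.0 * (i + 1)}
        for d in sorted(VALID_DEPARTMENTS) for i in range(3)
    ]
    fictitious = [
        {"policy_no": f"F{i:03d}", "department": "99", "face_value": 50_000.0}
        for i in range(24)
    ]
    return genuine + fictitious


if __name__ == "__main__":
    strata = stratify(make_sample())
    for code, s in sorted(strata.items()):
        print(f"dept {code}: {s['count']:3d} policies ({s['count_share']:.1%}), "
              f"face value {s['value']:>12,.0f} ({s['value_share']:.1%})")
    print("over-concentrated:", flag_concentrations(strata))
    print("not in department master:", flag_invalid_codes(strata, VALID_DEPARTMENTS))
```

With the constructed file, department "99" carries two-thirds of both the policy count and the face value, the same proportion the text reports for the phony policies, and it is also absent from the department master.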

The popular press treated the fraud as a computer fraud, but it really was not—it was a management fraud. Still, the fact is that Equity Funding management probably could not have perpetrated the fraud without the use of computers. The public's perception of the part that the computer played in the fraud caused a new wave of interest in audit procedures where computers were a component of the accounting system. The prevailing belief at this time was that traditional audits (those that audited around the computer) were sufficient to detect the existence of material and significant frauds, such as the Equity Funding fraud. Others, primarily EDP auditors, had espoused the need for auditing through the computer. These people were now receiving attention from accountants, auditors, and management.

This financial fraud affected a wide range of constituencies. These included insurance regulators, bank regulators, postal inspectors, the FBI, and the U.S. Attorney's office. At least 12 different federal and state agencies were involved in the aftermath of exposure of the scandal. Equity Funding did more for the rise of EDP auditing (i.e., more EDP auditor jobs) than any other single event. For example, Harold Weiss was credited with providing the only major EDP auditing training during the late 1960s and early 1970s. He said that his activity increased so significantly after Equity Funding that he had trouble filling all of the requests. He also said most of the managers who had previously told him "no" to his requests for EDP audits or the use of EDP audit techniques were now calling and asking for his help to institute computer controls and EDP audit techniques.

The Equity Funding scandal had a domino effect in the auditing community. The attitude of isolating the computer system from the EDP auditors, held by some corporate management, changed after Equity Funding. In addition, auditing procedures were being challenged; some of the customary policies and procedures that had been acceptable began to be questioned. Equity Funding highlighted the need for audit standards that apply directly to EDP auditing (these were non-existent at the time). Security became an increasingly significant issue for all auditors—up until Equity Funding, auditors were absorbed with accounting-related issues in EDP.

Auditing literature was also affected. An analysis of citations prior to 1973 shows an insignificant amount of research and publications on EDP auditing issues by such organizations as the AICPA, Big Eight firms, and IIA. From 1955 through 1970 (16 years), the AICPA published only 21 articles, two chapters in a book, and Auditing & EDP, according to the Accountants' Index published by the American Institute of Accountants. The IIA published 10 articles and no books in the same period. State societies published 25 articles. None of these institutions averaged two articles per year. The more active Big Eight published about 40 articles (some overlapping with the AICPA publications in The Journal of Accountancy and state society publications).

Between 1973 and 1977, however, numerous activities followed Equity Funding: publications, standards, research, and seminars. Even IBM changed; management at IBM decided to make a substantive effort to change the image of the computer from a villain to a hero. A comparison of the EDP auditing profession prior to 1973 and immediately thereafter leads to the conclusion that the Equity Funding scandal was the single most important event in EDP audit history.

e. Systems, Auditability, and Control Research Study—Institute of Internal Auditors

By 1973, IBM had established a close working relationship with the public accounting community. In 1965, IBM helped establish a users group, Accountant Computer Users Technical Exchange (ACUTE), in New York City. After Equity Funding, IBM established a liaison position to cooperate with the public accounting community.

As a result of these relationships, IBM instituted auditability and security programs for its computers and for auditors, a two-way communication line intended to benefit both parties. For example, every IBM computer had a technical guide on the security and auditability features of that particular computer. Auditors benefited from these guides when conducting their audits. Also, IBM invited accountants to training, even if they did not own an IBM computer (IBM normally required training attendees to be owners of IBM equipment). While other computer manufacturers were offering only technically oriented training, IBM offered training that was less technical, and thus more useful to accountants. In return, feedback from auditors led to improvements in the security and auditability features of IBM computers, and the referrals from accountants led to sales. Auditors were assisting IBM, to some degree, in becoming the leading manufacturer of computers.

Members of the IIA staff had been planning a large-scale research project into information systems and auditing called Systems, Auditability, and Control (SAC). In 1973, the IIA formally approached the IBM liaison, Sam Albert, about the possibility of IBM's financial support for the SAC research. Albert eagerly agreed to pursue possible financial support from IBM and was able to convince IBM management to invest in the project. Albert unilaterally decided it was in the best interests of IBM to be the sole sponsor of the project, and he secured a financial commitment of $500,000 from IBM.

In 1975, no entity had been able to define EDP auditing precisely and communicate that definition nationally. State-of-the-art tools, techniques, and procedures also suffered from a lack of exposure and codification. The SAC study had the ambitious goal of making a definitive evaluation of EDP auditing. In 1977, SAC was published. Due to this effort, SAC managed to define EDP auditing because SAC provided some prescription of how to approach EDP auditing. In addition, SAC codified tools and techniques into a benchmark or standard. That is, SAC established what effective EDP audit shops were doing, especially best practices. Others believed SAC legitimized the need for an EDP auditing staff and function. SAC's contributions made an impact, moving EDP auditing forward significantly.

SAC was a landmark study in changing the audit profession and controlling computer systems. The IIA and IBM gave away hundreds and thousands of copies for free. The prestige of IBM, the notoriety of the individual members of the Advisory Committee, and the IIA lent credibility to SAC. At least up until the mid-1980s, SAC was probably the most widely publicized, read, accepted, and applied publication that encapsulated a comprehensive set of principles for EDP auditing. SAC has been updated several times since its initial publication (in 1991, 1994, and eSAC 2001). It is currently referred to as eSAC (Electronic Systems Assurance and Control), and is available online from the IIA.

f. Electronic Data Processing Auditors Association

By the late 1960s, many EDP auditors were ready for an organization dedicated to EDP auditing. At that time, there was no authoritative source for EDP audits that would provide information, standards, tools, and techniques. From the efforts of a handful of interested auditors in Southern California, the Electronic Data Processing Auditors Association (EDPAA) was organized in 1969. Its first conference was held in January 1973, just before the exposure of the Equity Funding scandal, and its first regular publication, The EDP Auditor, began in May of the same year.

In 1977, the EDPAA's Foundation (EDPAF) published its first edition of Control Objectives, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits. It was intended to provide a normative model for EDP auditors in performing their duties. The publication was revised and updated frequently in the subsequent years (1980, 1983, 1990, and 1992). Between 1992 and 1996, Control Objectives underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for Information and Related Technology). CobiT was revised in 1998 and 2000 (third edition), and is available on CD-ROM and online. CobiT has become an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers, users of IT, and IS auditors.

In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program—Certified Information Systems Auditor (CISA). Because of information technology, some internal and external auditors wanted a separate certification for auditors of Information Technology; the CISA provided the vehicle. The first CISA exam was given in 1981 and offered in two languages. In 2002, more than 10,000 candidates around the world took the CISA exam in their choice of nine languages: English, Dutch, French, German, Italian, Japanese, Spanish, Chinese, or Korean. The introduction of the CISA certification program brought a standard for IS auditors that came to be respected throughout the auditing profession. Today, more than 27,000 professionals in dozens of countries have become certified through the CISA program.

By 1984, the international growth of the EDPAA began to accelerate. Many international chapters were chartered beginning about this time. For example, in 1985, Region 10—encompassing Japan, Hong Kong, Singapore, Malaysia, India, and the Philippines—was activated. The EDPAA began to translate key documents into foreign languages. When Control Objectives was translated into Japanese in 1986, it soon became a best seller—selling more than 10,000 copies. By 1988, the CISA exam and other documents were also translated into foreign languages. In 1989, the EDPAF issued its 10 worldwide General Standards for IS Auditing, and its first two worldwide Statements on IS Auditing Standards. In 1991, the EDPAA elected its first international president living outside North America—Deepak Sarup. The Information Systems Audit and Control Association (ISACA) has become the only true international professional auditing organization, with international members, international chapters, and international standards (applicable on an international scale)—all within a single entity.

In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association (ISACA). Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and assumed sponsorship of the Computer Audit, Control and Security (CACS) conferences begun by Harold Weiss in the 1960s. The activities of EDPAA/ISACA have contributed to the emergence of the large number of IS auditing experts today.

ISACA is known today for its CobiT project, its services, CISA certification, training, information—topics such as corporate governance and the Global Knowledge Network (Global Information Repository)—and it continues to publish its technical journal, Information Systems Control Journal. ISACA has more than 26,000 members internationally in more than 100 countries.

g. Emerging Technologies

Technology continued to change at a rapid pace until the introduction of the microcomputer in the late 1970s. At that time, information technology became portable and distributed, carrying with it new control problems. While the pioneers did blaze a trail for others to follow (in the mainframe area), all the trails seemed to change by 1979, and the walls around the data center were no longer secure. In addition, EDP auditing had even evolved into a separate function in many organizations, or at least a separate position in IA: audit manager/IS audit.

The breadth of IT also began to compound the knowledge and expertise needed to perform audits and audit projects. The 1980s saw many new technologies incorporated into accounting systems. Some had been in the process of developing, but the proliferation of IT in the 1980s and 1990s drove the need for better IS products as well as new technology. The emerging technologies included microcomputers or personal computers (PCs), database management systems, electronic data interchange (EDI), bar coding, artificial neural systems (ANS) or neural networks, expert systems (ES), decision support systems (DSS) and group decision support systems (GDSS), executive information systems (EIS), online analytical processing (OLAP), enterprise resource planning (ERP), and—most important of all—the Internet and World Wide Web (WWW). In addition, changes in telecommunication technologies affected nearly all accounting information systems.

i. Microcomputers and Networks

Microcomputers date back to 1975 with a group of young experts (e.g., Bill Gates) who built the first microcomputer called the Altair. Several attempts to mass market microcomputers followed from then-maverick companies such as Apple and Commodore, and traditional companies like Radio Shack. In 1977, Apple introduced its Apple II, followed in 1979 with Radio Shack's TRS-80. Also in 1977, Xerox developed a microcomputer with a mouse, graphical display, and other "windows"-like features. It was not until 1979 when VisiCalc (an electronic spreadsheet) hit the market, however, that micros really began to sell. In the fall of 1981, IBM began to sell its version of the microcomputer—the personal computer (PC).

Early in the 1980s, IS auditors were becoming concerned about the controls in microcomputer systems (e.g., spreadsheets used in accounting and financial accounting packages). Microcomputer software advances (financial accounting) had led to many installations on PCs. The widespread use of PCs dispersed the IS function within organizations. One result of micros was a loss of control of the security of computing activities. That is, computer processing, which had once at least been centralized at the mainframe computer in a single room, was now distributed throughout much of the organization.

Information system auditors quickly determined the need for new tools to audit the data that were resident on microcomputer systems. Yet the micro also provided IS auditors with the opportunity to develop new tools to take advantage of the power of micros for audit purposes. This potential led to the birth of the need for micro-based computer-assisted audit tools (CAATs), a major turning point because these tools enabled IS auditors to start doing their own micro work, instead of needing an IS expert as a go-between. Thus, the growth of PC-based CAATs was, in fact, driven by IS auditors. The PC was a greater tool for auditors than for just spreadsheets and word processing. The automation of work papers and micro-driven analytical tools were major innovations.

The 1980s also saw the growth of networked PCs. With networks, several applications and numerous users have access to the same data and resources. During transmission along network lines, data often were exposed to loss or theft (e.g., sniffers, hackers). Maintaining the security of the users connected to the network and their physical location (nodes) was also difficult because users could be frequently added or moved on a network. That is, the network a manager brings up in the morning may not be the same one brought up yesterday. This volatility creates havoc for the network manager and can be a nightmare for IS auditors—it is virtually impossible to audit an environment when the environment keeps changing, and changing this often.

These two developments (PCs and networks) have resulted in information systems that have become more difficult to audit. Technology continues to change and expand rapidly. Meanwhile, the structure of the organizational system has drastically changed (exactly where are the data and controls?), and the locus of control for data processing continues to expand. However, microcomputers (and CAATs developed for them) have also provided a powerful tool that IS auditors can use to improve or facilitate the audit process.

ii. Database Management Systems

Use of relational databases grew in the early 1980s. The expanding base of PCs created a new market for application software, such as databases. Data integrity problems existed because several different applications (and users) had access to the same information. Databases (and PCs) eliminated much of the traditional separation of duties that had been established for mainframe systems. Information System auditing had to address these issues.

The introduction of products such as the series of dBASE products, Access, FoxBASE, and so on, gave end users the ability to perform tasks previously restricted to the IS group: that is, they could develop their own applications. With much of IS programming suffering from large backlogs, end users saw a way to achieve their goals much quicker. Because of this situation, databases were popular with users. This phenomenon drove end-user computing (EUC). EUC, too, expanded the scope and exposures of information systems, again leading to changes in IS auditing.

Chapter 1: Background 15


Page 34: Managing the Audit Function 3rd Edition - John Wiley & Sons

The proliferation of databases as the foundation of accounting information systems (AIS) caused both problems and a simplification. Systems such as DB2 (from IBM) and Oracle began to dominate the market in the 1990s. The good news is that if an IS auditor understands database management system concepts and technical issues, there is a good chance the organization's data resides within one. The basic concepts are fairly common across database systems, and the two most popular packages dominate IS in larger businesses.

iii. Electronic Data Interchange and Electronic Commerce

EDI technology gave users many benefits in the delivery and production of products and services. The use of EDI, however, exposes data in transit over the telecommunications link between the two systems. Because of incompatible EDI systems, some organizations use a third party (a value-added network) to provide EDI services, which introduces another source of exposure. Therefore, EDI (computerized) audit trails have become even more difficult to follow.

The Universal Product Code (UPC) was adopted in 1973 and first scanned at a grocery checkout in 1974. Bar coding increased input accuracy and permitted fast data capture. Bar coding and scanning had advantages for management beyond inventory control. For example, Toys "R" Us used bar coding and scanning for sales analysis: to spot the hot toy first and order the entire supply.

Quick response systems integrate EDI, bar coding, and just-in-time (JIT) inventory management. The basic element of the JIT philosophy is to carry only enough inventory to meet customers' orders for a short time frame (ideally one day). Wal-Mart has fine-tuned its quick response system so well that it has become one of its major competitive advantages. For example, the elimination of local warehouse storage at branch locations reduced costs enough to pay for the quick response system in about six months.

The security of data has not only escaped the confines of the central IS location within an organization; data are now virtually open to exposure to anyone in the external environment with enough knowledge and criminal intent to intercept or disrupt information traveling over phone lines and networks. The growth in EDI users has expanded the risks to data in transmission. Encryption and virtual private networks (VPNs) became some of the controls used against these risks and exposures.

iv. Artificial Intelligence and Decision Support Systems

Other major innovations in information technology provide additional opportunities for its use by management, sometimes as a competitive edge, in the areas of artificial intelligence (AI), decision support systems (DSS), and group decision support systems (GDSS). Artificial neural systems (ANS) are a special type of AI system. ANS emulate the functioning of the human brain in model building and decision making. Neural nets appear to be well suited to problems of pattern recognition, classification, nonlinear feature detection, and nonlinear forecasting.

One good example of an emerging technology and how it affects IS auditing is executive information systems (EIS). EIS are computerized systems that support top management in strategic decision making. An EIS must be easy to use by relatively unskilled users. Because internal auditing is supposed to review the reliability and integrity of financial and operating information, the emergence of EIS has had an impact on internal auditors. Information systems auditors should define the control risks and internal controls of EIS, as well as of all other information technologies. Internal controls should be "seamless" to preserve the flexibility these systems need. Thus IS auditors can contribute to the development of EIS in a variety of ways, but especially in defining controls, auditability, and security for the systems.

All of these emerging technologies led to constantly changing systems, with new information technologies being implemented frequently. Many times, systems are changed with input from IS auditors regarding audit, control, and security. Management and staff are often so enthralled with the features of the new IT that it can be easy to overlook important control and auditing attributes. But if IS auditors do participate in the systems development, the controls, auditability, and security probably will be adequate. CISA guidelines suggest that a CISA be involved in every systems development life cycle (SDLC) project.

v. Telecommunications

In the mid-1960s, modems and acoustic couplers began to appear. Again, it was the growth of the PC that propelled the use of this technology. The 1980s saw global competition begin to affect many more organizations, driving a need for telecommunications. With this expansion of telecommunications came risks and exposures. One problem that arose with telecommunications was computer crime. For example, vandals (hackers and crackers) began to steal or corrupt data from long distance. With the legal system not ready to handle these types of crimes, many organizations could do nothing even if they caught the criminal. The nature of telecommunications and information technology makes it difficult, if not impossible, to identify computer criminals. Hackers also used viruses to vandalize information systems.

During the last decade, the impact of viruses has grown and is now considered dramatic. [4] Viruses entered the public limelight in the fall of 1987, but the military had been aware of viruses since 1978 (according to Donn Parker, head of information security at SRI International). Modern accounting systems, especially because of the expansion of telecommunications, are vulnerable to the detrimental effects of viruses. Most auditors are convinced that viruses present a real threat to IS security and control that must be addressed by IS auditors. It is estimated that viruses cost companies $12.3 billion in 2001.

vi. Expanded Interfacing/Scope of Accounting Systems

Other advances caused significant changes in existing accounting information systems (AIS). One major change was enterprise resource planning (ERP), in which the AIS is interfaced with all, or most, of the other systems in the organization. For example, in common ERP systems, human resource systems are interfaced with the payroll system, and sales systems are interfaced with the accounts receivable system. In recent years, ERP has been expanded to include customer relationship management (CRM), supply chain management (SCM), and other functions. In addition, data needs have produced software such as online analytical processing (OLAP), data warehousing, data mining, and a host of extraction tools to create value and draw benefits from AIS and operational data captured over time.

vii. The Internet and the World Wide Web

The most dramatic advance has been the proliferation of the Internet and the World Wide Web (WWW). With it have come new security problems, new risks, and new challenges for auditing. Suddenly, data are exposed to the entire world. Organizations want to use the 24/7 access to increase sales, improve customer relations, and achieve other business objectives. The increased risk of fraud and damage is considerable.

The growth of commerce over the Internet has been phenomenal. It has been estimated that between 2002 and 2005, the number of consumers using online account management will more than double, reaching 45% of the U.S. adult population. On the retail side, business-to-consumer (B2C) electronic commerce, or e-commerce, sales grew 92% from 1999 to 2000, to a total of $29 billion. On the wholesale side, business-to-business (B2B) e-commerce transactions increased 17% from 1999 to 2000, to a total of $213 billion. In the service sector, sales increased 48% from 1999 to 2000, to a total of $37 billion. Retail sales for 4Q 2001 were up 13% over 2000 at $10 billion. It is estimated that sales for 2001 were $32.6 billion, an increase of 19% from 2000.

The Internet and WWW have changed commerce worldwide, in both the nature of transactions and the AIS. Electronic commerce makes it possible to compete better on a global scale and to find the best suppliers without regard to geographic location. It also facilitates more efficient and flexible internal operations, closer relationships with suppliers, and improved customer service, with better response to customer needs and expectations. Indeed, e-commerce has become a critical success factor for modern business, strategic needs, and economic development. Firms are changing their organizational and commercial processes to take full advantage of the opportunities that e-commerce offers.

Yet the electronic systems and infrastructure that effective e-commerce requires present significant exposures and risks related to abuse, misuse, and failure. Risks extend to all connected parties: merchants, customers, finance entities, and service providers. Attackers range from hackers on a cyberspace joy ride to crackers who are out to kill, steal, and destroy. The risks also include viruses and malicious agents (e.g., distributed denial of service (DDoS) agents). To a lesser extent, they include things whose effect is to clog bandwidth: urban legends, hoax virus warnings, and chain letters. Those responsible for information security (InfoSec), operational audits, and internal controls have a very difficult task managing the risks associated with the Internet. In general, the most common adverse consequences include the following types of exposures:

• Financial loss as a result of fraud
• Destruction of important financial records
• Compromise of valuable confidential information to an unauthorized party
• Loss of business opportunities through a disruption of service
• Unauthorized use of resources
• Loss of confidentiality or of a customer relationship

Some of these consequences can be minimized through appropriate internal control practices within the organization. For example, to minimize possible losses from disruption of service, contingency planning and physical security measures can be taken. However, the risks cannot always be minimized through traditional security and/or preventive methods.

In addition, security threats have become a ubiquitous problem and an ever-evolving challenge for those responsible for information systems. There is a seemingly endless barrage of attacks from computer criminals intent on destroying systems, data, and information assets. Mailing lists such as those from BugTraq, CERT, and the SANS Institute put out a continuous stream of warnings about emerging risks, from new viruses to vulnerabilities in operating systems and browsers. The costs of these security problems appear to outweigh even those of Internet fraud. The Computer Security Institute and the FBI conducted a study of organizations that had experienced security breaches. Respondents who could put a dollar amount on the cost of a security breach averaged more than $2 million in financial losses.

The rate of growth of the Internet and e-commerce may have slowed, but the scope of this exposure is approaching 100% because it affects both suppliers (hosts/servers) and users (clients). Whether it is web servers (hosts), e-commerce systems, extranets, or just access to the Internet (clients/browsers), firms are exposed to a plethora of possible attacks if they are connected in any way to the Internet. Obviously, firms that operate servers (hosts) face much greater risk. In theory, data can be accessed by anyone.

To respond to these and other critical factors in the implementation strategy for electronic commerce, the role and responsibility of IA is crucial in establishing auditing procedures and IS specifications that will, at least, minimize risks.

viii. Paradoxical Evolution of Information Technology

The effects of emerging technologies have been paradoxical. On one hand, emerging technologies have created systems that are more difficult to audit effectively. On the other hand, auditors have managed to use emerging technologies as audit tools and thus become more effective and efficient. The microcomputer innovation of the early 1980s epitomizes this phenomenon.

An example of the hindrances caused by emerging technologies is distributed data. Emerging technologies, especially the Internet, decentralized the control points. No longer could an auditor go to a single location and audit the major control points of an EDP system, usually a mainframe in a single, glass-enclosed room. This distribution and multiplication of control points complicated the audit process. Coupled with the change in scope was new technology. Not only did the control points move away from a central location and expand in number, but they became different because the technology changed. Thus general controls and application controls were significantly different.

One current, actual example of using emerging technologies is the use of laptops and customized generalized audit software to audit credit unions at long distance over telecommunications links, never interrupting daily operations (Weber, 1994). One developing example is embedded audit modules. For example, an artificial neural system (ANS) could be developed to "sit" in the IS and warn auditors of transactions or events that are "outliers," that is, where fraud or irregularity is suspected. This type of warning system is possible because an ANS can "learn" to recognize errors and possible fraud by being exposed to actual errors and frauds. Such a tool would amount to 100%, real-time, online verification. Today several computer-assisted audit tools (CAATs) already exist that perform 100% verification.
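The embedded audit module sketched above can be demonstrated with plain rules before any neural network is involved. What follows is an added example, not code from the book or from any CAAT product it names: a small continuous-auditing module that screens every transaction in an accounts-payable feed (100% verification rather than sampling) and flags duplicate invoices, amounts parked just under an approval limit (possible split invoices), self-approved items (a separation-of-duties failure), and amounts that are statistical outliers under a median-based robust z-score. The transaction layout, the $5,000 approval limit, the 5% band, the 3.5 cutoff, and the sample feed are all assumptions constructed for illustration.

```python
"""Embedded audit module: rule-based 100% screening of a payment stream.

Added example, not from the book. The transaction layout, approval limit,
band, cutoff, and sample feed below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

APPROVAL_LIMIT = 5000.00   # assumed single-approver limit (not from the book)
SPLIT_BAND = 0.05          # flag amounts within 5% below the limit
MAD_Z_THRESHOLD = 3.5      # conventional cutoff for the modified z-score


@dataclass(frozen=True)
class Txn:
    txn_id: str
    vendor: str
    invoice: str
    amount: float
    requester: str
    approver: str


def flag_duplicates(txns):
    """Same vendor, invoice number, and amount posted more than once."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.vendor, t.invoice, round(t.amount, 2))].append(t.txn_id)
    return {tid for ids in groups.values() if len(ids) > 1 for tid in ids}


def flag_just_below_limit(txns, limit=APPROVAL_LIMIT, band=SPLIT_BAND):
    """Amounts parked just under the approval limit: a classic split-invoice sign."""
    floor = limit * (1 - band)
    return {t.txn_id for t in txns if floor <= t.amount < limit}


def flag_self_approved(txns):
    """Requester and approver are the same person: separation of duties is broken."""
    return {t.txn_id for t in txns if t.requester == t.approver}


def modified_z_scores(values):
    """Robust z-scores based on the median absolute deviation (MAD).

    Unlike a mean/standard-deviation z-score, the MAD is not dragged toward
    the very outlier it is meant to expose.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_amount_outliers(txns, threshold=MAD_Z_THRESHOLD):
    """Amounts far outside the rest of the population."""
    if not txns:
        return set()
    scores = modified_z_scores([t.amount for t in txns])
    return {t.txn_id for t, z in zip(txns, scores) if abs(z) > threshold}


def audit(txns):
    """Run every rule over every transaction; return {txn_id: sorted flag names}."""
    rules = {
        "duplicate-invoice": flag_duplicates,
        "just-below-limit": flag_just_below_limit,
        "self-approved": flag_self_approved,
        "amount-outlier": flag_amount_outliers,
    }
    findings = defaultdict(list)
    for name, rule in rules.items():
        for tid in rule(txns):
            findings[tid].append(name)
    return {tid: sorted(flags) for tid, flags in sorted(findings.items())}


# Constructed sample feed (not real data).
SAMPLE = [
    Txn("T01", "ACME", "1001", 1200.00, "alice", "bob"),
    Txn("T02", "ACME", "1002", 980.00, "alice", "bob"),
    Txn("T03", "ACME", "1001", 1200.00, "alice", "bob"),    # repeat of T01
    Txn("T04", "BOLT", "7781", 4950.00, "carol", "bob"),    # just under limit
    Txn("T05", "BOLT", "7782", 4990.00, "carol", "carol"),  # under limit, self-approved
    Txn("T06", "CORE", "55", 2300.00, "dave", "erin"),
    Txn("T07", "CORE", "56", 1150.00, "dave", "erin"),
    Txn("T08", "DELTA", "9", 87500.00, "frank", "erin"),    # far outside the population
    Txn("T09", "ACME", "1003", 1325.00, "alice", "bob"),
    Txn("T10", "CORE", "57", 2090.00, "dave", "erin"),
    Txn("T11", "BOLT", "7790", 3400.00, "carol", "bob"),
    Txn("T12", "DELTA", "10", 4100.00, "frank", "erin"),
]

if __name__ == "__main__":
    for tid, flags in audit(SAMPLE).items():
        print(tid, ", ".join(flags))
```

In production the rules would run against the live feed (or a nightly extract) and write findings to a log the auditor owns, not one the application administrators control; the point of the example is that every record is examined, so a suspicious item cannot escape by falling outside a sample.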

Despite the existence of IDEA, ACL, Panaudit Plus, and other micro-based CAATs, these tools are apparently greatly underutilized at present. This situation is attributed to serious cost constraints within audits and the expertise needed to use them effectively, combined with a misconception that CAATs are cost effective only for large audits.

One thing the future holds for certain is more rapid change in information technology. One source says:

The task will require ingenuity, special training, and, of course, experience to be efficiently accomplished. Unlike the auditors of the early 1900s, today's auditor is faced with a dynamic situation in which time is of the essence. The increased volume of data being handled, the speed with which these data are processed and the centralization of accounting functions have by no means reached their zenith, nor will the pace in technology diminish. The modern-day auditor must not only meet the challenge quickly, but parallel its future growth. To do otherwise will render the role he plays ineffective, if not futile.

Sound familiar? This statement was written decades ago (USAF, 1966)! The challenge is to use the lessons of the past to solve the problems of the present and future.

[4] See Journal of Corporate Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29–39, for more on viruses: "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton.

1.6 History of Federal Regulations Related to Auditing

A review of relevant federal regulations follows to give the IA department and its members a general understanding of these laws. Each regulation has had an impact on audits.

a. Income Tax Law (Sixteenth Amendment): 1913

One of the first major measures was the Sixteenth Amendment, ratified in 1913, which legalized a federal income tax; the revenue legislation enacted under it had a direct impact on internal auditing. One provision required all companies to maintain adequate accounting records. Thus even small firms that did not need accounting for management or financing purposes suddenly had to maintain accounting records for income tax purposes. This change meant a need for more accountants and internal auditors, who had to review travel and business expenses for income tax returns and who would respond if the Internal Revenue Service solicited audit reports during its examinations.


b. Securities and Exchange Commission Acts: 1933, 1934

The main impact of the Securities Act of 1933 and the Securities Exchange Act of 1934 was on public accounting. In fact, some have referred to this legislation as the "full employment acts for external auditors." The acts made accountants liable to purchasers of securities whose registration statement contained material misstatements in the portions for which the CPA is responsible. The registration statement had to include audited financial statements. Essentially, plaintiffs need only establish that they suffered investment losses and that the relevant financial statements contain material errors or omissions. If a plaintiff establishes those elements of proof, the defendant auditor assumes the burden of proving that its employees used "due diligence" in performing the audit. This provision was a result of the Ivar Kreuger scandal mentioned previously.

The Supreme Court has made it clear that, under Section 10(b) of the 1934 act and Rule 10b-5, the plaintiff must prove more than mere negligence to impose liability on the CPA. Plaintiffs must prove scienter [5] ("a mental state embracing intent to deceive, manipulate, or defraud"). Most criminal cases brought against CPAs involve this section.

Perhaps the most significant fact about the SEC acts is the legal authority they give the SEC for setting accounting standards. The SEC has in effect delegated that authority to the Financial Accounting Standards Board (FASB). Because of its membership makeup and the influence the AICPA tends to have in the rule-making process, the SEC has basically delegated rule making to the accounting profession, allowing it generally to monitor and police itself. The SEC does issue Staff Accounting Bulletins that are authoritative for publicly traded companies.

For IA, the SEC acts provide the impetus for financial accounting responsibilities in publicly traded companies. The acts also require all corporations that report to the SEC to maintain a system of internal control that is evaluated as part of the annual external audit. Responsibility for this system of internal control generally falls on the IA function.

c. Foreign Corrupt Practices Act: 1977

Although the primary purpose of the Foreign Corrupt Practices Act (FCPA) of 1977 was supposedly to eliminate payments by U.S. corporations to foreign officials, its secondary purpose, enhanced internal controls, is more important to internal auditors. Organizations were required to have internal controls sufficient that any illegal payments would be uncovered by the accounting system or internal controls. Thus, if a corporation was guilty of making an illegal payment, management could not (supposedly) escape conviction by claiming lack of knowledge. If a corporation tried that approach, it would be admitting to a system of internal controls that could not uncover illegal payments; that is, the organization would be out of compliance with a federal law.

FCPA required two things that affect auditing and IA:

1. SEC registrants must establish and maintain adequate books, records, and accounts.
2. SEC registrants must maintain an internal control system that provides reasonable assurance the organization's objectives are being met:
   a. Transactions are executed in accordance with management's general or specific authorization.
   b. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP) and to maintain accountability.
   c. Access to assets is permitted only in accordance with management authorization.
   d. Recorded assets are compared with existing assets at reasonable intervals.
   e. Internal controls are capable of detecting illegal foreign payments.


Penalties for violations include fines (up to $2 million), imprisonment (up to five years), and, in some cases,both. [6]

d. Copyright Laws: 1976 et al.

Also affecting internal auditing is the series of copyright laws beginning in 1976, relating to intellectual property. The acts have the following implications for IA:

• U.S. intellectual property is protected.
• The acts have been amended numerous times.
• Management is legally responsible for violations by the organization, even if executives did not know of any illegal activities.
• The U.S. government has continually sought international agreement on terms for protection of intellectual property globally, but without complete success (especially in areas of the Far East and Middle East).

e. Sarbanes-Oxley Act: 2002

The Sarbanes-Oxley Act, passed by the U.S. Congress in the summer of 2002, will have a dramatic effect on both external and internal auditing. Section 301 (Public Company Audit Committee) requires an audit committee for listed companies and describes the functions and oversight the audit committee should have over the audit processes. The new law requires the committee to have a great deal of interaction with the major facets of audit, including IA auditors. It also requires members of the committee to be independent. Section 302 (Corporate Responsibility for Financial Reports) calls for certification of financial reports submitted to the SEC by the principal executive officer and principal financial officer. Section 406 (Code of Ethics for Senior Financial Officers) requires a code of ethics for certain executive officers and requires disclosure when no such code exists. Section 407 (Disclosure of Audit Committee Financial Expert) adds a further requirement for the audit committee: disclosure of whether at least one member is a financial expert, and if not, why not.

But it is Section 404 (Management Assessment of Internal Controls) that will have the greatest impact on internal auditing. This section requires management's annual report to include an assessment of the company's internal controls over financial reporting and their effectiveness. Internal audit is clearly in the optimum position to deliver this required service, and the law is therefore good news for the IA profession. Fulfilling this regulation is an excellent motivation to have an in-house IA department. The scope of this section was amplified by the NYSE when it required, for the first time, an internal audit function for all NYSE-listed companies (Section 303A.7(c)). (See also Sections 3.4(e) and 9.2 for more on the Sarbanes-Oxley Act.)

[5] Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago), 1976.

[6] See the full text of the FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.

1.7 Professional Organizations Related to Internal Auditing

Several organizations furnish professional services, certification, and continuing education related to IA. The following table lists the major ones; a summary of each organization, derived mostly from information at its web site, follows.

Organization                                                  Certification            Web Site
Institute of Internal Auditors (IIA)                          CIA, CGAP, CFSA, CCSA    www.theiia.org
Information Systems Audit and Control Association (ISACA)     CISA                     www.isaca.org
American Institute of Certified Public Accountants (AICPA)    CPA, CITP                www.aicpa.org
American Accounting Association (AAA)                         n.a.                     www.aaa-edu.org
Financial Executives International (FEI)                      n.a.                     www.fei.org
Association of Government Accountants (AGA)                   CGFM                     www.agacgfm.org
Association of Certified Fraud Examiners (ACFE)               CFE                      www.cfenet.com

a. Institute of Internal Auditors

The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701-4201
Phone: (407) 830-7600
Fax: (407) 831-5171
E-mail: [email protected]
Web: www.theiia.org

The IIA focuses on the internal audit function. Its certification is the Certified Internal Auditor (CIA).

Established in 1941, the IIA serves more than 75,000 members in internal auditing, governance and internal control, IT audit, education, and security from more than 100 countries. The world's leader in certification, education, research, and technological guidance for the profession, the IIA serves as the profession's watchdog and resource on significant internal auditing issues around the globe.

Presenting conferences and seminars for professional development, producing leading-edge educational products, certifying qualified auditing professionals, providing quality assurance reviews and benchmarking, and conducting research projects through the IIA Research Foundation are just a few of the Institute's many activities.

The IIA also provides internal audit practitioners, executive management, boards of directors, and audit committees with standards, guidance, and information on best practices in internal auditing. It is a dynamic international organization that meets the needs of a worldwide body of internal auditors. The history of internal auditing has been synonymous with that of the IIA and its motto, "Progress Through Sharing."

In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards, the first major revision to the "Red Book" (the Standards for the Professional Practice of Internal Auditing, SPPIA) since it was introduced a quarter century earlier.

b. Information Systems Audit and Control Association

Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
Phone: (847) 253-1545
Fax: (847) 253-1443
Web: www.isaca.org

The Electronic Data Processing Auditors Association (EDPAA) was formed in 1969 and later changed its name to the Information Systems Audit and Control Association (ISACA). It is dedicated to the profession of IS auditing. Its certification is the CISA (Certified Information Systems Auditor).

With more than 26,000 members in over 100 countries, ISACA is a recognized global leader in IT governance, control, and assurance. The organization sponsors international conferences, administers the globally respected CISA designation, earned by more than 27,000 professionals worldwide, and develops globally applicable information systems auditing and control standards. An affiliated foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, offers symposia, original research, presentations at both ISACA and non-ISACA conferences, and electronic resources to assist enterprise leaders in their responsibility to make IT successful in supporting the enterprise's mission and goals.

ISACA's vision is to be the recognized global leader in IT governance, control, and assurance.

ISACA's mission is to support enterprise objectives through the development, provision, and promotion of research, standards, competencies, and practices for the effective governance, control, and assurance of information, systems, and technology.

ISACA members in more than 160 chapters throughout more than 100 countries around the world unite through:

• One set of standards used as guidance for IS audit and control activities worldwide
• A respected certification program that is recognized internationally in the IS audit, control, and security fields
• A professional development program on critical managerial and technical topics
• Award-winning technical publications providing the latest research, case studies, and how-to information
• A code of professional ethics to guide members' professional activities and conduct

c. American Institute of Certified Public Accountants

American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
Phone: (212) 596-6200
Fax: (212) 596-6213
Web: www.aicpa.org

The AICPA is the professional organization that represents external auditors. The AICPA oversees the Certified Public Accountant (CPA) designation, which is actually administered and awarded by the individual states (the examination is common to all states).

It has a strict code of ethics that it enforces. Internal auditors must be familiar with Generally Accepted Accounting Principles (GAAP) and other financial reporting criteria in order to perform their duties effectively.

The AICPA and its predecessors have a history dating back to 1887, when the American Association of Public Accountants was formed. In 1916, the American Association was succeeded by the Institute of Public Accountants, whose membership numbered 1,150. The name was changed to the American Institute of Accountants in 1917 and remained so until 1957, when the name was again changed to the American Institute of Certified Public Accountants. Separately, the American Society of Certified Public Accountants was formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936 and, at that time, the Institute agreed to restrict its future members to CPAs.

d. American Accounting Association

American Accounting Association
5717 Bessie Drive
Sarasota, FL 34233-2399
Phone: (941) 921-7747
Fax: (941) 923-4093
E-mail: [email protected]
Web: www.aaa-edu.org

The American Accounting Association is dedicated to accounting education, with most of its membership made up of accounting academics; in fact, practitioners make up a declining share of its membership over time. There is no separate certification associated with the AAA.

The AAA promotes worldwide excellence in accounting education, research, and practice. Founded in 1916 as the American Association of University Instructors in Accounting, it adopted its present name in 1936.

The AAA provides a wealth of resources for IA in doing research and in communicating education needs back to the classroom. Interaction between IA and the AAA should lead to a synergistic relationship.

e. Financial Executives International

Financial Executives International
10 Madison Avenue
P.O. Box 1938
Morristown, NJ 07962-1938
Phone: (973) 898-4600
Fax: (973) 898-4649
Web: www.fei.org

FEI represents the financial profession and community. It has no separate certification.

FEI was founded in 1931. Over time the role of the financial executive expanded, and the organization adopted its broader name, Financial Executives Institute, in 1962. On November 6, 2000, the Financial Executives Institute became what is now Financial Executives International.

FEI is the preeminent professional association for senior financial executives, representing 15,000 individuals. Membership driven, FEI provides peer networking opportunities, emerging-issues alerts, personal and professional development, and advocacy services to chief financial officers, controllers, treasurers, tax executives, and finance and accounting professors in academia. FEI does this principally through its strong Internet community, its 85 chapters, and its 9 technical committees. Membership is limited to individuals holding senior management positions, but the organization allows many other finance professionals to join if they meet certain criteria. Other typical titles held by FEI members include assistant controller, subsidiary CFO or controller, assistant treasurer, and director of tax. FEI also has a special rate and status for academics.

As the global economy developed, FEI was the driving force in forming the International Association of Financial Executives Institutes in 1969. FEI proactively helped design the CFO Act and has a history of supporting legislation that enhances the business climate. Its largest chapters are in Boston, Santa Clara Valley, New York, and Chicago. In total, FEI has 85 chapters across the United States and Canada. FEI Canada was established in 1973 to serve the needs of its Canadian members and consists of 11 chapters.


Vision:

FEI will continue to be the association for the corporate finance profession.

f. Association of Government Accountants

Association of Government Accountants
2208 Mount Vernon Avenue
Alexandria, VA 22301
Phone: (703) 684-6931; (800) AGA-7211
Fax: (703) 548-9367
Web: www.agacgfm.org

The Association of Government Accountants specializes in public financial management. AGA sponsors the CGFM (Certified Government Financial Manager) certification.

Since 1950, AGA has been instrumental in developing accounting and auditing standards and in generating new concepts for the effective organization and administration of financial management functions, including the passage of the Inspector General Act of 1978 and the Chief Financial Officer's Act of 1990. AGA conducts independent research and analysis of all aspects of government financial management. These studies have led AGA to be recognized as a leading advocate for improving the quality and effectiveness of government fiscal administration.

Since its inception in 1994, the CGFM has become the standard by which government financial management professionals are measured. Its education, experience, and ethics requirements have served to elevate the most seasoned financial professionals. More than 13,000 individuals have received the designation so far.

g. Association of Certified Fraud Examiners

Association of Certified Fraud Examiners
The Gregor Building
716 West Avenue
Austin, Texas 78701
Phone: (512) 478-9070; (800) 245-3321 (USA & Canada only)
Fax: (512) 478-9297
Web: www.cfenet.com

The Association of Certified Fraud Examiners (ACFE) specializes in anti-fraud activities and white-collar crime detection, and sponsors the CFE (Certified Fraud Examiner) certification.

ACFE, established in 1988, is based in Austin, Texas. The 26,000-member professional organization is dedicated to educating qualified individuals (Certified Fraud Examiners), who are trained in the highly specialized aspects of detecting, investigating, and deterring fraud and white-collar crime. Each member of the association designated a Certified Fraud Examiner has earned certification after an extensive application process and upon passing the uniform CFE examination.

Certified Fraud Examiners come from various professions, including auditors, accountants, fraud investigators, loss prevention specialists, attorneys, educators, and criminologists. CFEs gather evidence, take statements, write reports, and assist in investigating fraud in its varied forms. CFEs are employed by most major corporations and government agencies, and others provide consulting and investigative services.

The association sponsors approximately 100 local chapters worldwide. CFEs in more than 100 countries on four continents have investigated more than 1 million suspected cases of civil and criminal fraud.

Endnotes

1. Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.

2. Interestingly enough, a similar law was passed during the Civil War but was later ruled to be unconstitutional by the U.S. Supreme Court.

3. Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.

4. See Journal of Corporate Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29–39, for more on viruses: "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton.

5. Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago), 1976.

6. See full text of FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.


Chapter 2: Auditing Standards and Responsibilities

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 2.1 REV NO: DATE:

TITLE: Introduction PAGES:

2.1 Introduction

The internal audit function is guided by auditing standards, guidelines, principles, and the responsibilities for auditors both individually and professionally. Individually, internal auditors have an ethical responsibility to perform their duties with integrity. Professionally, there are standards that must be considered.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 2.2 REV NO: DATE:

TITLE: Ethics PAGES:

2.2 Ethics

Every company should have its own ethics officer, who answers to the chief executive officer (CEO) or, better yet, the chairman of the board. Companies should consider ethics training and an ethics system for reporting suspicious activities or events (e.g., a toll-free phone line that goes to a special group responsible for corporate ethics). Companies may even hire ethics consultants when necessary (e.g., for developing international ethics).

Managers and business professionals alike should use ethical principles to evaluate their activities, behaviors, and decisions. One area of concern for organizations today is the potential harm or risks from the use of information technologies. Because the work of auditors is inexorably melded with technology, ethics related to information technology (IT) should at least be considered while conducting reviews and audits. Ethical principles for responsible use of IT include:

• Proportionality. The good achieved by technology must outweigh any harm or risk in its use.
• Informed Consent. Those affected by the technology should understand and accept the risks associated with that use.
• Justice. The benefits and burdens of the technology should be distributed fairly.
• Minimized Risk. To the extent that any risk is judged acceptable by the preceding three guidelines, technology should be implemented to eliminate all unnecessary risk.

The Association of Information Technology Professionals (AITP) provides the following guidelines for becoming a responsible end user [1]:


• Act with integrity, avoid conflicts of interest, and ensure your employer is aware of any potential conflicts.
• Protect the privacy and confidentiality of any information you are entrusted with.
• Do not misrepresent or withhold information that is germane to a situation.
• Do not attempt to use the resources of an employer for personal gain or for any purpose without proper approval.
• Do not exploit the weakness of a computer system for personal gain or personal satisfaction.
• Set high standards for your work. Accept responsibility for your work.
• Advance the health, privacy, and general welfare of the public.

The above ethics principles can be used to govern ethical conduct by managers and users. However, more specific standards of conduct are needed to govern ethical use of information technology. One of the hallmarks of any profession is having and following a basic set of ethical standards. For auditors, it matters how "doing what is right" is defined and by whom. Exactly what constitutes the ethical standards for internal auditing as a profession? A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed on its objective assurance about risk management, control, and governance.

a. Institute of Internal Auditors (IIA) [2]

The Institute of Internal Auditors has a Code of Ethics that applies to its members and Certified Internal Auditors (CIA). It extends beyond the definition of internal auditing to include two essential components:

1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors.

i. Purpose

The purpose of this Code is to promote an ethical culture in the profession of internal auditing.

ii. Applicability

This Code of Ethics applies to both individuals and entities that provide internal auditing services. For the IIA, "internal auditors" refers to IIA members, recipients of IIA professional certification (CIA, CGAP, CCSA, and CFSA), and candidates for those certifications. For internal auditors, breaches of the Code will be evaluated, and enforcement administered, according to the IIA's bylaws and administrative guidelines.

iii. Principles of the IIA Code of Ethics

Internal auditors are expected to apply and uphold these principles:

Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority, unless there is a legal or professional obligation to do so.

Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.


iv. Rules of Conduct

The rules of conduct include:

Integrity. Internal auditors (a) shall perform their work with honesty, diligence, and responsibility, (b) shall observe the law and make disclosures expected by the law and the profession, (c) shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or the organization, and (d) shall respect and contribute to the legitimate and ethical objectives of the organization.

Objectivity. Internal auditors (a) shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment; this participation includes those activities or relationships that may be in conflict with the interests of the organization, (b) shall not accept anything that may impair or be presumed to impair their professional judgment, and (c) shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Confidentiality. Internal auditors (a) shall be prudent in the use and protection of information acquired in the course of their duties, and (b) shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

Competency. Internal auditors (a) shall engage only in those services for which they have the necessary knowledge, skills, and experience, (b) shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing, and (c) shall continually improve their proficiency and the effectiveness and quality of their services.

b. Information Systems Audit and Control Association (ISACA) [3]

The Information Systems Audit and Control Association (ISACA) also has a Code of Professional Ethics.

i. Purpose

The purpose of the ISACA Code is to guide the professional and personal conduct of members of the association and/or holders of the professional certifications from ISACA.

ii. Applicability

The Code applies to members of ISACA and/or holders of the Certified Information Systems Auditor (CISA) and/or the Certified Information Security Manager (CISM) certifications. Failure to comply with the Code can result in an investigation into one's conduct and, ultimately, in disciplinary measures.

iii. Rules of Conduct

This Code says members and CISAs [4] shall:

• Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
• Serve in the interest of relevant parties in a diligent, loyal, and honest manner, and shall not knowingly be a party to any illegal or improper activities.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.
• Maintain competency in their respective fields of auditing and information systems control.
• Agree to undertake only those activities that they can reasonably expect to complete with professional competence.
• Perform their duties with due professional care.
• Inform the appropriate parties of the results of information systems audits and/or control work performed, revealing all material facts known to them, which if not revealed could either distort reports of operations or conceal unlawful practices.
• Support the education of clients, colleagues, the general public, management, and boards of directors in enhancing their understanding of information systems auditing and control.
• Maintain high standards of conduct and character and not engage in acts discreditable to the profession.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 2.3 REV NO: DATE:

TITLE: Professional Auditing Standards PAGES:

[1] According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.

[2] The majority of this section comes from the IIA's Code of Ethics web page at www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on June 17, 2000.

[3] The majority of this section comes from the ISACA's Code of Professional Ethics web page at www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any changes. The document used in this manual was adopted by ISACA on July 1, 2001. It also is under review at the time this chapter was written for changes related to the CISM certification.

[4] At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new certification—CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes effective since this writing.

2.3 Professional Auditing Standards

Like ethics, standards exist from authoritative sources that impose certain requirements and/or structures on the tasks and duties of the internal auditor. These standards come from professional accounting organizations and proven systems theory. There is a great deal of overlap among accounting organizations regarding auditing standards; for example, independence, planning, and competence.

a. Institute of Internal Auditors

The IIA's authoritative standards document that is applicable to IA is known as the Standards for the Professional Practice of Internal Auditing (SPPIA). The purpose of SPPIA is to:

• Delineate basic principles that represent the practice of internal auditing as it should be
• Provide a framework for performing and promoting a broad range of value-added internal audit activities
• Establish the basis for the measurement of internal audit performance
• Foster improved organizational processes and operations

In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards in the first major revision of the so-called "Red Book" since it was introduced a quarter century earlier. The mandatory implementation date for these Standards was January 1, 2002. The Standards consist of Attribute Standards (the 1000 series), Performance Standards (the 2000 series), and Implementation Standards (nnnn.Xn). While there is one set of each of the two former standards, the latter may be multiple sets—a set for each of the major types of internal audit activity. Implementation Standards related to assurance include an "A" in the number (e.g., 1130.A1), and standards related to consulting include a "C" in the number (e.g., 1130.C1).

The following is a brief summary of the main categories of the Attribute Standards and Performance Standards from the most recent version of the SPPIA:

Attribute Standards

• 1000—Purpose, Authority, and Responsibility
  The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
• 1100—Independence and Objectivity
  The internal audit activity should be independent, and internal auditors should be objective in performing their work.
• 1200—Proficiency and Due Professional Care
  Engagements should be performed with proficiency and due professional care.
• 1300—Quality Assurance and Improvement Program
  The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitor its effectiveness. The program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

Performance Standards

• 2000—Managing the Internal Audit Activity
  The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.
• 2100—Nature of Work
  The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.
• 2200—Engagement Planning
  Internal auditors should develop and record a plan for each engagement.
• 2300—Performing the Engagement
  Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
• 2400—Communicating Results
  Internal auditors should communicate the engagement results promptly.
• 2500—Monitoring Progress
  The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
• 2600—Management's Acceptance of Risks
  When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

b. Information Systems Audit and Control Association [5]

The concept of a professional association of computer auditors originated in Los Angeles, California, in the late 1960s with a small group of auditors who were working in the area of computerized systems. The entity was named the Electronic Data Processing Auditors Association, and the name changed later to Information Systems Audit and Control Association (see Section 1.5(f) for a detailed history of EDPAA/ISACA).

Computer-based systems are pervasive tools used by management in almost all organizations. Such systems affect control over many of the assets—including the very valuable corporate data—and operations of an organization. Development and support of such systems may require a significant portion of an organization's total resources. When these conditions exist, the auditor's mission may include auditing the development, maintenance, and operation of the systems. The work of auditors, both internal and external, is governed by standards developed by a number of professional organizations, each of which seeks to assure the quality of auditing work being performed.

The Information Systems Audit and Control Foundation (ISACF) has determined that the specialized nature of information systems (IS) auditing work, and the skills necessary to perform such audits, require the development and promulgation of auditing standards that apply specifically to IS auditing.

For the purposes of these standards, IS auditing is defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them. IS auditors review and evaluate the development, maintenance, and operation of components of automated systems (or such systems as a whole) and their interfaces with the non-automated areas of the organization's operations. The objectives of such auditing generally are to assess the extent to which such systems or components produce reliable and accurate information and to determine if such information is in conformity with management's requirements and any applicable statutory provisions.

ISACF has developed its Standards in order to inform (1) IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics, and (2) management and other interested parties of the profession's expectations concerning the work of practitioners. The framework for the IS Standards, Guidelines, and Procedures for IS Auditing (Standards) provides multiple levels of guidance. First, Standards define mandatory requirements for IS auditing and reporting. Second, Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the Standards, use professional judgment in their application, and be prepared to justify any departure. Last, Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures, or test, IS auditors should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The Standards, and their concomitant number, are divided into three areas: Standard Category, the Standard, and Guideline (see Exhibit 2.1). There are eight Standard Categories and 12 overall IS Auditing Standards. IS Auditing Standards are brief mandatory requirements for CISA holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those Standards in most situations. There will be times, however, when the auditor will not follow that guidance. In such a case, it will be the auditor's responsibility to justify the way in which the work is done. The Procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed. For ISACA, these Standards are effective for all information systems audits with periods of coverage beginning July 25, 1997.

Exhibit 2.1: ISACA Auditing Standards Guidelines [6]

Standard Category                        Standard                                     Guideline
010—Audit Charter                        .010—Responsibility, Authority, and          .010—Audit Charter
                                           Accountability                             .020—Outsourcing
020—Independence                         .010—Professional Independence               .010—Nonaudit Role Impact
                                         .020—Organizational Relationship
030—Professional Ethics and Standards    .010—Code of Professional Ethics             .010—Irregularities and Illegal Acts
                                         .020—Due Professional Care                   .010—Audit Considerations for Irregularities
                                                                                      .020—Due Professional Care
040—Competence                           .010—Skills and Knowledge
                                         .020—Continuing Professional Education
050—Planning                             .010—Audit Planning                          .010—Materiality
                                                                                      .020—Planning
                                                                                      .030—Risk Assessment
                                                                                      .040—Effect of Third Parties
060—Performance of Audit Work            .010—Supervision                             .010—Audit Documentation
                                         .020—Evidence                                .020—Application Systems Review
                                                                                      .030—Audit Evidence
                                                                                      .040—Audit Sampling
                                                                                      .050—IT Governance
                                                                                      .060—Pervasive IS Controls
                                                                                      .070—Use of CAATS
                                                                                      .080—Use of EXPERTS
                                                                                      .NNN—etc.
070—Reporting                            .010—Report Content and Form                 .010—Reporting
080—Follow-Up Activities                 .010—Follow-Up

Source: ISACA, from web site www.isaca.org/stand1.htm. Reprinted with permission.


The eight categories and a brief summary description of each follow:

• 010—Audit Charter
  The responsibility, authority, and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
• 020—Independence
  In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance. The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.
• 030—Professional Ethics and Standards
  The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.
• 040—Competence
  The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work. The information systems auditor is to maintain technical competence through appropriate continuing professional education.
• 050—Planning
  The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.
• 060—Performance of Audit Work
  Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met. During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
• 070—Reporting
  The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients, and any restrictions on circulation. Audit findings, conclusions, and recommendations and any reservations or qualifications that the auditor has with respect to the audit are to be stated in the report.
• 080—Follow-Up Activities
  The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions, and recommendations to determine whether appropriate actions have been implemented in a timely manner.

The first three digits in a document number represent one of the eight standards categories. IS Auditing Standards begin with "0" and Standards for IS Control Professionals begin with "5." The standard's number is the second three digits in the document number (12 standards to date). The third set of three digits in a document number is the number of the guideline. Procedures are listed separately and numbered consecutively by issue date. For example, document 050.010.030 is a guideline (see Exhibit 2.1). It provides guidance in the fifth standard category (050), Planning. The guidance applies to the first standard in that category (010), Audit Planning. It is the third guideline listed under Audit Planning (030). Procedures are numbered consecutively as they are issued, beginning with "1." Refer to the latest index of IS auditing standards, guidelines, and procedures for a complete listing of those documents available online from ISACA's web site.
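The numbering scheme above is a small fixed-width format, and an audit team that keeps its own index of referenced standards benefits from checking entries mechanically rather than by eye. The following is an added example, not code from the book or from ISACA: it parses a document number into its category, standard and guideline parts, rejects malformed or unknown category codes, and reports the level (category, standard or guideline) a number refers to. The eight category names come from Exhibit 2.1; the sample index entries are constructed for the demonstration, and the handling of "5"-prefixed categories (Standards for IS Control Professionals, whose categories the chapter does not list) is an assumption that they are accepted but left unnamed.

```python
"""Parse and validate ISACA-style IS auditing document numbers (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The eight Standard Categories from Exhibit 2.1 (IS Auditing Standards, leading "0").
AUDITING_CATEGORIES = {
    "010": "Audit Charter",
    "020": "Independence",
    "030": "Professional Ethics and Standards",
    "040": "Competence",
    "050": "Planning",
    "060": "Performance of Audit Work",
    "070": "Reporting",
    "080": "Follow-Up Activities",
}

# Three digits, optionally followed by ".ddd" (standard) and ".ddd" (guideline).
_DOC_RE = re.compile(r"^(\d{3})(?:\.(\d{3}))?(?:\.(\d{3}))?$")


@dataclass(frozen=True)
class DocumentNumber:
    category: str
    standard: Optional[str]
    guideline: Optional[str]

    @property
    def level(self) -> str:
        """Which kind of document the number designates."""
        if self.guideline is not None:
            return "guideline"
        if self.standard is not None:
            return "standard"
        return "category"

    @property
    def family(self) -> str:
        """Leading digit distinguishes the two families described in the chapter."""
        return "IS Auditing Standards" if self.category[0] == "0" else "Standards for IS Control Professionals"


def parse_document_number(text: str) -> DocumentNumber:
    """Split a document number into its parts, raising ValueError on bad input."""
    match = _DOC_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed document number: {text!r}")
    category, standard, guideline = match.groups()
    if category[0] not in "05":
        raise ValueError(f"unknown standards family for category {category}")
    # Assumption: only the "0" family is validated against the listed categories.
    if category[0] == "0" and category not in AUDITING_CATEGORIES:
        raise ValueError(f"unlisted IS Auditing category: {category}")
    return DocumentNumber(category, standard, guideline)


def describe(text: str) -> str:
    """Human-readable reading of a number, following the chapter's 050.010.030 walk-through."""
    doc = parse_document_number(text)
    name = AUDITING_CATEGORIES.get(doc.category, "unlisted category")
    if doc.level == "guideline":
        return f"guideline {doc.guideline} under standard {doc.standard} in category {doc.category} ({name})"
    if doc.level == "standard":
        return f"standard {doc.standard} in category {doc.category} ({name})"
    return f"category {doc.category} ({name})"


def audit_index(entries: List[str]) -> Tuple[List[DocumentNumber], List[Tuple[str, str]]]:
    """Validate a list of index entries; return (accepted, rejected-with-reason)."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(parse_document_number(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


# Constructed sample index: four well-formed entries, one unlisted category, one malformed.
SAMPLE_INDEX = ["010.010.020", "060.020.020", "050.010.030", "090.010", "50.010", "040.020"]

if __name__ == "__main__":
    ok, bad = audit_index(SAMPLE_INDEX)
    for doc in ok:
        print(doc.family, "-", describe(f"{doc.category}.{doc.standard or ''}.{doc.guideline or ''}".strip(".")))
    for entry, reason in bad:
        print("REJECTED", entry, "-", reason)
```

Running the script reads each accepted entry back in the same words the chapter uses for 050.010.030 and lists the two rejected entries with the reason, which is the check a reviewer would want before citing a standard number in a workpaper.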

c. American Institute of Certified Public Accountants

The AICPA has long-established Generally Accepted Auditing Standards (GAAS) that are related to internal auditing—it is at least tangential when external auditors come to the IA's firm to conduct financial audits. The basic Standards fall into three categories: General Standards, Standards of Field Work, and Reporting Standards. The first two groups are similar to many of the standards from the IIA and ISACA. The AICPA also issues Statements of Auditing Standards from time to time.

General Standards

1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work

1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards

1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles (GAAP).
2. The report must identify those circumstances in which GAAP were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 2.4 REV NO: DATE:

TITLE: Systems Development Life Cycle Standards PAGES:

[5] Much of this section was taken from ISACA's web page on Standards located at www.isaca.org/stand1.htm.

[6] The list illustrates the Standards for Information Systems Auditing issued by ISACA, and is not comprehensive. For the complete list, see www.isaca.org/stand1.htm.

2.4 Systems Development Life Cycle Standards

While the standards from the IIA, ISACA, and AICPA are obviously relevant to the IA function, it is also true that proven systems development life cycle (SDLC) standards are relevant. For instance, the ISACA standard 060.020.020 (IS Auditing Guideline: Applications Systems Review) states in section 2.1.1 "Planning Considerations" in part:

The IS auditor should gain an understanding of ... the risks and exposures associated with the organization's objectives and its information systems.

Further, section 2.1.3 states in part:

Application level risks at the system and data level include such things as: system integrity risks relating to the incomplete, inaccurate, untimely, or unauthorized processing of data, and system maintainability risks relating to the inability to update the system when required in a manner that continues to provide for system availability, security, and integrity.

Chapter 2: Auditing Standards and Responsibilities 9

All of the above portions of the Standards are directly related to the proper use of SDLC techniques. For example, if system updates are done online (LAN or Internet) rather than taken offline, updated, tested, then restored to live access, risks are greater according to SDLC standards. Many a system has been updated online only to cause extra costs or other loss due to the extra or unnecessary problems this process created. The same is true for the phrase from section 2.1.3 "integrity risks relating to incomplete . . . ." By not following SDLC procedures in systems changes or purchases, the result can be these very risks.

The SDLC procedures for new systems include these steps: identify the process, understand what needs to be done, consider alternative solutions, select the best solution, test the solution, activate or implement the solution, and maintain the solution.

Another key SDLC standard is the use of a cross-functional team in developing any major system, whether new or a major change. The team should include: systems professionals (analysts, programmers, etc.), end users, management, and auditors or accountants (limited to design functions, focusing on application controls). Another effective technique is to include different levels of the organization within the different functions. That is, consider using a manager from IS, a mid-level person, and someone from the operational level of IS. The same would be true for users/operations, and audit/accounting (see Exhibit 2.2 for a matrix view of this technique). Part of the responsibility of this team or steering committee is to ensure an appropriate linkage between the project and the strategic objectives of the firm.

Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix

Departments =>            IA     IS     Dept. 1   Dept. 2
Executive Management      1      1      1         1
Middle Management         1      1      1         1
Operations Personnel      1      1      1         1

The SDLC has two prerequisite documents and steps: a preliminary feasibility study and project authorization. The specific phases of the SDLC cycle are described in the following, and pictured in Exhibit 2.3—which includes a list of the documents or reports that are involved with the phases:

• Phase 1—Systems Planning. Systems planning has proven to be cost effective, although it is tempting for the IS technicians to skip—usually due to time pressures. It includes both the strategic systems planning (long-term planning) and project planning (short-term planning). A dynamic strategic systems plan is certainly better than no plan at all. Project planning includes identifying users' needs, preparing proposals, evaluating proposals, prioritizing individual projects, and scheduling work. It includes a project proposal and project schedule document. One proven effective approach to systems planning is to use a steering committee to manage the process. The members of this group follow a similar makeup as the "matrix" view of cross-functional teams, as depicted in Exhibit 2.2.

• Phase 2—Systems Analysis. This phase includes surveys, if necessary, and other fact-gathering steps. The step is documented by the system analysis report.

• Phase 3—Conceptual Design. In this phase, the team will develop alternative systems that satisfy the system requirements identified during system analysis. This phase includes a data flow diagram (DFD), in general terms.

• Phase 4—Systems Evaluation and Selection. This process seeks to identify the optimal solution from among the alternatives. It includes a feasibility study, cost-benefit analysis, and the system selection report (documentation).

10 Chapter 2: Auditing Standards and Responsibilities

• Phase 5—Detailed Design. This phase will produce a detailed description of the proposed system that satisfies system requirements identified during systems analysis and is in accordance with conceptual design. It will include some sort of testing, such as a simulation or walkthrough. It involves numerous reports and some of the most important documentation of the processes and system. Examples include: detailed design report, DFD (detail), entity-relationship (ER) diagram, relational model, normalized data, data dictionary, and other documentation.

• Phase 6—Systems Implementation. At this point, the database structures are created and populated with data, applications are coded and tested (prior to going live), equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed. Once the final tests have been conducted, the system is placed in active use. This phase then would provide a post-implementation review, program flowcharts, program documentation, and the user acceptance report. It also should include a budget variance analysis. The post-implementation review and budget analysis are critical follow-up processes that will be valuable to management decisions and future projects.

• Phase 7—Maintenance. The maintenance phase is the longest in time, and therefore the efficiency and effectiveness of this phase are highly dependent on the documentation of the previous steps. Because about 80% of the total cost of the system will occur during this phase, there is plenty of opportunity for cost savings based on activities such as the data dictionary [7] developed in the detailed design phase. During this phase, the system is changed to accommodate changes in user needs. A minimum of four controls is needed in maintenance: formal authorization for changes, technical specifications (documentation), retesting (offline first), and updating of the documentation (especially the data dictionary).

Exhibit 2.3: SDLC Guidelines

A materially flawed financial application will eventually misstate the financial data, which will then be incorrectly, and materially, reported in the financial statements. Therefore, the accuracy and integrity of these information systems directly affect the accuracy of the client's financial data. Some of the questions internal auditors should ask include:

• How can audit verify that SDLC activities are being applied consistently?
• How can audit verify that systems are free from material errors and fraud using SDLC principles?
• How can audit verify that the purchase or development of a system is justified?
• How can audit verify that system documentation is adequate and complete?
• How can audit verify that a library control is effective for original source code (or original copies and licenses of commercial software) and data (backups)? That is, what controls exist to protect original software and backup data? (See page 109 for a description of library control.)
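One concrete way to approach the first and fourth questions for the maintenance phase is to screen the change-management records against the four minimum controls listed under Phase 7 (formal authorization, technical specification, retesting offline before going live, and updated documentation including the data dictionary). The Python below is an added example, not code from the book or the Sam Pole Company manual. The CSV column names, the status values, and the sample records are assumptions; map them to the fields your own change-management system exports.

```python
"""Screen change records for the four minimum maintenance-phase controls.

Added example, not code from the book or the Sam Pole Company manual.
Column names, status values and the sample export are assumptions; map
them to the fields of your own change-management system.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export (invented records and column set).
SAMPLE_EXPORT = """\
change_id,approved_by,spec_ref,test_env,tested_before_live,docs_updated,data_dictionary_updated
CHG-001,J. Doe,SPEC-17,offline,yes,yes,yes
CHG-002,,SPEC-18,offline,yes,yes,yes
CHG-003,A. Roe,,live,no,no,no
CHG-004,A. Roe,SPEC-20,live,yes,yes,yes
CHG-005,J. Doe,SPEC-21,offline,yes,yes,no
"""

CONTROLS = ("authorization", "specification", "retesting", "documentation")


@dataclass
class ChangeRecord:
    change_id: str
    approved_by: str              # who formally authorized the change ("" = nobody)
    spec_ref: str                 # reference to the technical specification ("" = none)
    test_env: str                 # "offline" = retested in a non-production copy
    tested_before_live: bool
    docs_updated: bool
    data_dictionary_updated: bool


def _flag(value: str) -> bool:
    return value.strip().lower() in ("yes", "y", "true", "1")


def load_records(export_text: str) -> List[ChangeRecord]:
    """Parse the CSV export into ChangeRecord objects."""
    return [
        ChangeRecord(
            change_id=row["change_id"].strip(),
            approved_by=row["approved_by"].strip(),
            spec_ref=row["spec_ref"].strip(),
            test_env=row["test_env"].strip().lower(),
            tested_before_live=_flag(row["tested_before_live"]),
            docs_updated=_flag(row["docs_updated"]),
            data_dictionary_updated=_flag(row["data_dictionary_updated"]),
        )
        for row in csv.DictReader(io.StringIO(export_text))
    ]


def missing_controls(rec: ChangeRecord) -> List[str]:
    """Controls not evidenced for one change, in CONTROLS order (empty = compliant)."""
    missing = []
    if not rec.approved_by:
        missing.append("authorization")
    if not rec.spec_ref:
        missing.append("specification")
    # Retesting counts only if done offline and completed before going live.
    if rec.test_env != "offline" or not rec.tested_before_live:
        missing.append("retesting")
    # Documentation must be current, and the data dictionary in particular.
    if not (rec.docs_updated and rec.data_dictionary_updated):
        missing.append("documentation")
    return missing


def audit_changes(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """change_id -> missing controls, listing only non-compliant changes."""
    return {r.change_id: gaps for r in records if (gaps := missing_controls(r))}


def exception_counts(records: List[ChangeRecord]) -> Dict[str, int]:
    """How often each control was skipped: shows whether the SDLC is applied consistently."""
    counts = Counter({c: 0 for c in CONTROLS})
    for r in records:
        counts.update(missing_controls(r))
    return dict(counts)


def compliance_rate(records: List[ChangeRecord]) -> float:
    """Fraction of changes evidencing all four controls (0.0 for an empty export)."""
    if not records:
        return 0.0
    return sum(1 for r in records if not missing_controls(r)) / len(records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    for change_id, gaps in audit_changes(recs).items():
        print(f"{change_id}: missing {', '.join(gaps)}")
    print("exceptions per control:", exception_counts(recs))
    print(f"compliance rate: {compliance_rate(recs):.0%}")
```

On the constructed export, CHG-004 is flagged for retesting because it was changed live rather than in an offline copy, which is exactly the online-update risk the text describes, and the per-control counts show retesting and documentation as the controls most often skipped. Treat the checker as a screening tool: it tests whether the controls are evidenced in the records, and the auditor still has to verify the evidence itself.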

Chapter 2: Auditing Standards and Responsibilities 11

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 2.5 REV NO: DATE:

TITLE: Professional Development PAGES:

[7] A data dictionary will include all of the fields in all of the files used by the system with details on the characteristics of the field and places it is used in the applications.

2.5 Professional Development

One of the critical success factors in internal audit (IA) is professional development. Not only do accounting and auditing rules change, but other relevant matters also change. For instance, technology and systems are constantly evolving at a rapid pace; they not only house the accounting information, but are also excellent tools to use in audits. Management issues, such as conflict resolution and leadership, are vital to IA. Lifelong learning, that is, professional development, is a necessity. (See Section 5.2 on personal development for details on professional development.)

Certification is an important element in a successful, effective internal audit department. Major benefits are that certification is a sign of professionalism, an adequate level of knowledge (for the area under certification), and a willingness to submit to a professional code of ethics. Another benefit of certification is the mandatory Continuing Professional Education (CPE) credits that must be earned each year in order to maintain one's certification. (See Section 5.1(c) i for more on certification.)

This manual also recommends an annual staff meeting or conference for training and education of the staff auditors, in addition to other educational options. (See Section 5.5 for details.)

Most of all, the ISACF Standards state that IS auditors are to be technically competent, having the skills and knowledge necessary to perform the auditor's work (040.010—Competence/Skills and Knowledge) and also specify that IS auditors are to maintain their technical competence through appropriate CPE (040.020—Continuing Professional Education). The IIA Code of Ethics states the same requirement for competence in its "Principles" and "Rules of Conduct" sections. Therefore, professional development is a key to quality audits and an effective IA function.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 2.6 REV NO: DATE:

TITLE: Responsibilities of a Corporate Auditor PAGES:

2.6 Responsibilities of a Corporate Auditor

In addition to the various standards to be followed, the corporate auditor and the IA function have responsibilities that must be fulfilled for IA to have successful results.

12 Chapter 2: Auditing Standards and Responsibilities

a. Nature

Internal auditing is an independent appraisal activity within an organization for the review of operations as a service to management. It improves managerial control by measuring and evaluating the effectiveness of other controls, and by maintaining a vigilant watch over risks.

b. Objective and Scope

The objective of internal auditing is to assist all members of the organization in the effective discharge of responsibilities by furnishing them with analyses, appraisals, recommendations, and pertinent comments concerning the activities reviewed. The internal auditor is concerned with any phase of business activity where he/she may provide service to the organization. This scope involves going beyond the accounting and financial records to obtain a full understanding of the operations under review. The attainment of this overall objective involves such activities as:

• Reviewing and appraising the correctness, adequacy, and application of accounting, financial, and other operating controls and promoting effective control at reasonable cost
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which company assets are accounted for and safeguarded from losses of all kinds
• Ascertaining the reliability of management data developed within the organization
• Ascertaining the quality of performance in carrying out assigned responsibilities
• Recommending operational improvements

c. Responsibility and Authority

The responsibilities of corporate auditing within Sam Pole Company are clearly established by management policy. The related authority provides the corporate auditor full access to all of the organization's records, properties, and personnel relevant to the subject under review. The corporate auditor should be free to review and appraise policies, plans, procedures, and records. The internal auditor's responsibilities should be:

• To inform and advise management and to discharge this responsibility in a manner that is consistent with the codes of ethics of the IIA and the ISACA (IS audits)
• To coordinate his/her activities with others so as to best achieve audit objectives and the objectives of the organization

Corporate auditors have neither direct responsibility for, nor authority over, any of the activities that they review. Therefore, the corporate audit review and appraisal do not in any way relieve other persons in the organization of the responsibilities assigned to them.

d. Independence

Independence is essential to the effectiveness of corporate auditing. This independence is obtained primarily through organizational status and objectivity:

• The organizational status of the corporate auditing function and the support accorded to it by management are major determinants of its range and value. The head of the corporate auditing function should be responsible to an officer whose authority is sufficient to assure both a broad range of audit coverage and the adequate consideration of and effective action on the audit findings and recommendations.
• Objectivity is essential to the audit function. Therefore, corporate auditors should not develop and install procedures, prepare records, or engage in any other activity that would normally be the subject of a review and could reasonably be construed to compromise one's independence. Auditors' objectivity need not be adversely affected by their determination and recommendation of standards or controls to be applied in the development of the systems and procedures under review.

Chapter 2: Auditing Standards and Responsibilities 13

It is common to read in the financial section of a newspaper or other publication that a public accounting firm has been sued or censured. Why? Usually because the firm allegedly did not follow Generally Accepted Auditing Standards (GAAS), or the firm did not issue an accurate audit report on the financial statements, or the firm did not ensure adequate disclosures (e.g., certain information required by the Securities and Exchange Commission (SEC) or other regulatory body that could influence shareholders and/or the general public in financial planning decisions).

Although similar situations specifically addressed to the internal audit profession are rare, the possibility does exist. The SEC and other regulatory entities are looking in that direction due to the improved image of the profession and the greater reliance upon internal auditors' work by management and the public accountants.

Don't be alarmed! Unlike the public accountants, internal auditors do not have the same contractual or fiduciary obligations. We do have similar responsibilities. Therefore, we must perform our audits with the same extreme care as the external auditors, and in accordance with GAAS.

The Director of Auditing reports directly to the Audit Committee of the Board of Directors of Sam Pole Company for the purposes of audit scope. The Director's responsibility to the Committee, the entire Board of Directors, and management is to inform them promptly of significant situations disclosed by audits so that they can meet their obligations to the shareholders, regulatory bodies, and the general public.

e. Regulatory Issues

Due care is required in reporting comments related to regulatory bodies and federal laws. Relevant laws include income tax, SEC, copyright laws, and the Foreign Corrupt Practices Act.

In 1913, the Income Tax Act was passed (Sixteenth Amendment), and it affects internal auditors. For example, the Internal Revenue Service can and does request copies of audit reports during their examinations of tax returns. The company's reporting should be objective and factual to reduce further extensive tests of expense reports. If improved controls for reporting of travel and other business expenses are recommended, it is essential that the situations are clearly described and the number of instances noted be reflected in the detailed section of the audit report. Also, any corrective action taken should be indicated. Otherwise, the auditee will normally do so in the response to the audit report.

The Securities Act of 1933 and Securities Exchange Act of 1934 require all corporations that report to the SEC, which was created by the acts, to maintain a system of internal control that is evaluated as part of the annual external audit. The Foreign Corrupt Practices Act, passed in 1977, requires, under penalty of law, that managements ensure good systems of internal control in their companies. Copyright laws (1977 et al.) protect intellectual property, which usually affects audit programs—that is, audit steps need to be included to audit for unlicensed software and other potential violations of this law. (See Section 1.6 for a history of federal regulations related to auditing.)

The company's legal responsibilities can be attained if due care is used, GAAS are followed, situations are promptly and carefully reported, and confidentiality is maintained.

14 Chapter 2: Auditing Standards and Responsibilities

Endnotes

1. According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.

2. The majority of this section comes from the IIA's Code of Ethics web page at www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on June 17, 2000.

3. The majority of this section comes from the ISACA's Code of Professional Ethics web page at www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any changes. The document used in this manual was adopted by ISACA on July 1, 2001. It also is under review at the time this chapter was written for changes related to the CISM certification.

4. At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new certification—CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes effective since this writing.

5. Much of this section was taken from ISACA's web page on Standards located at: www.isaca.org/stand1.htm.

6. A data dictionary will include all of the fields in all of the files used by the system with details on the characteristics of the field and places it is used in the applications.

Chapter 2: Auditing Standards and Responsibilities 15

Chapter 3: Internal Control System

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.1 REV NO: DATE:

TITLE: Definition PAGES:

3.1 Definition

Executives and auditors alike understand the importance of a strong internal control system in relation to financial audits and reliable financial reports. But a sound internal control system also has the potential to enhance corporate strategies and thus provides internal auditors with the opportunity to express their value as business partners. Corporate objectives generally include the provision for reliable, timely information in effective decision-making. There is a need to protect assets, to communicate internally, and to analyze events and transactions. A strong internal control system can enhance all of these strategic objectives and assist in operational control.

Exactly what is an internal control system? The Information Systems Control & Audit Association (ISACA) defines it as:

The policies, procedures, practices and organizational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.

This definition demonstrates the link between the internal control system and business objectives. According to the Committee on Sponsoring Organizations (COSO), internal control is:

A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.

According to the Institute of Internal Auditors (IIA), the control system is:

The attitude and actions of management and the board regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical values, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.

The bottom line is that an effective internal control system is a critical success factor for any organization in the long term, and that internal auditors should ensure they are inexorably melded with corporate strategies. Internal controls have become more than accounting guidelines. They are indispensable tools for the ever-increasing risks, exposures, and threats to accounting systems, data, and assets. Therefore, this manual will use the following definition for internal control system, which provides the basis for the discussion in this chapter:

Chapter 3: Internal Control System 1

Internal control system is the policies, practices, procedures, and tools designed to: (1) safeguard corporate assets, (2) ensure accuracy and reliability of data captured and information products, (3) promote efficiency, (4) measure compliance with corporate policies, (5) measure compliance with regulations, and (6) manage the negative events and effects from fraud, crime, and deleterious activities.

It goes without saying that corporate data, and the files that contain them, are an asset and do have value. The same is true for systems, and the value is proportionate to the degree the organization is dependent on information systems (IS) or information technologies (IT) in delivering products or services. Thus the safeguarding of corporate assets includes the data and systems of the organization—even system availability.

This chapter will attempt to provide information to strengthen the internal control system. There is a discussion of related management policies, related regulations, risk assessment, some control activities, the employment of proven resources (i.e., computer-assisted audit tools and techniques), related fraud and crime, various applicable models, and some specific examples of tools and documents for internal auditors.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.2 REV NO: DATE:

TITLE: Assumptions in Establishing an Internal Control System PAGES:

3.2 Fundamental Assumptions in Establishing an Internal Control System

Federal law and business wisdom require management to exert a conscientious effort to maintain an effective system of internal controls and to build a strong internal control system. Management, with the aid of the internal audit (IA) function, should identify what needs protecting (i.e., assets), what risks exist to compromise those assets, and the extent of those risks (probability and impact cost). With those factors in mind, management, along with the assistance of the IA function, then should see that appropriate policies and strategies are developed concerning organizational structure (i.e., segregation of duties); physical, general, and application controls; and transaction processes. One key to safeguarding assets is personal accountability, whether it is enforcing policy violations by employees or tracking down and prosecuting crackers and hackers. It also extends to management to make sure controls are operating effectively as designed. That accountability means management must make sure error logs, monitoring reports, and so on, are being read and responded to timely.

Management should employ the skills and abilities of professionals in designing internal controls and auditing their effectiveness. That includes technicians in the IS function and audit professionals in the IA function. If the company is conducting business over the Internet, that would include IS professionals such as Certified Information Systems Security Professional (CISSP), Certified Information Technology Professional (CITP), or Certified Information Systems Auditor (CISA) who understand both computer technologies and security. For the IA function it would include Certified Internal Auditor (CIA) or CISA. Internal control professionals should also be involved in all new systems development—CIA, CISA, or CITP. The specific tools and techniques used to develop specific controls should be used in conjunction with the expertise of IA personnel. Management should also encourage the use of proven resources, such as the internal control models identified herein. Most of all, management should pursue an effective audit committee in which members are qualified and independent (i.e., effective corporate governance).

2 Chapter 3: Internal Control System

An important step in building an effective internal control system is to make sure the organization has adequate relevant policies, accompanied by an effective monitoring and reporting system to make sure management's objectives are being met. Another step, sometimes chronologically preceding policy development, is for the organization to identify the risks to which it is subject and the corresponding loss if that risk came to pass; that is, a thorough risk assessment. Also, the organization should use proven resources to determine and implement the actual controls necessary to manage the risks. Exhibit 3.1 depicts a model of an effective internal control system to illustrate these elements, and most of the detail processes described in this chapter. Some basic assumptions constrain the implementation and effectiveness of any internal control system, no matter how well it may be designed. It is also important to think about the evolution of intruders in order to design effective controls. Controls are affected by laws and regulations.

Exhibit 3.1: Internal Control Environment Model

But first, reasons will be given for a strong internal control system. There are business reasons, legal reasons, and audit reasons.

a. Business Reasons for a Strong Internal Control System

The business reasons have to do with management objectives. Sound internal controls enhance corporate strategies by maximizing the reliability and timeliness of information in making effective decisions. Management, in general, desires to safeguard assets thoroughly, to communicate efficiently and effectively internally, to analyze events and transactions timely, and to promote operational efficiencies universally. Strong internal controls have the potential to help meet these objectives. For example, the Committee on Sponsoring Organizations (COSO) says this about internal controls:

... a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.

b. Legal Reasons for a Strong Internal Control System

The last statement brings up the second point about compliance with applicable laws and regulations. Controls help to assure such compliance, especially for laws regarding the system and intellectual property. (See "Regulations" in this chapter for more details.)

Chapter 3: Internal Control System 3

c. Basic Assumptions for the Internal Control System

The first basic assumption is that of management responsibility. The responsibility for an effective internal control system is not that of internal auditors, external auditors, management accountants, or any other group except management.

The second assumption is that of reasonable assurance. There is no such thing as a perfect internal control system. Controls can generally be compromised under the right conditions. No computer system is impervious to attacks or malicious activities. In addition, controls have a cost, and the cost-benefit concept used in accounting must be applied even to controls. After all, if it costs $1 million to implement a control and the risk assessment shows a risk of loss of $200,000, then the control does not pass the cost-benefit test. The result is an exposure—a weakness in the control system. Internal control does not guarantee that an entity will meet management objectives, or even that the firm will survive. Rather, internal controls are designed to provide management with reasonable assurance regarding the achievement of these objectives.

The third assumption is independence from the method of data processing. That is, the control objectives should be designed without regard for the specific type of data processing. Certain control objectives may be peculiar to information systems or information technologies, but generally, a strong control objective should be just as applicable to a paper-based system as to a computer-based system. The specific controls will vary with different technologies, but the objectives should be process independent.

The fourth assumption deals with limitations, of which there are several. First, there will always be a possibility of error in any accounting system. There will always be the possibility of circumvention of controls by a determined and talented attacker. There is certainly always the possibility of management override of controls. Last, there is the simple passing of time—conditions change. With changing conditions, effective controls may become obsolete or ineffective and thus need constant re-evaluation (the raison d'être for the internal audit function!).

d. Evolution of Attacks and Intruders' Technical Knowledge

Attacks have grown from simplistic to complicated, while simultaneously the technical knowledge needed by intruders has gone from a high level to a very low level. For example, in the 1980s, attacks were mostly password guessing ("war dialers"), password cracking, some self-replicating code, and exploiting known vulnerabilities—all of which required a high level of technical skills at the time. Then, there was not the widespread communication of vulnerabilities and hacker tools that we have in the twenty-first century—making it much easier today to do these kinds of attacks.

Then attacks became a little more sophisticated, such as hijacking sessions, back doors, sweepers, sniffers, and stealth diagnostics. The technical knowledge became moderate instead of the high level of technical skills needed earlier. In fact, the term "hacker" really evolves from a complimentary term applied to those who had a lot of technical knowledge, knowing the administrative types of functions, commands, and intricacies of operating systems.

By 1995, attacks became even more sophisticated. They included packet spoofing, use of intelligent agents, denial of service, and a combination of the two—distributed denial of service. Yet the level of knowledge diminished. In fact, there is such an abundance of malicious code, and so easy to obtain, that by the end of the twentieth century, many intruders were called "script kiddies"—so named because young teenagers were downloading script files and conducting attacks, all without a prerequisite high level of technical knowledge.

Therefore, the level of risk today is much higher than 20 years ago. It is necessary for the IA function and other security personnel to understand the profiles of intruders and the types of popular tools being employed, in order to be best prepared to defend the corporate assets. (See Section 3.8 for more details.)

4 Chapter 3: Internal Control System


e. Cost-Benefit Analysis of Controls

An important constraint in developing internal controls is the use of cost-benefit analysis on controls. Control activities are subject to the same cost-benefit analysis as other management activities. But a 2 × 2 model of risk probability and cost provides additional guidance in decision-making related to security and controls (see Exhibit 3.2). For example, those risks that have a low probability and low cost can simply be accepted. But for those with high probability and high cost, control activities need to be implemented to prevent the risk from occurring. For example, a disaster may have a low probability but it has a high cost (see Exhibit 3.2); therefore management should employ insurance and/or a backup plan as an appropriate control activity. This model requires management to identify what needs protecting, what the risks are for those assets, and the level of cost impact and probability for each risk. Input from internal auditors and IS professionals most likely will be necessary to perform these steps appropriately.

Exhibit 3.2: Controls Decision Making Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.3 REV NO: DATE:

TITLE: Effective Internal Control Models PAGES:

3.3 Effective Internal Control Models

There are numerous proven internal control models that internal auditors can rely on in developing and maintaining an effective internal control system. These come from reliable professional organizations such as COSO, ISACA, IIA, AICPA, and the Canadian Institute of Chartered Accountants (CICA).

a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA)

The COSO Model was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). [1] Organizations in COSO include the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). The final promulgated model on internal controls was published in 1992. The model contains five elements: the control environment, risk assessment, control activities, monitoring, and information and communication (see Exhibit 3.3). This particular model has been widely accepted and used by internal auditors and financial executives with equal success, and provides an effective model for designing, implementing, evaluating, and managing an effective internal control system.

Exhibit 3.3: COSO Model


The COSO report defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations." The report emphasizes that the internal control system is a tool of, but not a substitute for, management and that controls should be built into, rather than built onto, operating activities. Although the report defines internal control as a process, it recommends evaluating the effectiveness of internal control as of a point in time.

COSO recognizes that people are involved with internal control as members of the board of directors (especially the audit committee), management, and other entity personnel such as internal auditors. Objectives are categorized by COSO as operational, financial reporting, and compliance (see Exhibit 3.3).

COSO's "Internal Control Environment" covers factors such as the integrity and ethical values of management, competence of personnel, management philosophy and operating style, how authority and responsibilities are assigned, and the guidance provided by the board of directors.

Under "Risk Assessment," COSO addresses the risk of failing to meet financial reporting objectives, failing to meet compliance objectives, and failing to meet operational objectives. COSO suggests the identification of external and internal risks to the entity and to individual activities. The cost-benefit consideration is a part of the COSO Model, as well as the dynamic nature of risk assessment. The COSO Model considers management's analysis of risk and their ability to override and adjust the internal control system.

Information systems are covered in the "Information and Communication" segment of the COSO Model. This area covers the need to capture pertinent internal and external information, the potential of strategic and integrated systems, and the need for data quality. The Communication subsection discusses conveying internal control matters, and gathering competitive, economic, and legislative information.

COSO discusses the "Monitoring" aspect by recognizing the need for management to monitor the entire internal control system through the internal control system itself and through special evaluations directed at specific areas or activities. It uses an internal perspective for monitoring, and covers these activities in broad terms.

"Control Activities" and procedures are discussed throughout the entity in the COSO Model. This model uses only one classification scheme for IS control procedures (by contrast, SAC uses five different schemes). COSO emphasizes the desirability of integrating control activities with risk assessment.

The AICPA has officially adopted the COSO Model by incorporating it into Statement on Auditing Standards (SAS) No. 78. SAS 78 revised SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, and makes the COSO model part of external audit standards.

b. The CobiT Model (ISACA)

The CobiT Model [2] is the culmination of the evolution of ISACA's Control Objectives. In 1977, the Electronic Data Processing Auditors Foundation (forerunner of the ISAC Foundation) published the first Control Objectives. It was a compilation of techniques and procedures for conducting IS audits covering various information technologies. This book provided a normative model for IS auditors in performing their duties. Control Objectives included not only objectives related to controls, but also audit procedures. The publication matched a particular IT with certain controls that ought to be addressed when conducting IS audits in that area or technology. Thus, Control Objectives provided IS auditors a benchmark to measure audit effectiveness and emphasized best practices. The guidelines underwent revisions in 1980 and 1983 (second edition). The 1983 version was intended to be a complete overhaul, delineating how IS auditors discharge their responsibilities. Other revisions would occur in 1990 and 1992 (the fifth version of the document).

Then, in 1996, the ISAC Foundation revised the tools in Control Objectives into a new guidance publication known as Control Objectives for Information and related Technology (CobiT). CobiT helps bridge the gaps between business risks, control needs, and technical issues. It is a control model, or framework, intended to meet the needs of IT governance and to ensure the integrity of information and information systems; it is applied on an international basis and was built from international input.

Research for the first (1996) and second (1998) editions included the collection and analysis of identified international sources and was carried out by teams in Europe (Free University of Amsterdam), the United States (California Polytechnic University), and Australia (University of New South Wales). The researchers were charged with the compilation, review, assessment, and appropriate incorporation of international technical standards, codes of conduct, quality standards, professional standards in auditing, and industry practices and requirements, as they relate to the Framework and to individual control objectives. After collection and analysis, the researchers were challenged to examine each domain and process in depth and suggest new or modified control objectives applicable to that particular IT process. Consolidation of the results was performed by the CobiT Steering Committee and the Director of Research of ISACF. [3]

The current edition is the third (2000) and is available on CD-ROM and online from ISACA. [4] CobiT provides an Executive Summary, a Framework for control of IT, a list of Control Objectives, and a set of Audit Guidelines. The latter two are reference works for the Framework.

CobiT adapted its definition of control from COSO: the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. CobiT adapts its definition of an IT control objective from SAC: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. The role and impact of IT controls as they relate to business processes are emphasized in CobiT. The document outlines platform- and application-independent IT control objectives that can be applied internationally.

CobiT combines the principles embedded in existing reference models in three broad categories: quality, fiduciary responsibility, and security. From these broad requirements, the report extracts seven overlapping categories of criteria for evaluating how well IT resources are meeting business requirements for information. These criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. CobiT also classifies IT processes into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. These domains follow the system development life cycle, applicable to IT processes in any IT environment. CobiT includes definitions of both internal control and IT control objectives, four domains of processes and 32 high-level control statements for those processes, 271 control objectives referenced to those 32 processes, and audit guidelines linked to the control objectives.

c. The SAC and eSAC Reports (IIA)

The SAC report also has a long history of development and evolution. In 1977, the International EDP Audit Committee (later known as the Advanced Technology Committee) codified and published best practices among IT shops related to EDP audits in a document entitled Systems Auditability and Control (SAC). Based on empirical evidence from around the world and from a committee of experts, SAC was published in three separate documents: Control Practices, Audit Practices, and Executive Report. SAC enjoyed a high degree of dissemination, mostly because of the number of copies distributed by the IIA to members, and by IBM, the financial sponsor of the project. After 11 printings of the original document, SAC was revised in 1991, and again in 1994 by the IIA Research Foundation.

In order to emphasize both e-business impact and electronic delivery of the new material, in 2001 the IIA Research Foundation issued a completely revised set of guidance, Electronic Systems Assurance and Control (eSAC). It brings executive management, corporate governance entities, and auditors new information to understand, monitor, assess, and mitigate technology risks. These guidelines examine and assess risks that accompany each organizational component, including customers, competitors, regulators, communities, and owners (see Exhibit 3.4).

Exhibit 3.4: eSAC Model

The eSAC report defines the system of internal control, describes its components, provides several classifications of controls, describes control objectives and risks, and defines the internal auditor's role. The report provides guidance on using, managing, and protecting IT resources and discusses the effects of end-user computing, telecommunications, and emerging technologies.

The eSAC report defines a system of internal control as "a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals." The report emphasizes the role and impact of computer-based information systems on the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build controls into systems rather than add them after implementation.

The system of internal controls consists of three components: the control environment, manual and automated systems, and control procedures. The control environment includes organization structure, control framework, policies and procedures, and external influences. Automated systems consist of systems and application software. The eSAC report discusses the control risks associated with end-user and departmental systems, but neither describes nor defines manual systems. Control procedures consist of general, application, and compensating controls.

The eSAC report provides five classification schemes for internal controls in information systems: (1) preventive, detective, and corrective; (2) discretionary and non-discretionary; (3) voluntary and mandated; (4) manual and automated; and (5) application and general controls. These schemes focus, respectively, on when the control is applied, whether the control can be bypassed, who imposes the need for the control, how the control is implemented, and where in the software the control is implemented.

Risks in eSAC are defined as fraud, errors, business interruptions, and inefficient and ineffective use of resources. Control objectives reduce these risks and assure information integrity, security, and compliance. Information integrity is guarded by input, processing, output, and software quality controls. Security measures include data, physical, and program security controls. Compliance controls ensure conformance with laws and regulations, accounting and auditing standards, and internal policies and procedures.

The role of internal auditors is also defined in eSAC. Their responsibilities include ensuring the adequacy of the internal control system, the reliability of data, and the efficient use of the organization's resources. Internal auditors are also to be concerned with preventing and detecting fraud, and coordinating activities with external auditors. The integration of audit and IS skills and an understanding of the impact of IT on the audit process are necessary for internal auditors. Internal audit professionals now perform financial, operational, and IS audits.

d. SysTrust (AICPA and CICA)

In response to the increased dependence on IS, the AICPA and the Canadian Institute of Chartered Accountants (CICA) developed SysTrust and introduced it in December 1999. SysTrust focuses on providing assurance of the reliability of the controls of a system. To evaluate the reliability of a system objectively, the CPA evaluates SysTrust's four essential principles [5] (availability, security, integrity, and maintainability) individually against four categories of criteria: policies, communication, procedures, and monitoring. In a SysTrust engagement, the CPA reports on the availability, security, integrity, and maintainability of a system. The system must meet all of SysTrust's four principles and 58 criteria to earn an unqualified SysTrust report (see Exhibit 3.5 for a list of the criteria). The SysTrust model is another potential model to use in designing, implementing, and especially evaluating an internal control system, in particular where there is a high reliance on IS and IT for business operations.

Exhibit 3.5: SysTrust Model [6]

SysTrust Principles and Criteria

Availability. The system is available for operation and use at times set forth in service-level statements or agreements.

A1 The entity has defined and communicated performance objectives, policies, and standards for system availability.

A1.1 The system availability requirements of authorized users, and system availability objectives, policies, and standards, are identified and documented.

A1.2 The documented system availability objectives, policies, and standards have been communicated to authorized users.

A1.3 The documented system availability objectives, policies, and standards are consistent with the system availability requirements specified in contractual, legal, and other service-level agreements and applicable laws and regulations.

A1.4 Responsibility and accountability for system availability have been assigned.

A1.5 Documented system availability objectives, policies, and standards are communicated to entity personnel responsible for implementing them.


A2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards.

A2.1 Acquisition, implementation, configuration, and management of system components related to system availability are consistent with documented system availability objectives, policies, and standards.

A2.2 There are procedures to protect the system against potential risks that might disrupt system operations and impair system availability.

A2.3 Continuity provisions address minor processing errors, minor destruction of records, and major disruptions of system processing that might impair system availability.

A2.4 There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of system availability features are qualified to fulfill their responsibilities.

A3 The entity monitors the system and takes action to achieve compliance with system availability objectives, policies, and standards.

A3.1 System availability is periodically reviewed and compared with documented system availability objectives, policies, and standards.

A3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented system availability objectives, policies, and standards and to take appropriate action.

A3.3 Environmental and technological changes are monitored and their impact on system availability is assessed on a timely basis.

Security. The system is protected against unauthorized physical and logical access.

S1 The entity has defined and communicated performance objectives, policies, and standards for system security.

S1.1 The system security requirements of authorized users and the system security objectives, policies, and standards are identified and documented.

S1.2 The documented system security objectives, policies, and standards have been communicated to authorized users.

S1.3 Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.

S1.4 Responsibility and accountability for system security have been assigned.

S1.5 Documented system security objectives, policies, and standards are communicated to entity personnel responsible for implementing them.

S2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system security objectives in accordance with established policies and standards.

S2.1 Acquisition, implementation, configuration, and management of system components related to system security are consistent with documented system security objectives, policies, and standards.

S2.2 There are procedures to identify and authenticate users authorized to access the system.

S2.3 There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.

S2.4 There are procedures to restrict access to computer processing output to authorized users.

S2.5 There are procedures to restrict access to files on off-line storage media to authorized users.

S2.6 There are procedures to protect external access points against unauthorized logical access.

S2.7 There are procedures to protect the system against infection by computer viruses, malicious code, and unauthorized software.

S2.8 Threats of sabotage, terrorism, vandalism, and other physical attacks have been considered when locating the system.

S2.9 There are procedures to segregate incompatible functions within the system through security authorizations.

S2.10 There are procedures to protect the system against unauthorized physical access.

S2.11 There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of system security are qualified to fulfill their responsibilities.

S3 The entity monitors the system and takes action to achieve compliance with system security objectives, policies, and standards.

S3.1 System security performance is periodically reviewed and compared with documented system security requirements of authorized users and contractual, legal, and other service-level agreements.

S3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented security objectives, policies, and standards and to take appropriate action.

S3.3 Environmental and technological changes are monitored and their impact on system security is periodically assessed on a timely basis.

Integrity. System processing is complete, accurate, timely, and authorized.

I1 The entity has defined and communicated performance objectives, policies, and standards for system processing integrity.

I1.1 The system processing integrity requirements of authorized users and the system processing integrity objectives, policies, and standards are identified and documented.

I1.2 Documented system processing integrity objectives, policies, and standards have been communicated to authorized users.

I1.3 Documented system processing integrity objectives, policies, and standards are consistent with system processing integrity requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.

I1.4 Responsibility and accountability for system processing integrity have been assigned.

I1.5 Documented system processing integrity objectives, policies, and standards are communicated to entity personnel responsible for implementing them.

I2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system processing integrity objectives in accordance with established policies and standards.

I2.1 Acquisition, implementation, configuration, and management of system components related to system processing integrity are consistent with documented system processing integrity objectives, policies, and standards.

I2.2 The information processing integrity procedures related to information inputs are consistent with the documented system processing integrity requirements.

I2.3 There are procedures to ensure that system processing is complete, accurate, timely, and authorized.

I2.4 The information processing integrity procedures related to information outputs are consistent with the documented system processing integrity requirements.

I2.5 There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of the system are qualified to fulfill their responsibilities.

I2.6 There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.

I3 The entity monitors the system and takes action to achieve compliance with system processing integrity objectives, policies, and standards.

I3.1 System processing integrity performance is periodically reviewed and compared to the documented system processing integrity requirements of authorized users and contractual, legal, and other service-level agreements.

I3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented processing integrity objectives, policies, and standards and take appropriate action.


I3.3 Environmental and technological changes are monitored and their impact on system processing integrity is periodically assessed on a timely basis.

Maintainability. The system can be updated when required in a manner that continues to provide for system availability, security, and integrity.

M1 The entity has defined and communicated performance objectives, policies, and standards for system maintainability.

M1.1 Documented system maintainability objectives, policies, and standards address all areas affected by system changes.

M1.2 Documented system maintainability objectives, policies, and standards are communicated to authorized users.

M1.3 Documented system maintainability objectives, policies, and standards are consistent with the requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.

M1.4 Responsibility and accountability for system maintainability have been assigned.

M1.5 Documented system maintainability performance objectives, policies, and standards are communicated to entity personnel responsible for implementing them.

M2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system maintainability objectives in accordance with established policies and standards.

M2.1 Resources available to maintain the system are consistent with the documented requirements of authorized users and documented objectives, policies, and standards.

M2.2 Procedures to manage, schedule, and document all planned changes to the system are applied to modifications of system components to maintain documented system availability, security, and integrity consistent with documented objectives, policies, and standards.

M2.3 There are procedures to ensure that only authorized, tested, and documented changes are made to the system and related data.

M2.4 There are procedures to communicate planned and completed system changes to information systems management and to authorized users.

M2.5 There are procedures to allow for and to control emergency changes.

M3 The entity monitors the system and takes action to achieve compliance with maintainability objectives, policies, and standards.

M3.1 System maintainability performance is periodically reviewed and compared with the documented system maintainability requirements of authorized users and contractual, legal, and other service-level agreements.

M3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented system maintainability objectives, policies, and standards and to take appropriate action.

M3.3 Environmental and technological changes are monitored and their impact on system processing integrity is periodically assessed on a timely basis.

The evaluation of a system's reliability begins by understanding the basic components of the system. A system is defined as a set of procedures used to accomplish specific results, and an information system consists of five basic components organized to transform data inputs (raw facts) into information outputs. These five basic components of a system are: (1) infrastructure, (2) software, (3) personnel, (4) procedures, and (5) data. A reliable system is capable of operating without material error, fault, or failure during a specified period in a specified environment.

Availability is defined by the system being available for operations. Security is the protection of the system against unauthorized physical or logical access, including both the physical components and the data. Integrity refers to system processing being complete, accurate, timely, and authorized. Maintainability refers to the required updates of the system, and whether such updates will continue to provide for the other three aspects above.

For each of these aspects, the CPA practitioner uses four categories of criteria: Policies, Communication, Procedures, and Monitoring. For Policies, the CPA evaluates whether the entity has defined and documented its policies relevant to the particular principle. Communication refers to whether the entity has defined and communicated performance objectives, policies, and standards for the essential principle being evaluated (availability, security, integrity, or maintainability). Procedures refers to the entity using procedures that are in accordance with its established policies and standards. Monitoring is defined as the monitoring of the entity's activities and the surrounding environment of the system to identify potential impairments to the system's reliability and to achieve compliance with objectives, policies, and standards for the essential principle being evaluated. To further assist the practitioner in the evaluation of these criteria, the Systems Reliability Task Force developed a list of illustrative controls. This list is not intended to be comprehensive, so the practitioner must tailor the list to the circumstances of the particular engagement. See Exhibit 3.5 for a list of the illustrative controls.

e. Conclusion: Comparing and Contrasting the Models

Although the different control definitions contain similar concepts, the emphases are somewhat different (see Exhibit 3.6 for a comparison table). The CobiT Model views internal control as a process that includes policies, procedures, practices, and organizational structures that support business processes and objectives. The eSAC report emphasizes that internal control is a system: a set of functions, subsystems, people, and their interrelationships. The COSO Model accentuates internal control as a process, an integrated part of ongoing business activities. SysTrust emphasizes the reliability of IS in financial reporting and business activities.

Exhibit 3.6: Comparison of Internal Control Models

Primary Audience
    COSO: Management
    CobiT: Management, users, process owners, auditors
    eSAC: Internal auditors
    SysTrust: External auditors

IC Viewed as a ...
    COSO: Process
    CobiT: Set of processes including policies, procedures, practices, and organizational structures
    eSAC: Set of processes, subsystems, and people
    SysTrust: Not explicitly defined; viewed similar to an assertion to which a CPA does an attestation

IC Objectives (Organizational)
    COSO: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
    CobiT: Effective and efficient operations; confidentiality, integrity, and availability of information; reliable financial reporting; compliance with laws and regulations
    eSAC: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
    SysTrust: Effectiveness of business purposes and management's objectives; reliable financial reporting

Components or Domains
    COSO: Control environment; risk management; control activities; information and communication; monitoring
    CobiT: Planning and organization; acquisition and implementation; delivery and support; monitoring
    eSAC: Control environment; manual and automated systems; control procedures
    SysTrust: Availability; security; integrity; maintainability

Focus
    COSO: Overall entity
    CobiT: Information technology and overall entity
    eSAC: Information technology
    SysTrust: Information systems

IC Effectiveness Evaluated
    COSO: At a point in time
    CobiT: For a period of time
    eSAC: For a period of time
    SysTrust: At a point in time

Responsibility for IC System
    COSO: Management
    CobiT: Management
    eSAC: Management
    SysTrust: Management

Size
    COSO: 353 pages in four volumes
    CobiT: 664 pages in five volumes
    eSAC: 1,193 pages in 12 modules
    SysTrust: A few online pages

Source: ISACA, from web site www.isaca.org/bkr_cbt3.htm. Reprinted with permission.

The use of the COSO Model components is one way to compare and contrast the four models. The following analysis, therefore, is based on these five components.

1. Control Environment. The eSAC report describes three components of internal control. COSO discusses five components. CobiT incorporates the five components of the COSO report and focuses them within the IT internal control system. CobiT further bridges the gap between the broader business control models such as COSO and highly technical IS control models—worldwide. SysTrust describes four principles measured by four categories.

2. Information and Communication Systems. CobiT's focus is the establishment of a reference framework for security and control in IT. It defines a clear linkage between IS controls and business objectives. In addition, it provides globally validated control objectives for each IT process that give pragmatic control guidance to all interested parties. CobiT also provides a vehicle to facilitate communications among management, users, and auditors regarding IS controls. The eSAC report, however, focuses on automated IS. The document examines the interrelationships among internal control and systems software, application systems, and end-user and department systems. The volumes of eSAC provide guidance on internal controls in these areas. COSO discusses both information and communication, emphasizing the need to capture internal and external information, the potential of strategic and integrated systems, and the need for data quality. Communication focuses on conveying matters related to the internal control system.

3. Control Objectives. CobiT, eSAC, and SysTrust examine control procedures relative to an entity's automated IS. COSO discusses the control procedures and activities used throughout the entity. CobiT classifies controls into 32 processes naturally grouped into four domains. SAC uses five different classification schemes for IS control procedures. COSO only has one classification scheme, and emphasizes the desirability of integrating control activities with risk assessment. SysTrust classifies 58 controls into four classifications.

4. Risk Assessment. COSO identifies risk assessment as an important component of internal control. CobiT identifies a process within the IT environment as assessing risks, falling in the planning and organization domain and with six specific control objectives associated with it. CobiT addresses, in depth, several components of risk assessment in an IT environment. These include business risk assessment, the risk assessment approach, risk identification, risk measurement, risk action plan, and risk acceptance. It also deals directly with IT types of risk such as technology, security, continuity, and regulatory risks. Lastly, CobiT addresses risk from both a global and a systems-specific perspective. Risk assessment is an explicit component of eSAC's system of internal control, and the document contains extensive discussions of the importance of risk assessment as foundational to internal controls. COSO and eSAC address risk concepts in a similar fashion. For example, both address the risks of failing to meet compliance and operational objectives. SysTrust stresses that the entire attestation is to identify weak controls or other risks in the internal control system. Only one of the controls, however, specifically addresses risk.

5. Monitoring. In contrast to COSO, CobiT, and SysTrust, eSAC does not explicitly include monitoring as a component of the internal control system. SysTrust uses monitoring as one of the four categories that must be addressed in each of the four principal areas of investigation. COSO discusses monitoring activities in broad terms, and eSAC discusses specific monitoring activities that should be performed. CobiT, in an in-depth manner, defines specific monitoring requirements and responsibilities within the IT function. All the documents assign management the responsibility of ensuring the adequacy of the internal control system and its continued effectiveness.

All of the models provide tools, usually explicit tools or controls, as guidance in managing the internal control system. There are some differences, but altogether, there are more similarities between the models. The more technology an entity uses, or the more reliance an entity has on technology, the more it needs CobiT, eSAC, or SysTrust. If the entity conducts e-commerce and is publicly traded, SysTrust makes a good choice. If an entity has only a modicum of technology and a low-to-medium reliance upon IT, COSO is probably the best choice. The final choice is up to the IA function, in matching the entity with the strengths of these individual models, or it may choose to develop its own unique model.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.4 REV NO: DATE:

TITLE: Regulations PAGES:

[1] See www.coso.org.

[2] See www.isaca.org/cobit.htm.

[3] This paragraph is from the ISACA web page on CobiT at www.isaca.org.

[4] See www.isaca.org.

[5] An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.

[6] An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality. These new principles will cause this chart to change accordingly.

3.4 Regulations

Internal auditors know the importance of adhering to federal and state regulations. Some of them apply to internal controls. (See Section 1.6, "History of Federal Regulations Related to Auditing.")

a. Securities and Exchange Commission (1933, 1934)

The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part of the annual external audit. The acts give the SEC authority to oversee the setting of Generally Accepted Accounting Principles (GAAP) for publicly traded companies. They also convey the authority to investigate cases of suspected financial fraud and to censure companies from trading (i.e., prevent the stock from being traded publicly). The SEC laws have a direct impact on companies that have publicly traded stock, especially regarding the need for a system of internal control and its evaluation.

b. Foreign Corrupt Practices Act (1977)

The Foreign Corrupt Practices Act of 1977 also requires SEC companies to maintain an internal control system with reasonable assurance that the organization's objectives are being met, and it even provides penalties for violations.

c. Copyright Laws (1976 et al.)

The Copyright Laws of 1976 (and other years) protect intellectual property. One aspect of intellectual property crucial to internal controls is software. Illegal copies of software on organizational computers can lead to severe penalties and bad publicity. In addition, management will be held responsible by federal officials even if software piracy went on contrary to policy and without management awareness. Other intellectual property includes books, music, and copyrighted graphical images (e.g., logos). Therefore, management must first develop a policy against violations of copyright laws, such as software piracy, and make sure the internal audit function ensures compliance with the policy.

A study of 121 Certified Information Systems Auditors (CISAs) showed that software piracy is a problem in relatively large firms—those with about 3,000 microcomputers. Although almost all (91%) indicated an organizational policy governing unauthorized duplication of software, they estimated that more than 20% of their firms' employees had illegally copied software in the previous 12 months. Sixty percent of the auditors reported that their typical audit program included a specific procedure that was designed to detect pirated software. In spite of this fact, the auditors indicated that less than one-fourth of the audits that were conducted in the previous 12 months actually included such a test. Surprisingly, over one-third of the sample indicated that none of their audits included a test for unauthorized software.

Unauthorized software poses a legal and financial risk to firms. Risks (or exposures, as the case may be), such as civil and criminal penalties, exist for those who use unauthorized or pirated computer software. These risks also include significant monetary fines. Information systems auditors, in general, and CISAs, in particular, should be especially concerned with these risks. However, it has been reported that many managers and auditors are unaware of the potential legal liability from software piracy. According to ISACA, IS auditors have a responsibility regarding the risks of software piracy to: (1) be aware of such risks, (2) communicate these risks to management, (3) review software implementation, (4) develop adequate control procedures, and (5) incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software.

ISACA Standards (Section 030.010.010, Irregularities and Illegal Acts, paragraph 2.1.1) define irregularities and illegal acts as "Other acts that involve noncompliance with laws and regulations, including the failure of IT systems to meet applicable laws and regulations." The Standard further clarifies that ISACA believes it is management's responsibility to prevent and detect irregularities and illegal acts, and not the IS auditor's, unless evidence exists that would indicate an irregularity or illegal act has occurred. ISACA Standards assert that IS auditors should be familiar with irregularities and illegal acts that are common to a particular industry or have occurred in similar organizations (paragraph 4.1.5).
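Responsibility (5) in the ISACA list above, detecting unauthorized use of software, is the kind of test the survey found missing from most audit programs. The following is an added example written for this edit, not code from the book or from ISACA: a CAATT-style reconciliation of a software inventory against a license register that reports products not approved at all and products installed on more hosts than seats were purchased. The hosts, product names and seat counts are constructed sample data.

```python
"""Software inventory versus license register (added example, not from the book).

A CAATT-style check: which installed products are not on the approved/licensed
list, and which approved products are installed on more hosts than seats bought.
All hosts, products and seat counts below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str


# Constructed inventory, as a login script or agent might collect it.
INVENTORY = [
    Install("ws-001", "OfficeSuite", "2003"),
    Install("ws-002", "OfficeSuite", "2003"),
    Install("ws-003", "OfficeSuite", "2003"),
    Install("ws-003", "PhotoEditor", "7.0"),
    Install("ws-004", "GameLauncher", "1.2"),   # not on the register at all
    Install("ws-005", "OfficeSuite", "2003"),   # a fourth copy of a 3-seat license
]

# Constructed license register: product -> seats purchased. Anything absent
# is treated as unapproved, matching the "all other uses are prohibited"
# stance the chapter recommends for usage policy.
LICENSES = {"OfficeSuite": 3, "PhotoEditor": 5}


def unapproved_installs(inventory, licenses):
    """Installs of products management has not approved or licensed."""
    return [i for i in inventory if i.product not in licenses]


def over_deployed(inventory, licenses):
    """{product: (hosts_with_it, seats)} for products deployed beyond their seats."""
    # Count distinct hosts, so two records for one host do not double-count.
    host_product = {(i.host, i.product) for i in inventory if i.product in licenses}
    hosts_per_product = Counter(product for _, product in host_product)
    return {p: (n, licenses[p]) for p, n in hosts_per_product.items() if n > licenses[p]}


def audit_report(inventory=INVENTORY, licenses=LICENSES):
    """Both findings in one structure, for the audit working papers."""
    return {
        "unapproved": unapproved_installs(inventory, licenses),
        "over_deployed": over_deployed(inventory, licenses),
    }


if __name__ == "__main__":
    report = audit_report()
    for i in report["unapproved"]:
        print(f"UNAPPROVED     {i.host}: {i.product} {i.version}")
    for product, (n, seats) in report["over_deployed"].items():
        print(f"OVER-DEPLOYED  {product}: on {n} hosts, {seats} seats licensed")
```

In practice the inventory comes from whatever collection mechanism the IS department runs and the register from purchasing records; the value of the check is that it is repeatable, so it can be included in every audit program rather than in fewer than one in four, as the study reports.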

d. Environmental Laws (Various)

In addition, there are federal laws regarding environmental issues that affect many organizations. Due to the stiff penalties and negative public image that result from violations, internal auditors must be cognizant of any applicable environmental laws.


e. Sarbanes-Oxley Act (2002)

Several public frauds carried out in the years prior to 2002 focused attention on all aspects of financial reporting. Enron collapsed after what amounted to financial fraud by some of its executive managers. WorldCom also filed for bankruptcy when an internal auditor, Cynthia Cooper, Vice President of Internal Audit, uncovered $3.8 billion in fraud, the largest accounting fraud at the time. She boldly identified the fraud and fraudsters to the board of WorldCom in June 2002; as much as $9 billion of fraud has since been uncovered. She later was recognized as Person of the Year by Time magazine—along with Sherron Watkins of Enron and Coleen Rowley of the FBI. Sherron Watkins, a former accountant, tried to blow the whistle at Enron, but the principal executive officers dismissed her claims of fraud. Other frauds were uncovered at Adelphia and Tyco, to mention just a few from this time.

As a result of these frauds and related pressures brought on the U.S. Congress, the Sarbanes-Oxley Act was passed in the summer of 2002. The subsequent rules and regulations by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) will have a dramatic effect on internal controls for publicly traded companies. According to Section 404 (Management Assessment Of Internal Controls), affected companies are required to: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. For the first time, the NYSE now requires an IA function in all listed companies.

Because the law requires CEOs and CFOs to report on their internal control systems and sign off on—and therefore certify—their financial statements filed with the SEC, this law will force top executives to assure the adequacy of their internal control systems. The role of internal controls and the system of internal controls has become more critical. Therefore, the material in this chapter is an important resource for IA in performing this critical and required function. (See also Sections 1.6(e) and 9.2 for more on the Sarbanes-Oxley Act.)

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.5 REV NO: DATE:

TITLE: Policies PAGES:

3.5 Policies [7]

Internal controls should have objectives related to assets, security, and auditability—ideally, objectives shared with executive management. These objectives should be methodically developed into cogent policies that protect the assets identified as important (see Exhibit 3.7). Internal auditors will need to consider the following areas (and maybe others) related to internal controls, with the goal of providing valuable input into management's development of policies: computer system development, computer system usage, security, passwords, e-mail, business recovery (also disaster recovery), and privacy of both employee and customer data. For all policies, management should provide oversight for enforcement to hold employees accountable for them in order to increase the effectiveness of policies. While policies in and of themselves are not preventive measures, they are the foundation for building appropriate preventive techniques or tools, they set the tone for the internal control environment, and they provide the benchmark for evaluating controls (i.e., measure compliance with the specifics of the policies). Where applicable, employees should sign a copy of policies to indicate their commitment (e.g., e-mail, computer usage).

Exhibit 3.7: Internal Control System Model

Management Policy
- System Development
- System Usage
- Security (especially passwords)
- Privacy
- E-Mail
- Business Recovery Plans

Regulations
- SEC
- FCPA
- Environmental
- Copyright (e.g., software piracy)

Risk Assessment
- Internal Threats: Malicious Activities; Accidents; Disgruntled Employees; Ineffective Accountability; Financial Fraud/Theft of Assets
- External Threats: Remote Access; Intruders: Hackers/Crackers/Script Kiddies; Viruses; Computer Crime

Control Strategies
- Prediction (e.g., monitoring systems)
- Prevention (e.g., multi-layered firewall)
- Detection (e.g., intrusion detection system)
- Correction (e.g., DRP/IRP)
- Computer—General Controls
- Computer—Application Controls
- Physical Controls (e.g., locked doors)
- Human Resource Procedures (e.g., background checks)
- IA Function
- Computer Logs/Electronic Audit Trail
- Segregation of Duties (IS, et al.)
- Corporate Governance: Audit Committee and IT Governance

Specific Controls
- CAATTs
- Authorization: LAN, Applications, Data (password systems)
- Fraud and Crime-Related Activities (e.g., encryption)
- Business Recovery Plans: Disaster Recovery Plan (DRP), Incident Response Plan (IRP), Backups
- Data Integrity (e.g., validation procedures in applications)
- System Development Life Cycle Concepts
- Firewalls (multi-layered)
- Intrusion Detection Systems/Monitoring

Policies may be developed before a risk assessment is formally conducted, but if so, they are definitely affected by an appropriate risk assessment. Therefore policies, to some degree, will need to be flexible and dynamic in order to accommodate evolving issues. A well-written policy, however, should state in broad terms the organization's objectives regarding areas such as those discussed and allow the details and specifics to evolve based on the expertise and knowledge of the internal auditors and maybe IS personnel.

a. Systems Development Life Cycle Policy

A key policy consideration is information systems, especially systems development and implementation. There should be a written policy that segregates the processes of systems development, usage (operations), and maintenance (see "Segregation of Duties" in this chapter for more information). There are many stories of programmers and systems people who operated without proper segregation and were able to build fraudulent code into programs unnoticed. At least one case involved millions of dollars stolen from ATM machines, and many others involved large sums stolen using techniques such as salami slicing. A review of the organizational chart should indicate proper segregation of duties in the IS group.

One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of taking systems off-line for upgrades, updates, and so on, and bringing them back online only after testing the new system thoroughly. It is recommended that this concept be included as corporate policy.

b. Systems Usage Policy (End Users)

A second related area is computer usage. In order to effectively manage distributed computer resources, a thorough written computer usage policy must be developed and communicated. The computer system usage policy should focus on identifying the authorized uses of company computer resources. One recent survey showed that a majority of employees use company computers for personal business while at work. A good method of developing this policy is to specifically identify all of the approved uses of systems and to state that all other uses are prohibited, unless permission is secured in writing from management. The policy should also stipulate repercussions for violations.

c. Security Policy

Another critical policy is the security (or information security—InfoSec) policy. Internal auditors need to assist management in establishing fundamental security objectives tied to business objectives and assets that need protection from identified risks. One goal of the security policy is to emphasize to all stakeholders—employees in particular—that information and data are not just computer files—they are assets that have a value. A security policy will remind employees of the importance and value of information they handle, and the risks or exposures that exist. Such a policy will help create a corporate culture that is security conscious. For a good overview of why to have an InfoSec policy, and how to develop it, view Computer Emergency Response Team's (CERT's) presentation. [8]

d. Password Policy

A significant part of the security policy is a password policy. An effective password policy is a strategic advantage in maintaining strong internal controls and helps to minimize adverse events such as computer crime, fraud, and other unauthorized activities. It has been shown that an effective password system in operation prevents the majority of potential unauthorized activities. In one recent study, a researcher stated that 80% of the fraud and malicious activities he found could have been prevented with an adequate password system.

For example, a former AT&T employee stole thousands of dollars of materials after being terminated. He used his password to get into the system, then cracked the purchasing agent's password, then ordered materials and had them shipped to him at a remote location. In a similar case, a former network administrator for a medium-size firm was terminated. He later logged onto the system with his regular password and proceeded to destroy live data and online backup data. The company almost went bankrupt. Obviously, in both circumstances, the passwords for the terminated employees should have been disabled immediately upon dismissal. That simple procedure would have prevented both tragedies.

Therefore, the password policy needs to include a strong statement about authentication and authorization via access to systems using appropriate password schemes and structures, including the immediate removal of passwords when an employee is dismissed. (See Section 3.8(b) for more details on passwords; see Exhibit 3.8 for additional guidance in developing an effective password policy.)

Exhibit 3.8: Password Policy

Communication — Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization.

Multi-faceted — For example, use multiple levels of access requiring multiple passwords; use a password matrix of data to grant read-only, read/write, or no access per data field per user; use biometrics (such as fingerprints, voice prints), smart cards, or beeper personal identification numbers (PINs) in conjunction with remote logins; and user-defined procedures.

>= 6 characters — The more characters, the more difficult to guess or crack. Eight characters provide an effective length to prevent guessing, if combined with the rules below.

Mix numbers, special characters with alphabet — The more non-alpha, the harder to guess or crack. Make them case-sensitive, and mix upper and lower case.

Regular forced changes — At regular intervals, make employees change their passwords.

Protection of individual passwords — Prohibit the sharing of passwords or "post-its" with passwords located near one's computer.

Limited trials — Limit the number of attempts to access the system with invalid data to about three. Lock the account after 1-3 false attempts to prevent hacking.

Notification of significant employee changes — Make sure the IS department is notified immediately when an employee is terminated or reassigned where responsibilities require a change in system access. This process prevents a disgruntled employee from perpetrating malicious activities.
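Several rules in Exhibit 3.8 translate directly into checks. The following is an added example, not code from the book: it validates a candidate password against the length and character-mix rules, applies the limited-trials lockout, and cross-checks an account list against HR terminations and password age, which is the "notification of significant employee changes" control both incidents in the text lacked. The eight-character minimum and three-attempt lockout come from the exhibit; the 90-day rotation interval, the account names and the dates are assumptions made for the example.

```python
"""Password-policy checks from Exhibit 3.8 (added example, not the book's code).

Thresholds: 8 characters and 3 attempts follow the exhibit; the 90-day
rotation interval is an assumption. Accounts and HR data are constructed.
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 8                      # "eight characters provide an effective length"
MAX_FAILED_ATTEMPTS = 3             # "lock the account after 1-3 false attempts"
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed interval for "regular forced changes"


def complexity_problems(password):
    """List the exhibit's rules a candidate password violates; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("does not mix upper and lower case")
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("contains no special character")
    return problems


class Account:
    """Minimal account record with the 'limited trials' lockout rule."""

    def __init__(self, user, password_set_on, enabled=True):
        self.user = user
        self.password_set_on = password_set_on
        self.enabled = enabled
        self.failed_attempts = 0
        self.locked = False

    def disable(self):
        """Offboarding step: the immediate removal of access on dismissal."""
        self.enabled = False

    def record_login(self, credentials_ok):
        """Return True only for a successful login on an enabled, unlocked account."""
        if self.locked or not self.enabled:
            return False
        if credentials_ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


def review_accounts(accounts, terminated_users, today):
    """Cross-check accounts against HR terminations and password age.

    Returns {user: [finding, ...]}; an empty dict means nothing to report.
    """
    findings = {}
    for acct in accounts:
        notes = []
        if acct.user in terminated_users and acct.enabled:
            notes.append("terminated employee still has an enabled account")
        if today - acct.password_set_on > MAX_PASSWORD_AGE:
            notes.append("password older than the rotation interval")
        if notes:
            findings[acct.user] = notes
    return findings


# Constructed sample data: a review date, three accounts, one HR termination.
TODAY = date(2004, 3, 1)
ACCOUNTS = [
    Account("jsmith", date(2004, 1, 15)),
    Account("former_admin", date(2003, 6, 1)),   # left the company, never disabled
    Account("purchasing", date(2003, 11, 1)),    # password overdue for change
]
HR_TERMINATED = {"former_admin"}

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", complexity_problems(candidate) or "acceptable")
    for user, notes in review_accounts(ACCOUNTS, HR_TERMINATED, TODAY).items():
        print(user, "->", "; ".join(notes))
```

The review function is the part worth scheduling: run against the HR feed at each termination and periodically thereafter, it turns the exhibit's last item from a memo into a test with evidence.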

e. E-Mail Policy

Internal auditors should also assist management in developing an e-mail policy that describes appropriate use of corporate e-mail resources. In order to enforce the policy, management will likely need to audit e-mail messages from time to time. If there is ever a need to access an employee's e-mail messages, management should make sure that such access is stated in the e-mail policy and that all employees are aware that their e-mail could be read by management or staff. Otherwise employees rightfully could complain, maybe even sue successfully, for violation of privacy. The policy should address the unethical activities discussed later in this chapter and procedures for opening attachments—because they could carry viruses or other malicious code. It should also be signed by every employee using corporate e-mail resources.

See Exhibit 3.9 for a checklist or questionnaire about e-mail controls. Also see Section 3.6(b) for discussion on a variety of e-mail issues that are unethical or detrimental, all of which need to be considered in the e-mail policy.

Exhibit 3.9: E-Mail Questionnaire

1. Are there effective procedures and controls in place to prevent viruses from penetrating the IS of the enterprise via e-mail attachments (a thorough anti-virus system—see Exhibit 3.11)?

2. Are there effective procedures and controls in place to prevent employees from broadcasting hoax virus warnings to the employees of the enterprise?

3. Are there effective procedures and controls in place to prevent flaming by employees?

4. Are there effective procedures and controls in place to prevent spamming? Has the enterprise determined which states have laws regarding spamming, and have the details of applicable laws been incorporated into policy and controls?

5. Are there effective procedures and controls in place to prevent spoofing?

f. Business Recovery Policy

An indispensable policy is business recovery plans (a.k.a. enterprise availability, business continuity). Those plans include adequate planning for business recovery of systems (e.g., after systems become unavailable, minor disruptions), disaster recovery (natural or man-made cataclysmic events that wipe out systems), incident response plans (to deal with the effects of a deleterious event such as theft of credit cards, including bad press), and even ordinary backups of data. Because disastrous events are so rare, many organizations (most organizations, according to statistics) do not plan adequately for any of the recovery procedures. However, the simple truth is every organization will deal with business recovery in some form or other, to some extent or scope. Not only can natural or man-made disasters disrupt the commercial affairs of an organization, but system errors, system failures, hacking, or other computer attacks can also cause disruption.

For disaster recovery, the policy should include some basics of the disaster recovery plan. For example, the ability to recover critical operations with minimal downtime should be the objective of the plan and the foundation of the policy. The plan itself should cover backup measures for a site, hardware, system software, application software, data, supplies, and documentation (see Exhibit 3.10). In addition, the plan should include a means to develop a ranking of critical applications and to test for effectiveness.

Exhibit 3.10: Disaster Recovery Plan

Site — A backup site facility, including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of the same company swaps availability when needed.

Hardware — Some vendors provide computers with their site, known as a "hot site" or recovery operations center. Some do not provide hardware, known as a "cold site." When not available, make sure the plan accommodates compatible hardware (e.g., ability to lease computers).

System Software — Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.

Application Software — Make sure copies of critical applications are available at the backup site.

Data Backups — One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.

Critical Applications — Rank critical applications so an orderly and effective restoration of computer systems is possible.

Team — The specific team members and their roles should be written, understood, and rehearsed. The team leader is a critical success factor of the plan.

Supplies — A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.

Documentation — An adequate set of copies of user and system documentation. Also, the steps and elements of the plan itself should be documented with adequate detailed information.

TEST! — The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

Results from one survey show data losses were due to hardware or system malfunctions (44%), human error (32%), software malfunctions (14%), viruses (7%), and natural disasters (3%). To survive such events with minimal losses, a business needs to formalize recovery procedures into a business recovery plan. It serves this purpose and provides protection against other undesirable events, and usually goes beyond such ordinary business decisions as insurance. Obviously, it is critical when disasters actually occur (e.g., hurricanes, floods, or the attacks on the World Trade Center on September 11, 2001). A cost-benefit analysis will also make plain the necessity of having an appropriate set of business recovery plans. Therefore, internal auditors should encourage management to have written policies about restoring or recovering systems and/or data before a detrimental event occurs.
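Exhibit 3.10 twice says to test: the restore function of data backups, and the plan as a whole. As an added example, not code from the book, here is a small restore test of the first kind: it archives a constructed data directory together with a SHA-256 manifest of every file, restores the archive into a fresh directory, and checks the restored files against the manifest, reporting anything missing, altered or unexpected; it then damages one restored file to show the check catching it. The sample files, their contents and the paths are constructed for the example.

```python
"""Backup restore test with a SHA-256 manifest (added example, not the book's code).

Builds an archive of a constructed data directory, restores it elsewhere and
verifies every file against the manifest recorded at backup time.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(data_dir):
    """Map each file's path relative to data_dir to its SHA-256 digest."""
    data_dir = Path(data_dir)
    return {str(p.relative_to(data_dir)): sha256_of(p)
            for p in sorted(data_dir.rglob("*")) if p.is_file()}


def make_backup(data_dir, archive_path):
    """Archive data_dir under the member name 'data' and store the manifest beside it."""
    manifest = build_manifest(data_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(data_dir), arcname="data")
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def check_against_manifest(manifest, restored_dir):
    """Return a list of problems; an empty list means the restore matches the manifest."""
    restored_dir = Path(restored_dir)
    problems = []
    for rel, expected in manifest.items():
        target = restored_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"corrupted: {rel}")
    extra = sorted(set(build_manifest(restored_dir)) - set(manifest))
    problems.extend(f"unexpected: {rel}" for rel in extra)
    return problems


def verify_restore(archive_path, restore_dir):
    """Restore the archive into restore_dir and verify it against its manifest."""
    manifest = json.loads(Path(f"{archive_path}.manifest.json").read_text())
    # The 'data' extraction filter (Python 3.12+, backported to maintenance
    # releases) refuses absolute paths and path traversal in archive members.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive_path), "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    return check_against_manifest(manifest, Path(restore_dir) / "data")


def demo():
    """Round-trip a constructed data set; return (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "ledger").mkdir(parents=True)
        # Constructed sample files standing in for application data.
        (live / "ledger" / "2004-q1.csv").write_text("acct,amount\n1001,250.00\n")
        (live / "customers.txt").write_text("Sam Pole Company\n")

        archive = Path(tmp, "backup.tar.gz")
        manifest = make_backup(live, archive)

        restore = Path(tmp, "restore")
        clean = verify_restore(archive, restore)

        # Damage one restored file to show the manifest check reporting it.
        (restore / "data" / "customers.txt").write_text("garbage\n")
        tampered = check_against_manifest(manifest, restore / "data")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore problems:", clean)
    print("after tampering:", tampered)
```

Storing the manifest with the off-site copy, and running the restore on the backup-site hardware rather than the production machine, is what turns this from a checksum exercise into the test Exhibit 3.10 asks for.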

g. Privacy Policy

Information about individuals, either personal data or data about actions, is generally considered private information. If an entity observes an employee secretively, it can be taken as intrusive; in some cases, the legal system considers it an invasion of privacy. To protect the company from either of these injurious events, the company should protect the private information of employees wherever possible. When data is captured to ensure compliance with policies, employees should be asked to sign the pertinent policy to ensure their knowledge of this type of observation, the type of data about the employee being captured, and the ramifications for violations.

For entities that have interactions with customers or clients over the Internet, a privacy policy should be developed for them regarding information collected by the entity (e.g., cookies). Then, this policy should be easily found on the web site home page and accessible to all customers or prospects. It is important for customers or potential customers to know how the entity will use their information, what the cookies will contain, and how they will function in order to make them comfortable in conducting business online.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.6 REV NO: DATE:

TITLE: Risk Assessment PAGES:

[7] See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.

[8] www.cert.org/present/cert-overview-trends/module-6.pdf.

3.6 Risk Assessment

Risk assessment is a critical step in building an effective internal control system that has the ability to manage undesirable events, primarily because it strategically focuses attention on the most likely trouble spots with the highest costs rather than general protection. The IIA focuses on risk assessment in IA activities and standards. Under the Performance Standards of the IIA's Standards for the Professional Practice of Internal Auditing, the first topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals." Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have long begun their process of financial audits with the audit formula—assessing inherent risk, control risk, detection risk, audit risk, and business risk. In SAS No. 78: Consideration of Internal Control in a Financial Statement Audit, [9] the AICPA institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control. The five major areas of internal control include (1) Control Environment, (2) Risk Assessment, (3) Information and Communication, (4) Monitoring, and (5) Control Activities. Lately, internal auditing has also put more focus on risk assessment. The current definition of internal auditing by the IIA states:

Internal auditing is an independent, objective assurance and consulting activity to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

In 2000, the IIA basically adopted risk assessment as the cornerstone of audits in its Standards. In the Nature of Work section (SPPIA 2100), the first standard relates to Risk Management (SPPIA 2110). It states: "The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems." In order to develop effective audit planning, some type of risk analysis is necessary because it provides strategic direction for limited resources.

One model for investigating risks is to view them as internal risks and external risks. This manual uses this simple model for discussing some of the more common risks that exist in the average organization. See Section 6.1(b) of this manual for more about risk assessment, especially as it relates to audit planning.

22 Chapter 3: Internal Control System

a. Risk Assessment: Internal Perspective

An effective risk assessment must emphasize a good understanding of the internal risks (i.e., risks from within the organization). Despite the high-profile stories of hackers in the public press, research shows that about 75 to 80% of frauds and malicious activities actually originate from within the organization. An appropriate risk assessment would not only identify the specific risks associated with malicious activities, accidents, and other activities for the specific organization but perhaps put more emphasis on them than on external threats—depending on the specific system, risks, and threats.

There are several groups to think about in assessing risk from internal sources. Disgruntled employees as a group probably present the highest risk—even more than hackers external to the firm. These people can be motivated to cause extensive harm to the organization and, depending on their knowledge and access to systems, data, and assets, may cause very costly damage.

Second, management itself is a risky group. Because of their unique position to override controls, they can more easily commit fraud, especially financial fraud. If management is subjected to monetary pressures (e.g., they have stock options, but declining profits are driving stock prices down, or their bonuses are based on profits, etc.), they may be tempted to "cook the books." Even the normal aggressive nature of driven managers can become a risk if not mitigated by strong personal and corporate ethics, and an effective internal control system (e.g., audit committee). One management accountant reported his dilemma when his boss wanted him to reverse a correct accounting transaction because it caused a department to miss its profit goals (budget variances) for the first time in months. Such actions are indicative of ethical soft spots that can lead to fraud, theft, or material misstatements. Because of the nature of internal audit, it is difficult to assess this risk, but it should be analyzed thoroughly by external auditors during financial audits.

Another dangerous group is employees with personal problems. These conditions can motivate fraud, theft, or misuse of assets. For example, a person who has a severe deficit cash flow, for whatever reason (e.g., gambling, excessive lifestyle, etc.), coupled with weak controls or opportunity, may be tempted to steal assets to cover personal losses, often with the intent to "pay back" the organization shortly. Numerous reported frauds give credence to this particular set of risky circumstances internally. It is also possible someone in the firm will become an industrial spy.

Malicious activities include destructive activities directed at the data or information system, communications to outsiders that would be detrimental to the organization, theft or fraudulent activities related to assets, and other similar activities.

A sample of accidents using the internal view would include the following: inadvertent data destruction (e.g., erasing a hard drive), unintentional IS interruptions (e.g., infesting it with a virus or worm), errors in systems development, and errors in accounting data.

Another area of concern is ineffective accountability. It is possible to create a strong set of appropriate internal controls only to have them fail to operate effectively. For example, well-designed systems provide error reports or logs where errors have been detected but not corrected. Failure to review such reports on a timely basis and provide corrective action quickly not only fails to correct an existing error but may likely lead to further errors. First, if the error is systematic, then obviously it will occur again when the circumstances are duplicated. Second, if the error report has actually identified a fraudulent event, this oversight can inadvertently allow the fraud to be perpetrated without discovery. A similar result can happen if management fails to enforce policies when violations occur. Such neglect could encourage further violations or even extend the scope of violations, since employees would know that repercussions are not forthcoming.
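The review step described above can be checked mechanically rather than left to memory. The following is an added example (this editor's illustration, not a procedure from the book or the Sam Pole manual) that reads a constructed exception report and flags the two failure modes just named: entries that were detected but are still uncorrected past a review deadline, and error codes that keep recurring, which points to a systematic cause that was never fixed. The report columns, error codes and the seven-day review window are assumptions made for the example.

```python
"""Ageing and recurrence check for a detected-but-not-corrected error report.

Added example, not from the book or the Sam Pole manual. The report format,
the error codes and the review window are constructed for illustration."""
import csv
from collections import Counter
from datetime import date, timedelta
from io import StringIO

# Constructed sample exception report, as an application might export it.
SAMPLE_REPORT = """\
id,detected,error_code,description,status
1001,2001-03-01,E-DUP-PAY,Duplicate vendor payment,open
1002,2001-03-02,E-BAL,Batch total mismatch,resolved
1003,2001-03-05,E-DUP-PAY,Duplicate vendor payment,open
1004,2001-03-10,E-NOAUTH,Payment above limit without approval,open
1005,2001-03-12,E-DUP-PAY,Duplicate vendor payment,resolved
1006,2001-03-14,E-BAL,Batch total mismatch,open
"""


def parse_report(text):
    """Rows of the report with the `detected` column parsed to a date."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["detected"] = date.fromisoformat(row["detected"])
        rows.append(row)
    return rows


def overdue_entries(rows, as_of, max_age_days=7):
    """Ids of entries still open `max_age_days` or more after detection,
    measured at the ISO date `as_of`: detected, but never corrected."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(r["id"] for r in rows
                  if r["status"] == "open" and r["detected"] <= cutoff)


def recurring_codes(rows, min_occurrences=2):
    """Error codes that keep coming back, resolved or not: the same
    circumstances reproduce the same error until its cause is fixed."""
    counts = Counter(r["error_code"] for r in rows)
    return {code: n for code, n in sorted(counts.items()) if n >= min_occurrences}


def review_summary(text, as_of, max_age_days=7):
    """Both findings for one report, suitable for a reviewer's sign-off."""
    rows = parse_report(text)
    return {"overdue": overdue_entries(rows, as_of, max_age_days),
            "recurring": recurring_codes(rows)}


if __name__ == "__main__":
    print(review_summary(SAMPLE_REPORT, "2001-03-15"))
```

Run against the constructed report as of 15 March, entries 1001 and 1003 are overdue and the codes E-DUP-PAY and E-BAL recur; the recurrence of a resolved code is deliberately reported too, because resolving individual entries is not the same as correcting the underlying cause.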

Chapter 3: Internal Control System 23

One other observation must be made concerning internal controls, fraud, and management. COSO made a study of 200 randomly selected cases of alleged financial fraud investigated by the Securities and Exchange Commission—about two-thirds of the 300 SEC probes into fraud between 1987 and 1997. In that decade, most of the financial frauds among public companies were committed by small corporations—well below $100 million in assets. Top senior executives were involved in most of the cases (CEO and/or CFO in 83% of the cases). The average misstatement or misappropriation of assets was $25 million, with a median of $4.1 million. The size of the fraud relative to the size of the company is quite large. Some companies committing fraud were experiencing net losses or were at close to break-even positions in periods before the fraud. Pressures of financial strain or distress may have provided incentives for fraud for some companies. For internal auditors of firms of this size, these findings provide valuable input to a risk assessment.

b. Risk Assessment: External Perspective

An effective risk assessment must also emphasize a good understanding of the external risks (i.e., risks from outside the organization), especially if the firm has a web server connected to its internal systems, or has remote access to networks. If the company has remote access to its computer systems, it should be concerned about unauthorized access by users external to the organization. Unauthorized access would most likely eventually lead to some detrimental activities.

If the company has employed electronic commerce, there are a number of risks to consider. These risks, being unique, require some special expertise regarding internal controls. It begins with security of data.

While online, there is a risk that the data used in an e-commerce transaction might be stolen. However, secure sockets layer (SSL) and secure electronic transaction (SET) have proven to be nearly invincible, using encryption combined with public keys to protect data while exposed online. Both serve as effective tools in preventing theft of data while online. It is after the online transaction is consummated that credit card data has been stolen. For example, one online storefront selling compact discs (CDs) took down its firewall to upgrade the system. Once the upgrade was completed, the connection was restored but IS employees forgot to reactivate the firewall. Crackers broke through the system and stole files containing thousands of credit cards, and then held the firm hostage—threatening to post the credit card data on the Internet unless the firm paid the ransom. The episode was devastating to the CD company, causing its financial collapse. This also demonstrates the combination of risks: an accident (firewall not restarted) and crackers (stolen credit card data). There are other reports of "crackers" (see "Types of Criminals" in this chapter for definition and description of cracker) stealing credit card data, but always from files on the back office computers or web servers after the transactions were completed online.

Some adverse activities have the objective of disrupting service (availability). For instance, denial of service (DoS) and/or distributed denial of service (DDoS) attacks are examples of crimes other than theft, in which crackers bring down an e-commerce server with technically devised computer attacks. One series of attacks brought down eBay and Yahoo, among others, in early 2000. Yet even here, there were early warnings from certain groups that a DDoS attack was pending.

The likelihood of these kinds of attacks depends on whether they occur because of personal reasons (e.g., vengeance from a disgruntled former employee or a computer whiz out to get your business) or because the organization is high-profile (e.g., government entity, eBay, Yahoo, amazon.com, etc.). For internal auditors, that means the level of risk is lower if the company has a low profile, is not a government entity, or has a low level of online transactions. Nevertheless, there is a serious threat to anyone connected to the Internet today, including the desktop computers of a firm.

The highest risk associated with the Internet is neither hackers nor crackers but viruses or worms. It is relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g., automatically open attachments) and the address book on each computer. One relatively easy and cheap way to stop the spreading from a single infected computer is to add a bogus e-mail address to the address book that will sort to the top. The costs of damages created by viruses and worms in 2001 ran $12 billion—each of the several successful ones perpetrated costing millions. Therefore, it is very important for internal auditors and the internal control system to address this risk specifically and conscientiously. Anti-virus software alone is insufficient as a control. For instance, new viruses would not be included in the database/definitions of an anti-virus system. Thus, some sort of dynamic, daily warning system is necessary. Several mailing lists offer this service, including CERT, [10] SANS, [11] and Zdnet, [12] and IA should ensure the responsible party is subscribed to this kind of mailing list. Exhibit 3.11 provides a model for an effective anti-virus system.

24 Chapter 3: Internal Control System

Exhibit 3.11: Anti-Virus System/Model

1. Anti-virus software installed on all PCs (with online updates available).

2. Require regular desktop and laptop updates of virus definitions and databases (use e-mail reminders and/or policy).

3. Responsible person or group subscribes to a credible virus alert mailing list (Cnet, Zdnet, Norton Anti-Virus Center, CERT, and others) to identify emerging viruses that cannot be detected using existing anti-virus databases, and to be able to get the newest anti-virus definitions when a new virus is released on the Internet.

4. Regular virus scans of the hard drives of desktops and laptops (part of regular anti-virus maintenance).

5. Filter e-mail servers (using routers, firewalls, or software) for potential viruses.

6. Other measures as appropriate in a particular enterprise (e.g., removal of floppy drives).

7. Training of all employees (e.g., during orientation).

8. Measures to prohibit propagation of hoax viruses (e.g., policy to not forward virus warnings except by executive designate).

There are several other problem areas or risks associated with e-mail. One is the fact that some virus warnings via e-mail are simply hoaxes. They are a problem, but much less costly than real viruses. Yet it only takes a minute to access one of the several hoax centers (e.g., Computer Incident Advisory Capability (CIAC), [13] Norton Anti-Virus Center [14]) to authenticate the message before forwarding it to everyone you know—the hidden purpose of the perpetrator. One suggestion regarding policy is to forbid broadcasting virus warnings from anyone other than a designated person or group. If a person receives a message and he/she thinks it is legitimate, that person would be required to forward the message to the enterprise anti-virus person or group. This person or group can then authenticate any virus warnings and broadcast appropriate messages. By centralizing broadcast warnings, the enterprise can eliminate the waste of resources associated with hoax viruses (time to delete, clogging bandwidth with numerous bogus messages, etc.).

Another e-mail risk to consider is flaming (electronic smash mouth, trash talking, derogatory messages, and even biased remarks). Such use of corporate e-mail should be prohibited, whether the attack is on another employee or on the company. It can be a serious problem, even leading to litigation, if it involves sexual harassment or racial slurs.

Spamming (junk e-mail) is a risk because it can clog bandwidth much like hoax viruses. Many states have laws against spamming. But as long as the message has some mechanism to disable future messages, it is not considered spamming, although often such mechanisms do not work. Internal auditors should investigate spamming legislation in the states where the enterprise has servers and promote an appropriate policy regarding the handling of spamming—received or sent. America Online (AOL) has a strict policy regarding spam and enforces it—as such AOL serves as a good model to follow. Anti-spam software packages are available but some have problems making a consistent distinction between spam and legitimate e-mail.

25 Chapter 3: Internal Control System

Spoofing (impersonating) can also be a risk. Spoofing refers to e-mail messages that pretend to be sent (authorized) by someone who has no knowledge of the message. For example, an e-mail message could be broadcast to the enterprise's employees informing them of a day off, or some other message, and give the appearance of being authentic (such as the signature of an executive), yet be a bogus message. Exhibit 3.9 provides a questionnaire for internal auditors that could be used to audit the e-mail services of an entity.

There are objects or code agents that pose threats similar to viruses or worms—be it applets, scripts, ActiveX elements, or other objects. Be sure the IS department has taken the necessary precautions to prevent these objects from carrying out destructive code. Crackers and script kiddies also take advantage of security holes in systems. These holes allow outsiders to gain unauthorized access to systems, after which they can carry out a wide variety of malicious activities, all unnoticed. Controls and procedures need to be developed to effectively protect against such attacks and risks. See Exhibit 3.12 for a set of basic vulnerability controls, Exhibit 3.13 for a questionnaire related to vulnerabilities, and Exhibit 3.14 for a list of the Top 20 vulnerabilities. The latter, developed by SysAdmin, Audit, Network, Security (SANS) and the FBI, documents the vulnerabilities most often used by attackers and intruders.

Exhibit 3.12: A Basic Vulnerability Plan

1. List of probable vulnerabilities (broad scope of input).

2. Use list as checklist to plug applicable vulnerabilities.

3. Subscribe to security-related mailing list (security alerts).

4. Regularly use the alerts to plug emerging leaks.

5. ALWAYS test all changes, fixes, plugs OFFLINE before putting the system back online.

Exhibit 3.13: Sample Questionnaire/Inquiry

□ There is a reputable source or list of applicable vulnerabilities to our information systems.
□ The list is reviewed on a regular basis to see that all applicable vulnerabilities have been corrected.
□ There is a credible source to update the list for emerging vulnerabilities.
□ The updates are reviewed daily (weekly) for applicable ones, and corrections made.
□ Both processes are reported or checked off by a responsible party in InfoSec.
□ The system is tested on a regular basis for known vulnerabilities or potential exposures.
□ Fixes and changes are first thoroughly tested on systems OFFLINE before being allowed online.

Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502) [15]

G1—Default installs of operating systems and applications

G2—Accounts with no passwords or weak passwords

G3—Non-existent or incomplete backups

G4—Large number of open ports

G5—Not filtering packets for correct incoming and outgoing addresses

G6—Non-existent or incomplete logging

G7—Vulnerable CGI programs

W1—Unicode vulnerability (web server folder traversal)

W2—ISAPI extension buffer overflows

W3—IIS RDS exploit (Microsoft Remote Data Services)

W4—NETBIOS—unprotected Windows networking shares

W5—Information leakage via null session connections

W6—Weak hashing in SAM (LM hash)

U1—Buffer overflows in RPC services

U2—Sendmail vulnerabilities

U3—BIND weaknesses

U4—R commands

U5—LPD (remote print protocol daemon)

U6—sadmind and mountd

U7—Default SNMP strings

26 Chapter 3: Internal Control System

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 3.7   REV NO:   DATE:
TITLE: Control Strategies   PAGES:

[9] SAS No. 78 revised SAS No. 55—the same topic.

[10] See www.cert.org.

[11] See www.sans.org.

[12] See www.securityresponse.symantec.com/avcenter or www.norton.com.

[13] See www.ciac.org/ciac by U.S. Department of Energy.

[14] See www.securityresponse.symantec.com/avcenter/ or www.norton.com.

[15] G = General Vulnerabilities, W = Windows Vulnerabilities, U = UNIX Vulnerabilities. See www.sans.org/top20.htm.

Chapter 3: Internal Control System 27

3.7 Control Strategies

Effective control activities can help to mitigate the risks identified in the risk assessment. Control activities are developed at least in part from proven control strategies. Specific controls, such as CAATTs, are identified in "Specific Controls/CAATTS" in this chapter. Control activities will be presented in two models and some other general areas of control activities, with specific illustrations. The two models are discussed to provide a way for internal auditors to think about developing general control activities and objectives.

a. Fourfold Perspective of Controls Model

Before developing management policies, management needs to have a general understanding of how to design effective internal controls. The management of undesirable events is one aspect, which is divided into four perspectives. The first is prediction. The second is preventive controls that will minimize the possibility of a risk occurring. The third and fourth are detective and corrective, where controls are able to detect undesirable events after they have occurred and in some cases automatically correct them—in others they provide the means to correct them. Obviously, predictive and preventive measures are more efficient and less harmful and therefore should be premier in building the internal control system.

i. Prediction

The first area, prediction, is the most difficult. Profiling and background checks are specific activities that serve to predict malicious behavior or actions. Others include systems that are capable of generating accurate warnings regarding malicious activities. Two examples are certain mailing lists and Internet warning systems. One good example is the early warning system of a mailing list for malicious activities such as viruses and security vulnerabilities. When a new virus is released on the Internet, several organizations watch for them and publish early warnings via a mailing list. These organizations include non-profit or government ones such as CERT, some of the anti-virus manufacturers such as Norton, and technical publications such as ZDnet. Since anti-virus software is vulnerable to a new virus, such a system is both "predictive" and preventive, and as such is critical to protecting assets (see Exhibit 3.11 to illustrate the inclusion of a predictive step in an anti-virus set of controls). Another type of predictive control is an Internet-wide monitoring system such as those employed by CERT, [16] BUGTRAQ, [17] and the Internet Storm Center (ISC). [18] The latter uses a similar approach as the virus warning systems—to monitor the Internet in a broad manner to determine if any malicious activity is emerging. The infamous Berkeley Internet Name Domain (BIND) attack is an example of how access to the ISC serves as a predictive control.

On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53—the port that supports the domain name service. Attacks on port 53 are significant only because the software program called BIND [19] uses that port, and versions of BIND that had not been recently updated had a vulnerability that attackers could use to take over the systems. [20] Thousands of organizations that had not updated their version of BIND were being infected with a worm called Lion. Lion stole password files from infected machines and sent them to a site in China, and it installed a distributed denial of service (DDoS) tool so that the infected machines could be used in denial of service attacks. But hundreds of intrusion detection sensors that were logging attacks had become part of regional and industry-specific security monitoring networks. They sent their logs to analysis sites. There the data was aggregated and charted automatically, and posted for analysis at SANS. Analysts immediately saw a spike in the number of attacks on DNS Port 53. Some kind of man-made "electronic storm" (actually an electronic packet storm) was sweeping through the Internet. The analysts determined what damage the worm did and how it was able to do it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just 14 hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack in progress, telling them where to get the program to check their machines, and advising what to do to avoid the worm. This episode demonstrates the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious, which allowed the expeditious response to slow and then stop the attacks—and serve as a predictive control for many organizations.

28 Chapter 3: Internal Control System
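The aggregation step that made the port 53 spike visible can be shown in a few lines. What follows is an added example written for this edition; it is this editor's illustration, not code from the book, SANS or the Internet Storm Center, and the sensor log format, the sample lines and the thresholds are all constructed. It buckets probes from several sensors by hour and destination port, compares each hour against the mean of the hours before it, and reports a "storm" only when the spike is corroborated by several sensors, which is the point of the episode above: a burst seen at one site is noise, the same burst seen across regions at once is an attack in progress.

```python
"""Storm detection over aggregated intrusion detection logs.

Added example, not from the book, SANS or the Internet Storm Center. The log
format, the sample lines and the thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sensor log lines: "<ISO timestamp> <sensor> <source-ip> -> <dst-port>".
# Hours 00 and 01 are quiet; in hour 02 every sensor sees probes on port 53.
SAMPLE_LOGS = """\
2001-03-22T00:10:00 sensor-east 10.0.0.1 -> 80
2001-03-22T00:20:00 sensor-west 10.0.0.2 -> 53
2001-03-22T00:40:00 sensor-north 10.0.0.3 -> 22
2001-03-22T01:05:00 sensor-east 10.0.0.4 -> 80
2001-03-22T01:15:00 sensor-south 10.0.0.5 -> 53
2001-03-22T01:50:00 sensor-west 10.0.0.6 -> 80
2001-03-22T02:01:00 sensor-east 192.0.2.10 -> 53
2001-03-22T02:02:00 sensor-west 192.0.2.11 -> 53
2001-03-22T02:03:00 sensor-north 192.0.2.12 -> 53
2001-03-22T02:04:00 sensor-south 192.0.2.13 -> 53
2001-03-22T02:05:00 sensor-east 192.0.2.14 -> 53
2001-03-22T02:06:00 sensor-west 192.0.2.15 -> 53
2001-03-22T02:07:00 sensor-north 192.0.2.16 -> 53
2001-03-22T02:08:00 sensor-south 192.0.2.17 -> 53
2001-03-22T02:09:00 sensor-east 192.0.2.18 -> 53
2001-03-22T02:10:00 sensor-west 192.0.2.19 -> 53
2001-03-22T02:30:00 sensor-east 10.0.0.7 -> 80
"""


def parse_logs(text):
    """Parse sensor lines into events bucketed to the hour they occurred in."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, _arrow, port = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        events.append({"hour": hour, "sensor": sensor, "src": src, "port": int(port)})
    return events


def aggregate(events):
    """Probe counts and distinct reporting sensors per (hour, port), all sensors pooled."""
    counts = defaultdict(lambda: defaultdict(int))
    sensors = defaultdict(lambda: defaultdict(set))
    for e in events:
        counts[e["hour"]][e["port"]] += 1
        sensors[e["hour"]][e["port"]].add(e["sensor"])
    return counts, sensors


def find_storms(events, factor=5.0, min_count=5, min_sensors=3):
    """Flag (hour, port) pairs whose probe count is at least `factor` times the
    mean of all prior hours (or a port never seen before) and that at least
    `min_sensors` different sensors reported. `min_count` keeps tiny numbers
    from producing large ratios."""
    counts, sensors = aggregate(events)
    hours = sorted(counts)
    storms = []
    for i, hour in enumerate(hours):
        prior = hours[:i]
        if not prior:  # the first hour has nothing to be compared against
            continue
        for port, n in counts[hour].items():
            if n < min_count or len(sensors[hour][port]) < min_sensors:
                continue
            baseline = sum(counts[h].get(port, 0) for h in prior) / len(prior)
            if baseline == 0 or n >= factor * baseline:
                storms.append({"hour": hour.isoformat(), "port": port, "count": n,
                               "baseline": baseline,
                               "sensors": len(sensors[hour][port])})
    return storms


if __name__ == "__main__":
    for storm in find_storms(parse_logs(SAMPLE_LOGS)):
        print(f"{storm['hour']} port {storm['port']}: {storm['count']} probes "
              f"(baseline {storm['baseline']:.1f}) from {storm['sensors']} sensors")
```

On the constructed data only hour 02 on port 53 is reported: ten probes against a baseline of one per hour, seen by four sensors. The single port 80 probe in the same hour and the modest rise of port 80 in hour 01 stay below the count and ratio thresholds, which is the behaviour a monitoring network wants before it pages 200,000 people.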

The technology, people, and networks that found the Lion worm were all part of the SANS Institute's Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November 2000. CID's contribution the night of March 22 was sufficient to earn it a new title: Internet Storm Center. Today Internet Storm Center gathers more than 3 million intrusion detection log entries every day. It is rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. Internet Storm Center is a free service to the Internet community. The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. [21]

Another source that can serve as a predictive control is CERT. The CERT Coordination Center (CERT/CC) is located at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10% of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. Since then, the CERT/CC has helped to establish other response teams, and their incident handling practices have been adapted by more than 200 response teams around the world. CERT focuses on protecting systems against potential problems, reacting to current problems, and predicting future problems. The organization's work involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help entities improve security at their site. The security alerts and mailing lists are excellent sources for predictive controls.

It could be argued that the internal auditor's experience and professional judgment have predictive powers of sorts. If the company is experiencing a high degree of pressure in the stock market (e.g., declining stock prices, earnings per share below street predictions), and there is a weakening or soft profitability (e.g., declining profits, declining revenues, economic woes of some sort), and personal weaknesses in executives (e.g., lifestyle is high or beyond means, weak personal ethics), then there is a high risk of financial fraud; that is, it could be predicted. Most major financial frauds of the past have these factors in common. For employees, it is opportunity (exposure) combined with personal weaknesses; and the possible result is theft. Many past employee thefts have these traits in common. Therefore, the professional judgment of auditors should be viewed as and used as a predictive control. For financial fraud, this "control" is effective if, and only if, the internal auditors report directly to the audit committee.

Some emerging technologies are being used to build predictive models with a relatively high degree of accuracy. Technologies such as artificial neural networks (ANN) have been shown to be more accurate than other modeling tools at making predictions where the data is extensive or complicated. Studies have shown the ability of ANN to predict with a relatively high degree of accuracy such events as financial distress of a firm (e.g., bankruptcy). Therefore it is not beyond the realm of possibility to use an ANN to build a predictive model for control breaches, "training" it by using actual past data. However, it does take special skills to properly build such a system.

ii. Prevention

Secondly, activities should be implemented where the objective is to prevent malicious activities. For InfoSec and Internet resources, a multi-layered firewall is a good control. That is, a single firewall control, such as a router with filters, is a weak control (i.e., becomes an exposure). A better control is a firewall that has multiple layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software applications to prevent errors in data. System access likewise needs preventive controls to prohibit unauthorized access of systems and data.

29 Chapter 3: Internal Control System

iii. Detection

It is much easier to develop controls for detection, the third perspective. For InfoSec, there are some developing, effective means of detecting general Internet attacks. For example, the Internet Storm Watcher [22] gathers information in real time from logs all over the Internet. When a general attack is made, the Storm Watcher is able to spot it much like a weather system predicts a physical storm. Monitoring systems that measure traffic on specific ports of the Internet and then graph it can produce an outcome that can detect an intruder hacking into a system. There are more sophisticated intrusion detection systems, but any enterprise with risks associated with the Internet needs a detection system commensurate with its level of risk.

Artificial neural networks mentioned above also have been shown to be able to detect fraudulent events or transactions. Studies have shown that a detective model can be built to recognize potential fraudulent transactions after having been trained by using actual past data (i.e., actual valid transactions and actual fraud transactions). Such a system could potentially then "sit" on top of the processing systems and filter transactions looking for potential fraudulent ones. Once a suspicious transaction is detected, the ANN would warn someone in IA directly, giving IA and the firm a chance to detect a fraudulent or irregular transaction as it is being conducted, rather than detecting it weeks or months later in an audit. There is a need to make sure such a system does not seriously impede the processing of transactions in the corporate system (i.e., IS performance). Again, it does take special skills and knowledge, as well as a set of transactions to do the training.

iv. Correction

The last perspective, correction, is another fruitful source of controls. For instance, logs that generate a list of detected errors and the procedures to correct them are a critical component of applications and systems. Other types of correction controls include disaster recovery plans, business recovery plans, and incident response plans—all intended to correct the damage from major catastrophes.

b. Information Systems and Controls Model

A second model applies to controls in general: physical and computer. Computer control is subdivided into general and application controls (see Exhibit 3.15).

Exhibit 3.15: IS Model of Controls

Computer Controls
  General Controls: Passwords; Locked Doors
  Application Controls: Input Controls; Processing Controls; Output Controls; Batch Controls

Physical Controls
  Transaction Authorization; Segregation of Duties; Supervision; Accounting Records; Access Control; Independent Verification

i. Physical Controls

Physical controls involve controls of a manual nature (see Exhibit 3.16). Some examples follow for illustrative purposes and are not exhaustive.

30 Chapter 3: Internal Control System

Exhibit 3.16: Physical Controls

1. Transaction authorization (manual procedures)

2. Segregation of duties (IS processes, accounting processes, etc.) (authorization versus processing, custody versus recordkeeping, and such that fraud requires collusion)

3. Supervision (compensating control when unable to use segregation of duties)

4. Accounting records

5. Access controls (direct, indirect)

6. Independent verification (performance, system integrity, data integrity)

Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are processed by the accounting system with integrity and in compliance with management policies and objectives. Using management decision rules, certain recurring transactions become a programmed procedure, or operate under general authority. Other decisions of a non-routine nature need specific authority.

Segregation of duties is another important type of physical control. Three good rules of thumb for developing controls using segregation of duties are: (1) separate authorization of transactions from processing them, (2) separate custody of assets from record keeping, and (3) create controls such that a successful fraud can only be perpetrated using collusion. The latter generally can be accomplished by separating steps of the process between different individuals. Also, make sure segregation of duties extends beyond the typical area of basic accounting functions. For example, segregation of duties has many applications in IS processes and database management.

Some of the controls that illustrate proper segregation of duties in IS are:

• Separate systems development from computer operations. This control should both deter fraud and increase the quality of documentation.

• Separate new systems development from maintenance, which also should increase the quality of documentation. If this separation is not possible, systems analysis can be separated from programming. This alternate organizational structure could lead to weaker documentation and creates an exposure for programming, leaving it open to possible malicious code (e.g., back doors, salami slicing).

• Separate the database administrator (DBA) from other database and systems functions, computer operations, development, and maintenance.

• Separate the data library function from computer operations, development, and maintenance. If the enterprise stores data tapes, backups, or other centralized storage, then a data librarian serves as custodian of the data asset. Some enterprises include original software and their licenses in the "library" as well. Documentation of in-house software, including original source code, should also be housed in the library. Software and data assets should be treated much like inventory assets when it comes to controls. That is, they need to have a custodian, strict procedures for checking assets in and out, and an adequate audit trail of transactions (where the assets go, why, and in this case, their safe return). If a permanent librarian is not feasible, the rotation of a person on an ad hoc basis should suffice as an adequate control.

• Use of a data control group. This group (or person) serves as a control between operations and end users—including management. They perform tasks such as: review and test computer procedures, monitor data processing, review and distribute computer output, serve as liaison with end users, and review control logs from data processing. Therefore, this group, if employed, should be separated from operations and systems development.

Other segregations may be necessary depending on the circumstances, size, and other issues pertinent to the enterprise. (See Section 3.7(f) for more on segregation of duties.)

Supervision is a vital part of physical controls. When segregation of duties becomes impractical, supervision is the default compensating control. This control includes formal reporting and procedures as well as physically supervising a person or process.

Accounting records should be kept in such a way as to prevent unauthorized physical access. That is, safeguard documents (e.g., checks) and physical accounting records (ledger cards).

Access controls (direct and indirect) are addressed in Section 3.8(b), and are a part of physical controls. Direct controls involve physical access to assets such as inventory or cash. Indirect controls relate to documents and processes that control such assets (e.g., credit memos, purchase orders, etc.).

Management also will assess the integrity of the computer system and data on an ongoing basis as a part of independent verification. Internal controls should also be implemented for independent verification of data. A classic control in this category is the comparison of physical assets with accounting records, but it also includes controls such as reviewing management reports.

ii. Computer Controls: General

Computer controls are subdivided into general and application. This section addresses general computer controls.

They would include controls such as locked doors for sensitive areas (e.g., data storage, mainframe room). They should also include controls regarding the development of new systems. These controls might include:

• Requiring a written request with justification from user(s)

• Requiring a written evaluation and authorization of this request by IS staff

• Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to ensure the inclusion of adequate controls during development)

• Requiring adequate documentation procedures

• Requiring a written report on the testing (probably re-introduce CISA or CIA to the process at this point)

• Requiring full off-line testing for new applications, hardware, or systems before activation online, and

• Requiring training on new applications before implementation

Major changes to existing software systems should generally follow the same set of controls.

There should also be controls regarding computer operations. For example, the system should build a log of activities including application used, data used, and manipulations made, how long the user used the data or application, and the identification of users. Some operating systems have the ability to build this kind of log (see "Logs and Auditability" in this chapter for more information). There should be some kind of controls for the receipt of data for keying (if feasible) and for the distribution of output (e.g., data control group). Data backups (tapes or disks) should have controls for labeling (either internal or external labels). Other library-related controls may be needed for data backups.

Access to programs and data is critical and needs controls, and has already been discussed. Segregation of duties should be used to build independence (cannot alter programs or data), and to limit opportunities for concealment of fraud.


iii. Computer Controls: Application

The next aspect of the IS controls model is application controls, which are more specific. They include input controls, processing controls, and output controls. Examples of input controls include:

(A) Authorization. Proper authorization procedures and controls are essential to an effective internal control system. The fact that the accounting system is a computer-based one does have some effect on these controls. Two basic control guidelines for authorization are:

♦ Controls should make sure transactions are properly authorized in accordance with management objectives and policies

♦ Embed controls where the computer performs the authorization

An example of the latter would be credit limits. The software should have built-in controls that verify a customer has sufficient credit to issue an invoice without going over the credit limit, and that require special authorization (preferably from the credit department) to allow the invoice to be processed when the amount would put the customer over the credit limit.

(B) Converting data into computer files. Controls should be developed to ensure the validity of data entry from the point of data capture and/or input.

♦ Use of batch control methodology, where applicable

♦ Record counts, batch totals, hash totals, computer editing controls, verification programs and controls

(C) Subsequent accountability. Subsequent to data entry, application controls should be employed to make sure data has not changed and data maintenance is validated, where applicable. Examples include:

♦ Transmittal controls

♦ Routing slips

♦ Control totals (hash, amount totals, etc.)

Examples of processing controls include the following:

♦ Batch control where applicable (not likely to apply in real-time systems)—control totals, batch totals, hash totals, record counts

♦ Validity check test (e.g., valid data for the particular field, complementary master record(s) exist, etc.)

♦ Limit test (data is within range of valid entries for the particular field, data is reasonable)

♦ Self-checking digit, where applicable (telecommunications)

Examples of output controls include the following:

♦ Controls to ensure reliability of computer output (e.g., error reports, printed reports, printed checks, etc.)

♦ Controls to ensure outputs are distributed with appropriate custody to authorized personnel only

♦ If batch methodology is employed, reconcile output control totals with processing and input control totals

♦ Develop controls using error reports for data that does not meet certain validity checks, including control procedures for follow-up of error reports for corrections

♦ Develop effective controls such as the data control group, the computer itself, and users to perform these control tasks (from most effective to least)
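The input, processing, and output controls listed above, worked through in code as an added example that is not from the book: a constructed batch of invoices is reconciled against the keyed batch-slip totals, each record gets a check-digit, validity, limit, and credit-limit authorization test, and the output totals are reconciled back to the input. The customer master, the department name, the 50,000 amount bound, and the use of a mod-10 (Luhn) check digit are assumptions.

```python
from dataclasses import dataclass

# Constructed customer master file: customer id -> (credit limit, current balance).
CUSTOMER_MASTER = {
    "1001": (5000.00, 1200.00),
    "1002": (2500.00, 2400.00),
    "1003": (10000.00, 0.00),
}
CREDIT_DEPT = "credit"  # assumed name of the department that may approve over-limit invoices

@dataclass
class Invoice:
    invoice_no: str          # 8 digits, the last one a mod-10 (Luhn) self-checking digit
    customer_id: str
    amount: float
    authorized_by: str = ""  # department that approved an over-limit invoice, if any

@dataclass
class BatchHeader:
    """Control totals keyed from the batch slip before the records themselves are entered."""
    record_count: int
    batch_total: float       # sum of the invoice amounts
    hash_total: int          # sum of the customer ids: meaningless as a number, useful as a control

def luhn_valid(number: str) -> bool:
    """Self-checking digit: true when the trailing mod-10 check digit agrees with the other digits."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def validate_invoice(inv: Invoice) -> list:
    """Per-record input controls: check digit, validity check, limit test, embedded authorization."""
    errors = []
    if not luhn_valid(inv.invoice_no):
        errors.append("invalid check digit")
    master = CUSTOMER_MASTER.get(inv.customer_id)
    if master is None:                      # validity check: the master record must exist
        errors.append("no master record")
        return errors
    if not 0 < inv.amount <= 50000.00:      # limit test: amount within an assumed reasonable range
        errors.append("amount out of range")
        return errors
    limit, balance = master                 # embedded authorization: the credit limit rule
    if balance + inv.amount > limit and inv.authorized_by != CREDIT_DEPT:
        errors.append("over credit limit without credit-department authorization")
    return errors

def reconcile_batch(header: BatchHeader, records: list) -> dict:
    """Batch controls (record count, batch total, hash total), the error report, and output totals."""
    report = {"batch_errors": [], "record_errors": {}, "accepted": [],
              "accepted_total": 0.0, "rejected_total": 0.0}
    if len(records) != header.record_count:
        report["batch_errors"].append(f"record count {len(records)} != {header.record_count}")
    batch_total = round(sum(r.amount for r in records), 2)
    if batch_total != round(header.batch_total, 2):
        report["batch_errors"].append(f"batch total {batch_total} != {header.batch_total}")
    hash_total = sum(int(r.customer_id) for r in records if r.customer_id.isdigit())
    if hash_total != header.hash_total:
        report["batch_errors"].append(f"hash total {hash_total} != {header.hash_total}")
    for r in records:
        errors = validate_invoice(r)
        if errors:
            report["record_errors"][r.invoice_no] = errors  # error report for follow-up and correction
            report["rejected_total"] += r.amount
        else:
            report["accepted"].append(r.invoice_no)
            report["accepted_total"] += r.amount
    return report

def output_reconciles(header: BatchHeader, report: dict) -> bool:
    """Output control: accepted plus rejected amounts must equal the input batch total."""
    return round(report["accepted_total"] + report["rejected_total"], 2) == round(header.batch_total, 2)

# Constructed batch of five invoices and the batch slip keyed for it (totals match the records).
SAMPLE_BATCH = [
    Invoice("10000016", "1001", 1500.00),
    Invoice("10000024", "1002", 500.00),                          # over limit, not authorized
    Invoice("10000032", "1002", 500.00, authorized_by="credit"),  # over limit, authorized
    Invoice("10000040", "9999", 100.00),                          # no master record
    Invoice("10000041", "1003", 250.00),                          # wrong check digit
]
SAMPLE_HEADER = BatchHeader(record_count=5, batch_total=2850.00, hash_total=14007)

def sample_report() -> dict:
    return reconcile_batch(SAMPLE_HEADER, SAMPLE_BATCH)

if __name__ == "__main__":
    rep = sample_report()
    print("batch errors:", rep["batch_errors"])
    for inv_no, errs in rep["record_errors"].items():
        print(f"{inv_no}: {', '.join(errs)}")
    print("output reconciles:", output_reconciles(SAMPLE_HEADER, rep))
```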


c. An Internal Audit Function

The most important general control activity is an internal audit function. Each enterprise must have an independent source for developing and verifying controls, above and beyond what the external auditors might do in a financial audit. Internal audit is much broader and more flexible in the tasks it performs. A qualified group of people, and an adequate staff, are indispensable in effective control activities, and a successful internal control system. Major bankruptcies such as Enron have brought criticism to the possible lack of independence when the internal audit function has been outsourced to the external auditors responsible for the financial audit. Therefore, if it is outsourced, management should be careful to maintain a maximum degree of independence. The best situation is to have an IA department within the firm. In fact, the New York Stock Exchange and the IIA have asked the SEC to require an IA function for all companies with publicly traded stock. [23]

This manual stresses the activities, qualifications, and duties that make the IA shop successful and productive. The IIA argues that an internal IA shop is a critical success factor in effective corporate governance, especially regarding security, auditability, and controls.

d. Corporate Governance

A key control strategy is an effective corporate governance structure. This strategy begins with the IA function and includes an effective audit committee and IT governance.

i. Audit Committee

Another key major control activity is an adequate audit committee. But having an audit committee is not the same as having an effective audit committee. For publicly traded companies, the SEC issued a ruling that took effect January 31, 2000, related to audit committees. The ruling [24] says in part:

The Securities and Exchange Commission is adopting new rules and amendments to its current rules to require that companies include in their proxy statements certain disclosures about their audit committees and reports from their audit committees containing certain disclosures. The rules are designed to improve disclosure related to the functioning of corporate audit committees and to enhance the reliability and credibility of financial statements of public companies.

The SEC basically requires publicly traded companies to not only have an audit committee but to include information on its activities in SEC reports. Companies that are not publicly traded but have a large number of stockholders are probably in need of an audit committee because of the fiduciary responsibility. A significant responsibility of the audit committee is to deal with risks of the entity. Therefore, businesses that have a relatively large risk of fraud, theft, security, or illegal activities should also have an audit committee. For example, financial institutions and other businesses that handle large volumes of cash daily are prime candidates for an audit committee because cash misappropriation is the highest of risks.

Companies need an audit committee for several reasons. The main reason is the fiduciary responsibility the company has to the shareholders. Management should also expect the audit committee to assist them in ensuring the integrity of financial reports and in deterring fraud. The public expects no surprises in the financial health of the company, and it expects to be able to trust the financial reports. Audit committees should be able to serve as guardians of the public interest.

The audit committee serves as an independent "check and balance" with the internal audit function—serving as a watchdog over financial statements, risks, and management assertions—and liaison with external auditors. They interact with both these groups with the objective of ensuring data integrity in financial statements and the avoidance of fraud or illegal activities. They also look for ways to identify adverse events. For instance, they might serve as a sounding board for employees who observe suspicious behaviors or outright fraudulent activities. The audit committee should have a willingness to challenge the internal audit function as well as management when necessary. For those entities that employ outside auditors, the audit committee should be best positioned to determine whether or not the provision of any particular service by the audit firm is inappropriate. In fact, they should be responsible for deciding which external auditor to hire. In general, they become an independent source of protection of the entity's assets from a variety of risks, in whatever fashion is appropriate. See Exhibit 3.17 for a list of audit committee oversight areas, based on a study by the Financial Executives International (FEI).

Exhibit 3.17: Audit Committee Oversight Areas—In Order of Importance

1. Key areas of business and financial risk

2. Tone at the top/code of ethics

3. Internal controls and systems

4. External audit activity and relationships

5. Periodic financial reporting, including financial and accounting policies

6. Internal audit activity

7. Key personnel selection for critical financial/control positions

Certain historical events remind managers, board members, auditors, and other stakeholders of the risks that exist even for those businesses that seem to be immune to fraud. These events also show the need for effective audit committees. Enron proved that large companies with billions of dollars in assets can go bankrupt under the noses of well-intended board members. Enron had $10 billion book value, $60 billion market value, and $1 billion in profits in its latest financial reports that were "not materially misstated," according to its external auditor, Arthur Andersen. Enron had an audit committee made up of distinguished members with financial accounting pedigrees. Yet this large firm went bankrupt once it booked a $600 million entry to revise its earnings in late 2001.

In 1998, COSO issued a report, "Landmark Study on Fraud in Financial Reporting," covering 10 years and 200 randomly selected cases of alleged financial fraud investigated by the SEC from 1987 to 1997. The 200 randomly selected cases make up about two-thirds of all the SEC probes into fraud during the time period. The results of the study provide valuable information for any organization in protecting against fraud, but it is especially valuable in developing audit committees because of its applicability. The study develops several common factors about the companies (see Exhibit 3.18).

Exhibit 3.18: Commonalities of Fraud Entities from COSO Study

• Smaller firms

• Lack of experience in board members

• Lack of independence of audit committee/board members

• Absence of audit committee or infrequent audit committee meetings

• Likelihood of involvement of executive managers in financial fraud

• Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors

• Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you cannot depend on your external auditors to detect fraud based on their size)

• Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies involved — the average misstatement or misappropriation was $25 million

A model of attributes is presented based on the existing standards, SEC rules, and the COSO fraud report (see Exhibit 3.19). The model attributes include independence, competence, organizational structure, leadership, and a proactive approach.

Exhibit 3.19: Model of Attributes for Effective Audit Committee

• Independence (outside directors)

• Competence (knowledge and understanding of accounting, auditing, and internal controls; critical thinkers)

• Organizational Structure (reporting channels direct from internal audit function, external auditors, whistleblowers)

• Leadership (active, strong, decisive chair)

• Proactive Approach

Audit committees need to be independent of management and even other board members in order to effectively assess events, accusations, and risks. The main ingredient for effective independence is skepticism. Outside directors make it easier to provide both an appropriate degree of skepticism and independence.

Members should also be competent. The entity should consider looking for outside directors, and locate people who are well qualified in the areas of financial accounting, auditing, internal controls, and risk assessment/management. But competence should also include critical thinking skills. Audit committee members need to be able to sort through facts, exhibits, and circumstances to ascertain possible questionable areas. They also need to ask tough questions and foresee situations that contain high risk. Lastly, competence also includes experience; that is, experience being a board member for other organizations. Preferably experience also means experience as either a member of an audit committee or similar experience in auditing, security, risk, or internal controls. Thus a member of the audit committee should probably be the most seasoned of the members of the board. However, one recent study [25] revealed just the opposite:

Unlike their counterparts, audit committee directors, for the most part, had served on significantly fewer other committees and for a shorter period of time on the corporate board, which implied they were mere "babes in the woods."

The organizational structure of the committee is also important. Some firms allow any employee to contact the audit committee anonymously to report suspicious behaviors, fraud, or illegal financial activities. Such a committee therefore serves as an ethics committee for financial reporting, fraud, and security (see item 2 in Exhibit 3.17). Whatever management can do to encourage reporting of these events and behaviors should be done. The audit committee will then have the opportunity to possibly identify fraudulent activities before they adversely affect the firm.

Leadership refers to the chair of the audit committee. As in most committees, the chair sets the tone for the activities, approach (proactive vs. reactive), and behaviors of the group. The chair needs to be active (proactive), strong (a capable leader and competent audit committee member), and decisive. These attributes identify any good leader, but are essential for the audit committee to be effective.

Lastly, the audit committee needs to be proactive. The recent study by the FEI mentioned earlier shows that more than half of the respondents polled—chief financial officers and corporate controllers—felt that the audit committee needed to be more proactive. The same report suggests that audit committees need to challenge management assumptions and ask tough questions. Coca-Cola Company has a good set of such questions [26] that illustrate a proactive approach, questions the company's board asks the IA function each year:


• Are there any significant accounting judgments made by management in preparing the financial statements that would have been made differently had the auditors themselves prepared and been responsible for the financial statements?

• Based on the auditors' experience, and their knowledge of the Company, do the Company's financial statements fairly present to investors, with clarity and completeness, the Company's financial position and performance for the reporting period in accordance with GAAP and SEC disclosure requirements?

• Based on the auditors' experience, and their knowledge of the Company, has the Company implemented internal controls and internal audit procedures that are appropriate for the Company?

The model of attributes should empower the audit committee to serve its entity effectively in protecting the assets, inspecting suspicious behaviors or activities, ensuring the integrity of financial reports, and generally managing risks. There is also a list of attributes or situations to avoid—those that were common to the cases of financial fraud in the COSO study. The study mentioned that one consistent factor with the fraud cases was the absence of an effective audit committee. Often board members were neither independent (e.g., related to executives or owners) nor capable of dealing with audits and internal controls. Together, these two lists (Exhibits 3.18 and 3.19) will hopefully assist internal auditors in providing input into the board's decision about its audit committee, and in providing information on how to effectively interact with the audit committee.

One of the most effective techniques against fraud or crime is an internal audit function with a direct connection to an audit committee on the board, where such committee members are able to understand and respond to audit evidence, reports, or internal control weaknesses. (See Section 9.2 for additional information on audit committees.)

ii. Information Technology Governance

Information technology governance is similar to corporate governance in its objectives and is a prime service of ISACA. That organization defines IT governance as:

the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

The more an organization relies on IT, the more IT governance is necessary; or put another way, IT governance becomes an integral part of corporate governance.

The objectives of IT governance are to (1) understand the issues and the strategic importance of IT, (2) ensure that the enterprise can sustain its operations, and (3) ascertain it can implement the strategies required to extend its activities into the future. The primary goal is to ensure that expectations for IT are met and IT risks are mitigated. IT governance should address the following:

• Appropriate and adequate business and IT performance measures

• Appropriate and adequate business and IT outcome drivers

• IT strategic and alignment issues

• Best practices in IT governance

• Questions boards and management should ask

Questions such as "Is IT doing the right things?" "Are they doing them the right way?" "Are they being done well?" and "Is the enterprise actualizing benefits from IT activities?" should be answered by IT governance processes. IT governance should also lead to a structure through which the entity's overall objectives are set, the method of attaining those objectives is outlined, and the manner in which performance will be monitored is described. One performance measurement system being used is Balanced Scorecard (see Chapter 9).

Evidence of the need for IT governance is the number of chief executives who have criticized the benefits of IT. [27] To promote IT governance, ISACA sponsors the IT Governance Institute and provides various support documents and services. [28] This organization also promotes CobiT as another tool that assists management in IT governance.

e. Logs and Auditability

The last control activities area is that of logs. The more an enterprise is dependent on systems, automation, and computers, the more invisible audit trails tend to become. Therefore, it is imperative that the internal control system has an adequate degree of controls related to electronic audit trails. One effective control is the implementation of computer logs. Detailed computer logs should be evaluated (i.e., are they necessary, how detailed the data should be) for access and log-in to the system, access and use of applications, access and use of data, changes to data, changes to applications, and changes to the operating system. When electronic logs cannot be generated, paper ones should be considered (e.g., changes in an application).

If the entity is connected to the Internet, logs become even more important. Logs should be used to track data such as sites visited, files downloaded or uploaded, time spent on the Internet, etc. Sites visited could reveal access to illegal sites, and have in the past (i.e., child pornography). Files downloaded could reveal viruses, hacking tools, illegal software, or other types of files that are contrary to organizational policy or federal regulations. Hacking tools might be an indication of an employee preparing to hack into the organization's system.

Logs should be developed and implemented that will assist in safeguarding assets and ensuring compliance with policy (e.g., computer usage). Logs are the enforcement control for policy, but the entity needs to make sure employees are told such actions are being recorded and even have employees sign policies that have this form of enforcement (e.g., e-mail policy).
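An added example (not from the book) of evaluating such logs: constructed pipe-delimited log lines are checked for coverage of the event categories listed above (log-in, application and data access, changes to data, applications, and the operating system) and for change events that cite no approved change request. The log format, the category labels, and the change request ids are assumptions.

```python
# Event categories the text says electronic audit trails should cover (assumed labels).
REQUIRED_CATEGORIES = {"login", "app_access", "data_access", "data_change", "app_change", "os_change"}
# Categories that alter something and therefore should cite an approved change request.
CHANGE_CATEGORIES = {"data_change", "app_change", "os_change"}
# Constructed register of approved change requests (ids are placeholders).
APPROVED_CHANGES = {"CR-0042", "CR-0043"}

# Constructed log lines in an assumed format: timestamp|user|category|object|change_ref
SAMPLE_LOG = """\
2024-03-01T08:01:10|alice|login|host1|
2024-03-01T08:02:30|alice|app_access|payroll|
2024-03-01T08:05:12|alice|data_access|payroll.employees|
2024-03-01T09:15:00|bob|data_change|payroll.rates|CR-0043
2024-03-01T22:40:05|bob|app_change|payroll|CR-0042
2024-03-01T23:10:44|carol|app_change|gl|
"""

def parse_log(text: str) -> list:
    """Parse pipe-delimited lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue
        ts, user, category, obj, ref = fields
        events.append({"ts": ts, "user": user, "category": category, "object": obj, "ref": ref})
    return events

def missing_categories(events: list) -> list:
    """Required audit-trail categories that never appear: gaps in what the log captures."""
    return sorted(REQUIRED_CATEGORIES - {e["category"] for e in events})

def unapproved_changes(events: list) -> list:
    """Change events that do not reference an approved change request."""
    return [e for e in events if e["category"] in CHANGE_CATEGORIES and e["ref"] not in APPROVED_CHANGES]

def changes_by_user(events: list) -> dict:
    """Number of change events per user, a summary for management review."""
    counts = {}
    for e in events:
        if e["category"] in CHANGE_CATEGORIES:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("categories never logged:", missing_categories(evs))
    for e in unapproved_changes(evs):
        print(f"unapproved change by {e['user']} to {e['object']} at {e['ts']}")
    print("changes by user:", changes_by_user(evs))
```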

f. Segregation of Duties

Another primary objective of internal controls is the effective use of segregation of incompatible duties. This proven technique for designing internal controls, policies, and especially organizational structures was developed by accountants and auditors. Three rules to observe are to separate transaction authorization from transaction processing, record-keeping from asset custody, and any series of transaction processing steps such that a collusion of individuals would be necessary to commit fraud. Where segregation of duties is not feasible, management should compensate by adding adequate supervision.

For example, one large tire reseller did not segregate duties. Because the firm had several locations, it made use of a central tire warehouse. There was no security at the warehouse, and all salespersons had a key to it. One salesman stole tires, drove to a nearby city, sold them to an acquaintance, and covered his tracks with credit memos and phony invoices. No one suspected him, even though 75% of all credit memos came from one individual (proof that management must review reports). The custody of the tires should have been segregated from record-keeping of tire transactions (i.e., the sales force), and authorization of the credit memos should have been separated from the processing. (See "Physical Controls" in this chapter for more information.)
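The tire reseller case above, as an added example that is not from the book: a constructed duty table and credit memo register are checked for the incompatible duty pairs the three rules name and for the credit memo concentration that a report review would have surfaced. The duty labels, the names, and the 50% review threshold are assumptions.

```python
from collections import Counter

# Duty pairs that one person must not hold together (labels are assumed).
INCOMPATIBLE_DUTIES = [
    ("authorize_credit_memo", "process_credit_memo"),  # authorization versus processing
    ("asset_custody", "record_keeping"),               # custody versus record-keeping
]

# Constructed duty assignments for a reseller like the one in the text: every salesperson
# holds a warehouse key (custody) and also records sales and credit memos.
DUTY_ASSIGNMENTS = {
    "salesperson_a": {"asset_custody", "record_keeping", "authorize_credit_memo", "process_credit_memo"},
    "salesperson_b": {"asset_custody", "record_keeping"},
    "clerk_c": {"record_keeping", "process_credit_memo"},
    "manager_d": {"authorize_credit_memo"},
}

# Constructed credit memo register: who issued (processed) and who authorized each memo.
CREDIT_MEMOS = [
    {"memo": "CM-101", "issued_by": "salesperson_a", "authorized_by": "salesperson_a", "amount": 420.00},
    {"memo": "CM-102", "issued_by": "salesperson_a", "authorized_by": "salesperson_a", "amount": 310.00},
    {"memo": "CM-103", "issued_by": "salesperson_a", "authorized_by": "salesperson_a", "amount": 575.00},
    {"memo": "CM-104", "issued_by": "clerk_c", "authorized_by": "manager_d", "amount": 95.00},
]

def duty_conflicts(assignments: dict) -> dict:
    """Per person, the incompatible duty pairs they hold at the same time."""
    conflicts = {}
    for person, duties in assignments.items():
        held = [pair for pair in INCOMPATIBLE_DUTIES if pair[0] in duties and pair[1] in duties]
        if held:
            conflicts[person] = held
    return conflicts

def self_approved_memos(memos: list) -> list:
    """Memos issued and authorized by the same person: authorization not separated from processing."""
    return [m["memo"] for m in memos if m["issued_by"] == m["authorized_by"]]

def issuer_share(memos: list) -> dict:
    """Fraction of all credit memos issued by each person, the figure a report review would show."""
    counts = Counter(m["issued_by"] for m in memos)
    return {who: n / len(memos) for who, n in counts.items()}

def concentrated_issuers(memos: list, threshold: float = 0.5) -> list:
    """Issuers whose share of credit memos exceeds the review threshold (assumed 50%)."""
    return sorted(who for who, share in issuer_share(memos).items() if share > threshold)

if __name__ == "__main__":
    print("duty conflicts:", duty_conflicts(DUTY_ASSIGNMENTS))
    print("self-approved memos:", self_approved_memos(CREDIT_MEMOS))
    print("credit memo share by issuer:", issuer_share(CREDIT_MEMOS))
    print("issuers to review:", concentrated_issuers(CREDIT_MEMOS))
```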

g. Investigation Procedures

Management must also consider what specific procedures should be employed to protect against internal threats. Key positions, including executives, may require a background search.


SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 3.8    REV NO:    DATE:
TITLE: Malicious Activities    PAGES:

[16] See www.cert.org.

[17] See www.securityfocus.com.

[18] See www.incidents.org.

[19] BIND is one of the name services on the Internet—typically on Unix, Linux, etc.-based systems, though Windows XP does support BIND now.

[20] See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).

[21] The information for this paragraph came from a web page at The Internet Storm Center's web site. The page is located at www.incidents.org/isw/iswp.php.

[22] See www.incidents.org.

[23] Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC site www.sec.gov for clarification.

[24] SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.

[25] Nikos Vafeas, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20, No. 1 (March 2001).

[26] Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the AAA, August 13, 2001.

[27] For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running disappointment in business in the last 30 years." World Economic Forum, 1997.

[28] See www.itgi.org.

3.8 Malicious Activities

A brief description of aspects of malicious activities will assist in the development of effective specific controls. Areas to consider are computer crime, theft/financial fraud, and unauthorized access.

a. Crime and Misappropriation of Assets

Computer crime is becoming popular among those with a criminal mind. The average dollar value of a computer crime is far greater than the average dollar taken in a bank robbery. But just as important, internal auditors need to understand the subtle differences between various attackers and thieves as well as typical profiles of these perpetrators. Almost all of these crimes are driven by (1) opportunity (control weakness), (2) pressure (e.g., cash flow problems), and (3) rationalization.


i. Types of Crimes

Crimes associated with the theft of assets typically are carried out by employees. These frauds are conducted by employees who have some pressure to steal (personal cash flow problems), accompanied with weak personal ethics. If a weakness exists in the controls, the temptation can become too great for the employee to resist stealing from the organization. The rationalization is often that either the employee works hard and deserves the extra money, or he/she is "borrowing" the money and plans to repay it. One typical area for fraud and theft is performance bonuses. Such tactics can become the impetus (pressure) mentioned earlier, and the rationalization; and if accompanied by personal weak ethics and an exposure, the result can be fraud and theft.

Another crime is financial fraud. By its very nature, it is virtually limited to executive management. Management can come under pressure by such circumstances as economic problems in the firm (poor performance of stock on the open market). Because of management's position, they are always in the position to have opportunity; that is, they can override controls. The pressure to perform can be rationalized as perform at any cost and lead to financial fraud.

Lastly, there are those who break in from the outside (see below). Some of these attackers come to steal, kill, and destroy. Others come to play—possibly bringing a system down and making it unavailable. But all cause damages and bring about costs. As such they are considered computer crimes (e.g., the laws against spamming).

ii. Types of Criminals

Criminals can be broken down into different groups with specific profiles. The description of crimes includes a profile of the employee or manager who might commit a crime. The following describes the outside criminals.

According to the President's Commission on Critical Infrastructure Protection, an estimated 19 million people worldwide have the skills to engage in malicious hacking. [29] The profile of the author of the typical DDoS tool (and of other Internet security incidents) is a male, 13 to 15 years old, with a great deal of computer aptitude (neon hair and body piercings optional). They usually begin malicious activities early. For example, Mixter (a self-proclaimed "white hat") started learning computers at six and malicious activity at 14.

One way to think about the people who break into Internet systems is to subdivide them by objective. The groups are technically known as hackers, crackers, and script kiddies. The true "hacker" (sometimes referred to as a "white hat" [30]) actually tries to do a service to the Internet community. Hackers look for vulnerabilities and weaknesses, and then communicate the "hole" to the affected entity. These people enjoy the intellectual challenge of their activities and are technically defined as "hackers." [31] Even so, there are rogues in this group. A contract employee at Intel went beyond the scope of his work; Intel dismissed the white-hat employee and had him arrested.

Traditionally, "hacker" was a term with a positive connotation, a badge of honor regarding one's technical expertise. Why, then, does the popular press always refer to the "bad guys" as hackers? Because of the media's ignorance of the technical definitions. These people are actually "crackers" [32] (sometimes referred to as "black hats"), whose intent is to steal or destroy. So although hacker and cracker are often used interchangeably, they are technically different sub-groups. It is the cracker who writes malicious code such as DDoS tools.

The term "script kiddie" refers to young computer enthusiasts who usually download malicious code (e.g., viruses, DDoS tools) written by crackers, rather than authoring it themselves, and conduct mischievous exploits against unsuspecting entities, resulting in system havoc. Most are not necessarily malicious, just bored. They are similar to street gangs: they have created a way to tag the Internet (viral code), invented their own form of graffiti (web site defacements), and fought gang wars online (using thousands of remote PCs controlled by Internet Relay Chat (IRC) bots). [33]


One example is a female (rare among script kiddies) from Belgium who authored Sharpei, one of the first .NET viruses. She says writing these viruses and DDoS programs is "a form of art, just like other hobbies. Also, it's a fun way to practice programming." This statement reflects the attitude, and demonstrates the problem, with DDoS attackers: they do not see any real harm to their victims and are in it for the personal pleasure it brings.

b. Unauthorized Access and Authentication

Access control systems authenticate and verify users by using one or more of three basic factors: (1) something you have, (2) something you know, and (3) something you are. [34] Specific controls range from access cards and readers (something you have), to passwords or PINs (something you know), to biometrics (something you are). The greater the risk, the greater the need to consider a multi-factor access control system in order to maintain adequate security. Note that two instances of the same factor (a password plus a "security question," both something you know) do not make a system multi-factor.

The most common authentication, authorization, and verification controls are password systems and firewalls, and occasionally access cards or biometrics. The weakness of the former two is that they are routinely compromised, and intruders have caused great harm and significant financial losses. Strictly speaking, a firewall is a network access control rather than an authentication mechanism: it decides which traffic may reach a system, not who the user is, so it cannot substitute for verifying identity. Biometrics have the potential to provide a higher level of assurance because they involve something you are, and they can be more reliable than stand-alone password or firewall systems. The practitioner's caveat is that a biometric is not a secret and cannot be changed once it has been copied, so it is best used as one factor alongside something you have or know rather than on its own.

There is a difference between verification and identification. Verification (a one-to-one match) is the process of confirming that the person presenting the token (badge, card, password, etc., which is the claim of identity) is its rightful owner. Identification (a one-to-many match) is the recognition of a specific individual from among all the individuals enrolled in the system. Ideally, access control systems would do both.

Passwords are the first line of defense in authenticating access to systems and data, and serve as a reasonably effective preventive control. One strategy is to create multi-factor passwords, especially where remote access is frequent or e-commerce is employed. One current sophisticated approach is to generate PINs that change over very short time frames, sometimes less than a minute. When remote users log in, they read the most recent PIN from a beeper-sized token and can only log in with both their password and the dynamic PIN; because the PIN expires, one captured in transit cannot be replayed later. Another strategy is to combine passwords with network administration such that an access matrix is developed. The columns are fields, files, or other data elements; the rows are users; and the cells are the access permitted: read-only (RO), read/write (RW), or none. This matrix approach minimizes the exposure of data to internal users by narrowing authorization and access. (See Exhibit 3.8 for a password model to assist in developing the access control system.)
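The two strategies just described, a password combined with a short-lived dynamic PIN and an access matrix of users against data elements, can be exercised in a few lines. The following Python block is an added example, not code from the book or from any product it mentions. The user store, the HMAC-over-time-step PIN construction (the one used by RFC 4226/6238 hardware tokens), the 30-second step, the replay rule and the sample matrix are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Assumed parameters (illustrative, not from the book): the PIN changes every
# 30 seconds and has six digits, like the token-generated PINs the text describes.
PIN_STEP_SECONDS = 30
PIN_DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted, slow hash so a stolen user store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password, pin_secret):
    """Enrol a user: password hash plus the shared secret held by the user's token."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "pin_secret": pin_secret, "last_step": -1}


def dynamic_pin(secret, step):
    """PIN for one time step: HMAC over the step counter, truncated to digits.
    This is the construction hardware tokens use (RFC 4226/6238)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


def authenticate(user, password, pin, now):
    """Both factors must pass. A PIN step that was already used is rejected
    (replay), and only a successful login consumes the step."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    step = int(now // PIN_STEP_SECONDS)
    used = None
    for candidate in (step - 1, step, step + 1):   # tolerate small clock skew
        expected = dynamic_pin(user["pin_secret"], candidate).encode()
        if candidate > user["last_step"] and hmac.compare_digest(expected, pin.encode()):
            used = candidate
            break
    if pw_ok and used is not None:
        user["last_step"] = used
        return True
    return False


# Access matrix (assumed sample): rows are users, columns are data elements,
# cells are RO, RW, or absent (which means none).
ACCESS_MATRIX = {
    "alice": {"payroll": "RW", "vendors": "RO"},
    "bob":   {"vendors": "RW"},
}


def permitted(user, obj, op):
    """Default deny: a missing row or a missing cell means no access."""
    cell = ACCESS_MATRIX.get(user, {}).get(obj, "none")
    if op == "read":
        return cell in ("RO", "RW")
    if op == "write":
        return cell == "RW"
    return False


def writers_of(obj):
    """The auditor's question: who can change this data element?"""
    return sorted(u for u, row in ACCESS_MATRIX.items() if row.get(obj) == "RW")


if __name__ == "__main__":
    import time
    secret = os.urandom(20)
    user = make_user("correct horse", secret)
    now = time.time()
    print(authenticate(user, "correct horse", dynamic_pin(secret, int(now // PIN_STEP_SECONDS)), now))
    print(permitted("alice", "payroll", "write"), writers_of("vendors"))
```

Two design points matter for an auditor reviewing such a system: the PIN step is only marked as used after a fully successful login, so a wrong password does not burn the token's current value, and the matrix lookup denies anything it does not explicitly list, so a user added to the system with no row gets nothing until someone decides otherwise.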

Although they appear to be much less expensive than biometric systems, password systems can cost an organization in two ways: passwords that are forgotten and passwords that are stolen. The former requires time and resources to reset passwords. The latter is a security breach, and can be much more costly if the system is compromised. Since the human brain is not a perfect storage system for long, complicated letter-number combinations, the more sophisticated passwords might be forgotten. In such situations the password needs to be reset and a new one created. According to Mandylion Research Labs, resetting passwords for a company with 100 workers would cost $3,850 per year. If the company has 1,000 authorized personnel, the same process would cost up to $38,500 per year.

For remote access, one control is a call-back system. If remote access is stationary (i.e., the same person always accesses the system from the same phone), this technique works well. Once a user logs in from a remote location, the system hangs up the line and calls back on a pre-determined phone number. Where call-back systems are impractical, multi-factor password systems should be employed, possibly including biometrics.

The most common biometric devices used for access control are fingerprint scanners, although facial and iris scanners and voice recognition systems are increasing in use. [35] Fingerprint scanners come in a variety of formats, from stand-alone devices to readers built into keyboards and mice. They are unobtrusive, inexpensive, and, essentially, they work. For example, the public benefits administrators in Texas and New York claim fingerprint identification has virtually eliminated fraud in their programs. [36]

But of all the types of biometrics available, the most practical for access control appears to be fingerprint recognition or keystroke recognition. Keystroke recognition systems are trained to recognize the unique timing features of a person entering his or her password. Because it is only software, keystroke recognition is less expensive and easier to operate than fingerprinting and other biometrics. The fingerprint option should be considered as part of a smart card plus fingerprint plus password method, rather than as a stand-alone fingerprint system (if the risks warrant such a sophisticated access system). Such a system would provide a high level of reliability with a high level of user acceptance and a relatively low cost, and the components are readily available in the market. Any biometric matcher must be tuned between false acceptances (an impostor passes) and false rejections (the legitimate user is turned away); the threshold chosen is itself a control the auditor should review.
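A keystroke recognition template of the kind described above can be illustrated with the simplest form of the technique: enrol several typings of the password, keep per-keystroke timing statistics, and accept a new typing when enough of its timings fall inside the enrolled range. The Python block below is an added example, not from the book or any vendor; the timing figures, the two-sigma rule, the 80 percent threshold and the function names are constructed for illustration. It also reports the false-reject and false-accept rates, the two errors that any biometric threshold trades off.

```python
import statistics

# Constructed enrolment data (not measurements from the book): five typings of
# the same password, each reduced to seven timing features in milliseconds
# (key hold "dwell" and key-to-key "flight" intervals).
ENROLLMENT = [
    [95, 120, 88, 130, 92, 110, 85],
    [100, 118, 90, 135, 95, 108, 88],
    [92, 125, 86, 128, 90, 112, 84],
    [98, 122, 91, 132, 94, 109, 87],
    [96, 119, 89, 129, 93, 111, 86],
]


def train(samples):
    """Build the template: per-feature mean and standard deviation.
    A floor of 1 ms stops a feature with no spread from rejecting everything."""
    features = list(zip(*samples))
    return [(statistics.mean(f), max(statistics.stdev(f), 1.0)) for f in features]


def score(template, attempt):
    """Fraction of features within two standard deviations of the enrolled mean."""
    hits = sum(1 for (mu, sd), x in zip(template, attempt) if abs(x - mu) <= 2 * sd)
    return hits / len(template)


def accept(template, attempt, threshold=0.8):
    """Decision: the threshold is the control. Lower it and impostors get in;
    raise it and the real user gets locked out."""
    return score(template, attempt) >= threshold


def error_rates(template, genuine_attempts, impostor_attempts, threshold=0.8):
    """False reject rate over genuine typings, false accept rate over impostors."""
    frr = sum(not accept(template, a, threshold) for a in genuine_attempts) / len(genuine_attempts)
    far = sum(accept(template, a, threshold) for a in impostor_attempts) / len(impostor_attempts)
    return frr, far


if __name__ == "__main__":
    template = train(ENROLLMENT)
    print(score(template, [97, 121, 89, 131, 93, 110, 86]))
    print(error_rates(template, [[97, 121, 89, 131, 93, 110, 86]], [[150, 200, 140, 210, 160, 190, 150]]))
```

With only five enrolment samples the standard deviations are narrow, so a user who hesitates on two keys already falls below the 80 percent threshold; that is the false-rejection side of the trade-off, and a production system would enrol more samples and re-train as the user's typing settles.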

Of special importance is the emerging trend toward integration of biometrics into networks and systems. More time is being spent on integrating biometrics into existing processes and applications, where feasible and applicable, and into network access control systems. Biometric devices are becoming a commodity item, and this progression leads to a potentially enhanced level of interoperability, something the biometrics industry needs. In recent months an increasing number of devices, such as notebook computers and computer keyboards, have come equipped with integral biometric fingerprint readers, some with smart card readers as well, plus several variants of biometric mice. [37] This area holds a lot of promise for all concerned with InfoSec.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.9 REV NO: DATE:

TITLE: Specific Controls/CAATTs PAGES:

[29] According to the Computer Emergency Response Team (CERT). See "Combating Cyberthreats: Partnership Between Public and Private Entities," E. Lee, Information Systems Control Journal, Vol. 3, 2002.

[30] They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific domain, specific time frame), or (d) they have an engagement letter to conduct the pen test.

[31] See the technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.

[32] See the technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to safe crackers.

[33] According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.

[34] Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.

[35] "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.

[36] Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.

[37] Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.


3.9 Specific Controls/CAATTs

One resource for internal auditors in developing an effective internal control system is the body of proven controls and CAATTs (computer-assisted audit tools and techniques), which includes people, techniques, and models.

People would include the use of experts and professionals in the IA function, whether the corporation has a separate internal audit department, outsources the function, or relies on external auditors for the function. Regardless, management should make sure someone or some group is responsible for the internal audit tasks, primarily the design, development, implementation, and examination of the corporate internal control system. Management should require an appropriate certification of those to whom it entrusts its internal control system. Some applicable certifications include: Certified Internal Auditor (CIA from the IIA), Certified Information Systems Auditor (CISA from ISACA), Certified Information Technology Professional (CITP from the AICPA), Certified Information Systems Security Professional (CISSP from the International Information Systems Security Certification Consortium, (ISC)²), and Global Information Assurance Certification (GIAC from the SANS Institute).

Proven techniques include some already mentioned, such as an audit committee made up of qualified people who are independent of owners and executive management.

a. Monitoring Systems

One of the best detective tools is a good monitoring system. Examples are intrusion detection systems, passive logs, and traffic monitors. Intrusion detection systems are designed to detect crackers or hackers as they try to gain unauthorized access to the company's systems. Steve Gibson reported 500,000 attempts a day detected at his site when a 15-year-old hacker got mad at him. [38] His intrusion detection system worked better than most because he is an elite expert, but he wrote an open letter to hackers and admitted that his system could not withstand a direct, ongoing assault. Traffic monitors provide information to technical staff that indicates adverse activity such as a denial-of-service attack: they graph certain technical aspects of Internet activity and traffic, and visually indicate potential problem areas. The Internet Storm Center is one example of a broader monitoring system, one that monitors activity on the Internet as a whole. Passive logs can provide data that helps detect or correct adverse attacks after the fact, provided the logs are retained, protected from tampering, and actually reviewed.
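As an added example (not from the book, from Gibson Research, or from any IDS product), the Python block below runs one simple detection rule over constructed firewall log lines: a source that is dropped on several distinct ports within a short window is flagged as a probable port scan. The log format, the window and port thresholds, the function names and the addresses (taken from the documentation ranges) are assumptions made for illustration; a real intrusion detection system applies many such rules, but each has this shape.

```python
import re
from collections import defaultdict, deque

# Constructed firewall log lines (illustrative; documentation-range addresses,
# not real traffic): epoch time, verdict, source, destination, destination port.
LOG_LINES = """\
1040000000 DROP src=203.0.113.5 dst=198.51.100.10 dport=22
1040000001 DROP src=203.0.113.5 dst=198.51.100.10 dport=23
1040000002 DROP src=203.0.113.5 dst=198.51.100.10 dport=25
1040000003 DROP src=203.0.113.5 dst=198.51.100.10 dport=80
1040000004 DROP src=203.0.113.5 dst=198.51.100.10 dport=110
1040000005 DROP src=203.0.113.5 dst=198.51.100.10 dport=143
1040000010 ACCEPT src=192.0.2.7 dst=198.51.100.10 dport=443
1040000200 DROP src=192.0.2.7 dst=198.51.100.10 dport=22
""".splitlines()

LINE_RE = re.compile(r"^(\d+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(line):
    """One log line to a dict; a malformed line returns None rather than crashing the rule."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return {"ts": int(ts), "action": action, "src": src, "dst": dst, "dport": int(dport)}


def detect_scans(lines, window=60, min_ports=5):
    """Single pass over the log. Per source, keep the drops from the last `window`
    seconds; when they cover at least `min_ports` distinct ports, raise one alert."""
    recent = defaultdict(deque)
    alerts, flagged = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "DROP":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:    # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"src": ev["src"], "ts": ev["ts"], "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(LOG_LINES):
        print(f"{a['ts']} possible port scan from {a['src']}: ports {a['ports']}")
```

The rule fires on the fifth distinct port, not the first drop, and fires once per source, which is what keeps a monitor useful under the kind of volume Gibson describes: an alert per dropped packet would simply be a second copy of the log.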

b. Firewalls

Any server connected to the Internet should also sit behind a firewall as a preventive control. A firewall is one or more elements (software, hardware, or techniques) that block unauthorized activity from external users. A variety of firewall defenses can be assembled, and the choice should be made with the level of risk in mind: the higher the risk probability and cost, the more complex and expensive the firewall needs to be. Whatever the design, the rule set should deny by default and permit only the traffic the server actually needs.

c. Generalized Audit Software

Using generalized audit software (GAS), such as ACL, IDEA, PanAudit Plus, and others, has proven to be of immense value for internal auditors in detecting irregularities and fraud in computer systems. Audit software is also valuable in auditing operations. Using GAS and CAATTs is more than extracting data, dumping the data into a spreadsheet, sorting it, producing a report (information), and manually reviewing the paper copy. CAATTs use these steps as the precursor to the real work: the critical analysis of the data. Using GAS can bring both effectiveness (quality of the audit) and efficiency (significant productivity increases) to the IA function, and indeed has for many IA shops. One of the major benefits is that auditors are able to examine all of the records, not just a sample. To use CAATTs or GAS, the internal auditor should follow these steps:


1. Set the audit objectives.
2. Meet with the owner of the data and a programmer.
3. Formally request the data.
4. Create or build the input file definition in the GAS.
5. Verify the integrity of the imported data.
6. Gain an understanding of the data.
7. Analyze the data.

In the fifth step, verifying data integrity, it is helpful to ask for a printout of the first 100 records along with the data. Once the data is fully imported and ready, a review of these 100 records can establish some reasonable reliability of the data set. Batch controls (record counts, amount totals, and hash totals on a key field) are very useful for this purpose, especially if the auditor can establish those controls from the live data rather than relying on figures the data owner supplies. In the sixth step, the understanding can generally be gained by running some standard overview commands such as COUNT, STATISTICS, CLASSIFY, STRATIFY, and so on, on the data set.

An internal auditor might run these types of tests:

• Reasonableness
• Completeness
• Gap
• Duplication
• Period-to-period (trends)
• Regression analysis
• Statistical analysis
• Transaction matching
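The batch-control check from step 5, a STRATIFY-style overview from step 6, and the gap, duplication and reasonableness tests listed above, applied to a constructed disbursements extract. This Python block is an added example rather than ACL or IDEA script or anything from the book; the records, the owner's control figures, the amount bands, the reasonableness ceiling and the function names are invented for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed extract of a cash disbursements file as imported into GAS
# (invented records, not from the book). Fields: cheque number, vendor, amount.
RECORDS = [
    (1001, "V010", Decimal("250.00")),
    (1002, "V011", Decimal("1200.50")),
    (1003, "V010", Decimal("250.00")),
    (1005, "V012", Decimal("99.99")),
    (1006, "V013", Decimal("1200.50")),
    (1006, "V013", Decimal("1200.50")),
    (1008, "V014", Decimal("-50.00")),
]

# Batch control figures the data owner supplied with the extract (constructed).
CONTROL_COUNT = 7
CONTROL_AMOUNT = Decimal("4151.49")


def batch_controls(records):
    """Step 5: do record count and amount total agree with the owner's figures?
    The hash total of cheque numbers is kept as a fingerprint of what was received."""
    return {
        "count_ok": len(records) == CONTROL_COUNT,
        "amount_ok": sum(r[2] for r in records) == CONTROL_AMOUNT,
        "hash_total": sum(r[0] for r in records),
    }


def stratify(records, bounds=(Decimal("100"), Decimal("1000"))):
    """Step 6 overview: how many records fall in each amount band
    (band 0 is below the first bound, band 1 between the bounds, and so on)."""
    counts = Counter()
    for _, _, amount in records:
        counts[sum(1 for b in bounds if amount >= b)] += 1
    return dict(sorted(counts.items()))


def gaps(records):
    """Gap test: cheque numbers missing from the sequence (unaccounted-for forms)."""
    nums = {r[0] for r in records}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def duplicates(records):
    """Duplication test: repeated cheque numbers, plus same-vendor/same-amount
    records that may be a double payment even when the cheque numbers differ."""
    dup_keys = sorted(k for k, c in Counter(r[0] for r in records).items() if c > 1)
    pairs = Counter((r[1], r[2]) for r in records)
    suspect = sorted(r[0] for r in records if pairs[(r[1], r[2])] > 1)
    return {"duplicate_keys": dup_keys, "same_vendor_amount": suspect}


def unreasonable(records, ceiling=Decimal("10000")):
    """Reasonableness test: non-positive or implausibly large amounts."""
    return [r[0] for r in records if r[2] <= 0 or r[2] > ceiling]


if __name__ == "__main__":
    print(batch_controls(RECORDS))
    print(stratify(RECORDS))
    print("gaps:", gaps(RECORDS))
    print("duplicates:", duplicates(RECORDS))
    print("unreasonable:", unreasonable(RECORDS))
```

Amounts are held as Decimal rather than float so that control totals reconcile to the cent; a float total that is off by a rounding error looks exactly like a missing record. Every test returns the offending cheque numbers rather than a count, because the next step in the audit is to pull those documents.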

d. Other Potential Controls/CAATTs

Other CAATTs include the following (not an exhaustive list, and some of which have been discussed previously in this chapter):

• Embedded audit modules
• Artificial neural networks
• System development life cycle
• Librarian
• Passwords
• Biometrics
• Intrusion detection system
• Firewalls
• Anti-virus software
• Digital certificates
• Digital signatures
• Encryption
• Proposed XBRL system
• Disaster recovery plan/business recovery plan (see Exhibit 3.10)
• Incident response plan

[38] Steve Gibson is the founder of Gibson Research Corporation, a frequent writer and speaker on high-tech topics, and is considered a pioneer of the Internet and its technologies. See Gibson's open letter to the hacker and his report of the incident at his corporate web site: www.grc.com.


References

Colbert, Janet L. and Paul L. Bowen. "A Comparison of Internal Controls: CobiT, SAC, COSO, and SAS 55/78," ISACA, at www.isaca.org/bkr_cbt3.htm.

Committee on Sponsoring Organizations, www.coso.org.

Electronic Commerce, Gary P. Schneider and James T. Perry, 2000, Course Technology: Stamford, Conn. (2 × 2 security overview, Exhibit 3.1).

Information Systems Audit and Control Association, www.isaca.org.

Institute of Internal Auditors, www.theiia.org.

Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing (SPPIA), www.theiia.org/ecm/guide-stand.cfm?doc_id=124.

Information Systems Auditing and Assurance, James Hall, 2000, South-Western College Publishing.

Singleton, T. "An Empirical Investigation of IS Audits and Software Piracy," Information System Audit & Control Journal, Vol. VI, 1997, pp. 32–41.

Singleton, T. "Stop Fraud Cold With Powerful Internal Controls" (Building an Internal Control Environment to Enhance Corporate Strategies), Journal of Corporate Accounting and Finance (Wiley), Vol. 13, Issue 4 (May/June 2002), pp. 29–39.

Singleton, T. "Effective Audit Committees for Cooperatives: Part I—What, Why and How," The Cooperative Accountant, Summer 2002, pp. 22–30.

Singleton, T. "Managing the Most Critical Internet Security Vulnerabilities: One Effective Approach," EDPACS, Vol. XXX, No. 2 (August 2002), pp. 1–11.

Singleton, T. "Managing Distributed Denial of Service Attacks," EDPACS, Vol. XXX, No. 5 (November 2002), pp. 7, 9–20.

Singleton, T. "Biometric Security Systems: The Best InfoSec Solution?," EDPACS, forthcoming (January or February 2003).

Endnotes

1. See www.coso.org.

2. See www.isaca.org/cobit.htm.

3. This paragraph is from the ISACA web page on CobiT at www.isaca.org.

4. See www.isaca.org.


5. An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.

6. See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.

7. www.cert.org/present/cert-overview-trends/module-6.pdf.

8. SAS No. 78 revised SAS No. 55—the same topic.

9. See www.cert.org.

10. See www.sans.org.

11. See www.securityresponse.symantec.com/avcenter or www.norton.com.

12. See www.ciac.org/ciac by U.S. Department of Energy.

13. See www.securityresponse.symantec.com/avcenter/ or www.norton.com.

14. See www.cert.org.

15. See www.securityfocus.com.

16. See www.incidents.org.

17. BIND is one of the name services on the Internet, typically on Unix, Linux, and similar systems, though Windows XP does support BIND now.

18. See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).

19. The information for this paragraph came from a web page at the Internet Storm Center's web site. The page is located at www.incidents.org/isw/iswp.php.

20. See www.incidents.org.

21. Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC site www.sec.gov for clarification.

22. SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.

23. Nikos Vafeas, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20, No. 1 (March 2001).

24. Connie McDaniel, vice president and controller of the Coca-Cola Company, from a speech presented to the AAA, August 13, 2001.

25. For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running disappointment in business in the last 30 years." World Economic Forum, 1997.

26. See www.itgi.org.

27. According to the Computer Emergency Response Team. See "Combating Cyberthreats: Partnership Between Public and Private Entities," E. Lee, Information Systems Control Journal, Vol. 3, 2002.


28. They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific domain, specific time frame), or (d) they have an engagement letter to conduct the pen test.

29. See the technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.

30. See the technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to safe crackers.

31. According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.

32. Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.

33. "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.

34. Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.

35. Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.

36. Steve Gibson is the founder of Gibson Research Corporation, a frequent writer and speaker on high-tech topics, and is considered a pioneer of the Internet and its technologies. See Gibson's open letter to the hacker and his report of the incident at his corporate web site: www.grc.com.


Part II: Management and Administration

Chapter List

Chapter 4: Department Organization
Chapter 5: Personnel, Administration, and Recruiting

Part II: Management and Administration 1


Chapter 4: Department Organization

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.1 REV NO: DATE:

TITLE: Introduction PAGES:

4.1 Introduction

In order to achieve the goal of a world-class internal audit (IA) organization, standardized procedures must be developed and followed by the staff.

Setting high standards will ensure that your department's work is of sufficient quality to satisfy your mission and enable reliance by your independent auditors. Development of each auditor's individual professionalism can be greatly enhanced by understanding the company's expectations and being evaluated on compliance with approved departmental procedures.

a. Strategic Objectives

Internal audit consists of people and procedures. In order to maximize the productivity of a group, the group needs a mission and consistent procedures to attain departmental goals. This procedures manual, and this chapter in particular, provides a place to state the department's mission and to document the departmental procedures used to attain it. All organizations need a mission. They also need goals, short-term and long-term, that can be linked directly to the mission of the organization. Other elements of management include feedback and mentoring, resources and training, and rewards. These elements can all be documented in a procedures manual.

i. Mission Statement

While each organization will need to personalize its own mission statement, the following is a general statement that might apply or could be modified to apply:

The internal audit department will enhance corporate viability and/or profitability by providing management with expertise in developing and maintaining an effective control environment, conducting efficient and effective audits, and building a quality IA department that will contribute to the corporate mission.

From the mission statement, the IA department (in conjunction with management) should establish strategic objectives to reach the mission. One example is: The department will strive to achieve world-class procedures and quality of services by adhering to professional standards, best practices, and proven quality improvement techniques. Another example is the actual mission statement of JPMorgan Chase, following the merger that closed on December 31, 2000:

The General Auditor and his global team are the Corporation's independent control assessment function, accountable for providing the Audit Committee, the Chairman, senior management, and regulators with reasonable assurance that the system of internal control achieves its objectives. Auditing's mission is to foster a continuous self-checking control environment in partnership with senior management to identify opportunities to ensure the adequacy of the risk management and internal control processes. Auditing's primary objective is to identify emerging issues, detect control deviations, and track management's corrective actions.

Long-term and short-term goals should be linked to the mission statement. Mission statements are critical components of most quality improvement programs (see Section 9.4). Therefore, the first step in establishing the internal audit department is to develop an appropriate mission statement.

ii. Why a Procedures Manual

The mission statement, objectives, goals, and procedures of the internal audit department need to be documented in such a way that the resulting document can be used as a reference manual. Auditor and manager turnover is unavoidable, and an appropriate manual will allow for smooth transitions. It will also answer questions about issues such as travel and other policies. But it is also a dynamic document, and should be updated with a conscientious approach to being current, correct, and consistent (e.g., with professional standards, with itself, and with corporate policies and goals).

iii. Major Challenges of the Department

We have said that internal auditing involves people and procedures. In most cases, the procedures involve reviewing and evaluating controls, efficiency, effectiveness, and other aspects of the business. Efficiency generally relates to measures of operations or delivery of services, especially as a ratio of inputs to outputs. Effectiveness is a measure of how well the organization meets its goals; it usually focuses on strategy and improvements to decision making.

The review process creates at least two factors for audit management to consider. The first is the difficulty of measuring internal audit productivity; the second relates to the potentially negative nature of the auditing business. Both must be addressed in a progressive internal audit department.

Auditor productivity requires the development of a proactive spirit, a high degree of professionalism, and measurement techniques, including budgets and time reporting. The methodology contained in this manual includes a conscientious attempt to address all of these areas. Budgets are important. Time reporting, although a laborious task, is necessary to properly analyze productivity. A proactive spirit and professionalism must be instilled in all staff members through the department's professional development program.

Auditors can reach beyond the negative aspects of the auditing business. A modern audit department proactively seeks positive deliverables from within the work of the organization. This effort may involve the development of preventive control procedures and the recommendation of these to auditees before audits. The overarching goal of the audit program should be to improve the control environment within the company (refer to the mission statement), not to catch company units or individuals in violation of control procedures. It is critical that the audit department develop a "work with" attitude within the organization.

b. Essence of Internal Auditing

One of the major challenges of audit management is contributing to the organization's mission. It is often noted that internal auditors do not create, make, find, or deliver the organization's products or services. How does internal audit fit into the organization's mission? If audit programs were suspended, what would be the short-term and long-term effects?

Company management will periodically examine the contribution of the internal audit program. Will your function pass this test? Unlike functions that produce products or services, audit results may be more difficult to measure. How is the productivity of the internal audit function measured? Does your audit function have the internal system to measure and improve internal audit productivity? Other areas of organizations, and businesses in general, are monitored and pushed to greater limits and improvements in quality; why not internal audit?

All too frequently, audit management becomes lax. Decisions to spread out and space out audits are all too easy. These types of issues do not exist in other functions: shipping is measured monthly, sales sometimes daily, and accounting reports are issued monthly. With audit management comes the responsibility to push for greater volume, efficiency, and effectiveness (see the definitions of each above). Audit management needs to employ any and all tools and procedures to measure and improve productivity. All of these procedures and methodologies should be carefully developed, documented in your procedures manual, and built into your audit culture.

What happens if you become lax? Management does not look at internal audit every day, month, or quarter. Over time, an impression forms of the effectiveness and efficiency of the internal audit function. In many cases, change is made in dramatic fashion by replacing audit management, or by eliminating, reducing, or outsourcing the function. The fact that all appears quiet may be only a warning of an impending storm.

Measuring efficiency in internal audit is generally a simple and feasible process. Measuring the inputs (labor hours or some other quantitative measure) is relatively simple. But outputs need to be relevant to the organization, rather than a simple count of audits conducted, or ignored altogether in favor of quantifying inputs. Effectiveness is quite different. Based on the definition of effectiveness, the management of internal audit should first establish a reasonable, achievable, and relevant mission statement, with appropriate accompanying goals and strategies (both must be measurable). This mission should be compatible with the organization, its culture, management's goals and objectives, and professional responsibilities. Effectiveness then becomes a measure of how well internal audit accomplishes the mission, as measured by how well it is reaching the goals associated with the mission statement. This is the measure with which corporate management will be most concerned.

To function effectively, internal auditors and the customers of audit services should possess a similar understanding of what makes internal auditing a value-added activity. Failure to reach this understanding could result in the perception that internal audit is simply an obstacle to achieving production objectives, which in turn can result in underutilized audit services and ignored audit recommendations. [1] It is imperative that IA staff members articulate the mission of the IA function to its stakeholders effectively, to avoid this unproductive environment.

c. Quality Assurance Reviews of Internal Audit

Recently, quality assurance reviews of internal audit functions have been on the rise. This internal or external review is a very positive development for internal auditing as a profession. To some extent, this trend is encouraged by the very nature of internal audit and the concern on the part of management about internal audit effectiveness and efficiency.

Every dollar spent on internal audit is a dollar not earned on the bottom line. Why not challenge the spending, as is the case in other areas of the company? (Chapter 9 proposes a full quality assurance program administered by audit management.)

d. Outsourcing Internal Audits

In the 1990s, a manifestation of the concern of management about the effective use of corporate resources for internal auditing was the ever-expanding trend toward outsourcing the internal audit function.

As noted earlier, internal auditing management requires a proactive approach, good personnel, personal development programs, structured procedures, a mission, short-term and long-term objectives, quality assurance reviews, productivity measures, and so on. However, there is no simple measurement tool such as units booked, units shipped, financial statements produced on time with accuracy each month, comparable-store sales versus last year, capacity utilization, and so forth.

Audit contribution is very difficult to measure! Therefore, when management is offered a simple, perhaps less expensive approach, it will be seriously considered. Is internal audit an organization's core competency? Can it be more efficiently and effectively implemented by the organization dedicated to internal audit as a core competency? These are questions currently being explored by many organizations.

Clearly, there are many factors involved in the decision to outsource all or part of an internal audit function. A major element is size and ability to maintain various specialized skill sets, such as information systems (IS) audit. In smaller organizations, outsourcing of general IS audit may be effective and efficient. In larger organizations, with IS audit staffs, outsourcing certain very technical audits may be the advisable course of action. Outsourcing should be considered during the departmental planning process. That is, if there is a need for technical competencies not immediately available in the staff (e.g., Internet, encryption, intrusion detection), audit management should consider whether to outsource or develop the skill internally.

The Institute of Internal Auditors (IIA) issued a report entitled, "Perspective on Outsourcing Internal Auditing." In it, the IIA takes the following view:

The IIA's perspective is that internal auditing is best performed by an independent entity that is an integral part of the management structure of an organization. The IIA states unequivocally that a competent internal auditing department that is properly organized with trained staff can perform the internal auditing function more efficiently and effectively than a contracted audit service.

Internal auditing by definition should be internal and integral to the organization, and the internal auditing department should be staffed with professional internal auditors who adhere to the Standards for the Professional Practice of Internal Auditing and the related Code of Ethics. One of the best evidences of internal auditing competence is the Certified Internal Auditor (CIA) designation.

Most internal auditors are degreed professionals. In fact, many hold advanced degrees and have acquired specialized skills related to the organization for which they work. These professionals are aware of their responsibilities with regard to the organization and the Standards.

The key proficiency of internal auditors is internal control in its broadest sense. Internal auditors provide management and the board of directors with competent evaluations of an organization's system of internal control and the quality of performance of assigned responsibilities regarding the reliability and integrity of information, compliance with laws and regulations, the safeguarding of assets, the economical and efficient use of resources, and accomplishment of goals and objectives.

Several common themes recur in control models, such as the Committee on Sponsoring Organizations (COSO) of the Treadway Commission, Criteria of Control Committee of the Canadian Institute of Chartered Accountants (CICA), and Cadbury Committee: "Internal control is management's responsibility; tone from the top is important; controls must be built in not on; and internal communication and people development are critical elements of the control framework." Internal auditors' value and effectiveness are linked not only to their attunement to management's philosophy and direction, but to their understanding of internal control and their direct knowledge of operating systems that are often in flux.

Internal auditors are in touch with governance issues and are intimately acquainted with their organization's policies, procedures, operating practices, and personnel. They are able to devote their full attention and loyalty to the organization and to identify subtle changes and ambiguities that may signal trouble. Internal auditors can respond immediately to the concerns of senior management because they are familiar with their organizations' culture and processes, and their status as employees ensures confidentiality and loyalty.

As long as internal auditing staffs are highly skilled, efficient, and responsive to management, organizations are best served by keeping the internal auditing function internal.

The Enron fraud and disaster (bankruptcy) of 2001 also lends credence to the IIA's stance. Enron was questioned for its outsourcing of the internal audit function, and the possible loss of independence when its external auditor firm, Arthur Andersen, was awarded the outsourcing of the internal audit function.

ISACA Standards provide guidance on issues related to outsourcing. Standard #010.010.020 says in section 2.1.1: "Where any aspect of the IS function has been outsourced to a service provider, these services should be included in the scope of the audit charter." Section 2.1.2 further states: "The Audit Charter should explicitly include the right of the IS Auditor to (1) review the agreement between the service user and the service provider (pre-effect or post-effect), (2) carry out such audit work as is considered necessary regarding the outsourced function, and (3) report findings, conclusions, and recommendations to service user management." Thus outsourcing is something to be considered during the development of the audit charter (see "Corporate Audit Charter" in this chapter).

e. Control Self-Assessment

In the 1990s, in reaction to the ever-expanding requirements for internal audit services and the need to control overhead costs, internal audit groups have been turning to control self-assessment (CSA) reviews, also known as self-audits. CSA reviews are performed by line managers under the direction of the internal audit program. Most line managers are concerned about controls over their operations and have a basic knowledge of control issues related to their function of operation. Of course, CSA is not performed by individuals independent of the operations under review and, therefore, will only supplement, not replace, internal audit activities.

In the current marketplace, all organizations are affected by global competition, as well as demands for greater accountability. Customer-focused organizations are attempting to reengineer systems and eliminate activities that do not add value to customers. These programs are changing business processes very rapidly, and in some cases, reducing the internal control systems. At the same time, the profession of internal auditing, through the IIA and other professional organizations including the American Institute of Certified Public Accountants (AICPA) and the Financial Executives International (FEI), has redefined internal control with a broader, more detailed definition, adding to the work of internal audit.

In this period of rapid change, CSA has arisen as a means of raising control awareness and coverage. This innovative approach provides the internal audit department with an opportunity to meet its audit customers' (management's) needs while controlling auditing costs.

CSA, or self-auditing programs, are usually built around self-audit questionnaires or audit programs. CSA programs are initiated by sending a letter about the program to line or operating managers explaining how the program will work, what their responsibilities will be (completion of the self-audit appraisal questionnaire) and how the information will be used by the internal audit department. The letter should point out that the information will not only be reviewed, but will also be verified during subsequent audits.

A member of the audit department at the supervisor or manager level will review the CSA response and follow up on noted significant control weaknesses immediately if deemed necessary. All less significant issues will be followed up at the point of the next audit. The CSA reports will also be integrated into the audit planning process. It is advisable to assign a supervisor or manager who is acquainted with the subject operations and/or who will be assigned to subsequent audits. Over time, locations or operations subject to CSA reviews can be considered for extended audit intervals or lower risk assessments in the three-year plan. This process will have the effect of reducing the audit time and travel expenses. Of course, the quality of the CSA document and the seriousness with which local management implements the CSA program will be important factors.

CSA programs are relatively new methods of delivery of the internal audit service. Each organization will develop a program that fits its organization. Another major benefit of this approach is that it allows the internal audit function to continue to evolve from the policing role to the facilitator of controls and policies role. Through CSA, line or operations managers assume more ownership and accountability for controls and participate in the process of reviewing and improving control effectiveness.


f. Integrating the Auditing Process

The core process in an internal auditing function is the auditing process. This core process is supplemented by tangent processes such as personal development and quality assurance. The auditing process is defined in this manual as consisting of three major aspects:

1. The Planning Process (see Chapter 6)
2. The Auditing Process—Performance (see Chapter 7)
3. The Reporting Process (see Chapter 8)

We have learned that there exists the ability to link these processes and leverage work performed in one process to benefit the auditors, or reduce their work and thereby increase their productivity in a subsequent process. In addition, the methodology involves paying a great amount of attention to planning so that proper objectives are set and work is directed to the higher-risk areas within the organization. An example of the leverage is the use of information from the planning process, including the scope and auditee profile, in the resulting audit report. Good planning leads to improved effectiveness and better quality results.

This methodology has been successfully implemented in a number of audit departments, and although at first it may appear overly structured, the implementation has resulted in a consistently high-level, quality audit product. There are no government or professional requirements for internal audit management to be so structured; however, it has been our experience that operating in an unstructured environment causes an erosion of management support and credibility over time.

Audit departments do not need to implement all of these strategies; however, they support the practice and provide management with a clear understanding of the process. Without this process, management may sometimes question the value of contribution of internal auditing.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.2 REV NO: DATE:

TITLE: Corporate Audit Charter PAGES:

[1] "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," Dale L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.

4.2 Corporate Audit Charter

Audit departments should operate pursuant to a written charter indicating the purpose, authority, duties, and responsibilities of the function. The audit department charter should be formally approved by the audit committee and the board of directors, updated periodically, and distributed to all company management. (See Section 9.5, "Marketing the Audit Function.")

The IIA Standards suggest the charter should (1) establish the department's position in the organization; (2) authorize access to records, locations, and personnel; and (3) define the scope of internal audit activities. (See Exhibit 4.1.)

Exhibit 4.1: Sample Corporate Audit Charter[2]

(a) Policy Statement


It is the policy of Sam Pole Company (the Corporation) to maintain an audit department as a means of providing the Board of Directors and all levels of management with information to assist in the control of operations and to assist senior management in reaching a conclusion concerning the overall control over assets and the effectiveness of the system of internal controls in achieving its broad objectives. Additionally, the Audit Department will review the effectiveness and efficiency of operations and organizational structures.

Complementary objectives of the corporate audit department are to develop personnel (see Chapter 5, "Personnel, Administration, and Recruiting," and Section 9.5, "Marketing the Audit Function").

(b) Responsibility of the Director of Auditing

The Director of Auditing is responsible for properly managing the department so that (1) audit work fulfills the purposes and responsibilities established herein; (2) resources are efficiently and effectively employed; and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

(c) Reporting and Relationship of Audit Committee

The Director of Auditing will report to the Audit Committee for approval of audit scope, policy, and administration. The Director will report in writing on all internal reviews conducted in the Corporation and will attend the Committee meetings to report on significant recommendations and the operations of the internal audit function.

(d) Independence

Independence is essential for effective operation of the internal audit function. It is the policy of the Corporation, therefore, that all audit activities shall remain free of influence by any organizational elements. This objective shall include such matters as scope of audit programs, frequency and timing of examinations, and the content of audit reports.

(e) Scope of Audit Activities

Audit coverage will encompass, as deemed appropriate by the Director of Auditing, independent reviews and evaluations of any and all management operations and activities to appraise:

• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• The reliability, consistency, and integrity of financial and operating information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact on operations
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of the mission, objectives, and goals established for the Corporation's operations and projects

Audit activities will be coordinated, to the extent possible, with the public accountants so as to enhance audit efficiency.

(f) Access and Confidentiality

In accomplishing activities, the Directors of Auditing and their staffs are authorized to have full, free, and unrestricted access to all Corporation functions, activities, operations, records, data files, computer programs, property, and personnel. Under appropriate circumstances, the Director of Auditing is specifically authorized to communicate directly to the Chairman, President, and/or the Board of Directors. It is expected that Directors of Auditing and their staffs will exercise discretion in the review of records to ensure the confidentiality of all matters that come to their attention.


(g) Responsibility for Corrective Action

The manager or head of the division, department, unit, or site audited is responsible for either planning or taking corrective action on recommendations made or deficient conditions reported by the auditor. If the proper corrective action is not taken, the Director of Auditing is responsible for presenting a report on significant matters to a senior financial officer and/or the Audit Committee.

(h) Limitation of Authority and Responsibility

In performing their functions, the Director of Auditing and corporate audit staff members have neither direct authority over, nor responsibility for, any of the activities reviewed. Internal auditors will not develop and install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. However, in connection with the complementary objectives of this audit function, Internal Audit will recommend accounting and information systems policies and procedures for approval and implementation by appropriate management. Therefore, internal audit review and appraisal do not in any way substitute for other activities or relieve other persons in the organization of the responsibilities assigned to them.

The Information Systems Audit & Control Association (ISACA) Standards also address audit charters. Standard #010.010.010 states in section 2.1.1:

The IS Auditor should have a clear mandate to perform the IS audit function. This mandate is ordinarily documented in an audit charter that should be formally accepted. Where an audit charter exists for the audit function as a whole, wherever possible the IS audit mandate should be incorporated.

In Section 2.2.1 it further states: "The audit charter should clearly address the three aspects of responsibility, authority and accountability." Under responsibility, the first subtopic is mission statement. Other ISACA Standards affect the development of the audit charter, such as outsourcing mentioned previously. Thus ISACA Guidelines provide a lot of general guidance in developing the audit charter, mission statement, and other organizational documents.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.3 REV NO: DATE:

TITLE: Company Organization PAGES:

[2] Note: Adapted from Guide to Accounting Controls, Price Waterhouse, 1981, Warren Gorham Lamont.

4.3 Company Organization

Auditors should be aware of their company structure and management organization. In order to provide this background, a section of the audit manual should be devoted to a description of the company's activities. This section can include a copy of the company's divisional or subsidiary organization structure. In addition to this structure, it is common to produce management organization charts. The senior management organization chart should be included in the internal audit manual. Exhibit 4.2, "Sam Pole Company Organization Chart," is an example of a high-level organization chart depicting the financial organization and the auditing organization.

Exhibit 4.2: Sam Pole Company Organization Chart

The positioning of internal audit within a company can vary. There is a great debate in the profession that addresses the independence of internal auditing. The Sam Pole Company organization chart depicts the Director of Auditing reporting directly to the Board of Directors, with a dotted-line responsibility to the Chief Financial Officer (CFO) and Audit Committee. In some companies, the internal auditing function reports directly to the CFO. This organization may be appropriate if the circumstances warrant this reporting relationship. Whenever possible, the reporting relationship should be independent of the financial organization.

a. Audit Department Organization

The audit department organization chart should be included in the manual. If practical, it is beneficial to include the names of all the auditors in the department. This approach provides a level of personalization for the manual. However, this approach will require more frequent revisions.

Exhibit 4.3 is the "Sam Pole Company Audit Department Organization Chart." The chart depicts an integrated audit department approach in which staff are available to managers of each audit discipline. This approach is unusual and was included in this version of the manual to provide a thought-provoking example. Most departments have organization charts which can be easily included in this section of the manual. The job classifications/descriptions that follow have been developed in a format consistent with this organization chart.

Exhibit 4.3: Sam Pole Company Audit Department Organization Chart


Another method for improving commitment and team spirit is to include the names of all the department members on a departmental routing slip. This routing slip can augment the organization chart.

b. Job Classifications and Descriptions

Job descriptions formally define the functions, duties, and responsibilities of a position. They also indicate the knowledge and skills required for successful performance. As such, they provide a vehicle for defining different levels on the audit staff and also provide criteria for performance evaluation.

The Corporate Audit Department currently has three levels of professional job classifications, in addition to the Director of Auditing. They are: Manager/Director, Senior Auditor, and Auditor. In addition, there is one administrative position: executive secretary. Job descriptions for the current professional positions can be found on the following pages. These job descriptions reference responsibilities for the major procedures contained in the processes in other sections of the manual. Therefore, they document the responsibilities of each staff member related to these methodologies.

POSITION NAME:

DIRECTOR OF AUDITING

REPORTS TO:

Senior Officer for Administration and the Board of Directors (usually through the Audit Committee) for audit scope and policy.

FUNCTION: The position is responsible for properly managing the department so that (1) audit work fulfills the purposes and responsibilities established in the department charter, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

DUTIES AND RESPONSIBILITIES:

To direct independent reviews and evaluations of any and all management operations and activities to appraise:

• The reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact upon operations
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of objectives and goals established for corporation operations and projects

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality.

To present to a senior officer and/or the Audit Committee, a report on significant recommendations or deficiencies on which audited management has not taken proper corrective action.

To ensure that the department does not develop or install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise its independence.

The Director must have an in-depth knowledge of the audit profession as well as the audit function at Sam Pole Company, from both conceptual and technical viewpoints. Therefore, the Director should maintain an expert knowledge of auditing and the auditing profession.

The Director must have excellent written and verbal communication skills as well as excellent editing skills. He/she is responsible for monthly activity reports to senior management and updates to the Corporate Audit Procedures Manual. The Director will perform a final review of corporate audit reports.

The Director should have excellent interpersonal skills. These skills are critical to develop and maintain effective working relationships with all levels of management, the external auditors, consultants, and various industry representatives.

The Director will also need to counsel managers and audit staff members as to their performance and career development.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. The Audit Director will be involved with audits in foreign and domestic locations. This involvement will lead to travel to foreign and domestic locations, where in some cases English may not be the first language.

CONTACTS:

Internally, the incumbent deals directly with all levels of management in the company. The incumbent works with the corporate audit staff, managers, and senior officers of the company.

Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company.

The Director of Auditing develops contacts with suppliers of materials and other supplies for the functioning of the Audit Department.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:


This individual will have at least a four-year college degree and possess approximately 10 to 15 years of experience in internal auditing and external auditing, including at least seven years at the manager or director level.

• A CPA or CIA certification and CISA is desirable.
• Experience with financial, operational, and management auditing.
• Experience in a manufacturing and/or distribution environment.
• A good understanding of IS auditing.
• The ideal candidate will also possess foreign language skills.

POSITION NAME:

AUDIT MANAGER—INTERNATIONAL, PLANNING, AND CONTROL

REPORTS TO:

Director of Auditing

FUNCTION: The position is responsible for overall audit planning, policies and procedures, coordination with external audit and consultants, and quality assurance.

The position is responsible for ensuring that the overall audit function of the company monitors trends in the auditing field and applies them when appropriate to the practice of auditing in the company. The position is also responsible for coordinating/initiating all planning, quality assurance, and human resources-related functions for the Corporate Audit Department. Furthermore, the position is responsible for the preparation and implementation of a training plan for the department and the individual professionals therein and coordinating the activities of internationally based auditors.

DUTIES AND RESPONSIBILITIES:

The individual will have direct responsibility for preparing an Audit Department multi-year plan, and:

• Coordinate input from the Director of Auditing as well as audit managers in developing the plan
• Summarize input received from managers and Director of Auditing, with international plans, and produce a draft plan for discussion
• Update drafts based on input received until final draft is approved
• Prepare six-month and one-year plans for the three-year plan

The individual will be responsible for the coordination and administration of the Audit Department, and:

• Develop and maintain the Audit Procedures Manual of the Corporate Audit Department
• Prepare the operating budget for the department for approval by the Director of Auditing
• Monitor expenses by overseeing purchases and payment of invoices, and recommending viable alternatives to the audit management
• Prepare annual summaries of external audit fees for the Director of Auditing
• Prepare periodic reports for senior management for the Director's review; also oversee the preparation and production of periodic and biannual audit report summaries to the Audit Committee
• Maintain a complete file on each member of the audit staff, with job descriptions, resumes, career actions, performance appraisals, training plans, and development records; produce and analyze reports on various personnel statistics
• Advise Corporate Audit management on training needs and availability

The individual will be responsible for developing and implementing the department's Quality Assurance Program, and:


• Maintain the department's policies regarding periodic reviews of entire assignments, summary reviews of all assignments, and external peer review
• Schedule staff for reviews of entire engagements
• Schedule staff for summary reviews of each engagement on an availability basis
• Prepare reports for the Director of Auditing, discussing the areas where improvement is needed in the audit process

Internationally Based Auditors:

The individual will be responsible for coordinating the activities of the internationally based auditors, and:

• Coordinate the development of the international audit plans and integrate them into domestic plans
• Monitor the activities of the internationally based auditors
• Provide guidance on company developments

Audits:

In addition to the significant administrative responsibilities discussed in the job description, the individual will be involved in selected audits, both domestic and international.

This position is responsible for maintaining expert knowledge of the auditing profession. The incumbent must keep abreast of new or proposed developments to the auditing function, and analyze their impact on the company. In addition, the incumbent is an authoritative source of information to the audit group regarding the practice of auditing.

The incumbent must have an in-depth knowledge of the audit profession as well as the audit function at Sam Pole Company, from both conceptual and technical viewpoints. Also the incumbent should have a good understanding of the company's primary lines of business and organizational structure—or if such knowledge is minimal, should be capable of quickly becoming familiar with these activities.

The incumbent must have excellent written and verbal communications skills as well as excellentediting skills. In addition, the incumbent must prepare monthly activity reports to senior managementand update (as necessary) the Corporate Audit Procedures Manual. The manager must review and editcorporate audit reports and be able to effectively communicate departmental policies and proceduresto staff.

The incumbent must have well-developed interpersonal skills. They are critical to develop andmaintain effective working relationships with all levels of in-house management, the company'sexternal auditors and consultants, and various industry representatives. The incumbent also needs tocounsel audit staff members as to selected training and career development.

The incumbent must develop and maintain ongoing contact with peers in industry for the purpose ofgathering information and exchanging ideas.

The incumbent must gather information on proposed legislation, analyze impact to the company, anddraft statements for consideration by the Director of Auditing.

The incumbent must interact with associations and institutions to keep abreast of developments andtrends in the auditing profession and ensure that both the Audit Department and business units arekept informed.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.


CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company, including cross-relationships with Human Resources, Officer Services, and Information Systems.

Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material, including information that should be disseminated to the audit staff and management of the company.

The Audit Manager develops contacts with suppliers of materials and other supplies for the functioning of the Audit Department.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

This individual will have a four-year college degree and possess approximately five to eight years of experience in internal auditing.

• A CPA, CISA, or CIA certification is desirable.
• The ideal candidate will also possess foreign language skills.

POSITION NAME: AUDIT MANAGER—FINANCIAL/OPERATIONAL AUDIT

REPORTS TO: Director of Auditing

FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the purposes and responsibilities established in the department, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA), and the General Standards for Information Systems Auditing, published by the Information Systems Audit and Control Foundation (ISACA).

DUTIES AND RESPONSIBILITIES:

To direct independent reviews and evaluations of any and all management operations and activities to appraise:

• Reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact upon operations
• Effectiveness in accomplishment of objectives and goals established for the corporation and projects
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy, effectiveness, and efficiency in use of resources (operational audits)
• Effectiveness of organizational structures to achieve corporate goals and ability of management to plan, organize, direct, and control its function (management auditing)

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.


For All Assigned Audits:

• Scope and Procedures. Implement the department procedures for audit planning, establishing scope, and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits assigned:
  ♦ Preliminary survey: Review planned survey; review survey results
  ♦ Audit time budget
  ♦ Planning memo
  ♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, as appropriate.
• Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers; approve reviewed workpapers for filing.
• Interim Recommendations. Prepare recommendations following field work and documentation of auditee position.
• Status Memo. On the basis of memo contents, consider the appropriateness of the original audit plan and scope, or the need to modify them to attain the audit objective.
• Closing Conference. Plan and conduct audit closing conference.
• Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the Director of Auditing and Audit Committee.
• Summary Memo. Review results of audit regarding attainment of objectives; review and approve comparison of actual to budgeted hours and explanation for variance.
• Audit Management Letter. Review and follow up on all profit center responses to the public accountants' Audit Management Letter, including a report to the Audit Committee.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
• Information Systems. Have sufficient basic IS knowledge to be able to discuss and determine application of IS audit resources.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit-related decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide, and motivate staff. Empower assistants to be effective. Participate directly in these activities when appropriate.
• Auditee Relationship. At executive management level, identify and develop audit opportunities to provide a more effective audit service to management.

Other Matters:

• Special Investigations. Provide direction and guidance. Review results. Recommend action in coordination with other interested company and outside parties.
• Continuing Education. Pursue regular program for continuing education for self (related to certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in area of emerging systems development within the company, courses to pursue certification, management training). Review and approve suitable program for departmental staff.
• Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
• Professionalism. Demonstrate superior performance and direction in all attributes of professional conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company, especially with the accounting functions.

Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA), if applicable, in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material, including information that should be disseminated to the audit staff and management of the company. Contact with organizations specializing in operational and management auditing must be maintained.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• A degree in accounting or other qualified discipline
• CPA, CISA, or CIA certification
• Experience in a manufacturing and/or distribution environment
• Experience in a supervisory capacity and the ability to direct and develop others
• Experience with financial, operational, and management auditing

POSITION NAME: AUDIT MANAGER—IS AUDIT

REPORTS TO: Director of Auditing

FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the purposes and responsibilities established in the department, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA), and the General Standards for Information Systems Auditing, published by the Information Systems Audit and Control Foundation (ISACA).

DUTIES AND RESPONSIBILITIES:

This individual will have primary responsibility for reviews of the company's information systems (IS) environment:

• Reliability and integrity of information systems (IS)
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact on IS or operations
• Effectiveness in accomplishment of objectives and goals established for IS
• Measures taken to safeguard IS assets, including tests of existence and ownership as appropriate
• Economy, effectiveness, and efficiency in use of IS
• Involvement in systems development audits to ensure controls are built in during the systems development life cycle (SDLC) process

To develop an audit program to address systems in development, including:

• Analyses of SDLC methodology, providing for internal audit input at key points in the process, including the use of continuous assurance techniques such as embedded audit modules and intelligent agents
• Planning of audits of development projects (or ongoing audit involvements) to provide critical input while the project is in process

The individual will be responsible for taking a leadership position in expanding the use of computers by the audit staff:

• Expand use of computer-assisted audit techniques (CAATs) to support audit projects
• Monitor the department's data processing requirements for microcomputer-based tools, including audit software and administrative packages
• Establish and maintain an automated time and expenses reporting system

The position is responsible for maintaining an expert knowledge of the IS audit profession. The individual must keep abreast of new and proposed developments in the IS auditing field and analyze the impact on the company. The individual should be an authoritative source of information to the audit group as regards the practice of auditing.

The incumbent must have a good working knowledge of the information systems development at Sam Pole Company. Consideration should be given to attending IS Steering Committee meetings.

The incumbent must have excellent written and verbal communication skills as well as excellent editing skills. The individual must prepare monthly activity reports to senior management on IS auditing activities.

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

The position will be responsible for working on selected financial and operational audits. These will supplement the primary area of responsibility of IS auditing.

For All Assigned Audits:

• Scope and Procedures. Implement the Department procedures for audit planning, establishing scope, and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits assigned:
  ♦ Preliminary survey: Review planned survey; review survey results
  ♦ Audit time budget
  ♦ Planning memo
  ♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, as appropriate.
• Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers; approve reviewed workpapers for filing.
• Interim Recommendations. Prepare interim recommendations following field work and documentation of auditee position.
• Status Memo. On the basis of memo contents, consider the appropriateness of the original audit plan and scope, or the need to modify them to attain the audit objective.
• Closing Conference. Plan and conduct audit closing conference.
• Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the Director of Auditing and Audit Committee.


• Summary Memo. Review results of audit regarding attainment of objectives; review and approve comparison of actual to budgeted hours and explanation for variance.
• Audit Management Letter. Review and follow up on all responses to the public accountants' Audit Management Letter, including a report to the Audit Committee.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
• Information Systems. Have sufficient IS knowledge to be able to discuss and determine application of IS audit resources, to judge effectiveness of computer controls, and participate in systems development projects.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit-related decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide, and motivate staff. Empower assistants to be effective. Participate directly in these activities when appropriate.
• Auditee Relationship. At executive management level, identify and develop audit opportunities to provide a more effective audit service to management.

Other Matters:

• Special Investigations. Provide direction and guidance. Review results. Recommend action in coordination with other interested company and outside parties.
• Continuing Education. Pursue regular program for continuing education for self (related to certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in area of emerging systems development within the company, courses to pursue certification, management training). Review and approve suitable program for departmental staff.
• Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
• Professionalism. Demonstrate superior performance and direction in all attributes of professional conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics.
• SDLC/Systems Projects. Preferably ensure that a CISA (or a staff member, if a CISA is not available) is a part of any systems development teams or projects.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company, especially with Information Systems.

Externally, the incumbent maintains close relationships with the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA), where applicable, in order to keep abreast of trends and developments in the IS auditing profession. The individual has regular dealings with managers and partners of the company's external auditors to obtain material, including information that should be disseminated to the audit staff and management of the company. The individual maintains contact with audit software vendors to stay abreast of developments in the field.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:


• A four-year degree in accounting and/or an IS degree
• A Certified Information Systems Auditor (CISA) certification; CPA or CIA is not essential but is an advantage
• Experience in a manufacturing and/or distribution environment
• Experience with computers, preferably both micro-computers (PCs) and either mainframe or mini-computers (mid-range)
• Experience with local area networks (LANs) or wide area networks (WANs)
• Experience in a supervisory capacity

POSITION NAME: SENIOR AUDITOR

REPORTS TO: Internal Audit Manager

FUNCTION: Plan, organize, conduct, supervise, and formally report on a scheduled audit.

DUTIES AND RESPONSIBILITIES:

• Planning Scope and Procedures. Develop or supervise assistants in planning the scope of audits and selection and development of appropriate audit procedures for manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach. Participate in and oversee work by assistants, if applicable.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating performance and variance.
• Planning Memo. Review assistant input and document a thorough and complete approved plan for specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential support for all report recommendations.
• Identifying System Control Points. Document controls or perform expert review of work by assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate assistants' recommendations, considering materiality, pertinence to audit, and documentary evidence.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with support from assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for materiality and relativity of items, adequacy of workpaper documentation, and auditee position (if known). Responsible for completeness and accuracy of entire report, subject to manager approval.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by assistants. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and review evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently in sensitive, confidential circumstances.


• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation, where appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self and recommend suitable programs for department associates. Pursue professional development (PD) for self, as appropriate, and recommend PD for department.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or need.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, department management and associates; most levels of auditee management. Externally, technical and other business professionals through societies and association memberships.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential

POSITION NAME: AUDITOR

REPORTS TO: Senior Auditor

FUNCTION: Plan, organize, conduct, and formally report on a scheduled audit.

DUTIES AND RESPONSIBILITIES:

• Planning Scope and Procedures. Develop the scope for audits and selection and development of appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Develop and prepare the survey.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating performance and variance.
• Planning Memo. Provide input and document plan for specific audits after obtaining general guidelines from senior/manager.
• Audit Programs Development/Changes. With senior approval, develop audit programs necessary to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential support for all report recommendations.
• Identifying System Control Points. Document controls.


• Workpapers. Prepare selected workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review, considering materiality, pertinence to audit, and documentary evidence.
• Status Memo. Prepare draft status memo for presentation to manager.
• Closing Conference. Prepare preliminary agenda of recommendations and comments.
• Report Preparation/Review. Prepare detailed recommendations and comments.
• Summary Memo. Prepare preliminary summary memo. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and review evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently in sensitive, confidential circumstances.
• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation, where appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self. Pursue professional development (PD) for self, as appropriate.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or need.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, department management and associates; most levels of auditee management. Externally, technical and other business professionals through societies and association memberships.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing
• Have ability to supervise and get along with people
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential


POSITION NAME: SENIOR AUDITOR—EUROPE (INTERNATIONAL LOCATION)

REPORTS TO: Audit Manager—Planning and Control

FUNCTION: This position is responsible for performing audits in Sam Pole's European operations. Corporate audit procedures established in the United States, to the extent possible, will be followed by the Senior Auditor—Europe.

DUTIES AND RESPONSIBILITIES:

The individual will have direct responsibility for preparing preliminary, annual, and multi-year audit plans for approval in the United States, for all European operations.

The individual will prepare drafts of expense budgets for one-year plans as appropriate, for approval in the United States. The individual will maintain a copy of the Corporate Audit Policies and Procedures Manual of the Corporate Audit Department for use in Europe.

The individual will maintain contact and develop lines of communication with auditees throughout the European operations.

The individual will attempt to maintain knowledge of developments in the various European operations. This process will involve monitoring periodic management reports and staying apprised of economic developments in each country. Periodically, reports on these developments will be made to the Manager—Planning and Control.

For All Assigned Audits:

• Planning Scope and Procedures. Develop the scope for audits and selection and development of appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach. Participate in and oversee work by assistants, if applicable.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating performance and variance.
• Planning Memo. Review assistant input and document a thorough and complete approved plan for specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential support for all report recommendations.
• Identifying System Control Points. Perform expert review of work by assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate assistants' recommendations, considering materiality, pertinence to audit, and documentary evidence.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with support from assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for materiality and relativity of items, adequacy of workpaper documentation, and auditee position (if known). Responsible for completeness and accuracy of entire report, subject to manager approval.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by assistants. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and review evaluations with them (if applicable).


Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validityof existing policies and procedures, and (2) recommend sound alternatives.

Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effectivedecision making and drawing sound conclusions.

Auditee Relationships. Ensure continuing development of effective professional relationships withauditee personnel.

Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficientlyin sensitive, confidential circumstances.

• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation, where appropriate, in our audit approach.

• Continuing Education. Pursue departmental-approved program for continuing education for self and recommend suitable programs for the department. Pursue professional development (PD) for self, as appropriate, and recommend programs for the department, where appropriate.

• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.

• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or need.

• Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.

International:

Sam Pole Company is a dynamic company with headquarters in the United States and significant operations all over the world. All audit managers and staff are involved with audits in foreign and domestic locations. This involvement includes travel to foreign locations, where, in some cases, language differences may be encountered. The Senior Auditor—Europe will possess multi-language skills and/or recommend alternative audit approaches, including use of outside accountants or other company personnel.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the European headquarters and country operations. Requests for audit assistance by the operating units should be communicated to U.S. headquarters and considered during the planning process. The position works closely with the Director of Finance for European Operations.

Externally, the incumbent should be a member of the Institute of Internal Auditors (in the United Kingdom) and other appropriate audit institutes in Europe. The incumbent will have regular dealings with managers and partners of the company's external auditors.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing (i.e., honors)
• Have fluent command of English and other language skills
• Have experience in the multinational auditing environment
• Have ability to supervise and get along with people
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential
• Independent thinker

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.4 REV NO: DATE:

TITLE: Audit Department Policies PAGES:

4.4 Audit Department Policies

In addition to the specific department procedures and administrative programs (see Chapter 5), the department should have various policies. The examples of these policies include those in this chapter. However, these should not be considered all-inclusive by any means. All departments should have confidentiality, travel, and entertainment policies. These would be the minimum policies, and every effort should be made to document policies on a case-by-case basis as they arise. This section can be used as the area to record all department policies:

• Confidentiality
• Orientation (Training)
• Days Off for Extensive Travel
• Professional Certification

a. Confidentiality

In accordance with the approved Corporate Audit Department Charter under subsection Access and Confidentiality, "in accomplishing his activities, the Director of Auditing and his staff are authorized to have full, free, and unrestricted access to all corporation functions, activities, operations, records, data files, computer programs, property, and personnel."

This access exposes the staff to confidential corporate information either by examination or discussion. The privileged permission to be informed of confidential information carries a responsibility for the Audit Department staff's confidentiality.

Confidentiality is defined as to "hold secret." The only exception is to report to audit management and others on a defensible need-to-know basis.

i. Policy

All information known to require or deemed to (by a reasonable person test) require confidentiality should be kept so.

ii. Discussion

Corporate Audit Department management is forced to guard their responsibility for staff confidentiality to protect the department's reputation and credibility. This protection includes present staff, transfers, and past employees.

Breaches of confidentiality may be either intentional or by accident, as being overheard in public places,elevators, or restaurants.


We are involved in and knowledgeable of a number of sensitive company situations including union agreements, company politics, different pay scales, and special investigations that require good judgment and limited exposure of details.

Another area of which the auditor must be constantly aware is gossip. Many people on the company grapevine feel credibility is given to their conversation if they can include, "I heard it from an auditor." So beware of the person who asks a lot of questions.

It should be clear to current or past employees of the Corporate Audit Department that violations of confidentiality or gossip may result in:

• Immediate termination
• Probation
• Suspension without pay
• Warning
• Lawsuit

The consequences will be at the judgment of the Director of Auditing and/or Audit Committee. A lawsuit could result from third-party damage as defamation of character from a libelous or slanderous statement. (See "Responsibilities of an Auditor" in this chapter.)

b. Orientation (Training)

i. Objective

Provide reasonable assurance that the new employee will become promptly productive.

ii. Responsibility

Orientation is the responsibility of the manager to whom the new employee reports.

iii. Orientation Outline (See Section 5.6)

• Information about Sam Pole Company
• Information about the Internal Audit Department of the Company
• Introduction to audit staff personnel and other employees with whom the auditor will work
• Discussion of duties and responsibilities
• Control of work:
  ♦ Hours of work
  ♦ Time reports
  ♦ Paycheck distribution
  ♦ Travel regulations
  ♦ Expense report preparation
  ♦ Supplies
• Readings:
  ♦ Audit manual
  ♦ Standards
  ♦ Literature on modern internal auditing
  ♦ Recent audit reports
  ♦ See recommended reading list


c. Days Off for Extensive Travel Policy

No specific corporate policy has been set forth on this subject. Therefore, the following policy for the Internal Audit Department will apply:

• One day for each seven consecutive nights in an international location may be taken off with pay.
• One day for the first 14 consecutive days of domestic (North American) travel may be taken off with pay. For every additional seven consecutive and contiguous days thereafter, one additional day off may be taken.
• Such days must be utilized by the end of the calendar year or they are automatically forfeited.

d. Professional Certification Policy

In order to encourage professional development within the Corporate Audit Department at Sam Pole Company, the Company will support employees who wish to attain a recognized professional certification. The programs currently being supported include the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), the Certified Public Accountant (CPA), the Certified Management Accountant (CMA), the Certified Fraud Examiner (CFE), and the Certified Information Systems Security Professional (CISSP). The successful completion of these written examinations will result in a demonstration of personal achievement and enhance the professional posture for the department.

In order to encourage employees to attain professional recognition by passing an exam certification, the Company will assist staff members by providing:

1. The cost of registration and fees for the initial sitting for the examination.
2. Fifty percent of the cost for recognized preparation (review) courses to a maximum of $750. To avoid misunderstanding, selected courses should be approved by the Director of Auditing prior to registration and payment of fees. Attendance at classes is to be scheduled during non-working hours (Monday through Friday) or, preferably, on weekends. Staff assignments to projects will consider review course attendance, but Sam Pole work must take precedence in cases where staff members are required to fulfill Company commitments.
3. Time for sitting for examinations will be considered authorized excused leave.

It is anticipated that the Company will benefit from the attainment of certifications through increased professional knowledge and adherence to professional standards and codes of conduct.

Endnote

1. "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," Dale L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.


Chapter 5: Personnel, Administration, and Recruiting

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.1 REV NO: DATE:

TITLE: Introduction PAGES:

5.1 Introduction

Internal audit consists of people, information systems, and procedures. Talented people following well-thought-out, tailored methodologies will produce consistent quality audit products. Organizations should not lose sight of the support role of audit. Like the accounting department and other important groups in an organization, audit does not produce the primary product or service. The audit mission (as defined in the audit department charter), however, is crucial to the organization's success, providing independent review and constructive advice.

In order to attract and maintain qualified staff, the corporate Audit Department has put in place a personnel development program (see "Personal Development" in this chapter). However, the selection of the best individuals is the first step in the process.

a. Sources of Personnel

Internal auditors are typically accountants who have an interest in auditing. In many cases, this interest is combined with a desire to gain a good understanding of many business functions. The audit function exposes auditors to a large number of areas in a company's operations. Therefore, it is considered an excellent training ground. Consequently, some entry-level auditors will consider audit a stepping-stone in their career progression. If the audit department is successful and well respected, a percentage of auditors will choose to remain and progress to audit management positions. Because most organizations, including audit departments, have pyramid structures, these career path issues must be managed effectively to promote audit staff development and progression.

Staff can be obtained from a number of sources, which include:

• Direct recruitment from colleges
• Transfers from other company functions
• Outside hires

i. Direct Recruitment from Colleges

To develop a professional-level internal audit program, most functions require a college degree for new hires. Colleges and universities develop students' basic skills and most include an auditing course in the accounting curriculum—a requirement in most degree programs. In addition, most colleges and universities try to accommodate the 150-hour rule for the Certified Public Accountant (CPA) exam by offering graduate courses in accounting. A second auditing course is normally offered for those pursuing a master's degree.


Even more importantly, many universities are forming specialty degrees in systems, public accounting, and internal auditing. The Institute of Internal Auditors (IIA) has a "Model Curricula for Classroom Use" that was carefully constructed considering the Certified Internal Auditor (CIA), CPA, management consulting, computer sciences; and considering the standards of the American Assembly of Collegiate Schools of Business (AACSB), the International Association for Management Education, and the American Accounting Association (AAA). The IIA maintains information on its "IIA Academic Program" online, including a 120-hour model curriculum, a 150-hour model curriculum, and a list of Endorsed Internal Auditing Programs, all available at their web site. [1]

The first step in recruiting from colleges and universities is to identify the schools with which you may want to work, and review their curriculum and program for compatibility. One resource might be the IIA's list of Endorsed Internal Auditing Programs, especially if one is fairly close by. Students in these programs have already expressed an interest in internal audit, and are being educated more precisely (i.e., probably better qualified than other accounting students) for internal audit jobs. Once you identify a school, it is beneficial to develop a relationship with the accounting department and its students. Recruiting activities could include:

• Campus job placement department
• On-campus interview
• Job fairs
• Partnering with accounting department and its faculty
• Speaking to a class or accounting student club

Most schools encourage on-campus recruitment activities and have structured means to accommodate them. For example, most schools have a department that specializes in job placement—typically called "Career Services" or a similar name. This group is one important contact because they can facilitate conducting interviews, screen candidates based on the audit department's criteria, and forward applicable student resumes. Most schools today are associated with some sort of job fair, either on campus or in the local area. Many professors or department chairs will also work with companies one-on-one. If, for example, the university is an endorsed IIA program and if an audit department wanted to hire regularly over time, then the department will probably be willing to partner with the audit department (company) and provide specialized services concerning recruitment. All universities encourage professionals, such as internal auditors, to visit campus to speak to either classes (e.g., auditing) or student clubs in accounting. These activities are opportunities to observe first-hand potential job candidates before getting involved with interviews, etc. Schools benefit tremendously by bringing the "real-world" professionals and their experience and views into the course. Accounting academics will appreciate any internal auditor who contacts them to schedule speaking engagements. All of these resources are valuable to recruitment because each one causes some of the work of the recruitment process to be transferred to the school, saving the audit department time and resources. And together, they can expose the audit department to the best and brightest students for entry-level jobs.

ii. Transfers from Other Company Functions

In some cases, candidates may be available within the company. Most companies have sophisticated human resource (HR) programs that can assist audit management with hiring and career progression issues. For instance, many firms are employing elaborate systems that gather individual skills, training, and abilities. These systems allow easy retrieval of people who fit a certain profile. Such a system is extremely helpful in locating people with the interest and abilities related to internal auditing, and thus if your organization is using this type of system, the corporate audit department needs to ensure coding is compatible with its needs. Audit functions should always attempt to hire the best possible candidates and never "settle" or accept an individual as an accommodation to another department.

iii. Outside Hires

An excellent source of outside candidates is from public practice. Approximately two-thirds of all entry-level auditors will leave public accounting within three years. Public accounting firms recruit primarily accounting graduates and, in most cases, provide them with formal hands-on training programs in the early years of the person's employment. Some also provide industry and computer training. Of course, large internal audit departments are capable of organizing and providing similar professional development programs. In most cases, however, they cannot provide the diversified experience available in public practice.

b. Recruitment Aids

Forethought and planning will improve recruiting results. Candidates will be favorably impressed when presented with company structure charts, organization charts, and a schematic of the personnel development program similar to the one presented in the manual. Some audit departments develop brochures describing functions, activities, and benefits (e.g., experience in many company operations, travel, and potential career progression). The development of a summary of the current staff with qualifications may also add value. Some departments that encourage career development in the audit department and within the company develop career summaries on current and preceding members of the department.

An interview questionnaire for new internal auditors should be developed and used to summarize interviews and results. Exhibit 5.1 is a sample form.

Exhibit 5.1: Interview Questionnaire for New Internal Auditors


c. Management Development Programs

People can be products too! Some audit departments develop or participate in management development programs. These programs can involve internal audit as an initial or mid-career step. For instance, new college graduates can be hired by internal audit and assigned to other company operations for portions of the year. After two or three years, they transfer to another unit on completion of a successful project. This process will add work to the audit management function, and it will also create a positive deliverable or product. Such programs would be discussed with senior management and/or the audit committee, and added to the audit department function directly in the audit charter.

In some notable examples, personnel development programs have greatly enhanced the reputation of the audit function through the addition of a tangible measurable product: former audit personnel rising to higher level positions in the organization.


d. Certifications

Certifications, including Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), and Certified Management Accountant (CMA) are significant personal achievements, and provide evidence of basic skill levels and knowledge. In today's business environment, the Certified Fraud Examiner (CFE) and Certified Information Systems Security Professional (CISSP) have become both valuable and relevant. Any of these certifications also add to internal audit's image. Policies can be developed to encourage staff members to attain certifications, which should be seriously considered in reviewing new-hire qualifications.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.2 REV NO: DATE:

TITLE: Personal Development PAGES:

[1] See www.theiia.org/ecm/iiaap.cfm?doc_id=209 or www.theiia.org and do a search.

5.2 Personal Development

Internal auditing consists of quality people employing quality procedures and quality systems in an independent and proactive manner. In order to sustain the implementation of the most appropriate procedures and to provide for the continuing improvement of the auditors, a professional development program becomes a critical component of the internal audit practice.

Consider the following quote from Future Shock, by Alvin Toffler:

If society itself were standing still, there might be little pressure on the individual to update his own supply of images, to bring them in line with the latest knowledge available in society. So long as the society in which he is embedded is stable or slowly changing, the images on which he bases his behavior can also change slowly. But to function in a fast-changing society, to cope with swift and complex change, the individual must turn over his own stock of images at a rate that, in some way, correlates with the pace of change. His model must be updated. To the degree that it lags, his responses to change become inappropriate, he becomes increasingly thwarted, ineffective. Thus, there is intense pressure on the individual to keep up with the generalized pace. Today, change is so swift and relentless in the techno-sciences that yesterday's truths suddenly become today's fictions, and the most highly skilled and intelligent members of society admit difficulty in keeping up with the deluge of new knowledge—even in extremely narrow fields. [2]

a. Introduction

In order to ensure that the Corporate Audit Department's education plan is implemented, the responsibility for coordination has been assigned to the Manager of Policies and Control. As Coordinator of Education, the Manager of Policies and Control will assist in the development of the departmental education plan and individual auditors' educational plans. He/she will work closely with the staff and managers to achieve the objectives of the Professional Development Program and report periodically to the Director of Auditing on the status of the program.


b. Objectives

The Corporate Audit Department Training Program has been designed to improve and maintain the professional competence of the corporate auditors so that they can effectively perform their function to the fullest extent. Additionally, it is intended to provide for personal professional growth and job satisfaction. The program, combined with on-the-job experience and training, and a comprehensive evaluation process, is intended to provide a basis for advancement in the Audit Department, or for potential placement in key financial or general management positions within the company.

Every professional has a responsibility to maintain and advance his or her basic skills. The program is intended to provide a vehicle for the individual to accomplish this requirement. The program will be as successful for you as you make it. Additionally, to develop strong business acumen, daily reading of the general financial press is essential. Auditors are generalists, to a large degree, and should always be cognizant of current trends in business and finance, to ascertain their importance, if any, to their audit assignment.

c. Coordinator of Education

The Coordinator of Education is responsible for overseeing the educational needs of the department, and ensuring that those needs are adequately met. The Coordinator reports to the Director of Auditing regarding plans and resources needed to obtain and maintain an adequate level of knowledge and skills individually and corporately in the department. Duties include:

• Assists the Director and audit managers in surveying staff and analyzing training needs.
• Recommends a comprehensive, systematic training program for the Corporate Audit Department.
• Coordinates the training activities for corporate auditors and makes staff aware of all training opportunities.
• Assists auditors in developing individual goals and training programs.
• Develops and implements evaluation programs for all training activities involving Internal Audit.
• Investigates specific training programs as requested by other members of the staff and authorized by the Director of Auditing.
• Assists in the evaluation of training programs and reviews regular (quarterly) training reports on staff members for the Director of Auditing.
• Develops policies and procedures for maintaining and using the staff library. Assures audit management that the library is adequately stocked and keeps staff informed of new acquisitions pertinent to their particular needs.

d. Corporate Audit Training Model

The Corporate Audit Training Model (Exhibit 5.2) includes a structured approach to core training critical for first- and second-year auditors. The model goes on to suggest a training program for auditors beyond the basic core programs. These are labeled as "advanced," for the third year and thereafter.

Exhibit 5.2: Overview of Corporate Audit Training Model


The core of the Corporate Audit Program is on-the-job training through effective supervision and constructive evaluations covering areas of need. The program is two-fold: the Core Program covering new auditors, and the Advanced, covering education for career-minded internal auditors for periods beyond two years of work experience.

On-the-job training is supplemented with the following types of formal and informal education:

• In-house seminars and self-study training through the use of audio and visual training courses, and online courses via the web.
• Teaching or speaking engagements to help broaden one's knowledge and communications skills.
• Attendance at various outside seminars, workshops, lectures, and conferences, etc.
• Availability of a library of texts and reference materials covering internal auditing, as well as specific areas of business management, taxation, finance, purchasing, construction, contracts, etc.
• Online services: Examples include Lexis/Nexis, [3] the AICPA (Auditing Standards), [4] ISACA's K-net and CobiT, [5] and other providers of reference materials. Lexis/Nexis provides authoritative legal, news, public records, and business information online. K-net is a global knowledge network for IT governance, control, and assurance. CobiT is a generally applicable and accepted standard for information technology (IT) security and control practices, providing a framework for management, users, and information systems (IS) audit, control, and security practitioners.
• Specialized courses, when available and/or practical, specially designed to meet the internal auditor's needs.
• Routing of selected educational material to the Internal Audit staff to maintain current knowledge in the field.

The Core Program requires a minimum of two weeks, or 80 hours, per year of formal education or teaching. The Advanced Program requires a minimum of one week, or 40 hours, per year. These minimum requirements do not include self-study courses, outside professional meetings, on-the-job training, research, and the use of the library.

e. Core Program

First Year:

During the first year of employment, attendance at various structured courses is required. The following schedule will be followed, interfaced with on-the-job training:


• All new hires will attend an orientation program on the company and the Corporate Audit Department.
• All entry-level auditors will attend a one- to two-week course on Introduction to Corporate Auditing Procedures. This subject could be administered in-house by experienced corporate auditors, or provided by outside trainers.
• All auditors will attend at a minimum a five-day Introduction to Computer Auditing course.
• All staff members will attend audio/visual courses on audit-related topics during the year.
• There will be mandatory attendance at all staff meetings and in-house internal audit seminars on a regional and centralized basis.

Second Year:

The training program will continue into subsequent years. By the end of the second year, the following should have been attained:

• Continuation of Corporate Auditing procedures at the Intermediate Level as well as attendance at courses relating to the evaluation of internal controls
• Attendance at an in-house or outside seminar on advanced computer audit techniques or software (i.e., Computer-Assisted Audit Tools and Techniques, or CAATTs)
• Participation in audio/visual courses on specific topics to be announced; that is, systems auditing, statistical sampling, fraud detection, Internet security, and so on
• Attendance at in-house Corporate Audit seminars (one week) and regularly scheduled staff meetings

f. Advanced Program

The Advanced Program will involve specific tailoring to meet each individual's development needs. As the internal auditor's career progresses, decisions need to be made regarding the individual's long-term objectives. If those objectives lie in the Internal Audit area, provision should be made for the attendance at Internal Audit management training and conferences. There may be a need for auditors to develop specific skills further. For instance, operational auditing or IS auditing skills may be required by the department, and/or requested by individuals in their career planning meetings. The professional development program can be tailored for each individual, to help meet departmental, as well as individual, goals.

Included in the advanced stage of the program is an anticipation that the staff member will increase his or her involvement with professional organizations such as the IIA, American Institute of Certified Public Accountants (AICPA), American Management Association (AMA), Information Systems Audit and Control Association (ISACA), and participate in their educational programs. Staff members, at this level, should be strongly encouraged to develop their own expertise in specific areas and provide training courses to these organizations. Committee assignments can, in some cases, be considered as continuing education endeavors. These decisions must be made by audit management, and documented in the individual's professional development plan.

g. Record-Keeping

Each auditor is responsible for maintaining a chronological record of his/her training or educational accomplishments while on the Corporate Audit staff. This record will be forwarded quarterly to the Coordinator of Education. (See Exhibit 5.3, "Continuing Professional Education (CPE) Record.")

Exhibit 5.3: Continuing Professional Education (CPE) Record

NAME_________________________ PERIOD________________

DATE | ORGANIZATION | COURSE | INSTRUCTOR | CPE HOURS (PREPARATION / TEACHING / ATTENDED) | CPE Provider # | TOTAL

The coordinator will review the forms quarterly and submit them to the Director of Auditing for inclusion in each Auditor's personnel file. Certain continuing education credits needed to maintain various professional certifications should be pursued by each individual auditor and will be retained in his or her personnel file. Individuals should keep copies of course outlines as required by various certifications for CPE requirements.

Performance evaluations will be conducted after each assignment or periodically by each level of supervision, and also placed in the file, so that a needs analysis can be made to determine what additional education is required to maintain each staff member's proficiency.

Training records will be used as a reference in scheduling staff members to various assignments. These assignments will help reinforce the retention of course curriculum obtained from the training programs. The Director and Audit Managers will periodically assess the auditor's training needs, using the CPE record and/or the section on development needs as shown on the performance evaluations. After training assessments are made, both individual and staff training goals and programs will be further developed as required.

The results of this training program should improve the professional competence of all staff members, thus providing the knowledge to function and cope with our fast-changing, complex environment.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.3 REV NO: DATE:

TITLE: Personnel Files PAGES:

5.3 Personnel Files

In order to properly manage the audit department, personnel files will be maintained. Audit Department personnel files should be multi-partition files and include, but not be limited to:

1. Employee resume and a copy of the original Company application (if appropriate)
2. Periodic performance appraisals
3. Summary of salary history and promotions
4. Corporate Audit Department Background Information Form (Exhibit 5.4)
5. Corporate Audit Department Interest Questionnaire (Exhibit 5.5)

Exhibit 5.4: Corporate Audit Department Background Information Form

Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form

These files should be maintained by the Audit Department in addition to files maintained by the Human Resources (HR) function. To facilitate the development and maintenance of these audit departmental files and facilitate the gathering of specific information necessary to proactively manage the corporate audit function, two departmental forms should be completed by all employees and updated annually. These forms are:

• Corporate Audit Department Background Information Form
• Corporate Audit Department Interest Questionnaire

a. Corporate Audit Department Background Information Form

This form (Exhibit 5.4) facilitates two-way communications and helps standardize the basic information required for each employee. The form should be kept in the inside cover of each personnel file. The form also serves to reinforce interest in certifications and professional activities and provides a feedback mechanism for information related to these activities.

b. Corporate Audit Department Interest Questionnaire

The Corporate Audit Department Interest Questionnaire (Exhibit 5.5) expands on the Corporate Audit Department Background Information Form by requesting additional information related to the audit professional's preferences. Not all preferences can be granted, but in some cases preferences can be considered in planning.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.4 REV NO: DATE:

TITLE: Periodic Performance Evaluation Review PAGES:

5.4 Periodic Performance Evaluation Review

Periodic performance evaluation is an essential part of our personnel development program. It is expected that all staff members will become familiar with and understand the reporting requirements and instructive guidelines. Staff evaluations, prepared accordingly, can then be expected to be fair and objective appraisals of the person's performance. The importance of timely, constructive interim feedback by the supervisor cannot be emphasized too strongly. Such feedback will help to shape the end-of-assignment evaluation and will expedite its completion and review. The Performance Evaluation Review Form is included as Exhibit 5.6. The report is to be prepared for staff personnel by the in-charge senior or manager promptly at the end of the assignment.

Exhibit 5.6: Performance Evaluation Review Form

a. Performance Evaluation Review Guidelines for Preparation of Report

Continuous and timely review and evaluation of performance is essential to effective personnel development. To provide for that continuity, the Performance Review report should be prepared promptly by the Auditor's supervisor at the end of each assignment. The evaluation should be discussed with the Auditor in a constructive manner to encourage continuing efforts toward improvement in performance and the elimination of shortcomings.

The completed report, signed both by the preparer and the person evaluated, will document the following:

• Accurate, complete record of the auditor's performance
• Notification of observed strengths and weaknesses
• Basis for assessing training and development needs (correlated with the auditor's departmental training record)
• Basis for appraisal toward promotion or for transfer, salary review and warning or other administrative action

The periodic, end-of-assignment review should be reinforced through effective interim oral or written feedback by the supervisor during the assignment. Interim feedback is a continual process, an integral part of the supervisor's functions. Failure to provide timely feedback is a weakness in the supervisor's performance. The interim performance discussion should provide analysis of both strengths and areas for improvement, emphasizing constructive actions for improving performance. Although interim evaluations need not be in writing, the evaluation form can serve as a checklist for areas to be considered and for notes, as both a basis for that evaluation and a reference point for the end-of-assignment evaluation.

i. Preparation

Report preparation is important, and ample time should be allotted to prepare the report.

(A) Assignment Responsibilities and Circumstances. The form is designed to obtain specific answers to questions, amplified as appropriate by description, comment, or discussion.

Regarding the level at which the person was used on the assignment, indicate the level at which he or she functioned rather than the actual level. Criteria should include the nature of the work, degree of supervision, and prior staffing of the assignments.

The nature of the work, for the auditor's major responsibilities, should be described in sufficient detail. For example: internal control (sales, cash receipts, payroll): documentation, audit program, walk-through; inventory: observation, pricing finished stock; accrued liabilities: test for unrecorded liabilities. Unusually difficult or simple situations should be identified.

(B) Manager/Director Approval. This approval is required on all evaluations prepared by staff-level personnel, namely supervising senior, senior, and so forth. Approval should be indicative of Manager/Director concurrence with the evaluation (see Manager/Director Comments section) and that it contains the appropriate information. When prepared by staff-level personnel, it is recommended that the report be read by the Manager prior to review with the individual. Manager/Director approval should occur after the report has been discussed with the individual and finalized. Any Manager/Director comments should be included in the evaluation at the time the individual signs off on the report.

(C) Comments Section. When completing this section, the auditor's experience level should be considered in evaluating his or her performance. For example, the criteria for measuring a staff auditor's technical skills would differ significantly from those used in evaluating a senior. It is expected that completion of all categories will generally be appropriate except for the Development of Assistants category for evaluations of staff auditors.

The boxes at the right margin are to be used to insert the abbreviation for the effectiveness level of each listed qualification. Effectiveness levels are defined on the last page. It is expected that everyone will become familiar with the definitions and use them as explained. Although the ratings "OUTSTANDING" and "UNSATISFACTORY" should be clearly explained, specific comments should also be given for other effectiveness levels for informative reporting to the auditor and the reader.

Areas noted for improvement should include any recommendations for the individual's development. In discussing weaknesses, the evaluation should assess the progress made in correcting those weaknesses during the course of the engagement. In situations when mitigating circumstances may have contributed to a weakness, appropriate details should be provided. However, it is not appropriate, for example, to discuss budget overruns when it clearly was not within the control of the individual. When one weakness impacts several qualification categories, the evaluation should clarify this fact so as not to mislead the reader into concluding that several weaknesses exist.

(D) Appraisal Section. The last page of the report summarizes the results of the performance evaluations, both interim and end-of-assignment.

When completing the sections dealing with Developmental Needs and Promotability, comments, reasons, and recommendations should be expressed clearly and constructively to provide reliable source information to audit management for future assignments and indicated training and development needs.

The Manager/Director Comments section is required for all evaluations where that level of approval is necessary. The basis for approval may be discussions with the in-charge senior, review of work papers, or personal contact. The Manager or Director may also include other significant comments.

The Summary Evaluation section should be completed subsequent to the Comments section and should be supported by the written comments. Because it represents a summary of the written comments, emphasis is again placed on the need to rate individuals on the basis of their experience level and standards normally expected at that level. In rating an individual's effectiveness level, supervisors should refer to the definitions provided on the form. Ratings other than these should not be used. The most appropriate rating must be chosen. Written comments should explain borderline decisions.

ii. Performance Appraisal Meeting

Performance appraisal meetings provide a very important opportunity to discuss and improve employee performance. Such meetings are a major element in a personnel development program. At every opportunity, the Audit Department culture should emphasize the importance placed on continuing personnel improvement and development. The Audit Department is only as good as the personnel performing the work. To the extent that employees' performance can be improved, the overall quality of the audit products will be improved.

It is important that adequate time be allowed to plan for and conduct a performance appraisal meeting. The meeting should be scheduled with the employee to reduce the anxiety usually associated with performance appraisal meetings. All attempts should be made to create a comfortable atmosphere and reduce or eliminate interruptions. The performance meeting presents an opportunity to review progress and priorities, resolve any problems with performance, discuss future potential development needs, and the needs to meet them.

Conducting the performance review can be a challenging endeavor, and efforts should be made to train supervisory staff to better conduct performance review meetings. During the meetings, it is important to create two-way communications. One objective of the meeting is to get the employee to open up. The evaluator will be prepared with his or her comments. The meeting atmosphere should be informal and unhurried. This objective can be accomplished by meeting in a conference room or away from a manager's or supervisor's desk, if possible. It is also important to emphasize the good work that the employee has accomplished. There should be an emphasis on "praise" in the appraisal. It is important that the reviewer probe and ask questions, and most importantly, listen to the answers. This approach will provide ample time for the employee to discuss thoughts on his or her mind.

One of the objectives of the review process is to allow the employee to face up to any problems that might exist. In some cases, the best approach to mentioning a problem is to use the self-appraisal approach. Under the self-appraisal approach, the supervisor or manager will ask the employee to discuss his or her performance from their perspective. It is very important to always discuss the performance—and not the individual's personality. Any criticism should be made in a positive manner. For instance, talk about how the person can make needed improvements.

There should be few surprises in the appraisal meeting. Problems should be discussed with the staff when they are recognized. This method will allow the supervisor to correct the problem earlier and also demonstrate by example the existence of the problem. When this method is not used, specific examples should be raised during the appraisal review meeting. However, this method is not as good an alternative as actually having mentioned the problems as they occurred.

Before the meeting is concluded, you should agree on a plan of action. Outline your thoughts on action points prior to the performance meeting. Focus on facts and avoid general judgments. Set objectives and goals, and agree upon completion dates.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.5 REV NO: DATE:

TITLE: Annual Staff Meeting/Conference PAGES:

5.5 Annual Staff Meeting/Conference

As pointed out in this manual, personnel development is critical to the development and maintenance of a quality audit program. The Core and Advanced Personnel Development Programs are set out in Personnel Development in this chapter. One of the key programs in any audit department is the Annual Staff Meeting/Conference. The meeting has many objectives, including:

• Setting aside some time for department-wide administrative updates
• Discussions of company developments
• Audit training
• Reports on results of quality assurance reviews and related changes
• Opportunity for feedback from the staff and for suggestions for improvement of department operations

The location of the meeting is very important to the overall success of the meeting. Meetings should be planned outside the office for a maximum impact. In addition, it may be combined with a social or sports activity to help build morale and camaraderie among the staff.

The program can include a State of the Department Address by the Chief Auditor. Presentations by department managers are also very important. Each functional leader should also provide an update on their administrative activities, including the quality assurance program and the personnel development program.

a. Group Discussions

In order to provide a forum for feedback from the staff, consideration should be given to holding group discussions. These sessions would allow staff members to discuss any topic related to their department. Plan for a sufficient amount of time—a minimum of two hours—for group discussions. The staff should be broken down by groups, and these sub-groups should be provided with private meeting space to hold these discussions. In order to organize the group discussion, prepare a Group Discussions Instruction Sheet. Exhibit 5.7 illustrates this document for a fictional meeting. The groups should have a Group Leader and a Scribe. The roles of the Group Leader and the Scribe should be set out in the Group Discussion Instruction Sheet.

Exhibit 5.7: Group Discussions Instruction Sheet

Objective

• To provide a forum for the staff to discuss their concerns and hear other members' concerns
• To provide feedback to Audit Management as to what the main concerns of the staff are and what possible solutions they propose

Group Leader's Role

• Set the stage by informing the staff that this is their time to talk about anything related to the Corporate Internal Audit Department's organization or activities. Tell them you have a list of some items of potential interest you will use to generate conversation when there is none or to improve the productivity of the conversation if it gets way off course.

• Explain that there is a scribe to take notes on what is said, not who said it, and that we will provide feedback later in the day.

• Ask the group to begin and wait a few minutes. Give the group a good chance to start on their own.

• Keep the meeting moving. If too much time is spent on a topic, ask to move on to another topic.

Scribe's Role

• Listen carefully and make notes of key concerns, suggestions, items of interest, etc. If you don't understand what someone is trying to say, ask questions to clarify the issue.

Observer's Role

• Listen in on a portion of each meeting

Potential Topics

1. How important is audit planning? Is our approach adequate? How should we approach it?
2. Should we employ management by objectives and goal setting?
3. Should we require certification of some kind (CPA, CIA, CISA, CDP) within a given time frame?
4. How much of a factor should evaluations of performance be in determining raises and promotions?
5. Other:
   ♦ Annual Staff Meetings
   ♦ IS Audits/Training Participation in Audits
   ♦ Job/Career Future
   ♦ Audit Staff; Administrative Matters; Travel, Advances, Accommodations, etc.

The Leader's role is to set the stage by informing the staff that this meeting is their time and that they could talk about anything related to the department's organization or activities. The Leader should be provided with a list of some potential items of interest to generate conversation if necessary. However, there should be sufficient time allotted before this list is introduced to ensure that the staff has an opportunity to bring their own thoughts and ideas. The role of the Scribe is to listen carefully and make notes of key concerns, suggestions, and items of interest. Having someone perform this role frees the Group Leader to concentrate on the Leader's role—keeping the meeting moving. The Scribe will produce a list that should be provided to audit management. The list should not indicate who made what recommendation—anonymity adds credibility to comments by mitigating "groupthink" problems.

In many group discussion meetings, an Observer is also involved. The Observer could be the Chief Auditor or Audit Management. The role is to listen in on a portion of each meeting to gain an understanding of the temperament and direction of each meeting. The Observer should not speak at any meeting. The purpose of the meeting is not to provide answers but to develop questions of interest and proposed solutions.

Group discussions require feedback from Audit Management. The Scribe's individual meeting summaries should be combined for review by Audit Management at a subsequent meeting or responded to at the conclusion of the Annual Staff Meeting/Conference. The sooner the feedback is reviewed, the better. For instance, if simple issues or ideas are brought up that could be acted upon immediately, these responses should be included in the closing remarks of the Chief Auditor. Those issues and suggestions that require more careful attention should be thought through and summarized in a memorandum to all participants in the Annual Meeting.

Annual Meetings usually prove to be very productive, if proper attention is paid to planning and arrangements.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.6 REV NO: DATE:

TITLE: New Staff Orientation PAGES:

5.6 New Staff Orientation

Welcome to Sam Pole Audit. We hope you find your position with us beneficial and rewarding. One of the first projects necessary to acquaint you with Sam Pole and Corporate Audit is orientation. Orientation is designed to formally introduce you to our company and significant department policies and procedures. A checklist has been provided to ensure your orientation is thorough and that you receive all materials. The checklist is to be signed off by you and the person making the orientation presentation. This form will be retained in your personnel file.

Many of these items may already have been discussed during your interview with Sam Pole. However, orientation will give you a more detailed explanation. We encourage you to ask questions; people on the staff will be happy to help you, or many questions can be answered by reading the procedures manual. Please ask any questions you may have.

These welcoming remarks are often used when new personnel join the department. A sample orientation checklist can be found in Exhibit 5.8. A general description is provided here for each item on the orientation checklist.

Exhibit 5.8: Orientation Checklist

                                        DATE              INITIALS
Introduction to Staff                   _______________   _______________
Facility                                _______________   _______________
Parking                                 _______________   _______________
Key Personnel/Organization Review       _______________   _______________
Annual Report Issued                    _______________   _______________
Employee Benefits                       _______________   _______________
Job Description                         _______________   _______________
Performance Evaluation Review           _______________   _______________
Three-Month Probation                   _______________   _______________
Working Hours/Salary/Overtime           _______________   _______________
Vacations                               _______________   _______________
Sick Leave                              _______________   _______________
Personal Leave                          _______________   _______________
Time Reports                            _______________   _______________
Travel                                  _______________   _______________
Cash Advances                           _______________   _______________
Air/Rail Travel                         _______________   _______________
Expenses                                _______________   _______________
Keys (Sign Out)                         _______________   _______________
Library                                 _______________   _______________
Data Processing Security/Badges         _______________   _______________
Professionalism                         _______________   _______________
Procedures Manual                       _______________   _______________
Safety Equipment Issues                 _______________   _______________
  • Hard Hat                            _______________   _______________
  • Glasses                             _______________   _______________

All items listed above have been explained to me, and I have no further questions at this time.

_________________________ __________   _________________________ __________
Orientation Supervisor    Date         Employee Signature        Date

Introduction to Staff. The person presenting the orientation will introduce you to members of the staff in the office. That person will also identify those staff members who are not present and provide you with a list of the staff in the Audit Department.

Facility. You will be given a guided tour of the Corporate Audit Department and other nearby facilities.

Parking. Parking will depend on the division where you work. Additional parking facilities are available at a cost to you.

When you are in the field, during your initial visit to the auditee's office, identify where you have parked and ask about their parking requirements.

Organization. Organization charts of the Corporate Audit Department and the Corporation are in Chapter 4 of this manual.

Annual Report. You will receive the current annual report of Sam Pole Corporation. Key officials are identified in the annual report, along with major components of the Sam Pole organization. You should study this report thoroughly.

Employee Benefits. You will be issued employee benefit authorization cards that must be filled out and signed. You will be issued an employee benefits manual. Read it carefully, and if you have any questions, discuss them with Audit Department management. If we do not know the answers, we will obtain them from the Employee Benefits office or refer you to the Human Resources Department.

Job Descriptions. Job descriptions are available in the Procedures Manual. Your job description will be carefully discussed with you during orientation. If you have any questions, please see the Manager.

Performance Evaluation Reviews. The form that is used for performance evaluations will be discussed with you. It is contained in Chapter 5 of the procedures manual. Study the form; if you have any questions, please ask them.

Three-Month Probation. All employees hired by the Corporate Audit Department are subject to a three-month probationary period. This procedure is for the evaluation of initial performance.

Working Hours. Normally, the office hours are from 8:00 A.M. to 5:00 P.M. Monday through Friday. The exception to this standard is when auditing outside of your home location. If 40 hours can be accomplished Monday through Thursday by working 10-hour days, then at the discretion of audit management, you may return home Thursday night.

Auditing, however, is a concerted task-oriented profession. As professionals, when circumstances warrant, expect to spend the necessary additional hours to accomplish our objectives in a timely manner.

Salaries. Professionals employed by the Corporate Audit Department are salaried personnel. Overtime is not paid.

Vacations. The Corporate Audit Department follows vacation schedules as set forth in the Sam Pole personnel policy manual.

Sick Leave. The Corporate Audit Department will follow Corporate sick pay policy. If you are sick, you are to notify the office and the in-charge auditor as early as possible in the morning.

Personal Leave. Personal time is provided by the Corporate Policy providing three personal days per year. There are times when personal business, such as studying for certification exams, may be conducted during working hours—if prior permission is obtained from the Manager of Corporate Audit.

Time Reports. Time reports are required on a semi-monthly basis. A form will be shown to you, and you will be instructed on how to complete it correctly.

Travel. With audit functions situated away from home offices, there is a need for travel to these locations. For travel information, refer to the Corporate Audit Department procedures manual—travel policies.

Advances. Each division may make temporary cash advances for expenses. Advances must be shown on expense reports and accounted for monthly. Unused advances must be remitted to the company monthly.

Air/Rail Travel. Tickets for air/rail travel can be obtained from the travel department (and accounted for in the same manner as cash advances) or purchased directly by the auditor and reported on the expense report.

Expenses. Sam Pole has issued a pamphlet, "Reporting of Travel and Business Expenses," to be used with the exception of those items that are specifically provided for by the Corporate Audit Department.

Keys. The new employee will be given certain keys where appropriate. These must be signed out on the log maintained by the secretary at your location.

Library. The department office library contains various Sam Pole manuals. You should become acquainted with these manuals. Other publications available for education or research are also in the office library. You will see these, as well as the checkout procedure applicable to the local offices (see Recommended Reading List).

Security Badges. Where badges are required, you will be evaluated on an as-needed basis before badges will be issued to you. Necessary security codes, computer/network passwords and log-in access, and/or badges will be arranged through the Manager of Corporate Audit.

Professionalism. Corporate Audit is striving to make our department a world-class department. A friendly, courteous relationship with auditees, outside auditors, and other Sam Pole employees is paramount in establishing and maintaining good public relations. We consider ourselves professionals and should act and dress accordingly. Dress should be in good taste. Try not to have extremes in either direction.

Procedures Manual. The master manual is retained in the office; in-charge auditors have a copy to be used at the work sites. A better option would be to keep an electronic copy of the manual on the Audit Department Intranet site for easier access (e.g., 24/7 availability to anyone). This manual was developed for the benefit of new employees and to document procedures to be followed. It is important to become familiar with the manual because we follow these procedures and are evaluated accordingly.

Safety Requirements. There are occasions when we must work in areas that require safety equipment. Typically, the location will provide the equipment. In the division where visits to the factories are customary, the department issues a hard hat and safety glasses.

Part III: Technical Procedures

Chapter List

Chapter 6: Audit Planning
Chapter 7: Audit Performance
Chapter 8: Audit Reporting

Chapter 6: Audit Planning

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.1 REV NO: DATE:

TITLE: Corporate Audit Planning, Scheduling, and Staffing PAGES:

6.1 Corporate Audit Planning, Scheduling, and Staffing

In January 2002, the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal Auditing (SPPIA) became effective. These standards emphasize the need for planning (see section 2010 in particular). One Guideline states, "The chief audit executive should establish policies and procedures to guide the internal audit activity" (IIA — SPPIA, 2040). Under the Performance Standards of the SPPIA, the first topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."

The Information Systems Audit and Control Association (ISACA) also has established a similar emphasis on planning. One guideline states, "The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards" (ISACA—IS Audit Guideline 050.010 [Audit Planning]). Additionally, another ISACA guideline addresses planning related to day-to-day activities: "Before beginning an audit, the IS auditor's work should be planned in a manner appropriate for meeting the audit objectives" (ISACA—IS Audit Guideline 050.010.2.1.1).

Planning is a very basic element of all business activities. The Audit Department is no exception. The long-term departmental operating plan will demonstrate an organized approach to systematically auditing all company operations. In this book, a three-year operating plan has been developed. The extended cycle of audit coverage should be discussed with management and, if appropriate, with the Audit Committee. This process would establish the overall strategy for auditing company locations. In many companies, every aspect of the company's operations should be audited, to some extent, on a formal rotation basis (see Section 6.3). Even small operations should be considered for audit visits. The audit "deterrent factor" should not be underestimated.

To accomplish the responsibility for planning for internal audit activities, a planning matrix (Exhibit 6.1) has been developed as a tool. It illustrates the flow and relationship of the three-year plan to the annual operating budget, six-month audit plan, three-month audit schedule, and two-month staff schedule. By beginning with the long-term planning exercise, the work investment naturally flows down to the planning for the shorter periods. Here is where the chief internal audit executive looks for integration of activities to save work later on. In formulating the three-year plan, one should consider the subsequent shorter-term plans by developing the long-term plan in six-month or other appropriate sub-periods that feed into the shorter-term planning process.

Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing

Three-Year Operating Plan
  Purpose: Document department operating plan for Audit Committee and Management. Coordinate audit coverage with public accountants.
  Basis: Owner's request to provide total coverage of principal audit areas over a three-year cycle. Audit management decision regarding rotation.
  Timing: Annually in August.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Annual Budget and Plan
  Purpose: Forecast calendar-year audit plan as basis for financial budget.
  Basis: Audit plans: second half current year; first half next year. Manpower, traveling, professional development and administration costs. Audit management discretion.
  Timing: Annually in August.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Six-Month Audit Plan
  Purpose: Plan detail of audit assignments: nature of audit; scope; timing; manpower.
  Basis: Specific implementation of each six-month period of the three-year plan. Budget constraints. Audit management discretion.
  Timing: Semiannually: 60 days prior to six-month period.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Three-Month Audit Schedule
  Purpose: Schedule three-month segment of six-month plan.
  Basis: Attainable audit objectives for three months based upon six-month plan. Management discretion.
  Timing: Beginning of first month for each three-month period. Revision: As required.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Two-Month Staff Schedule
  Purpose: Notify supervision and staff of assignment schedules.
  Basis: Three-month audit schedule. Manager discretion.
  Timing: Beginning of first month of each two-month period; administrative assistant to staff. Revision: As required.
  Responsibility: Primary - Manager; Secondary - Sr.

a. Three-Year Operating Plan

One of the responsibilities designated by the Corporate Audit Charter is for the Director of Auditing of the corporation to establish a plan of audit. The three-year audit plan (Exhibit 6.2) provides long-term forecasting. It also establishes the coverage of audits for a three-year cycle approach to total coverage of locations, branches, or companies within the organization. The objective to audit all company operations over a period or cycle can be difficult to achieve. Of course, the number of personnel required on the staff to achieve this objective will need to be calculated.

Exhibit 6.2: Sample Three-Year Audit Plan

Sam Pole Company Corporate Audit Department Three-Year Audit Plan

Audit Unit Number | Audit Unit | Risk Factor × wt. 1 | Risk Factor × wt. 2 | Risk Factor × wt. 3 | Risk Profile | Estimated Audit Hours: Jan.–June 20xx | July–Dec. 20xx | Jan.–June 20xx+1 | July–Dec. 20xx+1 | Jan.–June 20xx+2 | July–Dec. 20xx+2

The three-year plan optimizes staffing requirements and the cost effectiveness of the Audit Department. The plan is based on materiality and exposure to risk for establishing priorities of the audit entities and number of hours for the audits. The three-year plan may be developed in detailed increments of six-month time periods. Circumstances that affect change to the plan are management requests and detailed monthly planning.

i. Auditable Units

In order to develop an audit plan, a company's auditable units must be selected. An audit unit can be a subsidiary operation, a department, a division, a system, or even an account. For instance, the XYZ Company may be audited. Alternatively, the XYZ Company's sales cycle (sales, accounts receivable, and cash receipts systems) can be audited, or its accounts receivable balance can be subject to audit verification. A logical approach for each company must be developed based on infrastructure, resources, system specifics, and corporate strategies. In many cases, combinations of audit types will result. Often, various audit units at a specific location will be combined to create a logical audit unit.

b. Risk Analysis

Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have long begun their process of financial audits with the audit formula—assessing inherent risk, control risk, detection risk, and audit risk. In Statement on Auditing Standards No. 78, Consideration of Internal Control in a Financial Statement Audit, the American Institute of Certified Public Accountants (AICPA) institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control. The five major areas of internal control include (1) control environment, (2) risk assessment, (3) information and communication, (4) monitoring, and (5) control activities. The COSO model has also become a common methodology used to design the internal control environment (see Chapter 3). Lately, internal auditing has also put more focus on risk assessment. The current definition of internal auditing by the IIA states:

Internal auditing is an independent, objective assurance and consulting activity to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

In 2000, the IIA basically adopted risk assessment as the cornerstone of audits in its Standards. In the Nature of Work section (Standard 2100), the first standard relates to risk management (Standard 2110). It states: "The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems." In order to develop effective audit planning, some type of risk analysis is necessary because it provides strategic direction for limited resources.

For example, one published survey on best practices for audit efficiency concluded that correlating audit efforts to the levels of risk and materiality helped increase audit efficiency. Thus auditors should try to limit procedures in low-risk areas and focus their attention on trouble spots. [1]


Depending on your company's specific operations and management concerns, the various risk factors are identified in the plan. Care must be taken to analyze the cost versus benefit of a complex risk-based audit plan. Many risk analyses result in a potentially complex summary of mostly subjective criteria, such as results of previous audits or the control concern level of management, and a restatement of obvious objective criteria, such as materiality. However, a basic summary of risk analysis should be performed. Since all risks are not equal, each risk factor is assigned a weighting factor. The following is an example:

Risk Factor | Weight Factor (1 = lowest, 5 = highest)
Materiality | 5
Results of Prior Audits | 3

For each audit, a score for each risk factor should be developed and multiplied by the risk factor weighting. For instance, a scale of 1 to 5 can be used, with 5 representing high risk and 1 representing low risk or a good control environment. The following is an example:

Risk Factor | Weight Factor (1 = lowest, 5 = highest) | Risk Score
Materiality | 5 | 5
Results of Previous Audits | 3 | 1

From this type of analysis, a risk profile can be developed to support decisions of audit frequency or scope. Finally, audit review and management judgment should be applied to the plan and risk assessment. All audit managers should be encouraged to provide input and review.
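The weighted scoring just described, carried through to a risk profile, a ranking of auditable units, and a rotation over the six half-year periods of the three-year plan, as an added example in Python (not from the book): the weights of 5 and 3 and the 1-to-5 scale are the manual's; the two extra factors, the frequency thresholds, and the sample audit units are assumptions constructed for illustration.

```python
"""Weighted risk profile and three-year rotation for auditable units."""
from dataclasses import dataclass

# Weights from the manual's example (materiality 5, prior audit results 3);
# the other two factors and their weights are assumed for this example.
WEIGHTS = {
    "materiality": 5,
    "prior_audit_results": 3,
    "management_concern": 2,
    "time_since_last_audit": 2,
}

# Six half-year periods of the three-year plan (column heads of Exhibit 6.2).
PERIODS = [
    "Jan.-June 20xx", "July-Dec. 20xx",
    "Jan.-June 20xx+1", "July-Dec. 20xx+1",
    "Jan.-June 20xx+2", "July-Dec. 20xx+2",
]


@dataclass(frozen=True)
class AuditUnit:
    number: str
    name: str
    scores: dict  # risk factor -> score, 1 (low risk) .. 5 (high risk)


def risk_profile(unit: AuditUnit, weights: dict = WEIGHTS) -> int:
    """Sum of score x weight over every factor; a missing or out-of-range
    score is an error rather than a silent zero."""
    total = 0
    for factor, weight in weights.items():
        score = unit.scores.get(factor)
        if score is None or not 1 <= score <= 5:
            raise ValueError(f"{unit.number}: factor {factor!r} needs a score from 1 to 5")
        total += weight * score
    return total


def audit_frequency(profile: int, weights: dict = WEIGHTS) -> int:
    """Audits per three-year cycle. Thresholds are assumed: top quarter of
    the attainable range yearly (3), upper half every 18 months (2), the rest
    once (1), so even low-risk units stay in the rotation."""
    ratio = profile / (5 * sum(weights.values()))
    if ratio >= 0.75:
        return 3
    if ratio >= 0.5:
        return 2
    return 1


def rank_units(units, weights=WEIGHTS):
    """(unit, profile) pairs ordered by descending profile, then unit number."""
    scored = [(u, risk_profile(u, weights)) for u in units]
    return sorted(scored, key=lambda item: (-item[1], item[0].number))


def three_year_plan(units, weights=WEIGHTS):
    """Map each period label to the unit numbers scheduled in it. A unit with
    frequency f lands in every (6 // f)-th period; the starting offset rotates
    with the unit's rank so consecutive units do not pile into one period."""
    plan = {label: [] for label in PERIODS}
    for rank, (unit, profile) in enumerate(rank_units(units, weights)):
        stride = len(PERIODS) // audit_frequency(profile, weights)
        for idx in range(rank % stride, len(PERIODS), stride):
            plan[PERIODS[idx]].append(unit.number)
    return plan


# Constructed sample audit units (not from the book).
SAMPLE_UNITS = [
    AuditUnit("101", "Treasury",
              {"materiality": 5, "prior_audit_results": 1,
               "management_concern": 4, "time_since_last_audit": 2}),
    AuditUnit("102", "XYZ Company sales cycle",
              {"materiality": 4, "prior_audit_results": 4,
               "management_concern": 3, "time_since_last_audit": 5}),
    AuditUnit("103", "Cafeteria",
              {"materiality": 1, "prior_audit_results": 2,
               "management_concern": 1, "time_since_last_audit": 3}),
    AuditUnit("104", "Fixed assets",
              {"materiality": 3, "prior_audit_results": 3,
               "management_concern": 2, "time_since_last_audit": 4}),
]

if __name__ == "__main__":
    for unit, profile in rank_units(SAMPLE_UNITS):
        print(f"{unit.number} {unit.name:<25} profile {profile:>3} "
              f"audits/cycle {audit_frequency(profile)}")
    for label, numbers in three_year_plan(SAMPLE_UNITS).items():
        print(f"{label:<18} {', '.join(numbers) or '-'}")
```

The printed plan is the skeleton of Exhibit 6.2; the estimated hours per period still come from audit management's judgment for each unit.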

c. Annual Budget and Plan

The company utilizes many budgets to operate its various companies, divisions, and so on. Local budgets consolidate into corporate budgets, production forecasts, capital appropriations budgets, and many other budgets. Auditing, along with all other departments within the company, must comply with these accounting practices.

Departmental budgets and plans are the direct responsibility of the Director of Auditing. Departmental budgets and plans include the annual departmental budget, the three-year audit plan, annual audit plan, and monthly staff assignments. Each kind of plan is discussed in more detail in subsequent sections.

i. Annual Department Budget

The Audit Committee requests the annual departmental budget each fiscal year. The Director of Auditing must present the departmental budget as a corporate cost center to the Chief Financial Officer (CFO) and the corporate budget department after the Audit Committee has approved it.

The annual departmental budget covers all facets of the department's expenditures for the following calendar year. This budget includes the number of personnel, salaries, salary raises, supplies, conferences, travel, employment fees, benefits, and several other expenses. Once the budget is developed and approved, it becomes difficult to substantially change the direction of the department when additional costs will be incurred. However, if circumstances warrant a scope change, discussions with the Audit Committee should be scheduled.

ii. Annual Audit Plan

An annual audit plan is primarily developed from the three-year plan and becomes a determinant in preparing the department budget. The annual audit plan is principally a summary of the next two applicable six-month periods of the three-year plan. The annual plan is used to support the manpower and travel expense estimates used in the annual budget.

d. Six-Month Audit Plan

Most audit departments prepare an annual audit plan. Our example is broken down into six-month modules to provide for synchronization with external auditors (if applicable). Most external auditors plan for the next annual audit in the spring (assuming a calendar year end). This plan may inhibit coordination if the internal audit plan is fixed for the calendar year. Therefore, the internal audit plan is projected for the year, but fixed in six-month modules to provide for some flexibility in the second half of the year. This flexibility is also desirable in order to be able to plan audits consistent with changes in the company's direction.

e. Three-Month Audit Schedule

The six-month plan is used to develop the department schedule for the next three months. The schedules are required to be in place at the beginning of each three-month period. Nevertheless, it is desirable that they be prepared at least 15 days before the beginning of the period.

f. Two-Month Staff Schedule

For the purpose of providing as much advance notice of pending audits as possible, a Corporate Audit Staff Schedule form is completed two months in advance for distribution. The form is designed by listing staff along the left side of the form and days of the month across the top. Assignments are written for each staff member across this matrix. The schedule allows the staff to plan the beginning of audits and project travel assignments for personnel purposes.

Although the best intentions and forethought go into developing the Corporate Audit staff schedule, not all circumstances can be anticipated. Auditees may require or request different time periods for their audit than those scheduled. Management may request an audit not previously scheduled or change the timing of others. This means that auditors must remain flexible.

When scheduling changes affect your plans, it may be possible to make other arrangements. Contact the Internal Audit Manager to see what can be worked out.

[1] September 2000 issue, "Best Practices for Audit Efficiency." Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.2  REV NO:  DATE:
TITLE: Internal Controls  PAGES:

6.2 Internal Controls

Evaluating internal controls is such a significant part of Audit Planning that a separate chapter has been devoted to the subject. Chapter 3 provides more information that is relevant to audit planning.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.3  REV NO:  DATE:
TITLE: Materiality  PAGES:

6.3 Materiality

A significant function of auditing is to express an opinion regarding the fair representation of financial statements and the adequacy of the system of internal controls or other audited areas. In forming this opinion, judgment must be exercised involving the materiality of exceptions to mathematical accuracy, auditing procedures, compliance with Generally Accepted Accounting Principles (GAAP), and consistency in the application of those principles.

In their pronouncements, the American Institute of Certified Public Accountants (AICPA), the Securities and Exchange Commission (SEC), and the Financial Accounting Standards Board (FASB) stress materiality. Bulletins of committees of the AICPA relating to accounting and auditing procedure remind readers that they apply only to "items material and significant in the relative circumstances" and that "items of little or no consequence may be dealt with as expediency may suggest." Regulations of the SEC require that the accountant express an opinion as to "any material differences between the accounting principles and practices reflected in the financial statements and those reflected in the accounts."

How is the auditor to determine what is material, significant, or of consequence? The courts and the SEC have furnished a few guidelines, including:

A. Where a misrepresentation would be likely to affect the conduct of a reasonable man with reference to a transaction with another person, the misrepresentation is material (Restatement of the Law of Contracts).

B. A material fact . . . (is) a fact which if it had been correctly stated or disclosed would have deterred or tended to deter the average prudent investor from purchasing the securities in question (Securities and Exchange Commission. In Matter of Howard et al., 1 SEC 6).

C. The term "material," when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters as to which an average prudent investor ought reasonably to be informed before purchasing the security registered (Securities and Exchange Commission. Regulation C, Rule 405, of Securities Act Regulations).

D. The U.S. Supreme Court held that a fact is material if there is "a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available" (Basic, Inc. v. Levinson, 485 U.S. 224, 1988).

The FASB defined "materiality" in Financial Accounting Concepts Statement No. 2, Qualitative Characteristics of Accounting Information: "The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement." As a response to some concerns raised by Chairman Levitt, the SEC issued Staff Accounting Bulletin (SAB) No. 99 in August 1999. The Bulletin contends that FASB's definition is similar to the interpretation of materiality upheld by the courts under federal securities laws. [2]

From these definitions, we may conclude that materiality depends on surrounding circumstances, the setting in which the item appears, and the setting in which it will be used. If the probable effects of the item—whether through omission or commission—would be to give rise to misleading inferences by the person or class of persons whom it will logically reach, it is material, significant, consequential, and important. For this purpose, these four words are practically synonymous, although some make a distinction between material and significant, attaching material primarily to a dollar amount.

Clearly, there are degrees of materiality and, as a consequence, there will be borderline cases. These will require all the good judgment that the auditor can summon. Standards that would guide an auditor in determining whether or not a deviation would require correction, disclosure, or qualification of an opinion would be of immense help to auditors.

Research shows that the assessment of materiality differs among individual accountants and among public accounting firms and that it varies with the size and geographical location of the practice. In arriving at these decisions, the auditor should keep these matters in mind:

Relative size of the item. Failure to disclose a liability of $5,000 in the balance sheet of an enterprise with net assets of $40,000 would result in a material misstatement. In a balance sheet showing net assets of $3 million, it would ordinarily not be material.

Absolute size of the item. In spite of the importance of relativity, size alone may be important. Many accountants would consider a large amount important, even though it is only 3 to 4% of net assets, or 3 to 4% of net income before taxes.

The nature of disclosure. The fact that a company has pledged its accounts receivable as security for a loan is significant because it discloses that the company is using a comparatively expensive form of financing and is therefore a material fact—even though the amount may not be material in relation to the working capital.

Use to be made of the report. If it is known that the report will be used for the sale of stock or for obtaining long- or short-term credit, the effect the item might have on purchasers or long- or short-term creditors would be considered.

Evidence of a desire to mislead. The existence of an incentive for error would be considered. An accidental error would have less significance than a deliberate departure from accepted procedure.

Favorable or unfavorable effect of adjustment or disclosure. Unfavorable ones are usually given more weight.

Stability of income. If net pre-tax income fluctuates widely, unusual items are more important.

Effect on future earnings. Items whose effect will continue into the future are more important than those with only current significance.

Materiality may determine not only the need for exception or disclosure but also the extent of the audit work necessary to sustain an informed opinion. Inventories of a manufacturing company are of greater relative importance than those of a personal service organization, not only in size and amount but also because of the greater number of ways in which they may be improperly handled, both physically and in the records. Where accounts receivable consist of relatively few, but large, balances, the percentage of accounts confirmed should normally be much higher than if they comprise a large number of small balances, even though the total may be the same.

In summary, sound judgment is required in determining what is or is not material. No definition of materiality need deter you from recommending adjustments of errors or omissions on the books or financial statements. Auditees, as mentioned earlier, generally wish to have errors or deficiencies corrected.

[2] C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41–43.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.4  REV NO:  DATE:
TITLE: Types of Audits  PAGES:


6.4 Types of Audits

The following descriptions are of the audit types performed by the Internal Audit Department. The majority of audits performed by the department are financial, operational (managerial), and information systems. (For a discussion of control self-assessment (CSA) or self audits, see Section 4.1(e).) The type of audit performed on a particular auditable unit can be any combination of the types described below. The type of audit to be performed is determined in the initial planning process.

a. High-Level Review of Procedures

A high-level review is a special type of review that measures general compliance with key corporate policies and with sound business practices. The objectives of this review are to provide the auditor with an understanding of an operation and to determine the nature of detailed testing that may be needed in certain areas.

Procedures for this review follow the general guidelines for external auditors, as specified in Statement on Auditing Standards (SAS) No. 36: Review of Interim Financial Information. These procedures consist primarily of inquiries and analytical review concerning significant accounting matters related to the financial information being reviewed. Additionally, the internal auditor should obtain an understanding of the entity's systems of accounting and internal controls.

Our high-level review includes other tests outlined in greater detail than in SAS No. 36. Compliance and some substantive tests are to be performed over certain areas of an entity, including cash, accounts receivable, credit, travel and expense, brand sales, product costing, marketing variable, fixed assets, debts, and inventory.

b. Financial Audit

A financial audit is a study of the current financial position of an operation to evaluate the fair presentation of the financial position as reported on the balance sheet, income statement, and the statement of cash flows. Full financial audits of significant company operations and subsidiaries are typically performed by external, independent auditors. In some cases, however, full financial audits may be performed by Sam Pole's internal auditors.

The primary reason for a financial audit is to assure parties relying on financial statements that the data are presented fairly in accordance with GAAP. A financial audit would be appropriate before tax reporting, expansion ventures, mergers, acquisitions, disposal, economy fluctuations, and periodic presentations of financial position.

The approach to a financial audit would be governed by the purpose of the audit. If current liquidity were of prime importance, collectibility of trade receivables, short-term investments, turnover of inventory, and liquidation of accounts payable would be considered. If expansion or acquisition were of prime importance, both long- and short-term debt would be considered. If economic fluctuations called for retrenchment, then purchasing practices, inventory stockpiling, overhead reductions, and other operating costs would be considered. Regardless of the purpose of the audit, financial controls would always be of prime consideration in evaluating audit risk.

In all financial audits, the general ledger, general and specific journals, voucher registers, bank reconciliations, and account analyses would be reviewed. These records would tell the auditor where the operation's assets were utilized and why. Depending on the purpose of the audit, a review of the following reports would be considered:

• Accounts Receivable Aging
• Accounts Payable Aging
• Inventory Aging
• Discount Income versus Discount Expense
• Physical Inventory Reconciliations
• Inventory/Receivable Turnover Ratios
• Variance Analyses
• Standard Cost Revisions
• Transportation Costs
• Capital Expenditures versus Return on Investments
• Purchasing Cost Savings

These records and reports would tell the auditor where the operation was, where it is, and how it got there. They would highlight efficiencies and inefficiencies in vital areas such as credit and collections, inventory control, production scheduling, capital investments, and purchasing coordination.

Given all the above factors, the audit plan would then be devised, giving consideration to:

• Objective of the audit
• Time requirements
• Staff requirements
• Starting and concluding dates
• Auditor assignments

c. Operational/Managerial Audit

An operational audit can be defined as an extension of a financial audit. A financial audit tells where the entity was and where it is; an operational audit tends to answer the questions of why the entity is where it is and how it got there. In this sense, the operational audit falls into the category of a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling. The operational audit can be broken down further as a functional review; for example, Purchasing as a department versus the overall Procurement operation in coordination with production scheduling and market forecasting. There are several reasons for performing an operational audit: compliance with policies and procedures, excessive customer returns, equipment down time, adverse variances, proposed product changes, theft, or personnel turnover. The timeliness of an operational audit is determined by the reason for the audit and the areas to be audited.

To formulate the approach to an operational audit, an auditor must first establish the scope. This step determines the extent of the audit. The next step is to become familiar with an auditee's operation, its purpose in the total structure of the entity, its history, its staff, and its reporting path. The reporting path is of prime importance because this path is the communication route along which audit results and conclusions will flow. The auditor should advise the location's management in advance of a planned visit so that suitable working and living accommodations may be arranged.

The prime records to be obtained in an operational audit are the organizational chart of the function/operation, applicable policy guides, and procedures directives. These will outline each employee's responsibility and authority. The function's/operation's performance reports for at least one year prior to the audit should be reviewed to determine trends that have developed over the past year. These records and reports could indicate such trouble areas as segregation of duties, imbalance in reporting path, over- or under-staffing, noncompliance with corporate policies and procedures, weaknesses in internal controls, or inadequate job rotations. These indications could aid the auditor in determining priorities as to depth of investigation and areas of potential improvement. Reports must be informative and timely, and directed to the proper levels of management.

d. Compliance Audit

A compliance audit involves two different, though closely related, types of issues:

1. The nature and scope of the transaction against which the compliance is to be ascertained
2. The degree to which it is practicable, or even desirable, to determine the compliance

Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course that is monitored by various checkpoints to reach a desired conclusion.

Reasons for a compliance audit can vary with the size and complexity of the organization, type of product, market involvement, quantity and locations of sites, or levels of standardization. A compliance audit may be performed due to a recent history of excess customer returns, unusual buildup of inventory, increase in scrap, increase in bad debt write-offs, proposed realignment of responsibilities, manpower turnover, or a routine review of procedures.

e. Contract Audit

A contract audit is defined as the review and evaluation of a contract (terms, conditions, etc.) and its related financial transactions. The terms construction and contracts are sometimes used interchangeably in the audit profession because a construction project requires a contract. Contracts, however, cover a wide range of areas such as repairs, maintenance, rentals, and consulting.

Contract audit objectives are segregated into:

Corporate Audit Objectives:

• Assess the adequacy of internal accounting control systems and operating procedures.
• Monitor compliance with corporate policies and procedures, contractual provisions, budgetary guidelines, and operating safeguards and controls.
• Highlight problem/opportunity areas and make appropriate recommendations to management for the development of new operating and control procedures.

Contract Audit Objectives:

• The contract specifically includes the right-to-audit clause.
• Controls exist to assure that construction or other costs, which are billed by the contractor, are in accordance with the terms of the contract.
• Contractor controls and procedures are adequate to assure that the billed costs are proper and reasonable.
• Controls exist to assure that other charges to the project are proper and reasonable.

Contract audits are appropriate on a continuing basis when:

• Contracts are issued for significant amounts.
• Actual expenditures exceed budget.
• Control weaknesses are noted during a financial audit.
• A unit experiences management turnover.
• Integrity of personnel is questioned.
• A request is received from management (corporate or unit).

10 Chapter 6: Audit Planning


The approach to a contract audit includes the following steps:

1. Review the contract to determine that it is in accordance with established company policies (e.g., competitive bidding).
2. Document and evaluate the system of internal control.
3. Review pertinent data (project expenditures) to determine test criteria.
4. Perform a review to ascertain that all expenditures (included in test) are accurate, properly supported, and in agreement with terms and conditions of contract.
5. If considered necessary, visit the contractor's office and review records to determine that charges to the company are proper.

Ongoing contract audits require the preparation of periodic interim reports to management advising on situations encountered so that prompt corrective action can be taken. A formal report is also required on completion of an assignment, and status reports to audit management should also be issued from time to time.

f. Desk Review

In a desk review, the internal auditor will obtain a package of financial and other documentary information from the auditee and perform limited procedures. In most cases, all procedures will be performed from corporate offices and not at the auditee location.

Several benefits result from frequent desk reviews. First, the internal auditor can determine if the auditee is currently in compliance with previous recommendations. Second, internal auditors can expand the coverage of their audits to nearly the entire organization without making trips to every location. A related benefit is reduced travel time and travel expenses. Finally, the desk review is ideal for training new internal auditors, allowing them to gain an understanding of an entity's operations prior to doing a field audit.

A desk review can be combined with a control self-assessment review (see Chapter 4.1(e)).

g. Follow-Up Audits

Follow-up audits are performed 6 to 12 months after a major audit has been completed, to ensure that previously accepted audit recommendations have been effectively implemented. These audits are typically performed if the audit identified significant conditions.

h. Information Systems Audits [3]

Information systems (IS), or electronic data processing (EDP), audits are the examination of significant aspects of the IS environment. The company may have several different IS environments, such as: mainframe, mini-computer, microcomputer (PCs), local area networks (LANs), wide area networks (WANs), electronic data interchange (EDI), and Internet hosts (servers, electronic commerce).

The nature of business systems changed dramatically in the 1990s. More and more businesses went to real-time, online systems. The Internet expanded into the World Wide Web (WWW, web) where a geometric growth of pure digital business transactions has occurred (i.e., electronic commerce). In general, more accounting functions are computerized and more business transactions are now entirely in digital form. Therefore, IS audits are becoming increasingly more important for data integrity, system availability, and security. For those businesses that have some or all of their business transactions embedded within IS, the availability of the system has become critical to the success of the firm. Even for external audits, the "white box" technique [4] of financial audits is becoming more necessary and will become more and more common.

The internal auditor should have identified audit units for each of the IS environments above applicable to the firm. The COSO model is an excellent way of identifying such units. Using both COSO and other sources, the following is a list of major audit units to be considered for each environment, although it is not comprehensive:

• System Control Activities: General Controls Review. Review of general control units such as organizational structure policies and controls related to all information systems or technologies. This review could be done in conjunction with other audits (i.e., integrated approach). An examination of general controls might include units such as:
  ♦ Access Security
    ◊ "Top Secret," RACF, ACF2
  ♦ System Availability/Continuity of Operations
  ♦ Documentation Standards
  ♦ Program Development and Change Control
    ◊ Program change control—"PanValet"
  ♦ Disaster Recovery/Business Recovery

• System Control Activities: Application Controls Review. Application controls are embedded in the code. Hopefully, internal auditors (such as CIAs or Certified Information Systems Auditors, or CISAs) provided guidance in developing the controls as each application was being produced. Basically, auditors will examine software systems' controls for processing applications such as:
  ♦ Revenue cycle programs (e.g., accounts receivable, sales)
  ♦ Expenditure cycle programs (e.g., accounts payable, purchases)
  ♦ Payroll cycle programs
  ♦ Inventory cycle programs
  ♦ General ledger
  ♦ All other financial applications

• Physical Control Activities. An examination of various physical controls. They include controls such as:
  ♦ Transaction authorization
  ♦ Segregation of duties
  ♦ Compensating controls (often necessary in IS environments)
  ♦ Accounting records (especially audit trails)
  ♦ Independent verification (management's assessment of individuals, integrity of Accounting Information System (AIS), and integrity of the data in the records)

• Detailed Examination of Operating System. Audit specific to MVS operating system, AS/400, Unix, Linux, Novell, Windows, etc. The audit should have at least these objectives:
  ♦ Protect itself from users
  ♦ Protect users from each other
  ♦ Protect users from themselves
  ♦ Be protected from itself
  ♦ Be protected from its environment

i. General Controls: Disaster Recovery Review

A Disaster Recovery Plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. [5] The DRP starts with a written plan that also identifies the procedures for restoring operations with the DRP elements. The procedures should rank critical applications for the restoring process so as to minimize the loss of critical transactions during the down time. The plan also identifies the DRP team. Every organization needs an appropriate DRP. A review of the DRP includes at least the following items:

• Backup Site. An offsite facility equipped to restore operations (e.g., hot sites, such as the recovery operations center; cold sites, with equipment backup separate; and mutual-aid pacts).
• Backup Data. An offsite receptacle for archived data, stored frequently and timely (e.g., online data vaulting and data sets such as tapes, disk packs, etc., stored in a fireproof vault). This process should have been tested for reliability.
• Backup Software. Backup copies of all relevant software and applications. These should be stored offsite at the site backup or with the data backup.
• Backup Resources. Items such as paper supplies (e.g., continuous forms for printing invoices or checks) and other supplies necessary for systems to function. These items should be stored at or near the backup site.
• Backup Documentation. Any manuals or documentation that are necessary for operations. Again, stored at or near the backup site.
• Backup Team. The identification of the DRP team, with responsibilities for each member having been described in the written DRP. All of the DRP recovery processes should be made the responsibility of various team members with overlap or backups for personnel in case of the greatest tragedy—the death of a DRP team member.
• Critical Applications. A ranking of all applications to be restored. The ranking provides a way to prioritize DRP recovery processes.
• Tested. Has the plan been tested in a realistic manner?

ii. Applications Controls Review: Further Guidance

Application controls can be tested and examined using the system model: input controls, processing controls, and output controls.

A. Input Controls. Input controls would focus on maintaining the integrity of data entry and assertions such as completeness and existence (occurrence). They are designed to ensure that the transactions that bring data into the system are valid, accurate, and complete. Data input procedures can be either source document-triggered (batch) or direct input (real-time). Source document input requires human involvement and is prone to clerical errors. Direct input employs real-time editing techniques to identify and correct errors immediately. The following is a list of some input control areas for which to plan and investigate:

  ♦ Source document controls
  ♦ Data coding controls
  ♦ Batch controls (where applicable)
  ♦ Validation controls (e.g., field characteristics)
  ♦ Input error correction controls

B. Processing Controls. Processing controls are the most important and most difficult because they involve the computer processing steps inside the system. Applications and systems need expert design features to have adequate processing controls, which can be provided by CIAs, CISAs, or other qualified auditors. The following is a list of some processing control areas for which to plan and investigate:

  ♦ Run-to-run controls (during posting, etc.)
  ♦ Operator intervention controls (i.e., minimize human intervention, build audit trails when they do)
  ♦ Audit trail controls (building an adequate digital audit trail of internal processing activities)
  ♦ Logic testing (formulas, etc.)

The latter area is a real key to most systems and is extremely valuable for reviews of new or significantly revised applications. In order to conduct a white-box-type IS audit, an in-depth understanding of the internal logic of the application being tested is imperative. There are several techniques for testing logic directly. These approaches use small numbers of specially and expertly crafted test transactions used to verify aspects of the application's logic and controls. With known variables and calculated results, auditors can then conduct precise tests, obtain computerized results, and compare them against the objective set. The following list is indicative of the types of tests that could be run to test application logic:

• Authenticity Tests. Verify that an individual, a programmed procedure, or a message attempting to access a system is authentic.
• Accuracy Tests. Ensure that the system processes only data values that conform to specified tolerances.
• Completeness Tests. Identify missing data within a single record and entire records missing from a batch or file.
• Redundancy Tests. Determine that an application processes each record only once.
• Access Tests. Ensure that the application prevents authorized users from unauthorized access to data.
• Audit Trail Tests. Ensure that the application creates an adequate audit trail. This test should verify that the system produces complete transaction listings, and generates error files and reports for all exceptions.
• Rounding Error Tests. Verify the correctness of rounding procedures. Failure to properly account for this rounding difference can result in an imbalance between the total (control) interest amount and the sum of the individual interest calculations for each account. Rounding problems are particularly susceptible to so-called salami slicing, a criminal technique that tends to affect a large number of victims, but the harm to each is immaterial. Each victim only sees one of the small pieces and is usually unaware of being defrauded. Operating system audit trails and audit software (i.e., GAS) can detect excessive or unusual file activity. In the case of the salami fraud, there would be thousands of entries into the computer criminal's personal account that may be detected using generalized audit software (GAS) or computer-aided auditing tools (CAATs).

C. Output Controls. Lastly, internal auditors should plan for an examination of output controls. Output controls are intended to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. The type of processing method in use influences the choice of controls employed to protect system output. Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems. These controls are much easier to audit than processing or input controls. The following is a list of some output control areas for which to plan and investigate:

  ♦ Batch systems output controls
  ♦ Output spooling controls (print spooler)
  ♦ Print program controls
  ♦ Bursting controls (if applicable)
  ♦ Waste controls
  ♦ Data control group control
  ♦ Report distribution controls
  ♦ End user controls
  ♦ Real-time systems output controls

Another key element to IS audits is the use of computer-assisted audit tools and techniques (CAATTs). The internal auditor should make an assessment of applicable tools and techniques for the specific unit and audit objectives. The following is a list of possible tools and techniques, but is not fully inclusive:

• Generalized audit software (GAS)
• Embedded audit modules (EAM)
• Generalized data input systems (GDIS)
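As an added example, not from the book or the sources it cites, here are the Rounding Error, Accuracy and Redundancy tests above written as a small GAS-style recomputation over an interest posting run; the account ids, balances, rate and the truncating posting routine used as the known-bad input are all constructed for illustration.

```python
"""Added example (not from the book): Rounding Error, Accuracy and Redundancy
tests run the way generalized audit software (GAS) would run them over an
interest-posting file. All account ids, balances, the rate and the truncating
posting routine are constructed for illustration."""
from collections import Counter
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample data: month-end balances for a handful of accounts.
BALANCES = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("987.65"),
    "A-1003": Decimal("15000.00"),
    "A-1004": Decimal("42.42"),
    "A-1005": Decimal("3300.10"),
}
MONTHLY_RATE = Decimal("0.004167")  # constructed: roughly 5% per year / 12


def expected_interest(balances, rate):
    """Auditor's independent recomputation: each account's interest, rounded
    half-up to the cent. Every posted amount is held to this yardstick."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}


def control_total(balances, rate):
    """Control (batch) total as the posting run reports it: interest on the
    aggregate balance, rounded once."""
    return (sum(balances.values()) * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def rounding_difference(balances, rate):
    """Rounding Error Test. Returns (difference, within_tolerance): the gap
    between the control total and the sum of the per-account amounts may not
    exceed half a cent per account; anything larger is not rounding."""
    expected = expected_interest(balances, rate)
    diff = control_total(balances, rate) - sum(expected.values())
    tolerance = Decimal("0.005") * len(balances)
    return diff, abs(diff) <= tolerance


def salami_posting(balances, rate, beneficiary):
    """Constructed 'before' behaviour, used only as test input: a posting routine
    that truncates every account's interest and forces the run to balance by
    crediting the whole shortfall to one account. The file still foots to the
    control total, which is exactly why that check alone does not catch it."""
    posted = {acct: (bal * rate).quantize(CENT, rounding=ROUND_DOWN)
              for acct, bal in balances.items()}
    remainder = control_total(balances, rate) - sum(posted.values())
    posted[beneficiary] = posted.get(beneficiary, Decimal("0")) + remainder
    return posted


def control_total_agrees(posted, balances, rate):
    """Batch-level check: does the posted file foot to the control total?"""
    return sum(posted.values()) == control_total(balances, rate)


def recompute_exceptions(posted, balances, rate):
    """Accuracy Test, record by record: every account whose posted amount
    differs from the independent recomputation, with the signed difference.
    An account credited without any balance behind it shows up as well."""
    expected = expected_interest(balances, rate)
    exceptions = {}
    for acct in sorted(set(posted) | set(expected)):
        p = posted.get(acct, Decimal("0"))
        e = expected.get(acct, Decimal("0"))
        if p != e:
            exceptions[acct] = p - e
    return exceptions


def redundancy_exceptions(records):
    """Redundancy Test: account ids that were posted more than once in one run.
    records is a list of (account, amount) pairs as read from the posting file."""
    counts = Counter(acct for acct, _amount in records)
    return sorted(acct for acct, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("control total:", control_total(BALANCES, MONTHLY_RATE))
    print("rounding difference, within tolerance:", rounding_difference(BALANCES, MONTHLY_RATE))
    # A-9999 is a constructed account that collects the shaved fractions.
    posted = salami_posting(BALANCES, MONTHLY_RATE, "A-9999")
    print("file foots to control total:", control_total_agrees(posted, BALANCES, MONTHLY_RATE))
    print("record-level exceptions:", recompute_exceptions(posted, BALANCES, MONTHLY_RATE))
    posting_file = list(posted.items()) + [("A-1002", posted["A-1002"])]  # one duplicate
    print("duplicate postings:", redundancy_exceptions(posting_file))
```

The run shows the point the text makes: the posted file foots to the control total, yet the record-level recomputation lists every shaved account and the one account that collected the fractions.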


i. E-Commerce Audits

Electronic commerce (e-commerce) has some special considerations beyond those identified in the IS audits section because the IS audit is typically conducted on the "back office" system. E-commerce is the "front end" system. The audit of e-commerce will focus on controls, access, security, and availability. The higher risks in e-commerce at the present are viruses, hackers and crackers, and activities intended to crash the system. Some CAATs provide auditors the ability to probe for weaknesses—to play the devil's advocate on their own systems (e.g., SAINT). These tools are extremely beneficial in doing e-commerce audits. A review should include the following applicable units or areas, although this list is not exhaustive:

• Unauthorized access [6]
• Firewalls [7]
• Intrusion detection
• Data encryption [8]
• Transaction and access logs
• Challenge-response activities
• Authentication methods [9]
• E-commerce protocols [10]
• Non-repudiation controls
• System availability, fail-safe controls
• Anti-virus protection

j. International Audits

An international audit is a full-scope audit of a particular division or subsidiary. These are performed on a regular basis or on request. The scope of this type of audit includes a financial section, an operational section, an IS section, and a section addressing the unique characteristics of the location's customs and duties and governmental affairs. Depending on staff levels, distance and capabilities, international audits may be a good candidate for outsourcing.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.5 REV NO: DATE:

TITLE: Time Reporting PAGES:


6.5 Time Reporting

Planning and budgeting are important procedures that should be performed as integral elements of every audit. Time records aid these functions because they provide cumulative data regarding the actual time spent accomplishing specific assignments on previous or similar engagements. As a result, the senior auditor can use this data, along with an evaluation of the procedures to be performed and the capabilities of the applicable personnel, in order to better estimate (budget) the time required for the current audit.

Other benefits of time reporting are:

• Providing the quantitative support necessary at the staff level. Accurate budgeting of all audit activities throughout the year will summarize into a viable total from which to determine the number of auditors required.
• Adding to job control. Prompt time reporting enables the in-charge manager to effectively analyze how much time has been spent, how matters stand against the budget, and how much further time is required for completion.
• Supporting productivity. Time reporting provides the ability to monitor actual time spent on audits versus administrative and other lost productive time.

The following discussion is an explanation of a basic time reporting form as well as a listing of basic reports. Each audit assignment should be given a number indicating the year and the audit number—beginning with 001, followed by 002, etc. Task and audit type codes should be added as described below.

a. Form: Corporate Audit Time Report

A form is to be completed semimonthly and approved by the senior, supervising senior, or manager. A sample of this form is provided at the end of this section (Exhibit 6.4).

To use the Corporate Audit Time Summary:

1. Complete the form in detail. Be neat.
2. Account for eight hours per day and 40 hours per week.
3. Corporate Audit time reports are due semimonthly.
4. Record time accurately to within a half hour.

b. Report for the Period Ending

The form is designed to be used for either the first through the fifteenth, or the sixteenth through the thirty-first of the month.

c. Auditor's Name/Employee Number

The auditor to whom the time report pertains should sign the time report. Each auditor should have been assigned an employee number for time reporting purposes.


d. Job Number

Each assignment will have a specific job number. Job numbers assist in the identification and accumulation of time reported by several individuals on various jobs. If you are asked to perform a task, obtain the appropriate job number from your supervisor or get the number from the planning memo in the administrative binder for that job.

e. Audit Codes

Audit codes relate to the type of audit. A listing of these and task codes follows. (See Exhibit 6.3.)

Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes

Audit Type Codes

01 High-Level Review
02 Financial Audit
03 Operational Audit
04 IS Audit
05 Contract Audit
06 Other Audit
99 Non-audit [a]

[a] Details to be listed on back of time report.

Task Type Codes

01 Planning/Planning Memo
02 Audit Program/ICEG Development
03 Technical Research
04 Supervision
05 Review Workpapers
06 Write Reports/Memos
07 General
08 Cash
09 A/R Confirmation
10 Inventories/Physical Observation
11 Supplies Inventory
12 Inventories—G/L
13 Other Assets
14 Liabilities
15 Revenue/Expense
16 Payroll
17 Revenue System—Cycle
18 Expenditures System—Cycle
19 Payroll System—Cycle
20 Production System—Cycle
21 Auditee Conferences
22 Permanent Files
23 System Files
24 Travel—Work Time
25 Travel—Other
30 Data Center Review
31 Applications Review
32 Production/Maintenance
33 Computer Program Changes
34 Conversions
35 IS Operating System
40 Pre-implementation System Review
41 Post-implementation System Review
42 Systems—Operational
50 Contract Review
51 Contract Procedures/Controls
52 Contract Billing
53 Investigation
54 Benefit Plans
55 Projects [a]
60 Quality Control
61 Performance Evaluation
62 Orientation
63 Scheduling
64 Interviewing/Recruiting
65 Education and Training Administration
66 Administrative—Other [a]
70 Staff Training—Internal
71 Conferences/Seminars
72 Education Course—CPE
73 Professional Organization
74 Self Study
75 Time Report Input
80 Sick
81 Personal
82 Vacation
83 Holiday
84 Compensation
90 Administrative—Department [a]
91 Peer Review
92 Status Reports
99 Other [a]

[a] Details to be listed on back of time report.

f. Task Codes

Task codes should be used to detail the specific work performed. A listing of these codes follows. (See Exhibit 6.3.) Consult your supervisor or the job budget in the planning memo for the proper task code.

g. Hours

Only total hours for the semimonthly period need to be recorded in the "hours" column. The daily hours are accumulated on the right side of the sheet. Hours should be reported to the half hour.

h. Productive Time

Record all time applicable to the job. This record includes time spent working at the job site, in the office at night, in the motel, or at home. Think of reporting time as though you were going to bill your time to the auditee. Remember, future projects will be understated if actual time spent on an audit is not recorded and remains hidden. Record travel as work time only between the normal work hours of 8:00 A.M. and 5:00 P.M., or normal hours applicable to your organization. This travel time should be charged to the normal job number, audit code, and task 24.

i. Nonproductive Time

Record travel time outside normal working hours of 8:00 A.M. to 5:00 P.M., Monday through Friday, or after a 40-hour week of flexible hours has been worked. An example is to assume you left the job at 4:00 P.M. after you have spent seven hours on the audit at the job site. One hour should be recorded as productive time and the remainder of the time spent traveling should be recorded as nonproductive.

Travel time is defined as the time required to commute to the airport, from departure airport to destination airport, and the commute from destination airport to office, home, or motel. If you are traveling by automobile, it is that time you leave the home, office, job site, etc., until you arrive at your destination. Travel during non-work hours should be charged to the job number, audit code 99, and task 25.

Other nonproductive time—including vacation, holidays, sick leave, personal leave, training, and seminars—has specific task codes that are self-explanatory. Time charged to the administrative category must be explained on the back of the time report to avoid making it a catch-all task code. All nonproductive charges go to job number 000, audit code 99, with the appropriate task.

"Administrative" is defined as work that is beneficial to all jobs, not just one. If an auditor is writing the report for job number 01-010 in the office, it would be chargeable to job number 01-010. But, if the same person were writing a policy statement that applies to office procedure and would affect the conduct of all jobs, then the hours would be charged to administrative. One would normally expect very little staff time charged to the administrative category. As a general rule, all staff time should be charged to a job. However, time spent filling out time reports, expense reports, etc., should be considered administrative.


j. Summarizing Time

Each individual's time is entered into a time reporting application after it has been approved. Once all time sheets are input, the data is compiled into various reports by the application. The following reports should be considered:

• Report 10—Listing of employee names and numbers
• Report 20—Listing of job numbers and job names
• Report 30—Listing of audit numbers and names
• Report 40—Listing of task numbers and task names
• Report 50—Semimonthly input summarized by employee number within date
• Report 60—Listing of hours by job number, employee, and task
• Report 70—Listing of hours by employee, by job, and by task
• Report 80—Listing of hours by audit, by job, employee, and task
• Report 90—Listing of total audit and non-audit hours by employee
• Report 100—Listing of non-audit hours by employee, by task
• Report 110—Listing of budgeted versus actual hours by job, by task
• Report 120—Listing of budget to actual hours for all jobs

Exhibit 6.4: Sample Corporate Audit Time Summary Form

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.6 REV NO: DATE:

TITLE: Expense Reporting PAGES:

6.6 Expense Reporting

All approved expense reports should be submitted to the Audit Director. A copy should be retained for the department's records. This process will provide a means for reconciling the monthly Departmental Budget Progress Reports on a timely basis and will provide auditors with a record, if necessary.


a. Travel Expenses

General guidelines for travel arrangements and travel expenses:

• Airfare. Flight arrangements should be made through the travel department in accordance with corporate policy.
• Lodging. Lodging arrangements are to be made through the travel department, but are first to be approved by the manager level or above.
• Meals. Reasonable meal expenses will be reimbursed.
• Local Transportation. The decision of whether to lease a car or use cabs is to be discussed at the manager level or above. Car rental is to be arranged through the travel department.
• Telephone. Non-excessive expenses for personal calls will be reimbursed. Personal calls, however, should be limited to one per day.
• Advances. Expense advances are to be obtained through the accounting department and are to be approved by the manager level or above.
• Expense Report Settlements. Individual auditors are responsible for settling their own expense reports with the accounting department.
• Mileage. Mileage expenses will be reimbursed at the current rate acceptable by the Internal Revenue Service.

This list serves as only a general guideline, and exceptions will occur; you will be asked, however, to explain deviations. When in doubt, general company guidelines apply. Before leaving on a trip, any expected exceptions must be discussed at the manager or director level.

Endnotes

1. September 2000 issue, "Best Practices for Audit Efficiency." Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.

2. C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41–43.

3. See Section 3.6 for more on IS audits. Some of the material in this section is from the following book: James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.

4. This term refers to the approach where the auditor audits through the computer system rather than around it (i.e., black box).

5. James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.

6. More than passwords, because secured access for e-commerce is usually multi-faceted. For example, a firewall, intrusion detection system, and passwords combined for access control(s).

7. Overlaps with unauthorized access and system availability.

8. Online and offline: almost all credit card theft over the Internet has been from files on the system, not from stealing them during transactions.

9. Digital signatures, digital certificates, call-back modems, multi-faceted access methods (e.g., a password and a PIN generated via pager; an access ID and password, and another ID and password for access to applications or data).

10. For example, SSL, SET, S-HTTP.


Chapter 7: Audit Performance

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 7.1 REV NO: DATE:

TITLE: Corporate Audit Performance Process Matrix PAGES:

7.1 Corporate Audit Performance Process Matrix

This chapter presents a number of audit tasks and documents that are necessary for effective audits. They also are compatible with audit standards such as the Institute of Internal Auditors' (IIA's) Standards for the Professional Practice of Internal Auditing. [1]

The audit process begins with the notification of the auditee and concludes with the performance evaluation of each staff member on the project. The corporate audit performance matrix (Exhibit 7.1) summarizes the activities contained within our sample audit process. This sample process places a heavy emphasis on organization and implementation of all authorized department procedures. It is a structured program with a great deal of attention to planning. The importance of structuring the audit process and following documented department procedures cannot be overemphasized. It is through strict adherence to procedures performed by competent staff that good audit reports will result.

Exhibit 7.1: Corporate Audit Performance Process Matrix

Assignment Check List
  Purpose: Establish control over audit; assign number and log it.
  Timing: Begin two weeks before audit; complete one week after report is issued.
  Author: Senior; Addressee: Workpapers; Copies: None
  Contents: Calendar of audit checkpoints

Engagement Memo—Notice to Auditee (Section 7.2)
  Purpose: Announce audit.
  Timing: Approximately four weeks before audit
  Author: I.A. Manager; Addressee: Unit Head; Copies: Unit Controller, Manager, others
  Contents: Audit entity or location, audit objectives, audit period start date, end date, request response

Planning Memo
  Purpose: Establish audit objective, scope, and approach.
  Timing: Before or at beginning of audit
  Author: Senior; Addressee: I.A. Manager; Copies: Manager
  Contents: Audit objective, audit scope timing, budget hours detailed by area, significant audit areas/audit, approach staffing

Status Memo
  Purpose: Interim field audit report of significant findings/problems
  Timing: As required, based upon existing circumstances
  Author: Auditor; Addressee: Auditee; Copies: Workpapers
  Contents: Outline of significant audit developments, timing problems, need to alter objective or scope, high-level budget/actual hours comparison

Tentative Audit Recommendations Worksheet
  Purpose: Document significant findings.
  Timing: Promptly upon audit disclosure
  Author: Auditor; Addressee: Auditee; Copies: Workpapers
  Contents: Findings documentation, status and disposition

Audit Report Distribution Worksheet
  Purpose: Track report preparation and issuance.
  Timing: Upon completion of field work
  Author: Senior/Manager; Addressee: Workpapers; Copies: None
  Contents: Calendar of checkpoints; distribution of copies

Audit Report (See Section 8.1—Report Process)
  Purpose: Document results of audit reported to Audit Committee.
  Timing: One week after Manager approval of agreed text
  Author: I.A. Manager; Addressee: Audit Committee; Copies: Distribution to management
  Contents: ID of audit transmittal to Audit Committee, highlights of audited entity, scope of audit, auditors' conclusions, detailed comments and recommendations (for management only)

Summary Memo
  Purpose: Document achieved audit objectives; budget/actual time comparison.
  Timing: Promptly upon completion of final draft of audit report
  Author: Senior; Addressee: I.A. Manager
  Contents: Outline achieved audit objectives or shortcomings, detailed budget/actual hours comparison with explanations, future audit recommendations, oral report to director of significant findings before audit report

Performance Evaluations
  Purpose: Periodic evaluation of performance on engagement
  Timing: To accompany Summary Memo
  Author: I.A. Manager; Addressee: Staff Personnel
  Contents: As prescribed on form

Approval (as listed across the matrix): None, None, Manager, None, Senior, Manager, None, Manager

The example included in this manual requires the audit team to formally notify the auditee and develop a detailed audit plan and budget. The purpose of the detailed plan is to ensure that the objectives of the audit are the most appropriate for the circumstances. Given the limitation of time for each audit, the scope and objectives should be seriously considered not only by field staff auditors, but also by the audit management. This process is institutionalized through the development of a proper audit planning document.

The budget will help guide the staff to put their time into the proper areas. It will also assist audit management in explaining why audits have taken more or less time than originally planned. Budgets also help refine the long-term planning process and provide improved credibility for the audit function. One must always keep in mind that it is very difficult to measure audit productivity. With budgets in place, some of the management and auditee doubts are mitigated.

a. Assignment Log and Checklist

At the commencement of an audit assignment, a number is given to the audit project. The number consists of two digits for the year and a three-digit number designating the particular engagement.

One of the first steps in the audit performance process is to initiate an assignment checklist (see Exhibit 7.2). The checklist is used as an overall control form and should be the first paper seen on the top of a workpaper binder set. This checklist is a guide to ensure that all critical elements of the audit performance process are completed.

Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist

Audit #01-nnn

Company: _______________________________________________
Location: ________________________________________________
Assignment: ______________________________________________
Date: __________________________________________________

                                                          Date
1.  Notice to Auditee                                     ___/___/___
2.  Planning Memo                                         ___/___/___
3.  Field Work
    • Preaudit Conference                                 ___/___/___
    • Begun                                               ___/___/___
    • Status Memo                                         ___/___/___
    • Completed                                           ___/___/___
4.  Closing Conference                                    ___/___/___
5.  Senior Finalization of workpapers                     ___/___/___
6.  Manager review (two days before outside deadlines)    ___/___/___
7.  Audit Report draft                                    ___/___/___
8.  Summary Memo                                          ___/___/___
9.  Audit Report issued                                   ___/___/___
10. Performance Evaluations                               ___/___/___

               Name                                              Completed by / Date
Supervising:   ________________________________________            ___/___/___
In Charge:     ________________________________________            ___/___/___
Assistant:     ________________________________________            ___/___/___

i. Audit Performance Process Log

In order to maintain control over all audit assignments, a log is kept by the department administrator. The log consists of a column to the left indicating the year and audit number. These are followed by columns to the right indicating the status of the audit and the beginning of the report initiation and completion process.

b. Description of Notice to Auditee

As discussed in the Corporate Audit Performance Process Matrix, in our example we have opted to notify auditees in advance of audits. In general, it is more appropriate to notify the auditee that an audit will take place. This notification allows for a more orderly project. In some cases, this approach may not be appropriate. For instance, petty cash counts are usually performed on a surprise basis.

Some audit departments do not notify auditees because the auditees can improve or address areas that may come under audit procedures. If the notice of audit provides the impetus for the auditee department to improve, that result is accomplishing the spirit of the audit mission. What follows in Exhibit 7.3 is a sample notice to the auditee. The manual should contain a sample so that there is consistency within the audit function and between all audits.

Exhibit 7.3: Sample Notice to Auditee


September 10, 200x

Mr. E.S. Jones
Sam Pole Company
2010 Main Street
Anytown, USA

Dear Mr. Jones:

In accordance with our audit plan, we have scheduled an audit during the period from September 1 through September 9, 200x. It will be performed under the supervision of Mr. Justin Tyme, who will arrive in the office on September 1st.

A full financial audit will be conducted, including the evaluation of internal controls and tests of transactions supporting related account balances, as well as verification of physical inventory valuations and circularization of customer accounts receivable balances.

Please contact me if you have any questions related to our visit or if you have areas of concern that you may wish to have reviewed.

Very truly yours,

Newley A. Pointed
Audit Manager

c. Preliminary Survey

i. Purpose

The purpose of a preliminary survey is to

• Gain a basic understanding of the entity to be audited, especially related to risk assessment
• Begin the planning process

These purposes relate to Generally Accepted Auditing Standards and IIA Standards. The following standards apply to the practical aspects of the audit planning process, including: adequate skills, competencies, and knowledge; adequate resources; the underlying role of risk assessment; and the nature of the work.

Attribute Standard No. 1210 (Proficiency). Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Attribute Standard No. 1210.A1. The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Performance Standard No. 2010 (Planning). The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. (Note: Subsection A1 further states that a "risk assessment should be undertaken at least annually.")

Performance Standard No. 2030 (Resource Management). The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Performance Standard No. 2100 (Nature of Work). The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.

Auditors should obtain background information about the activities to be audited. This process is accomplished by performing, as appropriate, an on-site survey to become familiar with the risks, activities, and controls to be audited; to identify areas for audit emphasis; and to invite comments and suggestions. To perform an audit in accordance with Generally Accepted Auditing Standards and the IIA's Standards, a properly conducted preliminary survey is required.

ii. Progression of and Procedures for Preliminary Survey

Review the scope of the pending audit.

The comprehensiveness of the survey depends on the scope of the audit. For example, if the audit is limited in scope, then the survey will be limited. A memo should be prepared discussing:

• Purpose of the engagement
• Nature of the final report, if any
• Timing of the engagement
• Auditee contacts

Arrange a preliminary meeting with management.

The purposes of this meeting are to:

• Meet management and inform them of the objectives of the survey
• Arrange for working space
• Prepare preliminary time tables
• Gain the confidence of location management
• Gain an understanding of management's objectives
• Gain an understanding of problems as perceived by local management
• Gain an understanding to determine whether a new risk assessment needs to be undertaken

Write a memo documenting the preliminary meeting with management. The following information should be included in the memo:

• Time, date, and participation (who was there)
• Summary of topics discussed
• Potential problem areas noted
• Potential conflicts
• Office policies peculiar to that location

After a memo is prepared documenting the preliminary meeting with management, the fieldwork portion of the survey is ready to begin.

Complete preliminary survey field procedures.

The field survey procedures for a full scope audit are:

Through interview, observation, and documentation, gain an understanding of the following characteristics of the entity:

♦ Brief history of entity
♦ Size of entity
♦ Products produced
♦ Process flow
♦ Principal customers
♦ Principal suppliers
♦ Current trends

The understanding should be documented in memorandum form. The purpose is to provide the reader with an overall understanding of the entity as it relates to Sam Pole Company.

Perform a cursory review of the accounting system by obtaining and preparing the appropriate documents and memoranda:

♦ Obtain an organizational chart
♦ Determine the extent of information system (IS) and information technology (IT) usage
♦ Briefly describe the following systems. Note the volume of transactions and the apparent control points and control weaknesses:
  ◊ Purchasing, accounts payable, and cash disbursements
  ◊ Order entry, sales, accounts receivable, and cash receipts
  ◊ Product inventory, aging and obsolescence review procedures
  ◊ Supply inventory system
  ◊ Cost accounting system
  ◊ Environmental accounting system (if applicable)
  ◊ Fixed assets and depreciation
  ◊ General ledger system

The following questions should be answered for each system:

• What is the job?
• Who does it?
• Why is it done?
• How is it done?
• Where is it done?
• When is it done?
• How is it monitored?
• How much does it cost?

Prepare a schedule of all significant books of original entry and, for computer systems, of master files and transaction registers.

Prepare a schedule of primary management reports.

Overview systems flowcharts may be prepared for any of the accounting systems if they enhance the understanding.

In connection with the review of the accounting system, the following documents should be identified, if available:

♦ Internal accounting procedures and practice manuals
♦ Governmental regulatory reports
♦ Prior audit reports, both internal and external
♦ Authoritative accounting publications related to the industry
♦ Industry standards

Perform a risk analysis: Professional practice standards (see "Purpose") require the auditor to exercise due professional care. Due professional care is not intended to mean that the auditor is infallible or that extraordinary performance is to be expected. But it does require that reasonable care be taken. In order to exercise due professional care, the auditor must be aware of potential risks.

A risk can be defined as an exposure to loss, or to less than maximum efficiency, resulting from a lack of internal controls.

Common risks include:

◊ Inadequate controls
◊ Inadequate planning and organizing
◊ Inadequate directing and controlling

Perhaps the easiest and most expedient means to detect common risks is a cursory internal control review using standard internal control questionnaires. These questionnaires will contain questions that point out unique risks for each system under review. An analysis of answers to the forms will aid the auditor in determining: (1) if the nature of the weakness is confined to a single system, and (2) if the nature of the weakness is pervasive throughout the entire organization.

For example, if auditors note a lack of segregation of duties over cash, they should determine whether it is unique to cash or pervasive throughout the whole system of internal control. If the weaknesses are pervasive throughout the whole system, then the problem would be one of inadequate planning and organizing. If the weaknesses are confined only to cash, then the problem would be one of inadequate directing and controlling.

Collation of risks—To assess the effectiveness of internal controls, it is necessary to relate risks to exposure, to controls, to planned audit effort, and then to the eventual results of the audit procedures. A suggested format is to schedule the above on workpapers that will be used during the actual performance of the audit.

Evaluation of risks—Evaluation of risks consists of the auditor's evaluation of the exposure resulting from the lack of functioning of an internal control over the particular risk. It consists of the auditor's answers to the question, "What is the maximum exposure to the corporation if this particular internal control is not functioning effectively?" In answering the question, the auditor must consider any compensating controls that may be in existence. To write an effective audit plan, it will be necessary to identify, relate, and evaluate the risks.

d. Planning Memo

i. Purpose

The planning memo outlines the manner in which the department audit plan is to be implemented for a specific audit, special assignment, or other activity. Planning represents an extremely important aspect of auditing and is required by the IIA and the American Institute of Certified Public Accountants' (AICPA) Statement on Auditing Standards of Field Work No. 1.

Before each assignment, a planning memo is required to establish coordination between internal audit staff and management. This document will ensure that the objectives and scheduling of the audit are being communicated and understood by all involved. Properly implemented, it ensures that the more experienced auditors (management) consider scope and procedures prior to implementation.

ii. Objective

The planning memo serves several purposes; namely, to document audit objectives, auditee background information, and financial highlights; and to describe significant audit procedures, budgeted hours, engagement timing, and personnel assigned.

iii. Procedure

Planning memos are to be typed on interoffice stationery and addressed to the Director of Auditing. A copy is also included in the workpapers.

The planning memo should be completed far enough in advance of an assignment for manager review and approval. Prior to preparing the memo, the senior auditor, if circumstances warrant, may have to visit the audit site to conduct a preliminary survey to obtain sufficient information to complete the planning memo. Only in unusual circumstances will the planning memo be accepted after the audit has been started. If, after the audit begins, conditions change affecting the initial planning memo, an addendum should be written and forwarded to the manager. The addendum should explain and document the reason for the changes, even if previous approval has been obtained.

iv. Format

The format designed to be used consistently for a planning memo is shown in Exhibit 7.4. A brief explanation for each section follows:

Introduction—The first brief paragraph outlines what was stated in the "Notice to Auditee" (see "Corporate Audit Performance Process Matrix"). It should contain the name and location of the entity to be audited, scheduled dates to begin and complete field work, a brief description of the type of audit, and the audit date(s).

Objective—The deliverable product of an assignment requires a conclusion that will provide management with either assurances or reasons for action concerning, for example, account balances, internal controls, various functions or operational procedures, etc. Prior to the audit, we must plan for the objective to direct our efforts toward that end result. Establishing objectives encourages an orderly work process and concentration of the audit effort toward a predefined goal. Consideration should be directed toward potential high-risk and material areas.

Scope—Once the objective is documented, the planning memo then logically leads into the scope section. If the objective is to state an opinion on the adequacy of a certain system, then the scope will explain the compliance and substantive testing necessary to arrive at an opinion. Areas of emphasis should be defined along with significant audit steps and procedures.

Background—Background information is necessary in order to give the reader a description of the entity or area to be audited. It does not need to be long or detailed, but should contain the entity name, location, and procedures or description of operations. Facts that are unusual or pertinent should be identified. Examples include situations where the controller is new, the location is known to have had internal control problems in the past, sales have fallen off heavily, or operating costs have increased substantially.

Financial Highlights—The financial highlights section includes a summary of major account balances. Accounts outlined in the objective section are also included in order to bring these accounts to the attention of the reader. Comparative figures for two corresponding periods should be included.

Significant Audit Areas/Audit Approach—This section identifies and outlines the more significant areas mentioned in the scope section. It also states the audit approach to be used in these areas. This method will assist all parties in understanding the areas of concern and how these areas are to be audited.

Staff and Timing—This section lists the staff assigned to the audit, their job level, and the dates assigned to the audit. Planning in this area is necessary to ensure that the fieldwork will be completed within the audit budget.

Budget—The audit budget is a compromise between what audit management would like to accomplish and that for which it can effectively allow time in meeting the overall department objectives. Normally, total hours will be estimated in a three-year plan. An appraisal is made of the objective and scope of work to be performed and the number of hours to complete each area of the assignment. The hours for each area should agree with total budgeted hours.

Exhibit 7.4: Sample Planning Memo

Date: October 20, 200x
From: Senior
To: Manager
Subject: Planning Memo—Sam Pole's Best Ozone Paint Manufacturing Facility

Field work for the manufacturing facility interim audit will begin on Monday, October 26, 200x, and will be completed on Friday, November 20, 200x. The interim audit as of September 30, 200x, will include a financial audit. A year-end audit will also be performed by the internal audit department in January 200x.

Objective

The interim audit will be conducted to determine the adequacy of internal accounting controls (through a review of accounting systems and a test of transactions) as a basis for the formulation of year-end balances.

A year-end review will also be conducted to determine the validity of accounting data that will be included in your company's consolidated general ledger trial balance as of December 31, 200x.

Scope—Interim

The audit will include the documentation, review, and detail compliance testing of existing key internal accounting controls in significant financial areas as of the September 30, 200x, trial balance.

Emphasis will be on inventory, sales billing, accounts payable, and payroll. A variation analysis will be performed of all accounts with significant changes in comparison with the 200x year-end balance. A review of the August 31, 200x, physical inventory compilation and a follow-up of previous audit comments will also be conducted.

Background

Sam Pole's Best Ozone Paint—located in Anytown, AZ, USA—is a key location for the company's ozone paint manufacturing. It joined the company in 200x and experienced several startup problems.

Financial Highlights
For the six months ended June 30 ($000's omitted)

Balance Sheet                   200x       200x
Inventories                  $ 4,000    $ 5,000
Other Current Assets             100        300
Total Current Assets           4,100      5,300
Net Fixed Assets              13,000     15,000
Total Assets                 $17,100    $20,300
Total Liabilities             12,000     14,000
Equity                         5,100      6,300
Net Liabilities and Equity   $17,100    $20,300

Income Statement                200x       200x
Net Sales                    $24,000    $35,000
Cost of Sales                 18,800     23,500
Gross Profit                   5,200     11,500
SG&A                           3,200      7,500
Net Income Before Taxes      $ 2,000    $ 4,000

Significant Audit Areas/Audit Approach

Inventory—Inventory is considered to be the most significant area at Sam Pole's Best Ozone Paint manufacturing facility. Our audit procedures will include observation of the physical inventory, testing of the system of internal controls, testing of the inventory compilation, and review and testing of the roll forward from the physical to September 30, 200x.

Payables—Payables are significant because of the volume of transactions and their interrelationship with inventory. Our procedures will include flowcharting and testing of the system, testing of cutoff, vouching of selected accounts, reviewing and preparing reconciliations of vendor statements, and examining subsequent payments.

Other Balance Sheet Accounts—Our approach to auditing these accounts will be to perform an analytical review, comparing current-year balances to prior-year balances and accounting for all significant changes. Substantive audit procedures will be used on all material balances.

Other Areas

Other areas that will be given emphasis in the current audit include:

• Analysis of repair and maintenance accounts
• Analysis of all outside service accounts
• Review of controls over customer returns

Staff and Timing

The audit will be conducted by both the Internal Audit Manager and J. Smith, a new audit senior. Field work will begin on October 26 and will last for two weeks.

Budget (in Hours)

Planning                                         6
Supervision                                      2
General                                          4
Meetings, tours, etc.                            4
Analytical review                                4
Flowcharting and review of systems controls:
  • Inventory ledger                            12
  • Purchasing/Accounts Payable                  8
  • Payroll                                      8
  • Sales/Billing                                8
Cycle Tests                                     10
Trial Balance                                    3
Cash                                             2
Accounts Receivable                              4
Inventory                                       20
Fixed Assets                                     6
Other Assets                                     3
Accounts Payable                                 6
Accruals                                         4
Income and Expense                               6
Internal Control:
  • Questionnaire Review                         4
Travel                                           4
Finalization of W/P                              8
Report                                          16
TOTAL:                                         152

e. Audit Status Report

The purpose of a status report is to provide audit management with a progress report on the assignment. On assignments scheduled for more than four weeks, a status report is required. A typical report would outline significant findings, audit scope changes and rationale, work completed, and an estimate of time to complete the assignment. This information documents the state of the assignment and enables the manager to make a decision on additional scope changes, staffing (increase or decrease), and staff schedule changes. The in-charge auditor has the responsibility for the status report. In some instances, due to the importance of the matter, the manager will issue a memo to the Director of Auditing.

A formal status report is not usually required for a short-period assignment. However, an informal report can be phoned in to the manager, describing significant findings, the status of the work completed, the estimate of time to completion, and other situations affecting the audit.

Communication keeps the manager aware of current situations and assists in the decision making on that assignment as well as in scheduling other audits. It also provides documentation, as required in our corporate audit performance process, in our project control file.

f. Developing Audit Recommendations

An audit recommendation addresses a condition that, in the auditor's judgment, requires change or action and is of sufficient magnitude to warrant the attention of management. Discovery of an exception is the starting point in developing a recommendation. When an exception is revealed during audit testing, development of a recommendation may require a series of expanded audit tests, research, and communication. The problem or situation as it exists must be fully defined and explained. The ability to express the results of an audit in well-written audit recommendations is a measure of assurance that management will take appropriate action and one of the principal bases on which audit performance will be judged. Each auditor must assume individual responsibility for improving proficiency in this respect.

A. Basic Criteria

Some basic criteria for effective writing that should be observed in the preparation of audit recommendations are:

1. Accuracy. Recommendations in audit reports must be verified thoroughly so that there are no factual errors. The auditor should be careful not to use data that could be misleading.

2. Objectivity. Include all significant, relevant information, even if it indicates disagreement with the auditor's position. Do not rely on inferences and implications. Adequate background information should be provided so that the reader can grasp the significance of the situation being reported.

3. Readability. In preparing an audit recommendation, the auditor should be continuously conscious of how it will be perceived by the reader. Avoid a disagreeable or inflammatory tone, sarcasm, ridicule, or oratory. Try to foresee the reader's reactions to certain words or phrases. Be tactful. The use of correct grammar and proper punctuation is an imperative for well-written recommendations.

4. Clarity. To the extent possible, clarity should be interpreted as requiring not only that every statement can be understood, but that it cannot reasonably be misunderstood.

B. General Characteristics

1. Evaluate the significance of what you are reporting.
2. Write in simple, non-technical, clear language.
3. If you refer to a form number, state its name or subject somewhere in the report.
4. If you use abbreviations, spell out their meaning when they first appear.
5. Reasonable logic is important.
6. Be concise. Avoid wordiness and inclusion of extraneous matter.
7. Do not be evasive. If you have something to say and can support it, then say it.
8. Write constructively. Stress the need for improvements in the future rather than focusing on deficiencies in the past.
9. Provide support for all information in recommendations.
10. Present relevant comments and reviews of the issues being discussed.
11. Clearly identify opinions, especially if they concern significant matters.
12. Do not generalize by simply saying that a practice "weakens controls." Specify how it weakens controls.

C. Development Process

The following steps should be followed in order to provide for systematic development of a recommendation after an exception is revealed:

1. The problem or situation as it exists must be fully defined and explained.

2. The criteria or standards for an activity should be re-evaluated as to applicability and adequacy at this point in the development of the recommendation. Some criteria regarding the performance of the activity must be established based on authority, generally accepted principles, or reasonableness.

3. It is necessary to look at the effect and significance of the problem. Through further testing and gathering of data, the extent of a problem and its importance must be determined. Efforts should be made to obtain quantification in the gathering of measures of effect.

4. If the effect is minimal, this condition is the auditor's notice to discuss the problem with the operating level of management. A recommendation is not required in an audit report when the effect is minimal.

5. If, in the auditor's opinion, the effect is significant, the auditor should proceed with the development of the recommendation.

6. The auditor must seek to find out, through expanded testing and gathering of data, what caused the problem or situation. Frequently, this step is the most difficult one in the development of an audit recommendation. However, without it, you have an incomplete recommendation and can offer management only a correction of the existing problem. You cannot provide a statement of action that will give assurance that a situation will not recur.

If the actual cause of the problem cannot be disclosed through expanded testing and gathering of data, the auditor should discuss the situation with responsible management. In this discussion, the auditor should seek to obtain a response as to what would improve the condition or situation. Based on the outcome of this discussion with the auditee, the auditor will be guided as to the statement of action that should be made for correcting the condition. If an actual cause of the condition is revealed, the statement of action should be directed at the correction of the cause. A discussion with the responsible management as to the problem, the criteria, the effect, and the cause should be held to obtain their comments in order to further substantiate the accuracy of the developed recommendation.

D. Developing Recommendation Data

1. Statement of Condition. In this section, the auditor should state the circumstances surrounding the recommendation. In a logical sequence, present the facts and specific illustrations describing the condition. Each statement of condition must contain sufficient qualitative and quantitative information to fully support the conclusions or main point. The statement of condition should be brief, but not to the point where completeness is sacrificed.

2. Criteria. The criteria represent the standards against which the auditor is measuring a questionable condition or practice. The criteria applied may vary; however, the auditor should concentrate on the criteria that are important to the objective of the audit. Some examples of criteria are:

   a. Written requirements (laws, regulations, instructions, manuals, directives, etc.)
   b. Independent opinion of experts outside the organization
   c. Prudent business practice
   d. Verbal instruction
   e. Managerial expertise
   f. Unwritten overall objectives as explained by management officials
   g. Common sense

   Published criteria may be directly quoted, summarized, or paraphrased. If criteria are not already set forth in writing, the auditor may have to obtain information that will serve as evidence of criteria. If common-sense subjective judgment is to be used as a criterion, it should be both logical and convincing to the reader.

3. Effect. Effect is the actual or potential adverse impact, which has resulted or can result from the condition being questioned, in dollars or other terms. Some examples of effect are:

   a. Uneconomical or inefficient use of resources (time, money, labor)
   b. Loss of potential income
   c. Violation of law
   d. Funds spent improperly
   e. Information or records that are meaningless or inaccurate
   f. Ineffectiveness; the job not being accomplished as well as it could be or as intended
   g. Inadequate control or loss of control over resources or actions
   h. Lack of assurance that the job is being done properly
   i. Lack of assurance that objectives are being met

   If the auditor does not present information on the actual or potential adverse effect, the reader might assume that the apparent lack of concern means that the recommendation is not very important. If the effect is not significant, the recommendation should not be included in the report. Caution should be exercised not to create an issue larger than the facts actually warrant.

4. Cause. The cause is the underlying reason why a questionable behavior or condition occurs. This sensitive, and usually highly judgmental, area requires the most penetrating efforts and insights of the auditor. As a minimum effort, the auditor should have explored the situation thoroughly enough to be able to generate what is termed a "first-level statement of action," that is, one that is sufficiently detailed or specific to enable the recipient of the recommendation to correct the conditions. It is necessary to get as close to the real cause of the problem as possible, or at least to one or more causes that will put the recommendation in perspective, make the recommendation convincing, and lead to a sensitive, specific statement of corrective action. Simply stating that the problem or adverse condition exists because someone did not comply with company policy is not very meaningful. Also, this approach usually confines the auditor to the rather superficial statement of action to "comply with company policy." Some examples of cause are:

   a. Lack of training
   b. Lack of communications
   c. Unfamiliarity with requirements
   d. Negligence or carelessness
   e. Guidelines or standards (criteria) are inadequate, not provided, obsolete, or impractical
   f. Conscious decision or instruction to deviate from requirements (for any of a variety of reasons)
   g. Lack of resources (funds or staff)
   h. Failure to use good judgment or common sense
   i. Dishonesty or personal gain
   j. Lack of effective or sufficient supervision, or lack of supervisory review
   k. Unwillingness to change
   l. Lack of planning, faulty or ineffective organizational arrangement, or delegations of authority

l.

4.

Statement of Action. Generally, each recommendation will result in one or more statements ofaction. Experience indicates a great receptivity to constructive audit statements of action.Some basic guidelines for developing statements of action are:

Present statements of action as a logical sequence to the related statement ofconditions.

a.

Present statements of action that are as specific, realistic, and as helpful as possibleand related directly to the cause of the weakness or deficiency. State what action willprovide a meaningful solution to the problems, and not simply recommend that"regulations be complied with," "controls be strengthened," or "procedures beestablished."

b.

Direct the statements of action toward the audited organization and to the specificpersons, by title, who have responsibility and authority to take corrective action.

c.

Do not include statements of action on which adequate action has been taken beforethe report is issued. Instead, report, in the body of the recommendation, what actionhas been taken to correct the situation and only present additional statements ofrecommended action as warranted.

d.

Avoid the use of extreme language in making statements of action, such as"immediately," "expedite," "without delay," "as soon as possible," unless the natureof the problem is so serious that such language seems particularly appropriate.

e.

The expression "for consideration" should not be used in presenting statements off.

5.

14 Chapter 7: Audit Performance

14 Chapter 7: Audit Performance

Page 199: Managing the Audit Function 3rd Edition - John Wiley & Sons

action. Since the Audit Department is a staff function and its service advisory, allstatements of action are "for consideration."Material, thoughts, or information that were not developed in the body of therecommendation should not be introduced in the statement of action. The statementof action should follow logically from what is presented in the recommendation.

g.

i. Recommendation Worksheet

A form should be created for the purpose of writing up the recommendations as they are initially discovered (see Exhibit 7.5 for an example of a worksheet format). A copy should then be given to the auditee. There are many good reasons for following this procedure.

Exhibit 7.5: Recommendation Worksheet Example

Audit Job No.______

Recommendation No.______

Workpaper Ref.______

Auditee ______ Audit Date ______

Statement of Condition: (What is) _________________________________

Criteria: (What it should be) ______________________________________

Effect: (So what?) _______________________________________________

Cause: (Reason for deviation)______________________________________

Statement of Action: ____________________________________________

Present Status: ________________________________________________

• Recommendation corrected during audit ____________________________
• Auditee agreed with recommendation ______________________________
• Detailed support for adjustment/correction provided to auditee ____________
• In process of implementing ________________________________________
• Auditee disagrees with recommendation/comment ______________________

Preparer signature: ____________________________

Senior Auditor signature: _______________________

Provide a copy of this completed form to auditee ASAP/Use form for the Closing Conference.

1. If recommendations are neat and well written at the time of discovery and copies given to the auditee, valuable research and input can be obtained before the closing conference. This makes the closing conference more productive as both sides are knowledgeable on the subject. Generally, the auditee is blindsided at the closing conference if recommendations have not been previously presented.

2. The procedure lends itself to better written, more factual audit recommendations because the material is fresh on the auditor's mind—preferable to writing the recommendation later in time (i.e., at the end of the audit). Strengths and weaknesses can be reconciled to improve the quality of the recommendations.

3. Why take many recommendations to the closing conference when a "climate for change" can be initiated during the course of the audit? Too many recommendations presented at one time tend to make the auditee nervous and worried about how the report is going to look to others. Tentative recommendations should be provided to the auditee periodically, once a week, and not on a daily basis.

4. If the recommendation has been resolved by the auditee during the audit, it is much more agreeable to the auditee if only mention is made summarizing items corrected during the audit.

5. The interim communication also gives the auditor a written workpaper document to use in discussing recommendations at the closing conference.

6. Once written recommendations are resolved to the degree possible, corrections should be made and submitted for typing the final report.

ii. Form Format

The form is designed to be as functional as possible, but it is limited in space to encourage factual, precise write-up of recommendations.

Recommendation/Discussion Item—A recommendation is a material exception (to corporate policy or procedures, for example) that is controllable by the auditee. The auditee is required to submit a written response to the recommendations. A discussion item is also an exception that may be material, but is not controlled by the auditee. Therefore, the auditee is not required to respond to the discussion item.

Audit—Write the name of the branch or location in the space provided to facilitate audit identification.

Subject—Identify the subject area where the exception occurred, such as payroll or accounts payable. For example:

• CAJ No.—Corporate Audit Job Number
• CAR No.—Corporate Audit Recommendation Number

Corporate Audit Job Numbers will be standardized and assigned by the audit division offices. The Corporate Audit Recommendation Number is the sequenced number of the recommendation developed as the audit work progresses. The Corporate Audit Recommendation Number is to be used as a control point.

Recommendation/Facts—Remembering that a statement of action is a call for action by management and must be written on that basis, the facts follow the attributes of a recommendation:

A. Statement of condition (what is)
B. Criteria (what it should be)
C. Effect (so what?)
D. Cause (reason for deviation)

Present Status—A space provided for comments by the auditee to elaborate on original intentions or reaction to the audit recommendation. It may only be necessary to check one of the preprinted comments such as "Recommendation Implemented During Audit."

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 7.2    REV NO:    DATE:
TITLE: Workpapers    PAGES:

[1] The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and interested parties.

7.2 Workpapers

Workpapers serve mainly to aid the auditor in conducting work and provide important support for the auditor's opinion. Such language as "Workpapers are a record ... of tests and procedures," "Workpapers, accordingly, may include work programs, analysis memoranda, letters of representation, confirmations, abstracts of company documents, schedules, and commentaries prepared by the auditor," further attempt to describe workpapers and some of their contents. Other comments, such as "Workpapers should fit the circumstances and the auditor's needs on the engagement to which they apply," are from Statement of Auditing Standards (SAS) No. 1, Section 338. Although SASs are written for public accountants, these comments are also applicable to internal auditors. For external auditors to rely on our workpapers, internal auditors must produce documents of the same quality. It is imperative that standards of compliance be established to help ensure quality workpapers.

Before preparation, give consideration to the objectives for creating your workpapers. Only information supporting your objectives should be included. Envision how the workpaper will look after it is completed. Does it appear logically organized, relevant, and neat—without half erasures, with figures and comments not crowded together? Is it complete—without loose ends that need to be addressed?

A second thought, and one that should be seriously considered, is that the IRS can and has subpoenaed internal auditors' workpapers into court. The question is, would you be embarrassed if your workpaper was made a document of the court? What if the court made an enlargement of your workpaper and it was displayed on a screen for all to see?

Other factors to consider in developing workpapers are:

• Control
• Retention
• Headings
• Permanent files: contents and format
• Current files: contents and format
• General organization
• Detailed workpaper section organization
• Indexing and cross referencing
• Referencing
• Standard tick marks

a. Control

For Corporate Audit purposes, workpapers are confidential documents used to support our conclusions. In order to maintain our independence and protect confidentiality, audit bags containing workpapers must be locked if left overnight at the auditee's office.

During working hours, workpapers should be retained in a controlled, orderly fashion. That is, they should not be left lying around the work area or left out in the auditee's office where they can be seen, handled, or misplaced by the auditee employees.

In the office, workpapers should be filed in secured cabinets. During work hours, care should be exercised ensuring that visitors do not inadvertently observe confidential information lying on desks. Prior to leaving the office, workpapers should be secured in locked cabinets or desks.

b. Retention

The retention period for both workpapers and reports is five years. If an exception arises in which the retention period is to be extended beyond this period, a notation indicating the destruction date should be boldly printed on the outside cover of the workpaper binder or on the face of the report.

c. Headings

In order to standardize Corporate Audit workpaper headings, the following information should be used for all workpapers:

Description on Workpapers                    Location of Workpapers
Name of auditee—location                     Top-Center
As-of date of audit                          Top-Center
Identification of workpaper                  Top-Center
Initials of auditor performing the work      Bottom-Right (area provided)
Initials of in-charge senior manager         Bottom-Right
Workpaper index (red pencil only)            Bottom-Right (area provided)

WORKPAPER "DOS" AND "DON'TS"

Do

1. While the audit is in progress, prepare a to-do list of points that have not been resolved.
2. Resolve points with auditee at one time during the day.
3. For those workpapers kept by hand, be neat, write legibly, use a medium-hard lead pencil, keep figures in proper columns. For workpapers on computer, develop a professional look with consistent formatting.
4. If done by hand, use a ruler; single line for subtotals, double line for totals. If done by computer, use the same guideline.
5. Avoid crowding on a single page.
6. Be accurate; be sure amounts are accurate and footings are correct. If using a computer, double-check all formulas. It is recommended that the auditor print out the worksheet formulas and audit them before relying upon them.
7. Head every workpaper (see headings above).
8. Identify the source of information on each workpaper, reference books or original entry, voucher numbers, conversations with employees, and so forth. Distinguish between fact and opinion.
9. If a workpaper is "prepared by auditee," indicate so with "PBA" on the workpaper. Indicate the name of the employee performing the task.
10. Initial and date each workpaper (printed version if using a computer).
11. Indicate analysis that requires more than one workpaper by: 1 of 5, 2 of 5, etc.
12. Adequately explain all tick marks other than the standard tick marks. Summarize explanations at the bottom of each workpaper by using a legend.
13. Use proper grammar.
14. When referring to auditee employees, spell their names and titles completely and correctly.
15. Indicate clearly the extent of tests made.
16. Write your opinions and conclusions, using care to differentiate among facts, opinions, and explanation.
17. If memoranda are done by hand: All memoranda should be prepared on memo pad paper. Skip every other line and write only to the right-hand margin line. If memoranda are done by computer, set formatting according to this guideline.
18. Write on just one side of a working paper, if done by hand.
19. Remove all items that have no value in supporting the conclusion.
20. Verify that the final figures on each workpaper agree with the lead sheets, working trial balance, and cross-reference thereto.
21. Reference and cross-reference to other workpaper and interim recommendation worksheets.
22. Leave enough space on each workpaper to clearly identify adjusting entries and comments. If using a spreadsheet, avoid using "comments" for substantive remarks; rather, add a column for remarks on the worksheet.
23. Use legal size paper; set electronic document margins to the equivalent size.
24. Use red pencil; use red fonts if the workpaper is in electronic form.

Don't

1. Do not prepare workpapers without first considering the objectives.
2. Do not follow previous audit workpapers blindly, but have a logical reason for changes.
3. Do not prepare separate income and expense account analyses when the accounts can be more effectively covered in conjunction with balance sheet items.
4. Do not leave open points or questions on your workpapers.
5. Do not merely cross over points or questions, but explain disposition.
6. Do not repeat scope of work when steps are outlined in the audit program. Indicate the audit program followed.
7. Do not make workpapers available to anyone without prior approval from the manager.

d. Permanent Files: Contents and Format

Permanent files are to be used for documents that will be needed in audits for a number of years. The binder should be labeled "Permanent Folder" and contain an index showing the contents of the folder.

Permanent files should be economical in content. They should not be cluttered with documents that cannot effectively help or provide information for future audits. Exhibit 7.6 outlines the format of the permanent file. This outline will also act as the index for the file. For example, consider A—Corporate Audit Reports/Responses. The first report entered into the permanent folder will be indexed in A-1, the second in A-2, and so on. Each document entered into the permanent file must include the date and initials of the auditor. Revisions or modifications must also be initialed and dated. Use red pencil for this purpose.

Exhibit 7.6: Permanent Files Index

Sam Pole Company

Corporate Audit Department

Permanent Folder Index

A. Corporate Audit Reports/Responses
B. Reports (Other)
C. Carry Forward Comments
D. Organization Charts/Key Personnel
E. Internal Control Questionnaire/Audit Programs
F. Contracts/Lease Agreements
G. Labor Agreements
H. Historical Information/Pictures/Nature of Business Unit
I. Correspondence (Major)
J. Excerpts from Meeting (i.e., plant, branch, board)
K. Company Directives Memoranda
L. Account Analysis
M. Other

e. Current Files: Contents and Format

The criterion for determining whether information should be included either in the permanent file or the current file is the useful life of the information. Place information into the permanent file if the usefulness of the information is longer than two years. The majority of information obtained during an audit usually applies to the current year and will only be used for comparison and guidance in the subsequent year. Accordingly, such expected useful life would be less than two years and is filed in the current file.

f. General Organization

Use the printed workpaper binder cover and back furnished by the department. Note that certain information is to be completed on the cover of the binder: company identification, contents of the binder, the names of auditors who worked on sections included in the binder, review signatures, and the name of the audit office producing the file.

Acco fasteners have 2 3/4-inch centers with 2-inch capacity. If files exceed two inches, Acco fasteners of greater capacity can be obtained.

All workpapers are to be 8 1/2 inches by 14 inches—legal size paper. If auditee documents are less than legal size, attach the document to heavy-grade legal size paper and then file it. Do not waste memo or 17-column paper for this purpose.

Create dividers by using heavy-grade paper and attaching a tab at the bottom of the sheet. A second method is to use 14-column paper as a wraparound for the individual section. The section name and indexing letter should be indicated in red at the bottom right-hand corner after the 14-column paper is folded in half.

g. Detailed Workpaper Section Organization

Each job will have a systems binder to be updated yearly. The following sequence will be utilized to organize the systems binder where the "S" denotes systems documentation work:

SA-1  Flowchart (manual/IS)
SA-2  Narrative description
SA-3  List of key reports (official report title and informal user name)
SA-4  Internal control questionnaire
SA-5  Summary of major strengths and weaknesses
SA-6  Audit approach memo
SA-7  Other systems information as needed

The compliance and substantive work for each account will be organized in the following sequence in a separate current file:

A/C           Overall scope and conclusion
A/P           Audit program
A             Lead sheets
A-1 to A-nn   Account detail (substantive testing), cycle testing (compliance testing), comments for future audits and confirmation forms: detailed audit work supporting lead sheet balances

Note: The audit procedures performed and workpapers generated should be organized in a manner deemed to be logical and expedient in the senior's judgment.

SA-1, Flowcharting. Include both the manual and data-processing flow of documents as you flowchart the system. Graphically depict the inputs, processing, and outputs of each system.

SA-2, Narrative system description. Narratives may be used to describe a system on a step-by-step basis. The narrative system description can supplement flowcharts or stand alone if it best fits the system.

SA-3, Key reports listing. The key report listing should list important reports by their official title and also by informal names used by the auditee. This listing will greatly assist the following year's audit.

SA-4, Internal control evaluation guide. The internal control evaluation guide should be developed to include only questions applicable to the section involved. "A," the cash section, should include the internal control questionnaire evaluation guides only for cash.

SA-5, Summary of major strengths and weaknesses. Once the flowchart and internal control questionnaire have been prepared, a summary of the system's major strengths and weaknesses should be prepared. This summary will aid in the development of the audit approach.

SA-6, Audit approach memo. Based on the above procedures, the auditor should have a good idea of the strengths and weaknesses of the system. The logic behind the selected audit procedures should be written up in a memorandum and included in this section.

A/C, Overall scope and conclusion. This workpaper will be the last item completed in the section, but it is the first in the organization sequence. Identify the work involved to support your conclusion—procedures such as sample size, extent of testing, and compliance with audit program. In the conclusion section, state your opinion based on the testing performed in the scope. Make references and cross-references to adjustments and recommendations or comments that were the result of your work.

A/P, Audit programs. Audit programs should include all the steps necessary to test the system and reach a logical conclusion. Such tests will include substantive tests of account balances and compliance tests of the system.

A, Lead sheets. The auditor should give advance thought to the preparation of lead sheets. Minimum information includes a comparative schedule showing account balances at the prior year audit date and the book balance for the current audit date. Also, columns are prepared for adjustments and final balances. These schedules should reference the working trial balance.

A-1 to A-NN, Account detail (substantive testing). The evidential matter is obtained through two general classes of auditing procedures: (1) tests of details of transactions and balances and (2) analytical reviews of significant ratios and trends, and the investigation of unusual fluctuations and questionable items.

A-100 to A-NNN, Cycle testing (compliance testing). The purpose of tests of compliance is to provide reasonable assurance that accounting control procedures are being applied as prescribed.

h. Indexing and Cross Referencing

Workpapers should be indexed using the prescribed standard index. Each schedule should be marked in red pencil (or font) in the designated box at the bottom right corner. The index can then be utilized throughout the files whenever a cross-indexing reference is made to that particular schedule or to an amount therein.

An index has been assigned to each major account classification. Single alpha letters are used for asset section designations. Double alpha letters are used for liabilities or capital accounts. Numbers are used to indicate accounts in the income statement. These sections will be preceded by "PL" before the number indicated later in the index sample.

The first section of the indexing system is referred to as the administrative section. The index to reference this section is "AD."

The workpaper sections will include subaccounts under the major account classification. For example, cash, the major account, also includes subaccounts of Cash in Bank, Cash on Hand, and so on. The lead sheet (indexed "A") for this section should show the applicable subaccount balances for the current period and the prior period. These columns should be footed to show the total balance in the major account. The analysis of the subaccounts should be documented on supporting schedules (i.e., A-1—Analysis of Cash in Bank, A-2—Analysis of Cash on Hand, etc.).

Occasionally, a section within a file binder may become too large to control effectively. In that instance, the section may be extended into another binder. The indexing for the extended file binder becomes X. For example, if section CC Accounts Payable becomes too large, part of the file can be stored in another file binder indexed CCX. Appropriate referencing should be indicated in the working papers.

Three separate sections have been included for the work performed on confirmations, inventory observation, and inventory compilation. The section for confirmations is to be used when the number of confirmations sent is too large to be practically included in the applicable account classification. The other two sections are to be used when a physical inventory observation and a review of the inventory compilation are included within the scope of the audit. Be sure to appropriately reference these sections in the working papers.

The following is a listing of the indexes that should be used:

Index   Description

Administrative
AD1     Copy of the audit report
AD2     Assignment checklist
AD3     Copy of financial statements
AD4     Summary memo—in-charge
AD5     Manager comments—interpretive comments, major problems and their solutions
AD6     Working trial balances
AD7     Adjusting journal entries
AD8     Analytical review and interim financial statements
AD9     Audit planning memo
AD10    Time budget
AD11    Interim audit recommendations and comments summary (AUD form 1)
AD12    Prior audit reports and follow-up
AD13    Other correspondence
AD14    As needed

Assets
A       Cash
B       Securities and other negotiable assets
C       Sales, shipping, and trade receivables
D       Inter-company receivables
E       (Used for other accounts)
F       Inventory
G       Prepaid expenses and other assets
H       (Used for other accounts)
I       (Used for other accounts)
M       Other tangible assets
S       Property, plant, and equipment

Liabilities
BB      Notes payable
CC      Accounts payable
DD      Accounts payable inter-company
FF      Compensation
GG      (Used for other accounts)
HH      Other liabilities and deferred credits
WW      Capital stock and surplus
PP      Notes and inter-company debt

Income Statement and Other
PL1     Sales and revenue
PL2     Cost of goods sold
PL3     Selling, general, and administrative expenses
X       Extended file
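The indexing rules described above (single letters for asset sections, double letters for liabilities and capital, the AD and PL prefixes, the X suffix for an extended binder, SA-n for the systems binder, and "-n" supporting schedules with 1 to 99 for account detail and 100 and up for cycle testing) are mechanical enough to check by program. The Python parser below is an added example and is not part of the manual; treating "<section>/C" and "<section>/P" as the scope/conclusion and audit program pages of any account section, and rejecting letters not assigned in the listing, are assumptions made here.

```python
"""Parser for the workpaper index scheme described in this section.

Added example, not the manual's own material.  The grammar follows the text:
'AD' + number is administrative; a single letter is an asset section; a double
letter is a liability or capital section; 'PL' + number is the income statement;
'SA-n' is the systems binder; an 'X' suffix marks an extended binder; '-n' names
a supporting schedule, 1..99 being account detail and 100+ cycle testing.
Assumption: '<section>/C' and '<section>/P' are the scope/conclusion and audit
program pages of that account section.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Section letters assigned in the index listing; anything else is rejected (assumption).
ASSET_SECTIONS = {"A", "B", "C", "D", "E", "F", "G", "H", "I", "M", "S"}
LIABILITY_SECTIONS = {"BB", "CC", "DD", "FF", "GG", "HH", "WW", "PP"}
ADMIN_MAX, INCOME_MAX, SYSTEMS_MAX = 14, 3, 7   # AD1..AD14, PL1..PL3, SA-1..SA-7

_INDEX_RE = re.compile(
    r"^(?P<section>AD|PL|SA|[A-WYZ]{1,2})"  # X is only a suffix, never a section letter
    r"(?P<num>\d+)?"                        # numeric part of AD10 / PL2
    r"(?P<ext>X)?"                          # extended-binder suffix, e.g. CCX
    r"(?:/(?P<part>[CP]))?"                 # A/C scope & conclusion, A/P audit program
    r"(?:-(?P<sched>\d+))?$"                # supporting schedule number, e.g. A-1
)


@dataclass(frozen=True)
class WorkpaperIndex:
    section: str             # AD, PL, SA, or the account section letters
    category: str            # administrative | asset | liability | income statement | systems
    number: Optional[int]    # numeric part of AD/PL indexes
    extended: bool           # True for an extended file binder (X suffix)
    schedule: Optional[int]  # supporting schedule number; None for the section itself
    kind: str                # what the page holds (lead sheet, substantive testing, ...)


def parse_index(raw: str) -> WorkpaperIndex:
    """Parse one index such as 'CCX-3' or 'AD 10'; raise ValueError when it breaks the scheme."""
    text = raw.replace(" ", "").upper()       # the listing writes 'AD 10' and 'AD10' alike
    m = _INDEX_RE.match(text)
    if not m:
        raise ValueError(f"malformed index: {raw!r}")
    section, part = m["section"], m["part"]
    num = int(m["num"]) if m["num"] else None
    sched = int(m["sched"]) if m["sched"] else None
    extended = m["ext"] is not None

    if section == "AD":
        category, limit = "administrative", ADMIN_MAX
    elif section == "PL":
        category, limit = "income statement", INCOME_MAX
    elif section == "SA":
        category, limit = "systems", None
        if num is not None or sched is None or not 1 <= sched <= SYSTEMS_MAX:
            raise ValueError(f"systems binder pages are SA-1..SA-{SYSTEMS_MAX}: {raw!r}")
    elif section in ASSET_SECTIONS:
        category, limit = "asset", None
    elif section in LIABILITY_SECTIONS:
        category, limit = "liability", None
    else:
        raise ValueError(f"section letters not assigned in the index: {raw!r}")

    if limit is not None and (num is None or not 1 <= num <= limit):
        raise ValueError(f"{section} indexes run {section}1..{section}{limit}: {raw!r}")
    if limit is None and section != "SA" and num is not None:
        raise ValueError(f"account sections take '-n' schedules, not bare numbers: {raw!r}")
    if part and (sched is not None or extended or category not in ("asset", "liability")):
        raise ValueError(f"/C and /P apply only to an account section itself: {raw!r}")

    if part == "C":
        kind = "scope and conclusion"
    elif part == "P":
        kind = "audit program"
    elif category == "systems":
        kind = "systems documentation"
    elif sched is None:
        kind = "lead sheet" if category in ("asset", "liability") else category
    elif sched >= 100:
        kind = "compliance testing"   # A-100 to A-NNN: cycle testing
    else:
        kind = "substantive testing"  # A-1 to A-NN: account detail
    return WorkpaperIndex(section, category, num, extended, sched, kind)


def supports_lead_sheet(schedule_index: str, lead_index: str) -> bool:
    """True when schedule_index is a detail schedule supporting lead sheet lead_index.
    The extended binder keeps the same section, so CCX-3 still supports CC."""
    sched, lead = parse_index(schedule_index), parse_index(lead_index)
    return lead.kind == "lead sheet" and sched.schedule is not None and sched.section == lead.section


if __name__ == "__main__":
    for sample in ("AD 10", "A", "A/C", "A-1", "A-120", "CCX-3", "PL2", "SA-4"):
        print(f"{sample:8} -> {parse_index(sample)}")
```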

i. Referencing

Normally, detail sub-schedules support the amounts shown on the lead schedules. Also, the lead schedules support the amounts shown on the trial balance. These workpapers should be cross-referenced to one another. Referencing should be done by inserting the page index next to the corresponding amount. Writing the page index to the right of the amount indicates "going to" a certain page. Writing a page index to the left of the amount indicates "coming from" a certain page. The referencing of final totals (double underscored) may be done by inserting the page index directly below the applicable amount.

When referencing on the same page, either a circled number or a circled capital letter should be used. A circled number is used when referencing a number to a number. A circled capital letter is used when referencing a number (or any other section or symbol on the workpaper) to a note. All referencing should be done in red pencil (or font if electronic).

j. Standard Tick Marks

Standardizing certain tick marks will result in uniformity and time saving for the preparer and reviewer by duplicating the tick marks and writing one explanation. Tick marks should be simple in design. Always explain tick marks in a legend located in the workpapers. Use a "Standard Tick Mark Sheet" to explain standard tick marks. Basic tick marks should be placed after the figure being checked. Prepare all tick marks in red pencil (or font if electronic).

Standard tick marks are as follows:

F (under number)        footed
F (to right of number)  cross-footed
T/B                     agreed to trial balance
G/L                     agreed to general ledger

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 7.3    REV NO:    DATE:
TITLE: Audit Objectives    PAGES:

7.3 Audit Objectives

As described in Chapter 6 of this manual, the Corporate Audit Department may be responsible for conducting a variety of different types of audits. These types of audits may have different overall objectives that the auditor must satisfy through the performance of audit procedures.

The most common type of audit for which auditors are responsible is the financial audit. Broadly described, the overall objective of a financial audit is to assure that the financial statements are fairly stated, that they are in conformity with Generally Accepted Accounting Principles (GAAP), and that the accounting principles that were applied are consistent from year to year. In order to satisfy this overall objective, it is necessary to satisfy specific objectives that apply to the various accounts that comprise the financial statements. The following is a listing of objectives that apply to the various audit areas (accounts) that normally are included in a financial audit. This listing is not all-inclusive, and all of the objectives may not apply in every circumstance. They should be used as a guide and should be included, excluded, and/or modified as dictated by the audit situations encountered. The list provides examples of assessing the five major management assertions in financial statements: existence or occurrence, rights and obligations, presentation and disclosure, valuation or allocation, and completeness.

Cash

Cash recorded properly represents cash and cash items on hand, in transit, or in banks.• Adequate disclosure is made of restricted or committed funds and of cash not subject to immediatewithdrawal.

All receipts are properly identified, deposited, and recorded.• There is a proper accounting for all inter-company and inter-bank transfers.• All bank accounts and cash on hand are subject to effective custodial accountability procedures andphysical safeguards.

Receivables

Recorded receivables exist and are carried at net collectible amounts.• All collections are properly identified, control totals are developed, and collections are promptlydeposited.

Billings and collections are properly recorded in individual customer accounts.• Allowance for doubtful accounts is adequate.•

Inventories

• Periodic physical inventories, or cycle counts, are taken and are valued in accordance with company policies that are in accordance with GAAP.
• The quantities properly represent products, materials, and supplies on hand, in transit, in storage, or on consignment that belong to the company.
• All receipts, transfers, and withdrawals of stock are properly and accurately recorded.
• All production activity and costs are properly and accurately reported and maintained in up-to-date cost records.
• The items are priced in accordance with GAAP, consistently applied, at the lower of cost or market.
• Excess, slow-moving, obsolete, and defective items are reduced to net realizable values.
• Adequate provision for losses on purchases or sales commitments exists.
• The ending inventories are determined as to quantities, prices, computations, excess stocks, and so on, on a basis consistent with the inventories at the end of the preceding year.

24 Chapter 7: Audit Performance


Investments

• The physical evidence of the ownership of investments is on hand or held in custody or safekeeping by others for account of the company.
• The basis on which the investments are stated conforms to GAAP and is consistently applied.
• All purchases or sales are initiated by authorized individuals and are properly approved.
• Income from investments is accounted for properly.

Fixed Assets

• All recorded assets exist.
• The basis upon which the property accounts are stated is proper, conforms to GAAP, and has been consistently followed.
• All productive asset transactions are initiated by authorized individuals after advance approval has been obtained.
• The additions during the period under audit are proper capital charges and represent actual physical property installed or constructed.
• Adequate cost records are maintained for all in-progress and completed projects.
• Physical inventories of recorded productive assets are taken at periodic intervals.
• Depreciation charged to income during the period is adequate but not excessive, and has been computed on an acceptable basis consistent with that used in prior periods.
• The balance in accumulated depreciation accounts is reasonable, considering the expected useful lives of the property units and possible net salvage values.

Other Assets

• Recorded prepaid and deferred expenses represent proper charges against future operations.
• The additions during the audit period are proper charges to those accounts and represent actual cost.
• Amortization or write-offs against revenues in the current period, and to date, are reasonable under the circumstances, and have been computed on an acceptable basis consistent with prior periods.

Purchasing, Accounts Payable, and Disbursements

• All costs are properly recorded and classified as expense, inventory, fixed assets, and other assets.
• All purchase requisitions are initiated and approved by authorized individuals.
• All material and services received agree with original purchase orders.
• All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices, extensions, and account distributions.
• All checks are prepared on the basis of adequate and approved documentation and are compared with supporting data.
• All checks are properly approved, signed, and mailed.
• All disbursements are properly recorded.
• All accrued expenses relate to goods and services received as of the end of the fiscal period.

Notes and Loans Payable

• All amounts owed are properly recorded.
• Accrued interest is recorded.
• Compliance with all provisions of loan agreements has occurred.
• All debt transactions are initiated by authorized individuals and are approved by the Board of Directors or executives to whom this authority has been delegated.

Chapter 7: Audit Performance 25


Capital Stock and Surplus

• The capital stock and surplus accounts are properly classified, described, and stated in accordance with GAAP, and are not in conflict with the requirements of the corporate charter (or articles of incorporation) or with the applicable statutes of the state of incorporation.
• Transactions in the capital stock and surplus accounts during the audit period are properly authorized or approved where necessary, and are recorded in accordance with GAAP.

Revenues, Costs, and Expenses

• Reported revenues, costs, and expenses are properly applicable to the accounting period under examination.
• Reported revenues and applicable costs are recorded on a timely basis.
• Charges to customers are for valid claims for sales rendered in accordance with established pricing policies.
• Costs and expenses are properly matched with revenues.
• Recognition has been given to revenues, costs, and expenses (including losses) which should be so recognized.
• Revenues, costs, and expenses are appropriately classified and described in the statement of income.

Payroll

• Compensation costs reflect the aggregate cost of employee services during the period and are distributed to appropriate inventory and expense accounts.
• Compensation rates are in accordance with applicable union agreements and/or approved rates.
• Additions, separations, wage rates, salaries, and other deductions are authorized and recorded on a timely basis.
• Employee time and attendance data are properly reviewed, approved, and processed on a timely basis.
• Payroll deductions are determined in accordance with legal requirements or employee authorizations and are paid to the government, unions, and other specified parties in a timely fashion.
• Payments for compensation and benefits are made only to bona fide employees.
• All authorized employee benefit plans and related costs are appropriately controlled and administered.

Travel and Entertainment Expense

• All expenses recorded must be "ordinary," meaning "customary and usual" within the experience of the particular community.
• All expenses recorded must be "necessary," meaning "appropriate and helpful" for the development of the entity's business.
• Sufficient documentation must exist. Specifically, the amount, time, place, business purpose, and business relationship of the entertained party must be recorded.
• Reimbursements to employees must be fully accountable, so as not to be considered compensatory. If any reimbursements are compensatory, appropriate tax information must be retained.

Endnote

1. The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and interested parties.

26 Chapter 7: Audit Performance


Chapter 7: Audit Performance 27


28 Chapter 7: Audit Performance


Chapter 8: Audit Reporting

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 8.1 REV NO: DATE:

TITLE: Corporate Audit Report Process PAGES:

8.1 Corporate Audit Report Process

The Corporate Audit Report is perhaps the most significant product of the audit function. The procedures contained in this section of the manual are designed to help ensure that the best possible quality product is prepared.

The objectives of the report process include:

• To ensure the development of comprehensive and accurate reports
• To provide guidelines resulting in timely issuance of final reports
• To provide the opportunity to convey additional related information to readers of the report

Since the audit report is the most significant product issued by the Audit Department, the report format should be carefully considered. It is the policy of Sam Pole Company to issue a summary-and-detail report for each significant audit completed. The purpose of the summary report is to provide, in brief presentation format, the essence of the scope and results of the audit. It also allows for a profile section to convey additional information of interest to the Audit Committee and senior management. The thoughtful and creative use of the profile section provides a vehicle for the Audit Department to convey information beyond the negative reporting process that is inherent in internal auditing. To put it another way: the use of the profile section enables us to convey information that may contribute positively to the management of the corporation. In some instances, this information would be basic financial or operational data, which helps put the audit results in the proper context. Detailed descriptions of the summary and detailed report formats, with examples, are contained in other sections of the manual.

The reporting process begins with the draft audit comments and follows through to the issuance of reports and the report to the Audit Committee (if appropriate). The corporate audit reporting process matrix, Exhibit 8.1, summarizes the activities contained in this process.

Exhibit 8.1: Corporate Audit Reporting Process Matrix

Activities (the columns of the matrix):
(1) Assign No. Draft Comments
(2) Assign No. Report Distribution Worksheet
(3) Draft Reports
(4) Draft to Auditee
(5) Inclusion of Auditee Comments
(6) Issue Final Report to Management
(7) Open Audit Results and Comments
(8) Follow-Up/Compliance Audit (One Year)
(9) Audit Committee Status Report

PURPOSE: (1) Document audit findings, comments, and recommendations for review, approval, and resolution; (2) Log/track report preparation and distribution; (3) Formalize audit conclusions, findings, comments, and recommendations for review, approval, and reporting; (4) Obtain agreement on facts and circumstances, substance, and materiality of issues for audited entity; (5) Incorporate auditee responses into draft reports; (6) Apprise Audit Committee of audit results; (7) Identify comments to be addressed and provide an agreed-upon plan of action; (8) Document and review resolution of audit findings; (9) Apprise Audit Committee of status of audit results and updates.

TIMING: (1) As disclosed or periodically during audit; (2) Regularly from completion of field work to issued report; (3) In office upon completion of field work; (4) Within two weeks following exit conference; (5) Within 30 days following receipt; (6) Promptly upon reply and resolution of Director of Auditing consideration; (7) 30 days following transmittal of final report; (8) Within five days following due date; (9) 30 days following transmittal of status report.

PREPARED BY: (1) Staff or Senior; (2) Senior; (3) Senior; (4) Senior; (5) Senior; (6) Manager; (7) Auditee; (8) Senior/Manager; (9) Manager.

REVIEWED BY: (1) Senior or Manager; (2) Manager; (3) Manager; (4) Manager; (5) Director of Auditing; (6) Senior/Manager; (7) Manager after Senior; (8) Manager; (9) Director of Auditing.

RESPONSIBILITY: (1) Senior or Manager; (2) Senior; (3) Senior/Manager; (4) Manager; (5) Manager; (6) Manager; (7) Manager; (8) Manager; (9) Manager.

CONTENTS/DOCUMENTATION (in column order; not every activity has an entry): Per tentative recommendations worksheet; Per distribution worksheet; Develop comments into summary and detailed reports (see AU/ED); Auditee comments and responses; Revise detailed reports for auditee responses, comment in summary report on responses; Audit report to Audit Committee; Status report to Audit Committee.

DISTRIBUTION: (1) Manager; (2) Manager; (3) Manager; (4) Financial official at audited unit, manager; (5) Comptroller and Chief Accountant of audited entity; (6) (See Distribution Section AU/ED); (7) IA Manager; (8) Manager; (9) Audit Committee, Comptroller, Chief Accountant of audited entity.

DISTRIBUTION (continued): (1) Audit workpapers; (2) Audit workpapers; (3) Audit workpapers; (4) Audit workpapers; (5) Audit workpapers; (6) Corporate Secretary; IA Manager, workpapers; (7) Workpapers; IA Manager, Audit Committee files; (8) Audit workpapers; (9) Audit workpapers; IA Manager, Policy Committee.

Chapter 8: Audit Reporting 1

a. Draft Reports

The audit report process begins with a review of the tentative audit recommendations worksheets prepared during the audit performance process. Each individual page contains comments accumulated during the audit process. These pages will have been preliminarily reviewed by the auditee during the audit process. The manager will review all comments in conjunction with his review of the workpapers, ensuring that all comments are adequately supported. Within approximately one week from the completion of the audit field work—or the closing conference of the audit team—the audit manager or his designee will draft an audit finding and recommendation for each of the tentative audit recommendation worksheets. These comments will then form the basis of the detailed audit report draft.

The audit manager will begin the preparation of the summary audit report. Information regarding the scope and highlight sections will be based on information contained within the planning, status, and summary memos as well as the detailed finding and recommendation report. The Director of Auditing will review the draft and provide input.

2 Chapter 8: Audit Reporting


b. Draft to Auditee

Various practices regarding distribution of draft audit reports to auditees exist within the internal auditing profession. The trade-off issues involve the interest in accuracy and fair presentation versus the issue of timeliness. Some audit departments believe that timeliness is not the most critical factor, and obtaining input from auditees and incorporating it in the audit report provides for increased accuracy and a more level "playing field." Still other audit departments believe that the function of the audit is to issue comments as soon as possible, and they bypass or reduce the auditee review process. The auditee will then issue a response and discussion of implementation plans.

The policy of Sam Pole Company is to review comments with the auditee as they are developed. Once the audit draft has been developed, the draft is forwarded to the auditee for review. Auditees will have two weeks to review the comments and prepare a paragraph detailing their actions or position on the comment.

Exhibit 8.2 provides an example of a transmittal of the report draft to the audited entity, and Exhibit 8.3 is an example of a transmittal of the report to senior financial officials.

Exhibit 8.2: Transmittal of Report Draft to Audit Entity Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Corporate Audit Report Draft

The enclosed draft of a report on the recently completed [kind of audit] at [audit location] is for limited distribution to you and the Audit Director.

Please review the draft to confirm (or not) that the recommendations and comments agree with those presented to and discussed with you at the closing audit conference. Also include your response in one or two paragraphs for inclusion in the detailed audit report. Please reply to me or [designate] by phone by [date], so that we may proceed to issue the final report.

/S/ Manager

Enclosures

cc: Audit Director

Exhibit 8.3: Transmittal of Report Draft to Senior Financial Officials Example

Date: [date]
To: J.K. Smith
From: L. Gordon
Subject: Corporate Audit Report Draft

The enclosed draft of a report on the recently completed [kind of audit] at [audit location] has been reviewed with [financial official] at [audited entity], who is in agreement with the content of the report and detailed comments.

I would appreciate receiving your comments, if any, by [date] on the issues discussed in the report so that we may proceed to issue the final report at the next meeting of the Audit Committee.

Chapter 8: Audit Reporting 3


/S/ Audit Manager

Enclosures

cc: Audit Director

c. Inclusion of Auditee Comments

In the example here, the auditees' responses have been incorporated into the audit report. Upon receipt of the auditee's comments, the Audit Manager will review them and integrate them into the draft audit report. The revised draft, with the auditee comments clearly identified, will be provided to the Director of Auditing for review. The Director of Auditing, upon satisfaction with the foregoing steps, will approve the final audit report for issuance. The Audit Manager will be advised of any final changes to the report and will have the report dated, processed, and transmitted in final form for signature and reproduction.

i. Audit Report Responses

The objectives of monitoring audit report responses are:

• To provide a framework to monitor, obtain, and evaluate such responses from audited units
• To enable the Director of Auditing to report on the adequacy of responses to, as appropriate, senior management and the Audit Committee

Each auditor will develop and implement procedures to attain the objectives outlined above and ensure that the total audit process is completed for both this department and the public accountants.

In cases when audited units have not responded within the prescribed period of time, standard 30-day (overdue reports) and 60-day (delinquent reports) letters are to be issued by the affected auditor and Director of Auditing, respectively. (See Exhibits 8.4 and 8.5.)

Exhibit 8.4: Overdue Response to Audit Report—30-Day Letter Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report

[The Corporate Audit Department]/[public accountants] issued its report, dated _____________, on the results of its examination [covering internal accounting controls]/[of balance sheet accounts]/ of [______________________] for the period ended _____________ [date].

This letter is to remind you that a written response to the audit report is due no later than 30 days following the report transmittal date. Please advise when we can expect your response.

Audit Manager

cc: Audit Director

Public Accountants (if appropriate)

4 Chapter 8: Audit Reporting


Exhibit 8.5: Delinquent Response to Audit Report—60-Day Letter Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report

Sixty days have now passed since [The Corporate Audit Department]/[public accountants] issued its report, dated ______________, on the results of its examination [covering internal accounting controls]/[of balance sheet accounts]/ of [_____________________] for the period ended ______________ [date].

You will recall that ____________, our manager in _______________, reminded you one month earlier that corporate policy requires a written response to the audit report no later than 30 days following the report transmittal date.

In the event you have compelling reasons for not responding, please call me or _____________ immediately. Otherwise, we expect your response within a week's time. My responsibilities to the Audit Committee and senior management require regular reports on the adequacy and timeliness of responses to audit reports.

Audit Manager

cc: Audit Director

Public accountants (if appropriate)

In addition to monitoring and accounting for responses, each manager is responsible for evaluating them to determine that satisfactory management action has been or will be taken. Evaluation of responses is to be documented in the workpapers or, when pertinent, advised in writing to the public accountants.

Management recommendations issued by the public accountants require similar responses from appropriate division or department management. A letter should be sent to the appropriate auditee which includes the company policy on responding to comments by public accountants and includes the public accountants' comments or is a transmittal for the comments. (See Exhibit 8.6.)

Exhibit 8.6: Transmittal of Policy on Reports of Public Accountants

Date: [date]
To: Division or Department Manager
From: Audit Director
Subject: Reports of Independent Public Accountants

Purpose

This memorandum provides additional procedures implementing the policy covering the distribution of reports of independent accountants and, when required, management responses to them.

Policy

The Sam Pole Company auditing policy states the following:

Audit findings, recommendations and other matters deemed to be significant by the public accountants are reported directly by them to the Audit Manager, Chief Financial Officer, and the Audit Committee.

Chapter 8: Audit Reporting 5

The policy further requires with respect to management responses:

A prompt formal written response to the Audit Manager, covering internal control and management recommendations made by both the public accountants and corporate auditors. Responses are due no later than 30 days following the date of the auditor's report and in the format as shown on attached Exhibit 8.7.

Insert comments here or note regarding attachment of comments from public accountants.

Subsequent audit procedures to test completed/proposed corrective action should be adequately documented and outlined for performance by either Corporate Audit or the public accountants. When responses do not deal satisfactorily with audit recommendations, the auditor should advise the auditee and Audit Manager, in writing, concerning additional audit requirements and resolution of the issues. Exhibit 8.7 is the standard form on which the audited unit should reply. These should be sent to the unit along with the final report.

Exhibit 8.7: Audit Response Example

Company: ________________________________________________________

Operating Unit: ___________________________________________________

Audited By: ______________________________________________________

Submitted By: ____________________________________________________

NO. RECOMMENDATION IMPLEMENTATION RESPONSIBLE PERSON TARGET DATE

ii. Additional Procedures

The following amplifies the policies covering the distribution of public accountants' reports and related responses to ensure that they are distributed properly:

Reports of Independent (Public) Accountants
• Reports on internal control recommendations are issued to the individual with overall responsibility for the location under audit (i.e., President, General Manager, Plant Manager) and the Chief Financial Officer. Copies are distributed to the Vice President and Comptroller, the Secretary (for the official company record), and the Audit Manager.

Management Responses
• Audited entities respond in writing to internal control recommendations in accordance with the aforementioned policy. The response is addressed to the Director of Auditing, with copies to the Vice President and Comptroller, other key financial officials and the public accountants.

6 Chapter 8: Audit Reporting

The additional procedures outlined above enable implementation of effective and consistent practices to monitor and report on the results of audits by public accountants in the United States and other countries.

d. Issue Final Report to Management

After approval by the Director of Auditing, the final report will be distributed in accordance with the distribution policy discussed in the following sections of the manual. It should be noted that there will be different levels of distribution for the summary and detailed reports. However, anyone receiving the summary report can request a copy of the detailed report.

i. Audit Report Format

The audit report and the detailed recommendations and comments section have a standard format that will be adequate for writing most reports. There may be times when it will be appropriate to deviate from the standard format. These instances must be discussed with the manager before proceeding. Exhibit 8.8 is an example of an audit report.

Exhibit 8.8: Corporate Audit Report Example

Company Location:
Audit Date:
Audit Manager:
Date Completed:
Audit Office:
Auditors:
Date of Report:

The Audit Committee

Sam Pole Company

This report summarizes the results of our audit of the company's accounting records and selected internal control procedures. Detailed recommendations and comments, after review with local management, were provided to the local accounting personnel for written responses to this office, and to other key officials, and to the public accountants for their information.

Sam Pole Company Profile

The manufacturing plant produces approximately NNN square yards of carpet tile per month. Comparative operating data are as follows:

                        2002        2003
Sales                   $xxx,xxx    $xxx,xxx
Cost of Sales           xxx,xxx     xxx,xxx
Inventory               xxx,xxx     xxx,xxx
Sales Backlog           x,xxx       x,xxx
Number of Employees     xxx         xxx

Scope of Audit

Our examination included a review and evaluation of accounting systems, internal control procedures, and tests of account balances.

Chapter 8: Audit Reporting 7


Conclusion

In our opinion, internal controls are adequate, and account balances, as adjusted, are fairly stated in all material respects. Quantities of inventory on hand December 31, 200x, are fairly stated. Weaknesses outlined in the detailed recommendations and comments provided to local management did not have a material effect on the account balances at December 31, 200x.

Summary

The significant matters discussed in the detailed report include the following:

• A Disaster Recovery Plan should be developed for the data processing operation.
• Procedures to ensure that computer program changes are properly authorized should be developed.
• Documentation for significant computer applications is weak and should be improved.

Manager

Internal Audit Department

Distribution:

Headquarters

President

Chief Financial Officer

Local President

Local Accountant

ii. Standard Format

I. Audit Report—Summary
Heading
Salutations
Lead Paragraph
Profile
Scope
Conclusion
Summary
Manager's Signature
Distribution

II. In-Depth Recommendations and Comments—Detail
Cover Page (Optional)
Heading
Lead Paragraph
Categories
Recommendations
Comments
Discussion Items
Manager's Signature
Exhibits (Optional)

I. Audit Report—Summary

Heading. The heading is preprinted on the Corporate Audit Report form. Company/location, Audit Date, Audit Office, and Audit Manager are all self-explanatory.

Date Audit Completed. The date of the closing conference or last day of fieldwork, whichever is later.

8 Chapter 8: Audit Reporting


Auditors. All auditors who participated in the audit. Use the first two initials in all names.

Date of Report. The date the report is issued for distribution.

Salutation. This item will generally be addressed as follows:

The Audit Committee

Sam Pole Company

Lead Paragraph. The lead or introduction paragraph indicates to the Audit Committee that this report is a summary of the results of our audit or review. It refers to the detail section, noting that recommendations and comments have been discussed with local management and require a response. It also states that the detail has been distributed to key officials and the public accountants.

It should not be necessary to restate the auditee's name or dates, because this information is included in the heading.

Profile. "Profile" is generally preceded by "plant, company, or department," which refers to the auditee. The profile section is intended to be informative to the reader. In some instances, the reader has not had the opportunity to visit the auditee's facility. The profile section should be designed to be a "stage setter" for the reader. It should help the reader visualize the entity, number of employees, production, or implications of adjustments attributable to company size. The profile, as the situation warrants, may be excluded or contain a narrative description or financial schedules.

The profile should not dominate the report. Instead, it should be limited in size to approximately one informative paragraph. Comparative financial information, if included, should not leave the reader with unanswered questions. Significant variations should be explained.

Keep in mind that the profile should not detract from the purposes of the report, which are the summary, scope, and conclusion sections.

Scope. The scope section has two principal functions. One is to identify exactly what was done during the audit and the second is to delineate in writing that which was not done.

The scope should clearly state, for example, that the work was limited or restricted to the payroll system. If internal controls were reviewed on certain systems, but not others, it must be clearly indicated. A general statement such as "we reviewed the plant's systems of internal controls" is not specific to the reader and leaves the audit open for question later. To state that "certain" systems were reviewed is better, but not as good as indicating that specific systems such as payroll, accounts payable, and accounts receivable were not reviewed. Clearly stating what was done in the audit leaves no doubt as to what was not done. In certain situations, it may be necessary to clearly qualify the scope section by saying, "we did not review, test, etc."

Conclusion. The conclusions can only be written on the basis of the work performed in the scope section and subject to the major exceptions contained in the summary section. No new or additional information can be interjected into the conclusion that has not been specifically stated in these two areas (scope and summary).

The auditors should conclude or state their opinion on the fairness of the account balances, financial statements, the adequacy of internal controls, or the reliability of systems.

Summary. The summary component summarizes the detailed recommendations and comments section of the report. The detailed recommendations and comments section does not accompany the audit report issued to the Audit Committee. Therefore, the summary never contains information not published in the detailed recommendations and comments section.

Chapter 8: Audit Reporting 9

Of the five attributes that are used as a basis for writing a recommendation, only a statement of condition and a statement of action are used to write the points of the summary.

The summary only includes major or material exceptions resulting from the audit. Considerable thought should be given to what is included in the summary and, second, to how it is written. Problems may arise if the auditor overreacts or improperly states the situation. Therefore, the summary may indicate that an audit disclosed no material weaknesses. Other recommendations and comments that are not considered "material" should be addressed in the summary by referring to them in total as one item covered by a few sentences.

Statements of action for summary items may either be included with the summary items individually or prepared in a trailing paragraph after the last summary item.

Discussion items may be included in the summary if material. Because discussion items are written with the same attributes as recommendations, the statement of condition and statement of action will be included. Discussion items are generally only used when auditees object to recommendations on the grounds that they have no control over the subject. If auditors feel strongly that the item should be included in the report, the discussion item approach is a way around the situation. Discussion items do not require a response from the auditee, but still communicate the problem to management and the Audit Committee.

Examples of summary items are as follows:

Accrued payroll was understated $1 million at December 31. It was recommended that management investigate and adjust the account. This account was adjusted January 7, 200x.

Contract terms covering sales of real estate should be reviewed by counsel and entries properly recorded in accordance with Generally Accepted Accounting Principles (GAAP).

Fifty thousand dollars were lost due to weak internal controls in the data processing area. We recommend system changes to help prevent future occurrences.

Manager's Signature. The Audit Manager is responsible for the review and signing of the audit report issued to the Audit Committee of the Board of Directors. He may assign this responsibility to others under certain circumstances.

Distribution. The distribution is a multi-step process. After the report is written in draft form, a copy is sent to the Director of Auditing and the auditee simultaneously. A specially designed cover letter is used to convey the drafts to the auditee. This cover letter indicates that the draft has been sent to the auditee first for comments and that time is of the essence.

The second step toward distribution, after review and corrections are accomplished, is to send the draft to the Corporate Controller and Director of Auditing, or the next level of authority over the auditee.

After the drafts clear the second step and adjustments or corrections are made, it may be necessary to send a copy to the auditee and Director of Auditing a second time. Otherwise, the report is ready for distribution. Standard distributions for the report consist of:

• Sam Pole Company
  ♦ Audit Committee
  ♦ Chief Operating Officer

• Company Level


  ♦ Director of Auditing
  ♦ Chief Financial Officer

• Division/Branch/Department (as applicable)
  ♦ Branch Manager/Division President
  ♦ Comptroller
  ♦ Chief Accountant, etc.

• Public Accounting Firm
  ♦ Partner
  ♦ Manager

II. In-Depth Recommendations and Comments—Detail

This section is issued with the audit report, but is not distributed to everyone on the distribution list. See distribution of the audit report in a prior section. Because this section may become separated from the audit report, it must be written to stand alone as an independent document. Exhibit 8.9, "Corporate Audit Detail Recommendations and Comments," presents an example of this report.

Exhibit 8.9: Corporate Audit Detail Recommendations and Comments Example

SAM POLE COMPANY

Corporate Audit

Recommendations & Comments

December 31, 200x

These detailed recommendations and comments supplement our report to the Audit Committee, in which we concluded that account balances as adjusted were fairly stated in all material respects and controls were adequate at December 31, 200x. These detailed recommendations and comments were reviewed with appropriate levels of management and, in accordance with corporate policy, are subject to their written response.

Disaster Recovery

In the event of an emergency or disaster in which the AS/400 system is not available for long-term use, there are no contingency plans in effect for the continuance of processing on the AS/400. This weakness could result in a delay of processing transactions and have an adverse effect on business operations.

Recommendations/Comments

• We recommend that management initiate efforts to develop a Disaster Recovery Plan. In the event that the AS/400 System is disabled, contingency plans would then be in place to allow continued processing at an off-site facility. A Disaster Recovery Plan should meet the following criteria:


  ♦ To identify a location for further processing. This site could be a cold site in which a third party has another AS/400, which the company would have access to, or an arrangement with IBM that would permit them to be provided with another AS/400 on short notice.
  ♦ A list of contacts and responsibilities in the event of emergency.
  ♦ A list of programs and data files needed for recovery, including a ranking of critical applications and an adequate method of creating, testing, and storing data backups.
  ♦ Detailed instructions on execution of a Disaster Recovery Plan.

Program Change Control

Program change control is not formally addressed. Requests for changes to programs should be authorized by user departments. To be properly controlled, a formal authorization form should be developed, indicating the reason for the change, user approval to initiate the project, and final sign-off. Only properly authorized, changed programs should be placed into production libraries.

Recommendation

• All program change requests should be properly authorized in writing by the manager or supervisor of the user departments. When the program change has been made, the manager or supervisor of the user department should sign the program change form, signifying that the program has been changed according to the original instructions. The program change form should then be filed in numerical sequence. A copy of the program change form should also be filed with the system's documentation such that a record of each change made to the system is kept in chronological sequence.
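The control described above can be tested by reconciling what was moved into production libraries against the filed change forms. The following Python script is an added example, not code from the book or from the Sam Pole Company manual; the form fields follow the recommendation (reason, user approval to initiate, final sign-off, numerical sequence), while the program names, people, dates and the production move log are constructed sample data.

```python
"""Reconcile production program changes against change-control forms.

Added example, not the book's code. The form fields follow the
recommendation above (reason, user approval to start, final user sign-off,
numerical sequence); the records themselves are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ChangeForm:
    number: int                    # sequential form number
    program: str                   # program the form authorizes changes to
    reason: str
    user_approval: Optional[str]   # manager/supervisor who approved starting the work
    final_signoff: Optional[str]   # manager/supervisor who confirmed the finished change
    signoff_date: Optional[date]


@dataclass(frozen=True)
class ProductionMove:
    program: str                   # program placed into the production library
    moved_on: date
    form_number: Optional[int]     # None when the move carried no form reference


# Constructed sample records (hypothetical programs and names).
FORMS = [
    ChangeForm(1, "PR100", "Update withholding rate table", "J. Doe", "J. Doe", date(2000, 3, 4)),
    ChangeForm(2, "GL210", "Add cost-center validation", "A. Smith", None, None),
    ChangeForm(4, "AP300", "Change vendor remittance format", None, "B. Lee", date(2000, 3, 6)),
]

MOVES = [
    ProductionMove("PR100", date(2000, 3, 5), 1),     # authorized, signed off before the move
    ProductionMove("GL210", date(2000, 3, 6), 2),     # moved before the user signed off
    ProductionMove("AP300", date(2000, 3, 7), 4),     # form never approved by the user department
    ProductionMove("AR020", date(2000, 3, 8), None),  # no form at all
    ProductionMove("PR100", date(2000, 3, 9), 4),     # form 4 belongs to a different program
]


def reconcile(forms, moves):
    """Return the exceptions an auditor would report, keyed by category.

    Every program move into production must reference a form whose program
    matches, that carries user approval, and whose final sign-off predates
    the move. Gaps in the numerical sequence flag missing or unfiled forms.
    """
    by_number = {f.number: f for f in forms}
    exceptions = {
        "no_form": [],
        "program_mismatch": [],
        "not_authorized": [],
        "moved_before_signoff": [],
        "numbering_gaps": [],
    }
    for move in moves:
        form = by_number.get(move.form_number)
        if form is None:
            exceptions["no_form"].append(move.program)
            continue
        if form.program != move.program:
            exceptions["program_mismatch"].append(move.program)
            continue  # the referenced form does not cover this program at all
        if not form.user_approval:
            exceptions["not_authorized"].append(move.program)
        if form.signoff_date is None or form.signoff_date > move.moved_on:
            exceptions["moved_before_signoff"].append(move.program)
    numbers = sorted(by_number)
    if numbers:
        exceptions["numbering_gaps"] = [
            n for n in range(numbers[0], numbers[-1] + 1) if n not in by_number
        ]
    return exceptions


def change_history(forms, program):
    """Chronological record of signed-off changes to one program, the copy the
    recommendation says should be filed with the system documentation."""
    signed = [f for f in forms if f.program == program and f.signoff_date]
    return [(f.number, f.signoff_date, f.reason)
            for f in sorted(signed, key=lambda f: f.signoff_date)]


if __name__ == "__main__":
    for category, programs in reconcile(FORMS, MOVES).items():
        print(f"{category}: {programs}")
```

Run against the constructed data, the script reports one exception in each category: a move with no form, a move citing a form filed for a different program, a form lacking user approval, a move made before the user's sign-off, and a gap at form number 3. A real change-management export would replace the constructed MOVES list; the checks themselves do not change.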

Documentation

Good documentation of computerized applications is necessary to document the methods and formulas utilized in the computer operation, to provide a tool to train new personnel, to provide operators with instructions, and to assist programmers with systems development and program modification work.

We believe documentation is an important area and should be implemented. This process may require management support for the development of a plan to document systems by certain key target dates. We suggest that documentation along the following lines be considered:

Systems documentation includes:

  ♦ System description
  ♦ System flowcharts, showing the flow of data through the system and the relationship between processing and computer steps
  ♦ Input descriptions
  ♦ Output descriptions
  ♦ File descriptions
  ♦ Copies of authorizations and their effective dates for system changes that have been implemented.

Program documentation consists of:

  ♦ Brief narrative description
  ♦ Flowcharts
  ♦ Source statements or parameter listings
  ♦ Control features
  ♦ File formats and record layouts
  ♦ Record of program changes
  ♦ Input/output formats
  ♦ Operating instructions.


Operation documentation includes:

  ♦ Descriptions of functions
  ♦ Inputs and outputs
  ♦ Sequence of cards, tapes, disks, and files
  ♦ Setup instructions and operating system requirements
  ♦ Operating notes listing program messages, halts, and action to signal the end of jobs
  ♦ Control procedures to be performed by operations
  ♦ Recovery and restart procedures
  ♦ Estimated normal and maximum run-time
  ♦ Instructions to the operator in the event of an emergency

User documentation consists of:

  ♦ Description of the system
  ♦ Error correction procedures
  ♦ List of control procedures and an indication of who is responsible for performing those procedures
  ♦ Cutoff procedures for submission of data to the data processing department
  ♦ Description of how the user department should check reports for accuracy
  ♦ Application analyst support (i.e., name of contact)
  ♦ Impact on operations (i.e., resources consumed, response time, turn-around time, elapsed time, manual labor time, user training/impact)
  ♦ Testing plan (i.e., individuals responsible and titles, testing schedule, test results)
  ♦ Authorization (i.e., data center approval, programmer and project manager, quality assurance, and user approval)
  ♦ A log to permit the tracing of transmittals through the change control cycle.

Establishment of formal testing procedures to include:

  ♦ Identification of the person responsible
  ♦ When the test will take place/begin
  ♦ When the test will be completed
  ♦ Details of the test
  ♦ Actual results of the test
  ♦ Approval of test results by the data center, programmer, and user.

Manager

—Internal Audit Department

Cover Page. An optional cover page may be developed to separate the audit report from the detailed recommendations and comments section. If you elect to insert this page, it could contain "Detailed Recommendations and Comments" as a title and be centered on the page.

Heading. The heading consists of the auditee name, the name of the section, "Corporate Audit Detailed Recommendations and Comments," and the "as of" date of the audit.

Lead Paragraph. The purpose of the lead or introduction paragraph is to convey to the reader three points. First, this document supplements the summary audit report to the Audit Committee. Second, there is a summarized restatement of the conclusion. Finally, a written response is required. For example:

These detailed recommendations and comments supplement our summary audit report to the Audit Committee of the Board of Directors in which we concluded that internal controls for the payroll and account balances were fairly stated in all material respects as of April 30, 200x. These detailed recommendations and comments were reviewed with appropriate levels of branch management and are subject to their written response in accordance with corporate policy.

Categories. For purposes of organization, subtitles are used to group recommendations and comments relating to the same subject; that is, all recommendations and comments relating to accounts payable should be numbered under the subtitle "accounts payable." The subtitles are typed on the left margin in bold type and underlined. To emphasize the subtitle, double spacing is used before and after the subtitle. The numbering sequence starts with the first recommendation and is continuous to the last recommendation under that subtitle. Numbers start over for each subtitle.

Recommendations. Use "recommendations" rather than "findings" to describe the audit exceptions because it has a more positive connotation. Recommendations are one of the five attributes that make up a finding, as published by the Institute of Internal Auditors. In lieu of saying, "These are our findings," implying something wrong was found, present a more positive image by saying, "These are our recommendations for improvement." Do not report that something was wrong; report merely that the auditee can improve existing conditions. A more positive approach implies professionalism by suggesting improvements as opposed to dwelling on or publishing problems and failings.

Comments. Comments differ from recommendations in that the five attributes—condition, criteria, effect, cause, and recommendation—are not present. Comments are more of a remark or brief statement of fact or opinion. To lessen the confusion, the attribute recommendation has also been renamed statement of action. Care should be used, in that generally anything material enough for the report should be adequately supported.

Discussion Items. Discussion items are developed and written as recommendations, but differ in that the auditee is not required to respond to these items. Discussion items are used in instances where auditees object to an item being included in the report when they are not directly responsible for the situation, yet the auditors feel strongly that the situation needs exposure in a written report. A compromise is the discussion item approach, which should be used only as a last resort.

Manager's Signature. The manager is responsible for signing the recommendation and comments section.

Exhibits. The exhibit section is optional, but should be considered if additional information will help make the audit recommendations and comments clear to the auditee or management. Exhibits may take the form of photographs, flowcharts, financial schedules, adjustment schedules, or other sundry schedules of supporting information. Like pictures, exhibits are worth a thousand words. Supporting exhibits not only add clarity, but if properly done, add a degree of professionalism to the auditor's work.

e. Open Audit Results and Comments

A task listing will be prepared containing all open audit issues and comments on date of implementation. This list will be used to monitor the implementation of audit comments. Periodically, management will be queried on the status of open issues. Follow-up compliance audits will take place one year after the date of the audit, and these task lists will be updated and, in most instances, closed out.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 8.2    REV NO:    DATE:
TITLE: Report to Management    PAGES:


8.2 Report to Management

The report to management should summarize the activities of the department in the interim since the last report to management. These activities should include audits performed and planned or changes made to plans. All department administrative activities including quality assurance, personal development programs, and participation in other company-sponsored programs should be considered. The report should be prepared on a detailed basis prior to the next scheduled Audit Committee meeting. This process will enable auditors to inform management of some of the items that will be included in the administrative section of the report to the Audit Committee. It will also enable auditors to integrate the text of this material into the Audit Committee report to save work when that report is being developed.

Communication with management is a very important element of an internal audit function. It is more important than in some other operations because the management issues and output of the audit function are more qualitative than quantitative. In a manufacturing or distribution operation, one can measure the output in units and analyze it in many ways. Audit functions have a lot of control over the quantity and quality of the work they perform. However, it is difficult for management to understand the issues involved in running a successful audit function and producing quality audit reports. Audit management has a number of opportunities to express their issues and report on activities. The formal process involves issuing audit reports (see "Corporate Audit Report Process") and issuing reports to the Audit Committee (see "Report to Audit Committee"). In this section, we deal with the opportunity to report on a somewhat more detailed basis to management.

As noted earlier in this section, if possible, the Report to Management should be prepared prior to Audit Committee meetings. This sequence will enable the material developed for this report to be reworked for inclusion in the report to the Audit Committee. There are no formal guidelines for what should be included in the Report to Management. Therefore, wide latitude should be used to help explain issues and promote progress achieved within the audit operation. Exhibit 8.10 is an example of a Report to Management. The format is simple and self-explanatory. However, great care should be taken to include all relevant activities on a prospective basis, as well as activities that have already taken place. In order to demonstrate the tone and range that a Report to Management can take, a number of sample report elements have been included in the example. In addition, the report could be patterned after other similar reports required within the organization. Some of the sections that should be considered include: Corporate Audit Department personnel issues; activities related to the external accounting firm; education; internal audit reports issued, pending and in process; and budget status.

Exhibit 8.10: Report to Management Example

SAM POLE COMPANY

INTEROFFICE CORRESPONDENCE

TO: Senior Management    OFFICE: New York
FROM: Chief Auditor    OFFICE: New York
SUBJECT: Internal Audit Status Report    DATE: September 10, 200x

This report summarizes the department and my activities since the status report date July 15, 200x.

BUDGET FOR 200x

The Budget for 200x has been drafted and will be presented to you and the Audit Committee on schedule. Due to the addition of a Director and an operational audit unit, the total budget will grow beyond normal inflation.

INTERNAL AUDITS


Audit Reports

• We continue to strive for timely report issuance. At this date, we have the following audit report status:

Issued Since July Status Report

  ◊ XYZ Subsidiary
  ◊ Tulane Contract Audit
  ◊ Purchasing Department Audit

Pending Issuance

  ◊ Transportation Department
  ◊ ABC Subsidiary

Physical Inventories

• In cases where reports are to be issued upon completion of location audits, inventory audit findings will also be included. In other cases, only exception reports will be issued regarding observations and review of compilations. We observed these physical inventories since the July status report:

  ♦ XYZ Subsidiary
  ♦ ABC Subsidiary
  ♦ Main Supplies Inventory

ORGANIZATION/PERSONNEL

The department is currently comprised of 37 professionals and two secretaries at September 1, which reflects the termination of John Doe and the resignation of Jane Smith in the East and the hiring of Pay Plum (CPA-CISA) as a semi-senior in the West. We continue to attempt further East staff reduction by transfer to other departments. To date, the West manager is pleased with the performance of his staff. He is now recruiting another semi-senior.

                Total   East   West   International
Professionals    35      15     14          6
Secretaries       2       1      1          0
                 37      16     15          6

Annual performance reviews were discussed with each eligible East staff member in conjunction with salary increases granted effective September 1. The staff generally responded receptively to constructive criticism designed to insist on or encourage, at minimum, competent professional performance. With certain exceptions, staff members considered salary increases equitable.

EDUCATION/TRAINING

Advance Systems, Inc.

• Jim will lead a one-day, in-house, videotape-supported orientation program on IS audit concepts for the East staff (scheduled for August 25 at the East office). The West staff participated in a similar program on August 15. These in-house seminars are designed to provide basic background and set the tone for maximum benefit from the MPC Institute course.

MPC Institute

• The MPC Institute staff will conduct, at their New York offices, a week-long seminar beginning on September 14, for the entire professional staff, concentrating on auditing in a contemporary computer environment. We have also invited Sam Pole personnel from other departments/locations to join us for some of the more technical sessions dealing with controls, to convey to them the significance of controls and also to improve their understanding of the auditor's purpose and responsibilities in a computer environment.


Other

• In a less formal, yet structured manner, individual staff members are involved with IIA self-study courses dealing with internal audit theory and practice, and statistical sampling. This work is monitored by our Personnel Development Coordinator.

• In order to enable staff members to prepare for the CPA examination and still fulfill audit schedule responsibilities, we have arranged with XYZ to use their self-study guides, at no cost to Sam Pole.

MANAGEMENT DEVELOPMENT PROGRAM PARTICIPANTS—OFF-STAFF ASSIGNMENTS

Bill Clark, between audit assignments, will assist the CFO during October in assembling, reviewing, and analyzing operating companies' 200x budget proposals. We have also offered to assist the Director of Financial Analysis on 200x budget matters, by making Peter Daily (East) or Rod Stewart (West) available for six weeks to two months. These opportunities have a two-fold purpose: (1) to broaden participants' exposure and experience in Sam Pole, and (2) to add another dimension in the evaluation process from sources outside internal audit.

We do foresee a potential problem associated with these off-staff assignments. The demand for Management Development Program participants to work outside the department is likely to conflict with our peak workload period—the Fall—when we experience our heaviest external audit coordination commitment. We are developing our audit plans and schedules to attempt effective attainment of both goals.

SPECIAL STAFF ASSIGNMENTS

New Jersey Mill

• John Jones continues to assist in the development of a plant cost accounting manual. We have received favorable feedback regarding his contribution. Out-of-pocket expense and pro-rata salary is billed to the plant, relieving department expenses.

Atlanta Foundry

• At the ADC Division's request, Jane Paul and Marc John were given a two-week assignment to develop overview flow charts of the plant cost accounting system. Having completed a portion of the work, continuing the assignment has been suspended pending agreement on the scope of the work. Out-of-pocket expenses were billed to ABC.

POLICY STATEMENTS

Compliance Program

• Results of circularization for employee acknowledgment of compliance with our code of conduct are virtually complete. Responses received at this office disclosed no conflict or other situations that warrant reporting. We plan to issue a brief formal report on the results of our review.

Policy Statement Booklet

• The supply of booklets in New York is exhausted. We have submitted suggested changes to the text of the booklet to the General Counsel. We also offered to assist them toward publication of the next revision.

OTHER MATTERS

Security

• As noted in my prior status reports and memos, we have been working with the Finance Director to assess ways to improve the corporation's focus on security. We are considering the need for centralizing the responsibility for all aspects of security within the company. Our recommendation was for a high-level survey of our current practices and security plans. To further our groundwork, we have set up a meeting with the General Counsel to apprise him of our activities to date and get his input.

Professional Activities

• As president of the New York Chapter, ISACA, John Jones presides over monthly board meetings and plans education events for members.

• On July 24, the Chief Auditor addressed our external audit firm's seminar for internal auditors on internal audit department practices.

• Marc John serves on the IIA Board of Governors and as Chairman of the Editorial Committee.

• Jane Paul serves on the IIA International Research Committee.

Regards,

The Report to Management should be addressed to the management reporting line of the Chief Auditor. This report is generally not copied to the Audit Committee, but should be copied to the President or CEO, if appropriate.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 8.3    REV NO:    DATE:
TITLE: Report to Audit Committee    PAGES:

8.3 Report to Audit Committee

In addition to the distribution of reports as audits are completed, periodically a summary report will be made to the Audit Committee. This report will include a report on internal controls and summary of items of significance, the summary of the Corporate Audit Department reports, and Audit Department status reports. This report provides the opportunity to explain the accomplishments of the department and should be viewed as a critical Audit Department product. Exhibit 8.11 presents a sample of a report to the Audit Committee. Also review Section 9.5, "Marketing the Audit Function."

Exhibit 8.11: Report to Audit Committee Example

SAM POLE COMPANY
101 Mapole Street East
Flagstaff, AZ 12345

February 28, 200x

Gentlemen:

I am pleased to present this report to the Audit Committee, comprising:

1. Report on internal controls and summary of items of significance
2. Summary of Corporate Audit Department reports
3. Corporate Audit Department status report

Audits in process and concluded since our report dated December xx, 200x, have not disclosed any developments that require action by the Committee.


I look forward to meeting with you to review the contents of this report and any other matters you may wish to discuss.

Very truly yours,

S. Jones

Internal Audit Director

SAM POLE COMPANY

Report to the Audit Committee

February 28, 200x

SECTION I

Report on Internal Controls

Sam Pole Company maintains systems of internal accounting controls and procedures designed to provide reasonable assurance that all transactions are properly recorded in the books and records, that prescribed policies and procedures are adhered to, and that the corporation's assets are protected from unauthorized use.

Based on continuing reviews of internal controls at company locations, nothing has come to our attention since our prior report that would indicate that the existing systems of internal controls are not effective. However, as commented on in our December report, the company must be continually alert, so that the changing conditions in Sam Pole Company's operations—primarily reductions in the number of salaried employees—are not accompanied by a weakening of existing internal controls, more specifically, the segregation of duties. We plan to continually focus on such areas of potential weaknesses and report situations where we believe action is required.

Summary of Items of Significance

Although we have made recommendations to management to improve internal controls, nothing of a significant nature was disclosed that would require action by the Audit Committee. We have received full cooperation from all levels of management and have been permitted access to all requested company records and documents.

SECTION II

Summary of Corporate Audit Department Reports

The following audit reports, issued since the December 5, 200x, Audit Committee meeting, are enclosed for your review:

• Corporate Data Center
• Sam Pole Antenna Company
• Payroll System
• Products Company
• Sales Company—Trading and Logistics


Recommendations relate to internal controls that can be improved; however, no material exceptions were noted. In the event of significant findings, we would promptly advise the Committee and issue a preliminary report.

Our comments and recommendations have involved matters significant to the organizational units audited. Based on our evaluation of auditee responses, we believe that our recommendations have been or are being given considerable management attention and action.

SECTION III

Audits and Related Activities

Audit Activities

Audits pertinent to annual corporate financial statement reporting centered primarily on completing interim and year-end audits under the rotation plan with our external auditors. We also continued our reviews of automated systems, including customer accounts receivable, salaried payroll, and accounts payable.

Supplies Inventories

At the December meeting of the Audit Committee, we reported on our management-requested special review of supplies inventories. Since our last report . . .

Steering Committee

The Director of Auditing, while not a member, attends by invitation the Information Resource Steering Committee meetings. Briefly, this involvement provides input to the Committee and knowledge of company plans to the Director. As a result of attending these meetings, we are planning special audit training in the following areas . . .

Disposition Audits

As previously reported, we have been significantly involved in disposition audits of the various units. Most recently, we assisted in the development of data that allowed for timely . . .

Administrative and Other Matters

Professional Staff

The current field staff, meeting our authorized complement, totals 20: six in New York and fourteen in Denver (as compared to 19 in 200x). Our current three-year plan indicates a need for approximately 21 auditors. We will adjust this plan and reevaluate staffing requirements after developing the rotation program, based upon the company's new operating structure, with the public accountants.

High turnover has continued in Denver, due to the company's situation and increased salaries available in an area with a high employment rate. Future recruiting, unless otherwise required, will be at the entry level.

We are pleased to report that we have promoted Mr. Sharp to manager in New York and Jane Pink to supervising senior in Detroit. Two individuals transferred from the audit staff—one to the Controller's staff and the other to MIS.

Quality Assurance Program


A responsibility of the Director, as described in the department's charter, is that audit work conform to the Standards for the Professional Practice of Internal Auditing. The Standards call for an independent external review at least once every three years, to appraise the quality of the department's operations. Accordingly, we have tentatively agreed to reciprocal department reviews with IPL Corporation in 200x and 200x. Preliminary discussions will be held in late February, with a review of our department planned for June 200x.

We have been planning this independent review of our total department performance for several years. Initially, we had each audit group perform a high-level quality assurance review. In 200x, we had a more in-depth review in New York and Detroit with a good appraisal (on a test basis) of the adequacy of each other's performance. We are now looking forward to this independent peer review to see how we can improve our operations.

Professional Certification

We have developed a professional certification policy for the internal audit department. We are strongly encouraging certification (CPA, CIA, CISA, CMA, etc.) within the first five years or before promotion to senior. We are providing partial company assistance to provide further incentive and yet ensure the individual's own sincere interest. A copy of the policy for your review is enclosed in Appendix XX. (Not shown here—see "Policies" section of the manual).


Part IV: Long-Term Effectiveness

Chapter List

Chapter 9: Managing the Effectiveness of the Audit Department


Chapter 9: Managing the Effectiveness of the Audit Department

Overview

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.1    REV NO:    DATE:
TITLE: Introduction    PAGES:

9.1 Introduction

The internal audit (IA) function should be more than activities as prescribed by management and professional organizations. By choice, the IA department can be a "world-class" entity—achieving excellence and maintaining it. But that will only happen with a great deal of commitment and effort. There are a number of methods, techniques, programs, and tools available to assist IA in attaining the highest level of excellence possible. In order to achieve the status of a world-class entity, and to be as effective as possible, IA will need to address issues such as corporate governance, quality assurance, continuous improvement systems, and marketing the IA function.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.2    REV NO:    DATE:
TITLE: Corporate Governance    PAGES:

9.2 Corporate Governance [1]

Recent financial failures such as Enron, WorldCom, and Adelphia remind managers, board members, auditors, and other stakeholders of the risks that exist even for those businesses that seem to be immune to fraud. These events also show the need for effective corporate governance. Enron proved that large companies with billions of dollars in assets can go bankrupt under the noses of well-intended board members—and despite the fact an internal audit function is present. (Note: At one time, Enron outsourced its IA to its external auditor—Arthur Andersen.) Earlier in 2001, Enron had a $10 billion book value and a $60 billion market value. Their latest audited financial reports showed $1 billion in profits. Enron had an audit committee made up of distinguished members with financial accounting pedigrees. Yet this large firm went bankrupt after booking a $600 million entry to revise its earnings in late 2001, followed by a loss of confidence in credit markets.

In 2002, the U.S. Congress passed the Sarbanes-Oxley Act as a result of these and other financial failures. In general, the law supports efforts to make corporate governance more effective. For example, at least one member of the audit committee is required to be an expert in financial accounting, members are required to be independent, and the committee is required to perform certain interactive activities and processes associated with audits—such as being responsible for hiring external auditors and maintaining regular communications with the IA function. (See also Sections 1.6(e) and 3.4(e) for more on the Sarbanes-Oxley Act.)

Chapter 9: Managing the Effectiveness of the Audit Department 1


Effective corporate governance is a synergy between internal auditors, the board of directors, senior management, and external auditors. The importance of corporate governance is illustrated by a McKinsey report that stated that investors are willing to pay a premium on shares of companies that had a corporate governance framework in place: 12 to 14% in North America and Western Europe, 20 to 25% in Asia and Latin America, and 30% in Eastern Europe and Africa. [2] The IIA believes that good corporate governance principles could prevent some of the frauds that have been investigated by the Securities and Exchange Commission (SEC).

The National Association of Corporate Directors has recommended that the SEC require public companies to disclose the extent to which they meet endorsed standards developed by the listing exchanges. Codes of governance in the United Kingdom, Canada, South Africa, and other countries already require disclosure of conformity to certain recommended governance practices. In the United States, governance policies and practices vary considerably from state to state, and from company to company.

One emerging model has been proposed by the Corporate Governance Center at Kennesaw State University in Kennesaw, Georgia [3]; it has been endorsed by the IIA. Their model of principles includes:

1. Interaction. Sound governance requires effective interaction among the board, management, the external auditor, and the internal auditor.

2. Board Purpose. The board of directors should understand that its purpose is to protect the interests of the corporation's stockholders while considering the interests of other stakeholders (e.g., creditors, employees, etc.).

3. Board Responsibilities. The board's major areas of responsibility should be monitoring the chief executive officer (CEO), overseeing the corporation's strategy, and monitoring risks and the corporation's control system. Directors should employ healthy skepticism in meeting these responsibilities.

4. Independence. The major stock exchanges should define an "independent" director as one who has no professional or personal ties (either current or former) to the corporation or its management other than service as a director. The vast majority of the directors should be independent in both fact and appearance so as to promote arms-length oversight.

5. Expertise. The directors should possess relevant industry, company, functional area, and governance expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should receive detailed orientation and continuing education to assure they achieve and maintain the necessary level of expertise.

6. Meetings and Information. The board should meet frequently for extended periods of time and should have access to the information and personnel it needs to perform its duties.

7. Leadership. The roles of board chair and CEO should be separate.

8. Disclosure. Proxy statements and other board communications should reflect board activities and transactions (e.g., insider trades) in a transparent and timely manner.

9. Committees. The nominating, compensation, and audit committees of the board should be composed only of independent directors.

10. Internal Audit. All public companies should maintain an effective, full-time internal audit function that reports directly to the audit committee.

In addition, the IIA recommends:

• Internal Controls. The board of directors of all publicly traded companies should be required to publicly disclose an assessment of the effectiveness of internal controls within their organizations. Such disclosures should address internal controls broadly, rather than being limited to accounting controls over the recording and reporting of financial information. This recommendation includes the suggested usage of the Committee of Sponsoring Organizations (COSO) model described in Chapter 3.

• Internal Audit Function. All publicly held companies should establish and maintain an independent, adequately resourced, and competently staffed internal auditing function to provide management and the audit committee with ongoing assessments of the organization's risk management processes and the accompanying system of internal control. If an internal audit function is not present, the board of directors should be required to disclose in the company's annual report why the function is not in place. Consideration of the work of internal auditors is essential for the audit committee to gain a complete understanding of an organization's operations.

• Internal Audit Independence. In establishing and providing oversight for an internal audit function, audit committees should ensure that the function is structured in a manner that achieves organizational independence and permits full and unrestricted access to top management, the audit committee, and the board.

• Internal Audit Professionalism. In establishing and providing oversight for the internal auditing function, audit committees should charge chief audit executives (CAE) with the responsibility of ensuring that internal audit work is performed in accordance with the IIA's Standards. Internal auditors, and especially CAEs, should demonstrate their professional competency by attaining appropriate professional certification.

Insight into the audit committee element of corporate governance can be drawn from a study by COSO. In 1999, COSO issued a study on the SEC enforcement activities from 1987 to 1997. The study analyzed 200 randomly selected cases of alleged financial fraud investigated by the SEC during the decade, which is about two-thirds of all the SEC probes into fraud during the time period. The results of the study provide valuable information for any organization in protecting against fraud, but prove especially valuable in developing audit committees. The "COSO Landmark Study on Fraud in Financial Reporting" points to several common factors about the companies in the study (see Exhibit 9.1).

Exhibit 9.1: Commonalities of Fraud Entities from COSO Study

• Smaller firms vs. larger firms were investigated
• Lack of experience in board members
• Lack of independence of audit committee/board members
• Absence of audit committee or infrequent audit committee meetings
• Likelihood of involvement of executive managers in financial fraud
• Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
• Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you cannot depend on your external auditors to detect fraud based on their size)
• Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies involved: the average misstatement or misappropriation was $25 million

First, most fraud in financial reporting among public companies was committed by smaller corporations—well below $100 million in assets. Most were not listed on the New York or American Stock Exchanges.

Second, the boards of directors of the companies investigated were dominated by insiders and directors with significant equity ownership. They also had little apparent experience in serving on the boards of other companies.

Third, most audit committees of the firms investigated met only about once a year, or the company had no audit committee at all. The absence of an active audit committee leaves a gap in the enterprise internal control environment.

Last, the riskiest group of perpetrators was executive managers—83% of the cases appeared to involve either the CEO or chief financial officer (CFO), and the CEO appeared to be involved in the financial frauds in 72% of the cases. This statistic is particularly chilling because of the role executives play in the business, of their ability to override internal controls, and of the difficulty in recognizing the involvement of executives in financial frauds. One way to provide a control against management fraud is to have an effective, aggressive audit committee that is willing to challenge management, when necessary, and an audit committee vigilant in looking for signs indicative of ongoing fraud in management.

From this data, a model for audit committees can be developed. This model of attributes was developed based on existing standards, SEC rules, and the COSO fraud report (see Exhibit 9.2). The model attributes include independence, competence, organizational structure, leadership, and a proactive approach.

Exhibit 9.2: Model of Attributes for Effective Audit Committee [4]

• Independence (outside directors)
• Competence (knowledge and understanding of accounting, auditing, and internal controls; critical thinkers)
• Organizational Structure (reporting channels direct from internal audit function, external auditors, whistleblowers)
• Leadership (active, strong, decisive chair)
• Proactive Approach

These points are made to assist IA in providing input into audit committee members, board members, and other responsibilities it has related to both corporate governance and quality. IA is an integral part of effective corporate governance.

[1] Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a position paper presented to U.S. Congress, April 8, 2002. It is available online at www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.

[2] Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.

[3] Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for Corporate Governance at www.be.udel.edu/ccg/staff.htm.

[4] From "Effective Audit Committees for Cooperatives: Part I — What, Why and How," The Cooperative Accountant, Summer 2002, pp. 22–30, T. Singleton.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 9.3 REV NO: DATE:

TITLE: Quality Assurance PAGES:

9.3 Quality Assurance

Quality assurance provides a similar service to IA that IA provides to management. It is an independent review of the quality of its service, much like a review of quality of earnings, operations, and so on, that IA provides. IIA Attribute Standard No. 1300 requires directors to develop and maintain a QA program.


a. Objective

The objective of the quality control program is to ensure that all assignments are completed in accordance with the department, IIA, and Information Systems Audit and Control Association (ISACA) standards where applicable.

b. Responsibility

It is the responsibility of the Director of Auditing to have quality audits completed on all assignments and to maintain a quality control program to evaluate the operations of the department. The Director of Auditing will appoint a Quality Assurance Coordinator, who will be responsible for the quality control program, and for keeping the Director of Auditing informed of all results.

c. Method

The program is in four parts:

1. Summarized review of all assignments by unassigned auditors
2. Detailed review of selected assignments
3. Annual self-assessment of department-wide standards, policies, and procedures
4. Tri-annual external review

i. Summarized Review of All Assignments by Unassigned Auditors

Objective. The objective is to ensure that all assignments meet minimum standards for planning, supervision, and documentation.

Responsibility. The manager on the engagement is responsible for ensuring:

♦ The workpapers are complete.
♦ The work was properly planned.
♦ The work was properly supervised.
♦ The workpapers were properly reviewed.

It is the responsibility of the Quality Assurance Coordinator to have all assignments reviewed for meeting of minimum department standards. The Coordinator is also responsible for communicating the deficiencies noted to the Audit Manager and to follow up on correcting the deficiency.

Method. Unassigned auditors will be required to review assignments on which they did not work. The review will be completed by answering the questions in the quality control checklist (see Exhibit 9.3 for checklist). All "no" and "N/A" answers must be fully explained. The completed checklist, together with the workpapers, are then forwarded to the Quality Assurance Coordinator for follow-up.

Exhibit 9.3: Quality Assurance Checklist

I. GENERAL

A. Is the General section complete? __________
B. Are the workpapers in a binder and ready for filing? __________
C. Are all review notes and pending matters complete and removed from the binder? __________
D. Are workpapers properly ordered? Do they contain indexes and leadsheets where appropriate? __________
E. Is the engagement checklist complete? __________
F. Have all employee evaluation forms been completed? __________
G. Was timely notice given to auditee?
H. Has the auditee response been:
   1. Received? __________
   2. Reviewed: By Manager? By In-Charge? __________

II. REPORTING AND CONTROL SECTION

A. Audit Report __________
   1. Is a final copy included in the workpapers? __________
   2. Is the report in standard format? The following should be included:
      a. Introduction __________
      b. Profile and/or financial highlights __________
      c. Scope of audit __________
      d. Conclusion __________
      e. Summary __________
      f. Other comments __________
      g. Detailed recommendations __________
   3. Do the detailed recommendations contain the following five attributes? __________
      a. Statement of condition __________
      b. Criteria __________
      c. Cause __________
      d. Effect __________
      e. Statement of action __________
   4. Was the report issued timely? If not, is the reason explained on the report distribution worksheet? __________
B. Is a copy of the year-end financials, or other meaningful reports, included? __________
C. Summary Memorandum
   1. Is it completed? __________
   2. Was it prepared by senior or other appropriate individual? __________
   3. Does it contain the following:
      a. Audit objectives __________
      b. Audit results __________
      c. Auditee background information __________
      d. Budgeted hours to actual hours analysis, and explanations of significant variations __________
      e. Comments for subsequent audits, if applicable __________
D. Manager Comments — Are all significant accounting and auditing problems fully documented? __________
E. Working Trial Balance (for year-end financial audits) — Is a working trial balance complete and cross-referenced to the supporting workpapers? __________
F. Audit Planning Memorandum
   1. Was it completed prior to the audit field work? __________
   2. Approved by manager and Director of Auditing? __________
   3. Does it contain the following:
      a. Audit objectives __________
      b. Background information __________
      c. Financial highlights __________
      d. Description of significant audit procedures __________
      e. Budgeted audit hours __________
      f. Timing of audit __________
      g. Auditors assigned __________
G. Audit Programs __________
   1. Are they complete? __________
   2. Are they approved by manager and senior? __________
   3. Are changes approved by manager and senior? __________
H. Fluctuation Analysis — Has it been completed and are all significant fluctuations explained? __________
I. Time Budget __________
   1. Is it completed? __________
   2. Does it agree to hours reported per semimonthly Corporate Audit progress reports? __________
J. Audit Recommendation Summary/Interim Recommendation Worksheet __________
   1. Is it complete? __________
   2. Are comments appropriately cross-referenced to detailed workpapers? __________
   3. Are all recommendations not included in the detailed Report of Recommendations and Comments explained? __________
K. Were prior audit reports included? Did the auditee implement the items noted? Have the comments been repeated in the current year's report? __________
L. Is the notice to auditee and other appropriate correspondence included in the binder? __________
M. Noted for Future Audits __________
   1. Has consideration been given to developing CAAPs? __________
   2. Are the significant comments included in the summary memorandum? __________
N. Is the closing conference documented? __________

III. AUDIT WORKPAPERS

A. Have they been properly reviewed, as evidenced by:
   1. All workpapers referenced? __________
   2. All workpapers signed off? __________
   3. Do all workpapers contain headings? __________
   4. Do workpapers contain evidence of review? __________
   5. Have internal controls been considered and, if appropriate, tested? __________
   6. Are conclusions on major accounts or areas stated and properly supported? __________
   7. Were all material adjustments approved by the senior and manager? __________
   8. Do the workpapers include a final report copy? __________

The Quality Assurance Coordinator will review all deficiencies noted with the senior and the manager of the assignment. The manager is responsible to see that the deficiencies are corrected. Once all deficiencies are corrected, the Quality Assurance Coordinator will sign off on the engagement checklist.

ii. Detailed Review of Selected Assignments

Objective. The objective of this phase of the quality control program is to see that Corporate Audit workpapers:

♦ Support the conclusions reached
♦ Are efficient
♦ Are appropriate in the circumstances
♦ Comply with department and professional standards

Responsibility. The selection of assignments to be reviewed will be made by the Quality Assurance Coordinator (see Exhibit 9.4 for criteria). The Coordinator will assign the detail review of workpapers to two seniors, preferably from two different locations or groups.

Exhibit 9.4: Selection of Assignments for Detailed Review

Audits and special projects would be selected to meet the following criteria:

1.
   ◊ Minimum 10% of all assignments
   ◊ Minimum 10% of audit hours incurred during the year
   ◊ At least one assignment for each senior or supervising senior
   ◊ At least one of all types of audits:
      ⋅ Financial
      ⋅ Systems review
      ⋅ Special projects
      ⋅ Data center audits

2. Assignments will be selected at random, supplemented by the Quality Assurance Coordinator's judgment, to meet all of the above criteria.

Method. Workpapers will be reviewed in detail using a published checklist (if appropriate). All "no" answers will be reviewed with the manager and the senior in-charge. All noted items, or the fact that there are no items, will be reported to the Quality Assurance Coordinator in selected assignment review memoranda.

The Quality Assurance Coordinator will summarize all items noted in these reviews and prepare the selected assignments review memo to the Director of Auditing.

iii. Annual Self-Assessment of Department-Wide Standards, Policies, and Procedures

Objective. The objective of this review is to ensure that the department is in compliance with department, corporate, and professional standards (e.g., IIA, ISACA).

Responsibility. The Quality Assurance Coordinator is responsible for completion of this review.

Method. The Quality Assurance Coordinator will compare the actual operating procedures of the department with the Standards of Professional Practice of Internal Audit, ISACA Standards, and other corporate and department standards as appropriate. This process will be accomplished through review of documentation, interviews, and actual experience. Upon completion, the Quality Assurance Coordinator will prepare the annual report to the Director of Auditing.

iv. Tri-Annual External Review

Objective. The objectives of this review are to:

♦ Obtain an outside view of the department's performance versus professional and internal standards
♦ Obtain suggestions for improving operating efficiencies

Responsibility. It will be the responsibility of the Director of Auditing, upon the recommendation of the Quality Assurance Coordinator, to have a tri-annual review performed.

Method. The method of review—public accounting, other internal auditors, or an IIA team—will be decided upon a complete review of the alternatives. Items that must be considered are:

♦ Cost
♦ Confidentiality of records
♦ Expertise in performing reviews
♦ Knowledge of business and operating environment

d. Reports

There are several key reports. They include:

• Annual Report to the Audit Committee of the Board of Directors
• Annual Report to the Director of Auditing
• Selected Assignments Review

i. Annual Report to the Audit Committee of the Board of Directors

This report is a summarized one, prepared by the Director of Auditing, sent to the Audit Committee, reporting on the quality control program and the results of the annual self-assessment.

ii. Annual Report to the Director of Auditing

This report is a summarized one of the quality control program for the year that includes results of the annual self-assessment, summary of deficiencies noted, and suggestions for improvement.

iii. Selected Assignments Review

This report is a summary memorandum and detailed checklist, enumerating the deficiencies and findings from the detailed review of selected audits, prepared for each assignment selected in the annual review process discussed below. This memo is first reviewed with the assignment manager and in-charge accountant before being given to the Quality Assurance Coordinator.

e. Summary of Review

The Quality Assurance Coordinator prepares a summary of the detailed deficiencies noted in the ongoing review of all workpapers. This memorandum is sent to the Director of Auditing and is discussed with the entire staff during an annual meeting.


f. Quality Assurance Checklist

Prepared by unassigned auditors, the checklist will be completed on all assignments after they have been approved for filing by the manager, and the report has been issued (see Exhibit 9.3 for a checklist). Upon completion, the checklist will be forwarded to the Quality Assurance Coordinator who is responsible for follow-up, to ensure the elimination of any deficiency noted.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 9.4 REV NO: DATE:

TITLE: Continuous Improvement Systems for Internal Auditors PAGES:

9.4 Continuous Improvement Systems for Internal Auditors

Continuous quality improvement methodologies can provide the tools to lead IA into becoming, or maintaining, a world-class status. Most of the current continuous improvement programs were designed for manufacturing and then adopted to service organizations. They include: Total Quality Management (TQM), Six Sigma, Baldrige National Quality Program, Kaizen, Theory of Constraints, Balanced Scorecard, Value-Based Metrics (VBM), and the International Organization for Standardization (ISO) 9000 family. Other improvement methodologies that are not necessarily continuous include Activity-Based Costing and Business Process Reengineering (BPR). From these systems, the ones that should be most applicable to the IA department are Balanced Scorecard, VBM, ABC, TQM, ISO 9000, and maybe Baldrige.

a. Balanced Scorecard [5]

The center of the Balanced Scorecard System is the entity's strategy and vision. For the IA department, that would be related to the mission statement discussed in Section 4.1 (a) i. The strategic objectives related to audits and services provided by IA are translated into measures that can be used to track how IA's services create value for its customers (see Section 9.5(b) later in this chapter for discussion of IA's "customers"), how internal processes can be enhanced, and how the investment in people supports improved future performance. The Balanced Scorecard System combines both financial and non-financial performance measures; in fact, users of Balanced Scorecard only have about 20% of their measures as financial. Users of Balanced Scorecard learn to take advantage of non-financial measures successfully. Measures are made from four perspectives (presented as originally developed for businesses in general — see Exhibit 9.5):

Customers. Focuses on the external environment to understand, discover, and emphasize customer needs. Common measures include customer satisfaction, customer loyalty, and customer retention.

Internal Business Processes. Focuses internally along a value chain comprising innovation, operations, and post-delivery service processes. Common measures include research and development expenditures, sales from new products, productivity, cycle time, and throughput efficiency.

Learning and Growth. Provides the foundation, or infrastructure, needed to meet the objectives from the other two operational perspectives. Common measures include employee satisfaction, dollars spent on training, and voluntary turnover.

Financial. Focuses on shareholders. Every measure in the Balanced Scorecard System should be part of a causal link that ends in financial measures. Common measures include economic value-added (EVA®), return on investment, and net income.

Exhibit 9.5: Balanced Scorecard System Model


Some of the above measures and concepts do not apply to IA, or do not directly apply. The Internal Audit department would obviously use what can apply and ignore the rest. For customers, the customer satisfaction component is important and can be measured by a survey instrument. Customer loyalty and retention, however, do not easily apply (i.e., captive audience exists).

In the area of internal business processes, innovation could be things such as new computer-aided audit tools and techniques (CAATTs) applied to audits, and even Balanced Scorecard System itself being applied to IA. Post-delivery services could include gathering empirical data on the effectiveness of audit recommendations from audits (i.e., were they implemented, what improvements were realized, etc.), or follow-up procedures to audit recommendations. Applicable measures include productivity, cycle time, and efficiency. The documents and processes recommended throughout the manual provide source documents to assist in these measures, recognizing that an appropriate Balanced Scorecard System would likely include other documents and measures. Comparing budgeted hours for audit projects versus actual time is a good measure for efficiency (see Exhibit 6.2 and Section 6.1(a), "Three-Year Operating Plan").

For Learning and Growth, employee satisfaction within the department can easily be measured, if it can be done anonymously. Training can be measured by PD/CPE hours and the annual staff conference (see Section 5.5). Voluntary turnover can be measured from the Human Resource Summary recommended in Section 9.5(d) (see Exhibit 9.6).

Exhibit 9.6: Summary of Personal Activities


Financial could be measured by using IA as a profit center, or even a cost center with budget variances. Shareholders could be extended to stakeholders as a more effective scope. Stakeholders would include: executive management (CEO, CFO, etc.), the Audit Committee, the Board of Directors in general, and shareholders or the public. That focus is more aligned to the responsibilities of the IA function.

Altogether, the Balanced Scorecard System provides an excellent model for IA to use in pursuing world-class quality in its processes, duties, and services. Balanced Scorecard can be adopted, fairly easily, by the IA department.

b. Value-Based Metrics

A system similar to Balanced Scorecard is Value-Based Metrics (VBM). Like Balanced Scorecard, the VBM approach ties measures into strategic objectives. VBM are particularly useful as the basis for incentive compensation, resource allocation, investor relations, and other areas. The true drivers of VBM are often non-financial. In the VBM system, VBM and targets are set that are aligned (linked) to business strategies. The following is a sample of possible non-financial measures in VBM: innovation, growth, operating effectiveness, operating efficiency, employee skills and training, on-time delivery of services, customer satisfaction and retention, and value chain.

c. Activity-Based Costing

Activity-based costing (ABC) is a cost accounting theory used to allocate overhead costs to products based on the cost of the activities that are required to produce the product or deliver the service. The allocation bases are cost drivers, that is, the activities that "drive" the costs.

An ABC system usually involves two stages. In the first stage, costs are allocated to activity pools according to the type of activity carried out in each pool. For example, a pool for training would include costs associated with the Annual Staff Conference, Continuing Professional Education/Professional Development (CPE/PD) seminars attended by staff, and other training costs. In the second stage, costs are allocated from the activity pools to a cost object, such as a good or service (e.g., an audit project).

Appropriate application of ABC for service entities can be effective if the entity focuses on core activities andreducing non-core activities. For IA, the core activity would be audits.

While ABC is not a continuous improvement program, it can help to control departmental overhead on a continual basis and keep it current.

d. Total Quality Management

Total Quality Management (TQM) is another strategic approach to business improvement. Its unique feature is the emphasis of quality from the customer's viewpoint, rather than the producer's. Quality is, therefore, defined by customers; that is, the product or service must meet or exceed the requirements or expectations of customers for that product or service. These expectations may involve attributes such as performance, reliability, durability, responsiveness, aesthetics, after-sale service, timeliness of delivery, and product or service features. TQM may use a variety of tools and techniques to seek continuous improvement of quality, productivity, flexibility, durability, and customer responsiveness. Entities that use TQM need to commit to [6]:

• Even better, more appealing, less-variable quality of the product or service
• Even quicker, less-variable response — from design and development through supplier and sales channels, offices, and plants all the way to the final user
• Even greater flexibility in adjusting to customers' shifting volume and mix requirement
• Even lower cost through quality improvement, rework reduction, and non-value adding waste elimination

Total Quality Management (TQM) is an applicable continuous improvement approach, which, applied appropriately, should be effective in achieving and maintaining high quality.

e. ISO 9000 Family [7]

The International Organization for Standardization (ISO) is another continuous improvement system. ISO has been developing voluntary technical standards over almost all sectors of business, industry and technology since 1947. ISO standards were, before ISO 9000 and ISO 14000, principally of concern to engineers and other technical specialists concerned by the precise scope addressed in the standard. Then, in 1987, came ISO 9000, followed nearly 10 years later by ISO 14000, which have brought ISO to the attention of a much wider business community. However, both ISO 9000 and ISO 14000 are known as generic management system standards.

Generic means that the same standards can be applied to any organization, large or small, whatever its product — even if the "product" is actually a service — in any sector of activity, and whether it is a business enterprise, a public administration, or a government department. Management system refers to what the organization does to manage its processes, or activities. In a very small organization, there is probably no "system," as such, just "our way of doing things," and "our way" is probably not written down, but all in the manager's or owner's head. The larger the organization, and the more people involved, the more the likelihood that there are some written procedures, instructions, forms or records. These help ensure that everyone is not just "doing his or her thing," and that there is a minimum of order in the way the organization goes about its business, so that time, money and other resources are utilized efficiently. To be really efficient and effective, the organization can manage its way of doing things by systemizing it. This ensures that nothing important is left out and that everyone is clear about who is responsible for doing what, when, how, why and where. Management system standards provide the organization with a model to follow in setting up and operating the management system. This model incorporates the features that experts in the field have agreed upon as representing the state of the art. A management system that follows the model — or "conforms to the standard" — is built on a firm foundation of state-of-the-art practices.

Both ISO 9000 and ISO 14000 are actually families of standards. Both families consist of standards and guidelines relating to management systems, and supporting standards on terminology and specific tools, such as auditing (the process of checking that the management system conforms to the standard). ISO 9000 is primarily concerned with "quality management." The standardized definition of "quality" in ISO 9000 refers to all those features of a product (or service) that are required by the customer. "Quality management" means what the organization does to ensure that its products conform to the customer's requirements.

If a business or organization has invested time, energy and money to meet the ISO criteria, it obtains an ISO 9000 certificate. While the IA department will probably not seek the certificate unless the entire organization does, the principles of ISO 9000 can guide IA into becoming a world-class IA function.

f. Baldrige National Quality Program/Baldrige Award [8]

The Malcolm Baldrige National Quality Award was created by Public Law 100–107, signed into law on August 20, 1987. The award program, responsive to the purposes of Public Law 100–107, led to the creation of a new public-private partnership. Principal support for the program comes from the Foundation for the Malcolm Baldrige National Quality Award, established in 1988. The award is named for Malcolm Baldrige, who served as secretary of commerce from 1981 until his tragic death in a rodeo accident in 1987. His managerial excellence contributed to long-term improvement in efficiency and effectiveness of government.

The Baldrige National Quality Program (BNQP) is supervised by the National Institute of Standards and Technology, and it makes awards each year. Applicants must meet stringent self-assessment criteria before being selected for the Baldrige Award. The Award criteria, continually improved since 1988, include seven categories:

1. Leadership
2. Strategic planning
3. Customer and market focus
4. Information and analysis
5. Human resource focus
6. Process management
7. Business results

The criteria are built on a set of core values and concepts that are embedded behaviors in well-managed companies. Such companies use the Baldrige criteria to assess their management systems and improve performance in their most vital areas. Although BNQP applies only to organizations as a whole, the principles could be followed without officially applying for the Baldrige Award with successful results.

g. Conclusions

An overlap in criteria between these programs is clearly evident (e.g., customer focus). It is recommended that IA and the Director of Audit in conjunction with corporate management consider using one of these programs, or some other continuous improvement system, in addition to the quality assurance program in order to establish and maintain a world-class audit function.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 9.5 REV NO: DATE:

TITLE: Marketing the Audit Function PAGES:


[5] For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P. Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.

[6] According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important Aspects by C. Carl Pegels, from Boyd & Fraser Publishing Co., 1995.

[7] Much of this section was taken from the ISO web site at www.iso.org.

[8] For more information on Baldrige, see www.quality.nist.gov/.

9.5 Marketing the Audit Function

A series of books was published in the 1980s that examined what made successful companies so. Strengths included an obsession with quality, building a family or families out of employee groups, sound long-range planning, price value of products and services, and closeness to the customer. The need to be close to the customer and driven to satisfying the customer are basic principles learned in business school — but sometimes businesses or operations, such as audit functions, lose this focus.

Audit departments need to be addressing all of these areas of their operations. Should an audit department get close to customers? Should IA have marketing functions? Do auditors produce products? Within the limits of independence and objective review of operations and financial position, the answers are yes. Who are your customers as the IA department? There are many types, and they may not all want the same products.

The objective of this section is to remind auditors to think about who their customers are, what products are produced, and to attempt to improve the delivery of the products by using some basic marketing concepts.

a. What Is Marketing?

A conventional definition of marketing includes all the steps to place a product in the hands of a consumer. Marketing should be involved when the product is being developed to consider who the different customers are and how the product should be delivered to each. For instance, the audit department produces audit reports. Who reads the audit reports? The answer may include divisional financial managers and controllers, divisional operations managers, corporate financial managers and the CFO, corporate managers and the CEO, the audit committee, and the independent auditors. These are all customers, and they may want different products.

The audit report is discussed in Section 8.1 and includes a two-level reporting process that allows for some product differentiation and divides the product logically to allow for different combinations for different customers. Marketing involves studying the customers' wants and satisfaction with the product. Does the corporate CEO want the same level of detail as the divisional controller? There is a very good chance the CEO does not.

The audit report product has been designed, as discussed in Section 8.1, to allow for a summary audit report and a detailed audit report. To respect the time commitments of the CEO-type customer, the summary report is limited to two pages. The reader of the summary report is always offered the full detailed report on request. To help differentiate this important report from others arriving on the customer's desk, a color banner is suggested to highlight the product.


b. Understanding the Customers

Marketing requires understanding the needs of customers and assessing their understanding of the product and their satisfaction with the product. Marketing and successful acceptance of products can be enhanced by studying and understanding customers' profiles, including age, background, time commitments, priorities, and need for information. For example, most financial managers have a financial background that enables them to understand more fully financial audit reports; however, corporate financial managers may not have the same time available for every division and may only want summary information on non-problem audit reports.

Operations managers may not understand as fully the implications of the audit findings. Consider adding a separate background report or glossary when applicable. To respect the time availability of customers and the need to commit the audit department to clear reporting of results, an opinion paragraph is included in the summary audit report. Some audit departments include a quantified score or grade for each audit. Therefore, by considering the customer, the audit department adds value to its product by constructing products that customers (users) want and with which they will be satisfied.

c. Getting the Audit Message Out

In addition to audit reports, the Audit Department produces many products including written reports such as: reports to the Audit Committee, reports to management, and budget reports. The preparation of all reports should include the study and evaluation of the intended customer and how the product could be developed and delivered in a better, more comprehensive, and more highly productive way.

Audit Department brochures are marketing tools that can help the department improve the understanding of the IA function and improve its image. This brochure is a form of advertising, the objective of which is to show the product or service in a positive way while still respecting the professional image. The brochure becomes a recruitment tool as well as an orientation tool for new Audit Committee members and corporate and other senior management. The department brochure could include a message from the CEO and the Chief Auditor, and sections on Audit Department objectives and services, management's requests, who to contact, staff qualifications and organization, the role of the Audit Committee, what to do if a fraud is suspected, and other important information.

Audit staff should be encouraged to be professionally active to develop professionally, to gain solid knowledge of emerging developments and solutions, and to promote the audit department. High visibility in the audit profession will also enhance the Audit Department image. Reports on professional activities should be included in reports to management and reports to the Audit Committee. As discussed above, these are different customers with different information needs, which should be considered as the product (report) is developed.

Issuing control-related brochures to improve the organization's system of internal control can add value and reduce the negative reporting image of internal audit. For example, a brochure on basic personal computer controls (backups, password security, etc.) can improve individual employees' control awareness and improve the overall system of internal control. (See Chapter 3 for more details on internal controls that might be useful in developing such a brochure.) This approach markets the Audit Department in a positive way.

d. Human Resources

As discussed in more detail in Chapter 5, audit departments are developers of people. The department can be used as a training ground for financial and operational managers. If this approach is taken, human resource development becomes a significant Audit Department product. To manage this program, a summary should be kept of all audit personnel hired each year with information on promotions, transfers, and separations. From this summary (see Exhibit 9.6), statistics can be developed on number of personnel transferred and promoted.


Using the Audit Department as a training ground also helps address the issues of career-path opportunities for the Audit Department. It produces a tangible additional and positive audit product for the organization. Of course, it requires more work on the part of audit management. Planned turnover will result, and staff scheduling becomes more complex. If the Audit Department is going to be used as a training ground, a formal Management Development Training Program should be developed outlining the plan's objectives and guidelines.

e. Summary

Marketing considerations are important elements in every business operation, including the audit function. Constantly be on the look-out for opportunities to market the audit function and produce positive deliverables and new products and services.

Endnotes

1. Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a position paper presented to U.S. Congress, April 8, 2002. It is available online at www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.

2. Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at www.mckinsey.com/practices/corporategovernance/PDF/GloballnvestorOpinionSurvey2002.pdf.

3. Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for Corporate Governance at www.be.udel.edu/ccg/staff.htm.

4. For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P. Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.

5. According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important Aspects by C. Carl Pegels, from Boyd & Fraser Publishing Co., 1995.

6. Much of this section was taken from the ISO web site at www.iso.org.

7. For more information on Baldrige, see www.quality.nist.gov/.


Index

A

AICPA
  Founding, 7
  SysTrust, 78–83
Association of Information Technology Professionals (AITP), 41
Auditing
  Frauds
    COSO Study (SEC fraud violations), 99, 115–117, 344–345
    Equity Funding, 1973, 19–20
    Ivar Kreuger, 1932, 8
    McKesson & Robbins, 1938, 8–9
    South Sea Bubble, 6
    Ultramares, 1925, 7
  Risk Assessment, 97–104, 230–231
  Standards
    AICPA—GAAS, 52
    IIA—SPPIA, 46–48, 97, 227, 263, 265
    ISACA—Standards, 48–52
    SDLC, 53–57, 90

C

COSO (Treadway Commission)
  COSO, 13
  COSO Model, 72–74, 85, 243
Computer Crimes
  Criminals/Intruders, 70, 92, 123
  Denial of Service/Distributed DoS, 100, 106
  Financial Fraud, 122
  Misappropriation of Assets (theft), 122
  Unethical E-Mail, 94, 102
  Viruses/Worms, 94, 100–101
  Virus Hoaxes, 94, 101–102, 106

E

Ethics, 41–45
  IIA Code of Ethics, 42–44
  ISACA Code of Professional Ethics, 44–45

F

Federal Laws
  Copyright Laws, 30, 87–88
  Foreign Corrupt Practices Act, 1977, 30, 87
  Income Tax (Sixteenth Amendment), 1913, 7, 29, 61
  Sarbanes-Oxley Act, 2002, 31, 88–89, 342
  Securities Act, 1933, 7–8, 29, 61, 87
  Securities Exchange Commission Act, 1934, 7–8, 29, 61, 87

G

GAO
  Yellow Book, 15

I

Information Systems Audit & Control Association
  CobiT, 74–75
  Founding, 1969, 21–22, 48
Institute of Internal Auditors
  Founding, 1941, 10–14
  SAC Study, 20–21, 76–77
Internal Audit
  Annual Staff Meeting, 214–216
  Audit Recommendations, 275–283, 311, 318–320
  Budget Planning, 232
  Continuous Improvement
    Activity-Based Costing, 358, 630
    Balanced Scorecard, 356–358
    Baldrige National Quality Program, 361–362
    ISO 9000, 360–361
    Total Quality Management (TQM), 360
    Value-Based Metrics, 358
  Coordinator of Education, 192
  Corporate Audit Charter, 144–147
  Corporate Audit Training Model, 193–195
  CPE, 197
  Department Policies
    Confidentiality, 177–178
    Days Off for Extensive Travel, 179
    Orientation/Training, 178–179
    Professional Certification, 180
  Job Descriptions, 149–176
  Marketing, 363–365
  Mission Statement, 136–137
  Orientation, 217–220
  Outsourcing, 139–141
  Performance Evaluation, 204–213
  Personnel Files, 199–203
  Planning Memo, 269–275
  Preliminary Survey, 236–269
  Professional Certification, 185, 336
  Quality Assurance, 347–355
  Recruiting
    Aids, 184–185
    Management Development Programs, 185
    Sources, 182–184
  Reporting
    Expense Reporting, 256
    Time Reporting, 250–255
  Scope, 314
  Types
    Compliance Audits, 241
    Contract Audits, 241–242
    Desk Review, 242–243
    E-Commerce Audits, 249
    Financial Audits, 238–240
    Follow-Up Audits, 243
    High-Level Review of Procedures, 238
    Information System Audits, 243–248
    International Audits, 249
    Operational Audits, 240
  Workpapers, 284–294
Internal Auditing
  Audit Committee, 31, 114–119, 331–336, 342–346
  Control Self-Assessment, 141–142
  Corporate Governance, 114–119, 342–346
  IT Governance, 119–120
  Independence, 60–61
  Materiality, 235–237
  Responsibilities, 59–61
Internal Controls
  Basic Assumptions, 69–70
  Business Recovery/Disaster Recovery, 94–96, 245–246
  CAATTs
    Authentication, 124–125
    Biometrics, 124–125
    Call-back Modems, 125
    Computer Logs, 120
    Firewalls, 126–127
    Generalized Audit Software, 127–128
    Internet Storm Watcher, 105–106
    Intrusion Detection Systems (monitoring), 126
    Passwords, 92–93, 124
  CobiT, 74–75
  Computer Controls, Application, 112–113, 244, 246–248
  Computer Controls, General, 111–112, 243–244
  COSO Model, 72–74, 85, 243
  COSO Study (SEC fraud violations), 99, 115–117, 344–345
  Cost-Benefit Analysis, 71
  Definitions, 65–66
  Models, 68, 91
  PDC Model (expanded), 105–108
  Physical Controls, 109–111, 244–245
  Policies
    Business Recovery/Disaster Recovery, 94–96
    Computer Usage, 92
    E-Mail, 94
    Password, 92–93
    Privacy, 95
    SDLC, 90
    Security, 92
  Risk Assessment, 97–104
  SAC/eSAC, 76–77
  Sarbanes-Oxley Act, 88–89
  Segregation of Duties, 121
  SysTrust, 78–83

S

Sarbanes-Oxley Act (2002)
  Corporate Governance, 342
  Internal Controls Requirements, 88–89
  Legal Requirements, 31
SEC, 7–8, 29, 61, 87, 114–115
  COSO Study (SEC fraud violations), 115–117, 344–345
  Sarbanes-Oxley Act, 31, 88–89


List of Tables

Chapter 6: Audit Planning

Sam Pole Company Corporate Audit Department Three-Year Audit Plan

Chapter 7: Audit Performance

Financial Highlights For the six months ended June 30 ($000's omitted)


List of Exhibits

Chapter 2: Auditing Standards and Responsibilities

Exhibit 2.1: ISACA Auditing Standards Guidelines
Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix
Exhibit 2.3: SDLC Guidelines

Chapter 3: Internal Control System

Exhibit 3.1: Internal Control Environment Model
Exhibit 3.2: Controls Decision Making Overview
Exhibit 3.3: COSO Model
Exhibit 3.4: eSAC Model
Exhibit 3.5: SysTrust Model
Exhibit 3.6: Comparison of Internal Control Models
Exhibit 3.7: Internal Control System Model
Exhibit 3.8: Password Policy
Exhibit 3.9: E-Mail Questionnaire
Exhibit 3.10: Disaster Recovery Plan
Exhibit 3.11: Anti-Virus System/Model
Exhibit 3.12: A Basic Vulnerability Plan
Exhibit 3.13: Sample Questionnaire/Inquiry
Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502)
Exhibit 3.15: IS Model of Controls
Exhibit 3.16: Physical Controls
Exhibit 3.17: Audit Committee Oversight Areas—In Order of Importance
Exhibit 3.18: Commonalities of Fraud Entities from COSO Study
Exhibit 3.19: Model of Attributes for Effective Audit Committee

Chapter 4: Department Organization

Exhibit 4.1: Sample Corporate Audit Charter
Exhibit 4.2: Sam Pole Company Organization Chart
Exhibit 4.3: Sam Pole Company Audit Department Organization Chart

Chapter 5: Personnel, Administration, and Recruiting

Exhibit 5.1: Interview Questionnaire for New Internal Auditors
Exhibit 5.2: Overview of Corporate Audit Training Model
Exhibit 5.3: Continuing Professional Education (CPE) Record
Exhibit 5.4: Corporate Audit Department Background Information Form
Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form
Exhibit 5.6: Performance Evaluation Review Form
Exhibit 5.7: Group Discussions Instruction Sheet
Exhibit 5.8: Orientation Checklist

Chapter 6: Audit Planning

Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing
Exhibit 6.2: Sample Three-Year Audit Plan


Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes
Exhibit 6.4: Sample Corporate Audit Time Summary Form

Chapter 7: Audit Performance

Exhibit 7.1: Corporate Audit Performance Process Matrix
Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist
Exhibit 7.3: Sample Notice to Auditee
Exhibit 7.4: Sample Planning Memo
Exhibit 7.5: Recommendation Worksheet Example
Exhibit 7.6: Permanent Files Index

Chapter 8: Audit Reporting
