Managing the Audit Function 3rd Edition - John Wiley & Sons

Published by Freddie5 on Oct 09, 2011
Copyright: Attribution Non-commercial
Table of Contents
Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition

Foreword
Preface
  Standing at the Rubicon!

Part I: Fundamentals of the Internal Auditing Function
  Chapter List

Chapter 1: Background
  1.1 Introduction
  1.2 History of Auditing [1]
  1.3 History of Internal Auditing
  1.4 Auditing Government Agencies
  1.5 History of Information Systems Auditing
    a. Birth of Information Systems Auditing
    b. Commercialization of Computers
    c. AUDITAPE: Breakthrough for Information Systems Auditors
    d. Equity Funding Scandal: Abuse of Information Technology
    e. Systems, Auditability, and Control Research Study—Institute of Internal Auditors
    f. Electronic Data Processing Auditors Association
    g. Emerging Technologies
  1.6 History of Federal Regulations Related to Auditing
    a. Income Tax Law (Sixteenth Amendment): 1913
    b. Securities and Exchange Commission Acts: 1933, 1934
    c. Foreign Corrupt Practices Act: 1977
    d. Copyright Laws: 1976 et al.
    e. Sarbanes-Oxley Act: 2002
  1.7 Professional Organizations Related to Internal Auditing
    a. Institute of Internal Auditors
    b. Information Systems Audit and Control Association
    c. American Institute of Certified Public Accountants
    d. American Accounting Association
    e. Financial Executives International
    f. Association of Government Accountants
    g. Association of Certified Fraud Examiners
  Endnotes

Chapter 2: Auditing Standards and Responsibilities
  Overview
  2.1 Introduction
  2.2 Ethics
    a. Institute of Internal Auditors (IIA) [2]
    b. Information Systems Audit and Control Association (ISACA) [3]
  2.3 Professional Auditing Standards
    a. Institute of Internal Auditors
    b. Information Systems Audit and Control Association [5]
    c. American Institute of Certified Public Accountants
  2.4 Systems Development Life Cycle Standards
  2.5 Professional Development
  2.6 Responsibilities of a Corporate Auditor
    a. Nature
    b. Objective and Scope
    c. Responsibility and Authority
    d. Independence
    e. Regulatory Issues
  Endnotes

Chapter 3: Internal Control System
  Overview
  3.1 Definition
  3.2 Fundamental Assumptions in Establishing an Internal Control System
    a. Business Reasons for a Strong Internal Control System
    b. Legal Reasons for a Strong Internal Control System
    c. Basic Assumptions for the Internal Control System
    d. Evolution of Attacks and Intruders' Technical Knowledge
    e. Cost-Benefit Analysis of Controls
  3.3 Effective Internal Control Models
    a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA)
    b. The CobiT Model (ISACA)
    c. The SAC and eSAC Reports (IIA)
    d. SysTrust (AICPA and CICA)
    e. Conclusion: Comparing and Contrasting the Models
  3.4 Regulations
    a. Securities and Exchange Commission (1933, 1934)
    b. Foreign Corrupt Practices Act (1977)
    c. Copyright Laws (1976 et al.)
    d. Environmental Laws (Various)
    e. Sarbanes-Oxley Act (2002)
  3.5 Policies [7]
    a. Systems Development Life Cycle Policy
    b. Systems Usage Policy (End Users)
    c. Security Policy
    d. Password Policy
    e. E-Mail Policy
    f. Business Recovery Policy
    g. Privacy Policy
  3.6 Risk Assessment
    a. Risk Assessment: Internal Perspective
    b. Risk Assessment: External Perspective
  3.7 Control Strategies
    a. Fourfold Perspective of Controls Model
    b. Information Systems and Controls Model
    c. An Internal Audit Function
    d. Corporate Governance
    e. Logs and Auditability
    f. Segregation of Duties
    g. Investigation Procedures
  3.8 Malicious Activities
    a. Crime and Misappropriation of Assets
    b. Unauthorized Access and Authentication
  3.9 Specific Controls/CAATTs
    a. Monitoring Systems
    b. Firewalls
    c. Generalized Audit Software
    d. Other Potential Controls/CAATTs
  References
  Endnotes

Part II: Management and Administration
  Chapter List

Chapter 4: Department Organization
  Overview
  4.1 Introduction
    a. Strategic Objectives
    b. Essence of Internal Auditing
    c. Quality Assurance Reviews of Internal Audit
    d. Outsourcing Internal Audits
    e. Control Self-Assessment
    f. Integrating the Auditing Process
  4.2 Corporate Audit Charter
  4.3 Company Organization
    a. Audit Department Organization
    b. Job Classifications and Descriptions
  4.4 Audit Department Policies
    a. Confidentiality
    b. Orientation (Training)
    c. Days Off for Extensive Travel Policy
    d. Professional Certification Policy
  Endnote

Chapter 5: Personnel, Administration, and Recruiting
  Overview
  5.1 Introduction
    a. Sources of Personnel
    b. Recruitment Aids
    c. Management Development Programs
    d. Certifications
  5.2 Personal Development
    a. Introduction
    b. Objectives
    c. Coordinator of Education
    d. Corporate Audit Training Model
    e. Core Program
    f. Advanced Program
    g. Record-Keeping
  5.3 Personnel Files
    a. Corporate Audit Department Background Information Form
    b. Corporate Audit Department Interest Questionnaire
  5.4 Periodic Performance Evaluation Review
    Guidelines for Preparation of Report
  5.5 Annual Staff Meeting/Conference
  5.6 New Staff Orientation
    Desk Review
    Group Discussions
    High-Level Review of Procedures
    Assignment Log and Checklist
  Endnotes

Part III: Technical Procedures
  Chapter List

Chapter 6: Audit Planning
  Overview
  6.1 Corporate Audit Planning
    Three-Year Operating Plan
    Annual Budget and Plan
    Six-Month Audit Plan
    Three-Month Audit Schedule
    Two-Month Staff Schedule
    Scheduling
    Risk Analysis
  6.2 Internal Controls
  6.3 Materiality
  6.4 Types of Audits
    Financial Audit
    Operational/Managerial Audit
    Compliance Audit
    Contract Audit
    International Audits
    Information Systems Audits [3]
    E-Commerce Audits
    Follow-Up Audits
  6.5 Time Reporting
    Form: Corporate Audit Time Report
    Auditor's Name/Employee Number
    Report for the Period Ending
    Job Number
    Audit Codes
    Task Codes
    Hours
    Productive Time
    Nonproductive Time
    Summarizing Time
  6.6 Expense Reporting
    Travel Expenses
  Endnotes

Chapter 7: Audit Performance
  Overview
  7.1 Corporate Audit Performance Process Matrix
  7.2 Workpapers
    Objective
    Method
    Responsibility
    Control
    Retention
    General Organization
    Detailed Workpaper Section Organization
    Headings
    Indexing and Cross Referencing
    Referencing
    Standard Tick Marks
    Permanent Files: Contents and Format
    Current Files: Contents and Format
  7.3 Audit Objectives
    Preliminary Survey
    Planning Memo
    Description of Notice to Auditee
    Audit Status Report
    Summary of Review
    Developing Audit Recommendations
    Open Audit Results and Comments

Chapter 8: Audit Reporting
  Overview
  8.1 Corporate Audit Report Process
    Draft Reports
    Draft to Auditee
    Inclusion of Auditee Comments
    Issue Final Report to Management
  8.2 Report to Management
  8.3 Report to Audit Committee

Part IV: Long-Term Effectiveness
  Chapter List

Chapter 9: Managing the Effectiveness of the Audit Department
  Overview
  9.1 Introduction
  9.2 Corporate Governance [1]
  9.3 Quality Assurance
    Quality Assurance Checklist
    Total Quality Management
  9.4 Continuous Improvement Systems for Internal Auditors
    Value-Based Metrics
    Balanced Scorecard [5]
    Activity-Based Costing
  9.5 Marketing the Audit Function
    What Is Marketing?
    Getting the Audit Message Out
  Endnote

Index
Human Resources...............................................1 S..............................1 E..................................................................................... Baldrige National Quality Program/Baldrige Award [8]....................................................................................................................................................................................................................................................................................................................1 Chapter 5: Personnel......................................................................1 Chapter 7: Audit Performance...........................................................................................17 Endnotes ................................................................................................................................................................................................................................................................................ Conclusions..................................................................2 vi ....................................................1 List of Tables...............................................1 C.................................................................................................................................................................................................................1 Index..........................................................................................13 f....................................................1 Index................................................................................... 
ISO 9000 Family [7]........17 Index.................1 A .................................................................1 Index.....................................1 Chapter 7: Audit Performance.........................................................................................................................1 F...................................................................................................1 Index...........................................................................................16 e..................1 List of Exhibits......................................... Administration.........................................................................................................................................................................................................................1 Index.......................................................................................................................................... Summary ....................................................................................................................................................................................................................... Understanding the Customers...........................................................................................................................................................16 d...................................................................................................................................1 Chapter 3: Internal Control System.............................................................................................................................................................................................................................................

Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition
Michael P. Cangemi
Tommie Singleton
John Wiley & Sons, Inc.

This text is printed on acid-free paper.

Copyright © 2003 by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: permcoordinator@wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Cangemi, Michael P., 1948–
Managing the audit function : a corporate audit department procedures guide / by Michael P. Cangemi, Tommie Singleton.
ISBN 0-471-28119-0 (pbk. : alk. paper)

1. Auditing, Internal—Handbooks, manuals, etc. 2. Corporations—Auditing—Handbooks, manuals, etc. I. Sin…
HF5668.C37 2003
657'.458—dc21 2002153133

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

Dedicated to our mutual friend Belden Menkus for always providing encouragement and confidence in us.

ABOUT THE AUTHORS

Michael P. Cangemi is President and Chief Executive Officer and Director of Etienne Aigner Group Inc., a leading designer o… Mr. Cangemi received his Bachelor of Business Administration in Accountancy Practice degree from Pace University. Mr. Cangemi is a Certified Public Accountant and a Certified Information Systems Auditor. Mr. Cangemi has served as Director of the New York Region Computer Audit Program at Ernst & Young. He is currently servi… He is a member of the Financial Ex… Mr. Cangemi has published many articles that have appeared in publications including Internal Auditing, Datamation, New Acc… In 2000, … Over the last few years, … Inf… Mr. Cangemi and his wife, Maria, have residences in both Edison, New Jer… and two children, Michael Jason and Marc Ignatius.

Tommie Singleton is professor of Accounting and Computer Information Systems (CIS) at the University of North Alabama (… Chair—Department of CIS … Dr. Singleton received his Bachelor of Science in Accounting (1977) and MBA (1979) from the University of North Alabama. H… Dr. Singleton has earned several accounting certifications: Certified Public Accountant (CPA), Certified Information Systems A… Since becoming an academic in 1994 at UNA, Dr. Singleton has been eminent scholar (1996–1997), … Dr. Singleton has published numerous articles related to auditing and systems in publications such as EDP Auditor Journal, … Dr. Singleton has led several seminar sessions on systems and auditing subjects, many for CPE credit. Tommie and his wife Rebecca reside in Muscle Shoals, AL. They have three grown children: Shayne, Krissie, and AJ.

" This was the result at Phelps Dodge Corporation.Foreword At the turn of the century. Foreword 1 . to assist him and the Company in meeting the challenges ahead. preparing status reports. By the early 1900s. More importantly. Audit conferences were serious training and key team-building events. His audit personnel team was designed to be capable of advancing with the Company into the information age. Based on his work as Director. Contract audits alone have saved the company millions of dollars a year in contracting fees. Phelps Dodge Corporation had already achieved a proud heritage. Michael Cangemi had the personal traits we were looking for. with the help of his audit team. much had changed. Michael was fond of saying that "good people using good procedures will produce an audit product with a reliable. Michael proceeded. The audit group was also assigned to activities such as contract. Audit reports containing a summary report limited to two pages that give the scope of the report. Internal auditing is a difficult function to develop in a company. Michael decided to integrate EDP audit and financial audit. The demand for wiring throughout the country seemed endless. initiative. My background as a Public Accountant and Chairman of BDO Seidman CPAs helped me to recognize the need for a strong internal audit function. To allow it to contribute to the company. to produce an audit methodology that resulted in a most successful audit function at Phelps Dodge Corporation. Michael Cangemi joined Phelps Dodge as Director of Internal Audit. This book outlines the methodology that was implemented. The director of audit must possess integrity. Michael was promoted to General Auditor of Phelps Dodge Corporation. then Chairman and CEO. he was one of the youngest officers in the history of the company. Computer Audit at the New York Office of Arthur Young & Company (now Ernst & Young LLP). Personnel development was a very high priority of the new audit program. In addition. 
By the late 1970s when I joined Phelps Dodge Corporation as Chief Financial Officer. Over the next two years. Detailed reports were prepared for use by those responsible for implementation. it wisely invested its profits in the copper mining business. and that the reputation of the audit function and the results of its efforts could be improved. he had gained the respect of the senior management team and the board of directors. he had a program to ensure that all audit personnel would be trained in the areas of information technology and the application of the technology to the audit function. This was a high honor in a company that had a very lean corporate management structure. Developing budgets for each audit assignment. and disposition audits. and excellent communication skills. high-quality level. Formed in the early 1800s as a trading company. After those two years. George and I found that the audit resource should be more consistently applied across company operations. George B. and a conclusion and summary of findings in a concise bulleted format were created for directors. Munroe. They were growth plays at the dawn of the new age of electricity and communications. Procedures properly implemented produce the guideposts necessary to ensure that a function such as audit stays on course. key background information. I was asked by my good friend. and planning documents are essential to efficient audit performance. and much more. copper mining companies such as Phelps Dodge Corporation were the darlings of Wall Street. acquisition. the internal audit management must be empowered with wide-ranging authority. The Management Information Systems (MIS) operating areas and the Internal Audit function were to receive special attention. At the age of 33.

DC 2 Foreword . L. You can take the methodology outlined in this book and improve your own company's audit program or use it as a basis for forming a new. modern audit program.2 Foreword Once Michael had the audit function organized and had built a team that was capable of proper succession. CPA November 1995 Washington. WILLIAM SEIDMAN. Any chapter in this book provides ideas that are worth the price of the entire publication. he moved on to become a successful corporate vice president with responsibility for all of the company's information systems and benefit plans as well as internal audit.

Preface

Standing at the Rubicon!

The Emperor Julius Caesar had to cross a river to launch a civil war against General Pompey in the year 49 B.C. The description of that act has become a metaphor meaning standing at a point at which there is no turning back or new beginnings. The world of internal auditing is now at the Rubicon!

As a profession, internal auditing has been evolving for less than one hundred years. The profession continued to grow steadily through the 1950s and into the 1960s. The first wake-up call came in 1977 with the passage of the Foreign Corrupt Practices Act. Passed to address the practices of paying bribes in foreign countries, the law had requirements that adequate systems of internal control be maintained. The internal auditing professionals reacted swiftly and implemented new programs to strengthen internal controls and checks and balances. Internal audit's role in management rose to new heights. Many branched out into operational audit areas that were heretofore only discussed. They searched for new requirements, responsibilities, and ways to contribute to their organization. Auditors met at conferences and shared information and best practices in a way that should be the envy of all professional groups. All audit functions addressed information technology in one way or another. Those internal audit departments that were capable and proactive produced solid returns on investments for their organizations.

The first edition of this book was published in 1991. It has always been my hope that this book would help audit departments improve their organization and operations so that they can improve their overall performance. During these decades, the business community was changing dramatically, with technological leaps and global expansion leading the way. Internal control, as it was known, was destined to change to address the issues and complexities of the modern day. In the 1990s, the Committee of Sponsoring Organizations (COSO) issued its landmark definitional study of internal control. The product amounted to a five-volume publication which has, for the first time ever, attempted to define all of the intricacies and the subtleties of internal control and achieve agreement among leading professional organizations. At that point, internal control was redefined.

The 1990s also saw the profession of internal auditing as a candidate function for outsourcing. Is internal auditing a core capability? Can professionals from outside the organization perform studies of internal control without a thorough understanding of the personality of the organization? The debate on outsourcing is an interesting challenge for the profession of internal auditing. Internal auditing groups that were proactive and worked hard to create excellent internal audit programs have continued to satisfy their management. In fact, internal auditing outsourcing was on the rise. Enron Corp. outsourced their internal audit functions. Could this trend have been a symptom of the decline in corporate governance and the rise of aggressive accounting to boost earnings? WorldCom, Inc.'s accounting issues were discovered by an internal auditor.

The theme of this book is very simple. The first thing that all successful audit organizations have done is to organize themselves. Quality internal auditors utilizing tested and proven procedures in a proactive way will produce beneficial tangible results.

Auditing is as exciting as the world in which we audit. However, at times, many auditors have attempted to live in a slow-paced, reactive world. Coexisting with other management and partnering in the company's mission, while maintaining a healthy dose of skepticism, provides a significant interpersonal and intellectual challenge. Anticipating and preparing for the changes that constantly take place in the business world makes auditing even more challenging.

As noted above, there is little doubt that I am fascinated with auditing in general, and specifically the internal auditing profession! I first observed internal and external auditing as a member of the operations staff of a brokerage house in my college years. I then spent a number of years in public practice at Ernst & Young before joining a large corporation as Director, Internal Audit. After rising to General Auditor, I moved out of internal auditing and into a financial officer position. Internal auditing continued to report to me during this period, and I attended all audit committee meetings. After a career in industry, I then rejoined the public practice at BDO Seidman as National Director of EDP Auditing and Internal Audit Services. I joined Aigner Group, Inc. in a senior management position and after eight years as CFO, I am currently the President and Chief Executive Officer of the company. I have seen internal control and auditing from a number of interesting vantage points.

My current position affords me one of the best views from the standpoint of how internal auditing should fit in to and contribute to an organization. Internal auditing is a very challenging profession. These issues have come more clearly into view, and as a result of my current position, I am now further convinced of the need for the audit department to be proactive and seek out ways to contribute positively to the corporate mission. I am also now more aware than ever of the need for cost justification for every dollar spent, especially dollars that are not spent in the direct pursuit of revenue. As pointed out in this book, the audit function does not have the same performance measurements available to them as do other line functions within the organization. Internal audit departments must have the disciplines and measurements proposed in this book. However, all corporate managers have a desire to run a well-controlled operation. We need to be able to rely on the integrity of the data and results of our operations. As the original author, I am certain that the methodologies suggested in this book are essential principles of internal audit management. Senior management can use this book as a primer on the elements of a modern internal audit function, and once the fundamentals of an audit organization are established through the development of a policies and procedures manual, the audit department can focus more of its energies on the delivery of internal audit services.

This third edition of Managing the Audit Function greatly expands on the prior edition. In addition to a general update, a new chapter on internal controls has been added. This chapter defines internal control, risk assessment, control strategies and malicious activities. The subject should be studied and understood not just by internal auditors but all managers and board members as well. The recent developments with accounting irregularities demonstrate a clear need for an education on the complex subject of internal control! In addition, a section on the history of audit was greatly expanded and integrated into the background materials.

To add new dimensions and perspective to this methodology, I asked Tommie Singleton to join with me on this third edition. Dr. Singleton is Professor of Accounting and Computer Information Systems at the University of North Alabama. Tommie Singleton went back to school and devoted himself to accounting and auditing all the way to the PhD level. We met while working on publishing segments of his dissertation on the history of IS auditing in the IS Control Journal, where I am to this day the Editor-in-Chief. He added tremendously to this book as co-author, giving his insights and knowledge on the complex subject of internal control and sharing his vast acumen on our profession's history.

As the finishing touches were being made to this edition of Managing the Audit Function, the U.S. Congress passed the Sarbanes-Oxley Act of 2002. This act makes reporting on internal control a requirement for public companies registered with the Securities and Exchange Commission (SEC). The law requires annual reports to contain an assessment of the effectiveness of internal control over financial reporting. In addition, it requires the adoption of standards for independent auditors to attest to management's report on internal control. Separately, the act requires a company's CEO and CFO to certify quarterly and annual reports. These developments will focus senior management's attention on ensuring the adequacy and effectiveness of their internal audit department to assist management with these requirements.

We are both very active with professional associations, which keeps us at the forefront of developments affecting internal auditing. We owe a debt of gratitude to our colleagues at the IIA and ISACA who keep us connected to this interesting world of auditing. I would also like to thank my associates at ISACA, Susan Caldwell, Jennifer Blader and Jane Seago, who care so much about the profession's response to technological developments and who work to make IS Control Journal a significant contributor to the expansion of the professional literature. We are also very busy with our "real" jobs and rely heavily on our co-workers. We would especially like to thank Deb Urquhart, my Executive Assistant, for her untiring efforts and dedication to this book project. Finally, last but certainly not least, I'd like to thank Sheck Cho, our editor, who guided me through editions one, two, and now three and is always there for support and encouragement.

MICHAEL P. CANGEMI
November 2002
Edison, New Jersey


Part I: Fundamentals of the Internal Auditing Function

Chapter List
Chapter 1: Background
Chapter 2: Auditing Standards and Responsibilities
Chapter 3: Internal Control System


The "modern" era of accounting dates from the year 1494. audit planning. when a monk named Luca Pacioli published the first book on accounting. "Audit Reporting"). This section will review the history of auditing before information systems (IS). Other programs can be added to your manual. "Audit Performance". He became known as the "Father of Accounting" because of the widespread dissemination of his book and its information.C. It will be the basis for establishing methods to ensure the highest level of performance and quality in the department. Italy. Through these processes. and in particular the management of a world-class audit function. Thus this chapter is written to familiarize auditors with historical events that directly relate to audits. Beginning with Chapter 2. from 1397.500 B. All Pacioli really did was to explain existing Chapter 1: Background 1 . "Department Organization". "Managing the Effectiveness of the Audit Department"). Subsequently. These procedures should be evaluated and updated on an ongoing basis to keep pace with changing conditions.Chapter 1: Background 1.1 Introduction It is the goal of this manual to provide a broad scope of information in assisting you in developing your auditing function into a well-respected contributor to the company's mission and a world-class audit department. "Background". "Audit Planning". In fact. a brief overview of historical events affecting the audit is beneficial. The technical chapters all begin with a matrix that outlines the various tasks or functions addressed in that chapter. Chapter 7. the revision number (if you choose to keep track of the number of changes made in a particular section). including arithmetic. if appropriate). the material contained in the methodology was analyzed and improved over a 10-year period. "Auditing Standards and Responsibilities". "Personnel Administration and Recruiting"). the title of the manual (Corporate Audit Department Procedures Manual. 
the book itself contains more than accounting. but possibly did predate the invention of writing. The earliest surviving records in double-entry form are those of the Medici family of Florence. In order to achieve the above goals. Chapter 5. the section number. each page has a heading consisting of the company name. 1. and the date of the revision. However. Part Two: Management and Administration (Chapter 4. Chapter 3. Part Three: Technical Procedures (Chapter 6. Chapter 2. The manual is based on a methodology employed very successfully at Phelps Dodge Corporation. "Internal Control System"). the history of IS auditing. This book has been set up in the format of a procedures manual. Much of the text has been written so that it can be considered boilerplate and be used with your modifications to easily create your own manual. This manual will serve to document approved departmental procedures. the history of federal regulations related to auditing.2 History of Auditing [1] The ancient history of accounting and auditing left sparse documentation. and professional organizations related to auditing. the methodology was used as a basis for audit management workshops and consulting projects. The methodology is broken down into four main components: Part One: Fundamentals of the Internal Auditing Function (Chapter 1. and Part Four: Long-Term Effectiveness (Chapter 9. Chapter 8. Pacioli was a typical monk of the fifteenth century—educated in a wide variety of disciplines. circa 8. and served as tutor and mentor to the wealthy. An understanding of these events and organizations should provide substantial benefits in managing your auditing function.

Chapter 1: Background

Auditing, both internal and external, is one of the oldest professions. Writing was invented in part to satisfy the need for audits. Zenon papyri record the application of audits on the Egyptian estate of the Greek ruler Ptolemy Philadelphus II as early as 2,500 years ago. Early Greek and Roman writers such as Aristophanes, Caesar, and Cicero make mention of accountants, auditors, and auditing accounts and audit rooms. As early as the Middle Ages, a form of internal auditing existed among the manor houses of England where the lord served as manager of the audit function.

The earliest external audit by an independent public accountant was in 1720 by Charles Snell as a result of the South Sea Bubble scandal in England. The total market value of the South Sea Company, chartered in 1710, eventually exceeded the value of all money in England. Thus when the company crashed, it was an extremely significant public event in the English economy. Fictitious entries were discovered in the books. In most cases, items omitted from the records were overlooked by the auditors. This event set a precedent in the history of auditing. Thus, major auditing events, improvements, and standards tend to follow public exposure of scandals and/or fraud.

Later, the industrial revolution in England resulted in factory systems that were financed by stockholders. This situation necessitated the need for auditors. To protect the public, the British Companies Act of 1844 provided for mandatory audits. One provision of the law required all companies to maintain adequate accounting records. Thus, even small firms that did not need accounting for management control purposes suddenly had to have accounting records. Eventually, in 1853, organizations of chartered accountants were formed in Scotland. Then in 1880, five organizations were melded into the unified Institute of Chartered Accountants in England and Wales. By 1881, it had a membership of more than 1,000 members.

The same industrial revolution was occurring across the Atlantic in the United States, too. Soon, British auditors were being sent to audit American companies. For example, the British firm Price Waterhouse was sending over auditors as early as 1873. By the late nineteenth century, New York offices existed for British firms Price Waterhouse, Peat Marwick & Company, and Arthur Young & Company. Thus it was the British who built the infrastructure for professional auditing in the United States.

One of the first key events in the history of the U.S. audit profession was the establishment of what was the forerunner of the American Institute of Certified Public Accountants (AICPA) in 1887. In 1896, New York law provided for the issuance of CPA certificates to those who could pass a qualifying examination. In fact, many, if not most, experienced practitioners were "grandfathered" in by being granted CPA certificates without having to take the examination. Soon afterward, all states passed CPA laws. Initially, each state prepared its own CPA examination, but in 1917 the American Institute of Accountants began preparing a uniform CPA examination that could be used by all states. Another early event of note is the 1913 passage of the Sixteenth Amendment legalizing income taxes. [2]

The audits of the late 1800s and early 1900s were largely devoted to the accuracy of bookkeeping detail. At first, all vouchers were examined and all footings verified, and the result was an auditing profession that was viewed by outsiders as more clerical than professional. This view was to change between 1900 and 1917, because bankers became more important as sources of financing and because practice began to catch up with the auditing literature. Bankers were less concerned with clerical accuracy than with balance-sheet quality. Hence, as bankers became major users of audited financial statements, the objective of the audit became more concerned with the valuation of assets on the balance sheet. The change in philosophy mirrored the recommendations in the leading auditing book of the time, which was written by Robert Montgomery. This new direction culminated in the 1917 issuance of Uniform Accounting, a joint publication of the

American Institute and the Federal Trade Commission, which also had the endorsement of the Federal Reserve Board. This document was the first formal declaration of generally accepted accounting principles and auditing standards. It outlined a complete audit program, instructions for auditing specific account balances, and a standardized audit report. This publication was reissued, with minor changes, in 1918 under the title Approved Methods for the Preparation of Balance-Sheet Statements. Subsequently, in 1925, another revision included more emphasis on the income statement and internal controls. Still another revision in 1936 placed equal emphasis on the balance sheet and income statement. The 1917 document and its revisions became the bible of the auditing profession for more than two decades.

The recent history of external auditing is more events-oriented. Thus, little has occurred in recent years that was not brought about by some catastrophic event such as a lawsuit, financial disaster, or a major fraud case. One of the earliest important auditing cases was that of Ultramares Corporation v. Touche, Niven & Company (1931). Ultramares had loaned money to Fred Stern and Company in 1924 on the basis of financial statements prepared by Touche. On those statements, accounts receivable had been overstated. In 1929, Fred Stern and Company filed for bankruptcy. A lower court found Touche guilty of negligence, but the firm was declared not liable to Ultramares because there was no privity of contract between the auditor and Ultramares. The New York Court of Appeals agreed that third parties could not hold an auditor liable for ordinary negligence, only for fraud. However, gross negligence could be construed as fraud, which opened up the auditor to lawsuits even though there was no way of knowing who was going to rely on the misleading financial statements. Thus, the auditor became subject to almost infinite third-party liability. This liability was further expanded at the federal level in the securities acts of 1933 and 1934.

By the time of the 1929 stock market crash, external auditing had become a somewhat standardized profession, but not a particularly large profession. Since bankers were the primary users of financial statements, the only companies needing audits were those that depended on banks for capital. Companies that depended on stockholder financing were not required to have audits. Thus, even companies listed on the New York Stock Exchange often did not issue audited financial statements. Financial reporting as we know it today was in its infancy. Consequently, stockholders based their investment decisions solely on dividend payments, not profits. That was to change because of Ivar Kreuger—one of the greatest swindlers the world has ever seen.

The most widely held securities in the United States—and the world—during the 1920s were the stocks and bonds of Kreuger & Toll, Inc., a Swedish match conglomerate. The company was founded and headed by Ivar Kreuger, supposedly the richest man in the world. Kreuger's securities were popular because they sold in small denominations and paid high dividends and interest (often 20% annually). Kreuger was essentially operating a giant pyramid scheme, which was hidden from the investing public by Kreuger's insistence that financial statements not be audited. He advocated that financial secrecy was paramount to corporate success. In Kreuger's defense, some amount of secrecy was needed because he was often dealing with foreign kings and dictators about government monopolies and taxes on wooden matches. Kreuger's dividends were paid, however, out of capital. The stock market crash of 1929 made it more difficult for Kreuger to sell new securities to fuel his pyramid scheme, and he committed suicide in March 1932. Within three weeks, his companies were in bankruptcy as it became apparent that there were few assets to support the unaudited financial statements that had been issued over the years. Subsequently, it was discovered that many of his companies' assets were in the form of intangible monopolies. The bankruptcy was the largest on record up to that time and resulted in numerous changes in financial reporting. A single event, the corruption of Ivar Kreuger, had shaken investors' confidence and provided the media event of the decade. Newspaper articles kept U.S. citizens aware of the extent of Kreuger's fraud at the same time that Congress was considering passage of the federal securities laws. Thus, the timing of the bankruptcy and the corresponding media coverage made it politically expedient to pass laws that would make similar schemes difficult in the future.

As a result, the Securities Act of 1933 was passed, and the New York Stock Exchange issued rules mandating audits of listed companies. Interestingly, some might say that because of the resulting improvements to financial reporting, Kreuger did more good than harm for the financial community. A person of his ilk was needed to show the world that auditors are necessary and can make a contribution to a regulated securities market. Auditors thus owe much of their livelihood to the fraud perpetrated by Ivar Kreuger. Even a movement toward uniformity in accounting principles can be laid at the feet of Kreuger.

The 1936 version of the American Institute's 1917 joint pronouncement with the Federal Trade Commission on auditing standards suggested that auditors might want to observe inventories and confirm receivables, but there was no requirement for these procedures. Many auditors had long opposed observing inventories under the theory that CPAs were not skilled appraisers and that a statement that they had physically inspected inventories might be construed as a guarantee of the inventory valuation. This lack of a requirement for inventory observations and receivable confirmations proved to be an embarrassment to the profession when the McKesson & Robbins scandal surfaced in 1938. The senior management of McKesson & Robbins had used a facade of false documents to conceal the fact that $19 million in inventory and receivables were nonexistent. The auditors had obtained management assurances as to the value of the inventories and had test-checked the inventories to purchase orders (which were fabricated to conceal the fraud). A Securities and Exchange Commission (SEC) investigation concluded that Price Waterhouse & Company had adhered to generally accepted auditing procedures as recommended in the 1936 Institute pronouncement. But the SEC concluded that although generally accepted procedures had been followed, those procedures were inadequate. As a result, in 1939 the American Institute issued Statement on Auditing Procedure (SAP) No. 1 that required auditors to observe inventories and confirm receivables. And the profession began to issue promulgated statements and standards related to the specific procedures and standards of audits.

The McKesson & Robbins case was a turning point in auditing history. No longer was the auditor responsible for auditing the accounts of management; responsibility was extended to an audit of the business itself.

Other cases have influenced auditors in recent years, but none to the extent of the frauds associated with Ultramares, Kreuger, and McKesson & Robbins. Continental Vending Machine Corporation (1968) was unusual in that it marked the first instance of an external auditor being criminally convicted for fraud. On the whole, the recent history of auditing has been centered on reacting to adverse events affecting the profession. The overriding conclusion of all of this activity is that the (external) auditing profession has long been reactive rather than proactive.

[1] Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.

[2] Interestingly enough, a similar law was passed during the Civil War but was later ruled to be unconstitutional by the U.S. Supreme Court.

1.3 History of Internal Auditing [3]

Some types of internal audits date back thousands of years. As mentioned earlier, the Greeks, Romans, and Egyptians were conducting audits before the birth of Christ. In fact, the scope of these early audits was in many ways akin to that of modern internal audits; both included an examination of the correctness of accounting records and an evaluation of the propriety of activities reflected in the accounts. Emphasis was on improving management control over the activities of the organization. Such broad emphasis was not to reappear on a wide scale until after World War II.

In the United States, there was little need for internal auditing in the colonial period because there was little in the way of large industry. In government, however, the first U.S. Congress in 1789 approved an act that included a provision for the appointment of a secretary of the treasury, a comptroller, and an auditor. The auditor's job, of course, was to receive all public accounts, examine them, and certify the balances.

Despite the aforementioned early references, it was during the latter part of the nineteenth century that these first real internal auditors became commonplace. In the United States, railroad companies are usually credited with being the first modern employers of internal auditors. The title applied to these employees was traveling auditors, and their duty was to visit the railroads' ticket agents and determine that all the accounting for all monies was properly handled. Other early industries to use internal auditors included the large Krupp Company in Germany. Krupp apparently employed some type of internal audit staff at least as early as 1875 since there is a company audit manual dated January 17, 1875, which includes the following provisions:

• The auditors are to determine whether laws, contracts, policies and procedures have been properly observed and if all business transactions were conducted in accordance with established policies and with success.
• In this connection, the auditors are to make suggestions for the improvement of existing facilities and procedures, criticisms of contracts with suggestions for improvement, etc.

Although the roots of internal auditing do date back into the nineteenth century, real expansion did not occur until the early part of the twentieth century with the growth of the large corporate form of business. The major factor in the emergence of internal auditing was the extended span of control faced by management in business employing thousands of people and conducting operations in many locations. In addition, the growth in the volume of transactions resulted in a substantial bill for public accounting services for the organization that tried to maintain control by continuing the traditional form of audit by the public accountant. Thus, the need for an audit function was recognized.

The objectives of early internal auditors were primarily built around the protection of assets. Because of the nature of accounting record keeping at the time (i.e., manual), auditors were needed to check the records after they were created for accuracy—for errors in postings or footings. Auditors were also concerned with the possibility of fraud. The internal auditor was a verifier, basically a clerical function, or a "cop," to protect organizational assets. The National Industrial Conference Board's study of internal auditing explained the early motives as follows:

• Protection of company assets and detection of fraud were the principal objectives. Consequently, the auditors concentrated most of their attention on examinations of financial records and on the verification of assets that were most easily misappropriated. Defalcations and improperly maintained accounting records were major problems. A popular idea among management people a generation ago was that the main purpose of an auditing program was to serve as a psychological deterrent against wrongdoing by other employees.

That same study recognized the internal auditor of yesteryear did not perform the same duties as the modern-day internal auditor:

• In less complicated times, management frequently maintained control over company operations by personal supervision. There were not so many levels of authority separating policy makers from production workers, and demands on senior executives' time were neither so numerous nor so urgent. There was no need for the pioneer internal auditor to perform all of the functions that are handled by today's internal auditors.

Prior to 1941, internal auditing (IA) was essentially a clerical function with no organization and no standards of conduct. In fact, accounting textbooks of the period never referred to the subjects of internal auditing or internal control.

The old concept of internal auditing can be compared to a form of insurance: The major objective was to discover fraud more quickly than it could be discovered by a public accountant during an annual audit. Thus, the internal auditor was performing a function similar to a police officer or detective. That emphasis was to change in just one decade.

The year 1941 marked a turning point in the development of internal auditing as two significant events occurred. One of those events was the publication of the first major book on the subject—Victor Z. Brink's Internal Auditing.

During the 1940s, internal auditors began to expand their audits to encompass more than the traditional financial audit. The shift to a war economy in the early 1940s was the primary cause for the expansion of internal audit scope. Management became more concerned with production scheduling, shortages of materials and laborers, and compliance with regulations. As a result, cost reporting became more important than external reporting, and internal auditors began directing their efforts toward assisting management in whatever way possible. Following the war, the benefit of the auditor's assistance was so obvious to management that there was no consideration of reducing the auditor's scope to prewar levels. Part of the development probably can be attributed to the change in technology. As accounting became mechanized and computerized, records became subject to automatic checking procedures. At the same time, the need to check every transaction declined, giving internal auditors time to reach beyond the historical clerical limits.

The term operations or operational auditing was adopted to describe the expanded activity. The first technical paper to use the phrase operational auditing in the title was published in The Internal Auditor in June 1954 and written by Frederic E. Mints. Other authors had discussed the subject, but had referred to non-accounting matters, instead of operational subjects. Arthur H. Kent's work, "Audits of Operations," published in The Internal Auditor in March 1948, was the first article to describe the expanded-scope audit. In that piece, Kent made frequent mention of an operations audit. By the mid-1950s, others were using the term in speeches, articles, and technical publications. At about the same time, accounting became more mechanized and computerized, and records became subject to automatic checking procedures once performed by internal auditors. That trend was reflected in the 1957 Statement of Responsibilities of Internal Auditing.

The growth in the internal auditor's scope of responsibility can be observed through a comparison of the 1947 Statement of Responsibilities of the Internal Auditor and the 1957 revision of the same document. The 1947 version stated that internal auditing dealt primarily with accounting and financial matters but may also properly deal with matters of an operational nature. Whereas the 1947 Statement said that an auditor might also deal with operating matters, the 1957 Statement stated that the auditor should be concerned with any phase of business activity. The IIA described the broad role of internal auditing with its 1957 Statement of Responsibilities of the Internal Auditor. The 1957 Statement included these internal auditor (IA) duties:

• Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and operating controls
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which organizational assets are accounted for, and safeguarded from, losses of all kinds
• Ascertaining the reliability of accounting and other data developed within the organization
• Appraising the quality of performance in carrying out assigned responsibilities

The modern concept of internal auditing is that of an arm of management. Today, internal auditors are an integral link in the management process and are just as concerned with waste and inefficiency as with fraud.

As previously mentioned, there were two significant events in 1941—the publication of the first major book on internal auditing and the founding of the IIA. Victor Z. Brink's doctoral dissertation was published in January 1941 by Ronald Press. Also in 1941, 24 individuals joined together to form The Institute of Internal Auditors (IIA). Interestingly, the latter event was related to the former.

John B. Thurston, internal auditor for the North American Company in New York, had been contemplating establishing an organization for internal auditors. Thurston and Robert B. Milne had served together on an internal auditing subcommittee formed jointly by the Edison Electric Institute and the American Gas Association. These two had decided that further progress in bringing internal auditing to its proper level of recognition would be difficult in the two organizations. Instead, what was needed was an independent organization for internal auditors. When Brink's book came to the attention of Thurston, the two men got together and found they had a mutual interest in furthering the role of internal auditing. Only 11 members were present at the first annual meeting of the IIA. Thurston was elected as its first president.

The new group was quick to begin its activities to further the development of its members. A director of research approved in January 1942 the first book published under the IIA auspices, and it was issued in March 1943. A journal, The Internal Auditor, was begun in September 1944. Membership was divided into local chapters beginning in December 1942, when the New York chapter was formed. The Detroit, Chicago, Cleveland, Los Angeles, and Philadelphia chapters followed in 1943. Additional chapters were formed the following year in Dayton and in Toronto, the first outside the United States. By the end of 1947, 19 chapters operated throughout North America. The first chapters outside North America were formed in London and Manila in 1948 to begin the trend toward true internationalization. Membership grew quickly. The original 24 increased to 104 by the end of the first year, to 1,018 at the end of five years, and to 3,700 by 1957, with 20% of the latter figure located outside the United States.

In 1963, the National Industrial Conference Board studied 177 organizations' objectives for their internal auditing programs. The Board concluded with five primary objectives:

1. Determine the adequacy of the system of internal control
2. Investigate compliance with organizational policies and procedures
3. Verify the existence of assets, ensure that proper safeguards for assets are maintained, and prevent or discover fraud
4. Check on the reliability of the accounting and reporting system
5. Report findings to management and recommend corrective action where necessary

In 1975, the IIA found that 95% of all respondents to a survey conducted operational audits for purposes of judging efficiency, effectiveness, and economy. The same study found that 51% of the total audit time was spent on operational auditing activities. Thus the shift from financial to operational had become profound and permanent. The modern work of the internal auditor had become auditing for efficiency and effectiveness more than financial propriety. The internal auditor had also become an integral part of the management team. Other developments would further focus IA on operational audits.

Another dramatic change in the IA function in the United States occurred in 1987 with the Treadway Commission report. The commission was formed to study the cause of fraudulent financial reporting. The Commission was organized by five accounting organizations—IIA, AICPA, American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial Executives International (FEI)—known as the Committee of Sponsoring Organizations (COSO). The committee concluded: (1) an internal audit function should exist in every public corporation, and (2) there should be a corporate audit committee composed of non-management directors of the corporation. These conclusions not only enhanced the IA profession but also brought fraud to the forefront of IA functions. The IIA Standards and Statement have evolved further and now have the cornerstone of risk assessment.

Also in the 1990s, one trend caused a change in the way the IA function was carried out. Outsourcing became a popular way for organizations to employ the IA function. The role of the IA function was served by public accounting and other providers, like it had been before 1941.

The internal auditing function has undergone significant changes in the last century. The main objective of the IA function has moved from that of fraud detection to assisting management in making decisions beginning with a risk assessment. The IA staff of today is considered a good training ground for management-level personnel, but many organizations have out-sourced the entire IA function.

[3] Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of Progress, by Dale L. Flesher, IIA, 247 Maitland Avenue, Altamonte Springs, FL 32701-4201. Copyright 1991 by The Institute of Internal Auditors, Inc. Reprinted with permission.

1.4 Auditing Government Agencies

Various governmental audit agencies throughout the world have played a role in the movement toward the modernization of internal audit procedures. In the United States, the General Accounting Office (GAO) has played a major part in broadening the role of the auditor. The GAO's publication, Standards for Audit of Governmental Organizations, Programs, Activities and Functions (commonly called the "Yellow Book" because of the color of its cover) explains the metamorphosis in the following manner:

• This demand for information has widened the scope of governmental auditing so that such auditing no longer is a function concerned primarily with financial operations. Instead, governmental auditing now is also concerned with whether governmental organizations are achieving the purposes for which programs are authorized and funds are made available, are doing so economically and efficiently, and are complying with applicable laws and regulations.

The scope of a governmental audit (e.g., an audit of or for a government agency) is composed of three elements:

1. Financial compliance
2. Economy and efficiency, and
3. Program results

The typical definition of a financial audit would not include elements 2 and 3. These are operational auditing techniques. Basically, the recommended standards encompass those standards that have been adopted by the AICPA for use in audits to express an opinion on the fairness of financial statements. Governmental audits, however, go a step beyond those standards that are applicable to audits of financial statements.

1.5 History of Information Systems Auditing

The technology revolution in accounting and auditing began in the summer of 1954 with the first operational business computer. Information technology (IT) changed the way accounting data was stored, retrieved, and handled. These new systems led to radically different audit trails, if one at all. The revolution became a dynamic evolution as the computer industry sustained continuous, rapid technical innovations. In addition to the introduction of computers to the business world, other IT-related events have also had a profound effect on the auditing profession and the way audits are conducted. These events included: (1) the commercialization of computers, (2) the introduction of AUDITAPE, (3) the Equity Funding scandal, (4) the

emergence of Information Systems Audit and Control Association (ISACA), (5) the Systems, Auditability, and Control (SAC) studies by the Institute of Internal Auditors (IIA), and (6) constant emerging technologies.

a. Birth of Information Systems Auditing

The introduction of computer technology into accounting systems disrupted the routine auditors had been able to establish to properly audit accounting systems. It was possible for an auditor to retire in the 1950s having used similar audit programs throughout one's career. That will never happen again! The effects of IT on auditing have culminated in a set of knowledge, skills, and standards necessary to conduct the contemporary audit that were nonexistent in 1954. The audit process itself has become different from traditional audits prior to 1954 (e.g., audit tools and techniques). Information technology affected, and continues to affect, auditing; that is, it became necessary to add new standards, affecting the body of auditing standards.

A seminal event occurred very early in the history of business computers. General Electric is attributed with the first operational electronic accounting system, a UNIVAC computer, in the summer of 1954. From 1955 to the mid-1960s, at the beginning of IT history, the computer world included only mainframes. The cost of these machines made it prohibitive for most companies to purchase one. During this time, few people had the knowledge and expertise to program a computer. This situation prevented most accountants from preparing programs to audit through the system. In the beginning, IT itself provided an inherent protection, because few people knew enough to violate the systems. It also provided its own form of security. Because of the new knowledge necessary to understand computers and electronic data processing (EDP), the auditing profession struggled to develop a new set of tools, techniques, and systems knowledge—and the training and standards to accompany them.

As early as 1961, some nascent articles and discussions deliberated the possibility of using information technology (i.e., the computer) as an audit tool, but Howell at the USAF was actually using technology as an audit tool. This notable example of early innovation was an article, "Using a Computer to Reconcile Inventory Counts to Books," published in N.A.C.A. Bulletin (National Association of Cost Accountants) in June 1956. In the article, the author, Frank Howell, member of the Auditor General's staff for the United States Air Force (USAF) in Washington, D.C., described how an organization used the computer to reconcile inventory counts to books. The computer was programmed to print out major differences between counts and inventory records while automatically adjusting the books to the count for minor differences. The program even evaluated the effectiveness of inventory operations in various departments and determined which supervisors were doing the best job of counting inventory. Taking into account the length of publication cycles, this technique was being used as early as 1955. At the time, this idea was radical and innovative. Thus, one early effect of information technology was to provide the very tools auditors would need to adequately audit accounting data. This effect became perpetual as future technologies would also be used as tools in audits of EDP systems.

Not all creative tools and techniques were delivered using emerging technologies. The U.S. Air Force adapted traditional separation of duties between programmers, systems designers, and keypunch operators. Other traditional auditing principles would be similarly altered to accommodate the effects of IT on auditing.

b. Commercialization of Computers

Beginning in 1963, the escalation of computer usage in accounting systems caused auditors to think about how they were going to deal with this new technology. Up until then, all of the computers were mainframes. Several organizations had begun to manufacture computers to be used in business during the late 1950s and early 1960s. Some manufacturers, such as Singer and General Electric, soon exited the computer market. Others, such as Burroughs and IBM, became major suppliers of business computers.

The use of computers in accounting began to escalate in 1963 with the introduction of a new, lower-cost computer by IBM—the IBM 360. The plan at IBM was to introduce smaller machines at more affordable costs to businesses. The IBM 360 accomplished this objective, and a rapid increase in sales of commercial-use computers ensued. And the spiral of better IT, cheaper IT, and smaller-size IT was off and running. This increase in computer sales was instrumental in creating a greater need for EDP auditing concepts in businesses and a need for auditors skilled and knowledgeable about EDP. Thus, the number and variety of financial accounting systems and clients with computers greatly increased in the last half of the 1960s. The need for skills required to handle the audit of computerized data significantly increased beyond those of an EDP technician. The growth of computerized accounting systems would create an environment in which auditors would be unable to perform the audit steps once done manually.

c. AUDITAPE: Breakthrough for Information Systems Auditors

From the beginning, external auditors had a difficult time in auditing through the computer. In the 1960s, the majority of auditors audited around the computer ignoring, for the most part, the effect of EDP on the audit. Those auditors who audited through the system had to rely on expensive, time-consuming, and continuously changing custom audit programs. For example, in 1968 Keagle Davis undertook a study at Touche Ross that showed that their programmers had written 150 to 250 customized audit programs in 1967 alone. While 75% of these were effective, 80% required major programming changes the next year because of changes in the computer system or changes in audit needs. Meanwhile, very few audit tools existed, and there was a meager use of the tools that did exist. Very few auditors had yet acquired a high level of technical skills in 1967. Information technology's effect on access to data by external auditors (i.e., difficult to examine) drove the need for better audit tools. That is, access to data was gradually slipping away from auditors. Together, these needs drove the development of generalized audit software (GAS). The development and use of GAS was a breakthrough in audit tools.

A series of events and projects at Haskins & Sells (H&S) led to the initial GAS package. First, in the late 1950s, Kenneth Stringer began to develop a statistical sampling plan, Probability Proportional to Size Sampling (PPS). In 1962, H&S formally adopted the plan. PPS was a precursor to AUDITAPE, but it was not the only motivation, or even the primary motivation, in developing AUDITAPE. Stringer and the management at H&S were also motivated by the fact that the more clients computerized their accounting, the more dependent auditors would become on computer expertise. AUDITAPE was born from a need to audit through the computers (information technology) in a simple, efficient, and effective manner. Although statistical sampling preceded AUDITAPE by several years, AUDITAPE affected the use of statistical sampling as much as it affected anything. AUDITAPE also affected other aspects of auditing.

The introduction of AUDITAPE in October 1967 by Haskins & Sells at the American Accounting Association (AAA) annual meeting in Portland, Oregon, was a key event for external auditors in particular (at that time), and internal auditors (later). Practitioners were excited when they saw the potential of AUDITAPE because external auditors who were not highly technical could now run the computer and use it as an audit tool. AUDITAPE was the impetus that led to the development and use of audit tools, specifically GAS, in EDP audits. As a direct response to the introduction of AUDITAPE, several GAS packages were developed from 1968 to the early 1970s. Every Big Eight public accounting firm developed its own proprietary GAS package during this time. Independent organizations, such as Computer Audit Systems, Inc. (Joseph Wasserman, CARS software) and, in the late 1970s, P.J. Corum (later Pansophic, Panaudit software), also developed GAS packages. To this day, GAS is perhaps the most valuable tool an auditor has to audit data embedded in IT.

The AICPA added its contribution to EDP audits, even though it was without official standards or guidance. In 1967, Robert Trueblood of Touche Ross, president of the AICPA, pursued the theme of computers in

accounting during his term. Trueblood used his influence to have the AICPA hire Gordon Davis to both assist CPAs in the use of computers and codify EDP auditing. Dr. Davis, a professor at the University of Minnesota, accepted the responsibility and took a leave of absence to be de facto chairman of the committee appointed by the AICPA. Each of the Big Eight firms was invited by the AICPA to participate on the committee in the development of this project, and seven firms provided representatives. The major result of the project was a book entitled Auditing & EDP, published in 1968. Although the book itself did not present the official position of the AICPA (i.e., it was not promulgated standards), it did present a number of audit and control concepts and procedures as an unofficial document. It included examples of how to document an EDP audit and a sample questionnaire for processing internal control review. Perhaps the most important chapter was one dedicated to explaining when and how to audit around the computer. If auditors did choose to audit around the computer, the chapter recommended that an evaluation of internal control be made to both review and test the system. That is, auditors could officially audit input and output and still be in compliance with AICPA standards. This recommendation was essentially the context of Statement on Auditing Standards (SAS) No. 3: The Effects of EDP on the Auditor's Study and Evaluation of Internal Control, promulgated six years later in December 1974. This popular book went through many printings and a revision in 1983.

The Auditing & EDP project led to several changes in the auditing profession. First, auditors could not simply ignore the presence of EDP in the accounting system. Second, audit managers who believed the computer was a fad or a fancy calculator began to take more seriously the implications of using EDP in accounting. Managers who believed that the computer was a black box and it did not really matter what went on inside began to change their minds. Another result of the Auditing and EDP Task Force was the establishment of a permanent EDP auditing committee within the AICPA. The committee's efforts eventually led to the issuance of several audit guides and SAS No. 3.

d. Equity Funding Scandal: Abuse of Information Technology

Oddly enough, the abuse of information technology—to falsify accounting data and hide a fraud—was one of information technology's most significant influences on auditing. The Equity Funding financial fraud scandal jolted both the accounting profession and management—including audit management—from a stodgy, traditional audit ideology. The atmosphere, in general, was ripe for change.

Managers at Equity Funding Corporation of America used a series of frauds beginning in 1964 to show false profits, thus increasing the company's stock price. The primary fraud was the use of phony insurance policies. Equity Funding used several tactics to perpetrate the fraud. One was to use different external auditors in order to confound the audit process and prevent detection of the fraud. The company used another deceptive tactic during confirmation of receivables. When the external auditing firm tried to confirm receivables (policies) by phone, the Equity Funding switchboard operator simply patched them through to Equity Funding employees in the building. EF employees were in on the fraud and actually provided external auditors with false information.

The fraud was exposed when a disgruntled ex-employee blew the whistle. In March 1973, the SEC suspended trading of Equity Funding stock. The subsequent audit by Touche Ross was definitely not traditional. That is, it was a fraud audit, not a financial audit: the auditors were trying to prove that the insurance policies did not exist. Touche Ross auditors used the opportunity to apply a variety of new techniques to satisfy audit requirements in terms of information and how the system reports and files data. The audit took two years to complete. Touche Ross found about $2 billion of phony insurance policies—two-thirds of the policies Equity Funding claimed to have in force. The most amazing fact of the case is that it went undetected for so long. Many people inside the company knew about the fraud, and yet the fraud was a better-kept secret than some of our military secrets of the time.
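The Touche Ross engagement was, in effect, a search for policies that did not exist. Two of the techniques this chapter credits to audit software, statistical selection of the items to confirm (the PPS plan that AUDITAPE grew out of) and profiling a policy file by an attribute such as department code, can be shown on a small constructed file. The Python below is an added example, not code from the book, from AUDITAPE or from any GAS product; the record layout, the field names and the ten policy records are constructed, with one department code deliberately carrying most of the face value so that the profile has something to flag.

```python
"""GAS-style analytics over a constructed insurance policy extract.

Added example, not code from the book, from AUDITAPE or from any GAS
product. The record layout, the field names and the ten policy records
are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed policy extract, one record per line:
# policy number, department code, face value in dollars.
# Department "99" deliberately carries most of the face value so that
# the concentration check below has something to flag.
POLICY_FILE = """\
P1001 14 25000
P1002 22 10000
P1003 99 50000
P1004 07 15000
P1005 99 50000
P1006 99 50000
P1007 14 30000
P1008 99 50000
P1009 22 12000
P1010 99 50000
"""


def parse_policies(text: str) -> List[Dict[str, object]]:
    """Split the whitespace-delimited extract into policy records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        policy_no, dept, face = line.split()
        records.append({"policy_no": policy_no, "department": dept,
                        "face_value": int(face)})
    return records


def department_profile(records: List[Dict[str, object]]) -> Dict[str, Tuple[int, int]]:
    """Count policies and sum face value per department code."""
    counts: Counter = Counter()
    totals: Counter = Counter()
    for r in records:
        counts[r["department"]] += 1
        totals[r["department"]] += r["face_value"]
    return {d: (counts[d], totals[d]) for d in counts}


def flag_concentrations(records, max_share: float = 0.5) -> Dict[str, float]:
    """Return {department: share} for codes whose share of total face value
    exceeds max_share. One code carrying most of the book is the sort of
    anomaly a file profile surfaces and a confirmation sample should target."""
    total = sum(r["face_value"] for r in records)
    flagged = {}
    for dept, (_count, value) in department_profile(records).items():
        share = value / total
        if share > max_share:
            flagged[dept] = round(share, 3)
    return flagged


def pps_sample(records, sample_size: int, random_start: int):
    """Probability-proportional-to-size (monetary unit) selection.

    Every dollar of face value is a sampling unit. The interval is
    total / sample_size; walking the cumulative total, a record is selected
    whenever a selection point (random_start, random_start + interval, ...)
    falls inside its dollar range. Large policies are more likely to be
    picked, and any policy at least as large as the interval is certain to
    be. Returns (interval, selected policy numbers)."""
    total = sum(r["face_value"] for r in records)
    interval = total / sample_size
    if not 0 < random_start <= interval:
        raise ValueError("random_start must lie in (0, interval]")
    selected = []
    cumulative = 0
    next_point = random_start
    for r in records:
        cumulative += r["face_value"]
        hit = False
        # A large item may contain several selection points; select it once.
        while next_point <= cumulative:
            hit = True
            next_point += interval
        if hit:
            selected.append(r["policy_no"])
    return interval, selected


if __name__ == "__main__":
    recs = parse_policies(POLICY_FILE)
    print("department profile:", department_profile(recs))
    print("flagged concentrations:", flag_concentrations(recs))
    print("PPS sample (n=4, start=20000):", pps_sample(recs, 4, 20000))
```

Run as a script, the profile shows five of ten policies, and about 73% of the face value, sitting under one department code, which the concentration check flags; the PPS selection with a sample size of four and a random start of 20,000 picks P1001, P1005, P1006 and P1008, three of them from the suspect department, because selection probability follows dollar value rather than record count. On a real extract the same two passes would run over millions of records, and the confirmation work would then go to the selected policies instead of to whoever answers the client's switchboard.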

For the most part, the external auditors before Touche Ross failed to follow up on numerous clues that indicated something was wrong. For example, all bogus policies were coded to department "99." The auditors also did not review system flowcharts or program code but treated the computer as a black box. The use of audit software could have detected the fact that the policy file was fraudulent. Not only did the external auditors overlook the clues, but the SEC could be accused of the same thing. An SEC staff member wrote memos 15 months prior to Equity Funding's collapse reporting rumors of irregularities. The SEC, however, dropped the investigation shortly after receiving the memos.

The popular press treated the fraud as a computer fraud, but it really was not—it was a management fraud. Still, the fact is that Equity Funding management probably could not have perpetrated the fraud without the use of computers. The public's perception of the part that the computer played in the fraud caused a new wave of interest in audit procedures where computers were a component of the accounting system. This financial fraud affected a wide range of constituencies. At least 12 different federal and state agencies were involved in the aftermath of exposure of the scandal. These included insurance regulators, bank regulators, postal inspectors, the FBI, and the U.S. Attorney's office.

The Equity Funding scandal had a domino effect in the auditing community. The prevailing belief at this time was that traditional audits (those that audited around the computer) were sufficient to detect the existence of material and significant frauds. Others, however, had espoused the need for auditing through the computer. These people were now receiving attention from accountants, auditors, and management. The attitude of isolating the computer system from the EDP auditors, held by some corporate management, changed after Equity Funding. In addition, after an event such as the Equity Funding fraud, some of the customary policies and procedures that had been acceptable began to be questioned. Security became an increasingly significant issue for all auditors—up until Equity Funding, auditors were absorbed with accounting-related issues in EDP. Equity Funding highlighted the need for audit standards that apply directly to EDP auditing (these were non-existent at the time). Even IBM changed.

Auditing literature was also affected. An analysis of citations prior to 1973 shows an insignificant amount of research and publications on EDP auditing issues by such organizations as the AICPA, Big Eight firms, and IIA. From 1955 through 1970 (16 years), according to the Accountants' Index published by the American Institute of Accountants, the AICPA published only 21 articles, two chapters in a book, and Auditing & EDP. State societies published 25 articles. The more active Big Eight published about 40 articles (some overlap with the AICPA publications in The Journal of Accountancy and state society publications). The IIA published 10 articles and no books in the same period. None of these institutions averaged two articles per year. Between 1973 and 1977, numerous activities followed Equity Funding: publications, research, standards, and seminars. Harold Weiss was credited with providing the only major EDP auditing training during the late 1960s and early 1970s. He said that his activity increased so significantly after Equity Funding that he had trouble filling all of the requests. He also said most of the managers that had previously told him "no" to his requests of EDP audits or the use of EDP audit techniques were now calling and asking for his help to institute computer controls and EDP audit techniques. A comparison of the EDP auditing profession prior to 1973 and immediately thereafter leads to the conclusion that the Equity Funding scandal was the single most important event in EDP audit history. Equity Funding did more for the rise of EDP auditing (i.e., more EDP auditor jobs) than any other single event.

e. Systems, Auditability, and Control Research Study—Institute of Internal Auditors

In 1965, management at IBM decided to make a substantive effort to change the image of the computer from a villain to a hero. By 1973, IBM had established a close working relationship with the public accounting community. For example, IBM helped establish a users group, Accountant Computer Users Technical Exchange (ACUTE), in New

York City. At that time, IBM established a liaison position to cooperate with the public accounting community, a two-way communication line intended to benefit both parties. IBM invited accountants to training, even if they did not own an IBM computer (IBM normally required training attendees to be owners of IBM equipment). While other computer manufacturers were offering only technically oriented training, IBM offered training that was less technical, and thus more useful to accountants. In return, the referrals from accountants led to sales. After Equity Funding, IBM instituted auditability and security programs for its computers and for auditors. As a result of these relationships, feedback from auditors led to improvements in the security and auditability features of IBM computers. Due to this effort, every IBM computer had a technical guide on the security and auditability features of that particular computer. Auditors benefited from these guides when conducting their audits. Auditors were assisting IBM, to some degree, in becoming the leading manufacturer of computers.

Just before the exposure of the Equity Funding scandal, there was no authoritative source for EDP audits that would provide information, tools, procedures, and techniques. State-of-the-art tools, techniques, standards, and procedures also suffered from a lack of exposure and codification. That is, no entity had been able to define EDP auditing precisely and communicate that definition nationally. Members of the IIA staff had been planning a large-scale research project into information systems and auditing called Systems, Auditability, and Control (SAC). In 1973, the IIA formally approached the IBM liaison, Sam Albert, about the possibility of IBM's financial support for the SAC research. Albert eagerly agreed to pursue possible financial support from IBM and was able to convince IBM management to invest in the project. Albert unilaterally decided it was in the best interests of IBM to be the sole sponsor of the project, and in 1975 he secured a financial commitment of $500,000 from IBM.

The SAC study had the ambitious goal of making a definitive evaluation of EDP auditing. It was intended to provide a normative model for EDP auditors in performing their duties. In 1977, SAC was published. SAC established what effective EDP audit shops were doing, especially best practices. SAC codified tools and techniques into a benchmark or standard. That is, SAC managed to define EDP auditing because SAC provided some prescription of how to approach EDP auditing. The prestige of IBM, the notoriety of the individual members of the Advisory Committee, and the IIA lent credibility to SAC. The IIA and IBM gave away thousands of copies for free. At least up until the mid-1980s, SAC was probably the most widely publicized, read, accepted, up-to-date, and applied publication that encapsulated a comprehensive set of principles for EDP auditing. Others believed SAC legitimized the need for an EDP auditing staff and function. SAC's contributions made an impact, moving EDP auditing forward significantly. SAC was a landmark study in changing the audit profession and controlling computer systems. SAC has been updated several times since its initial publication (in 1991, 1994, and eSAC 2001). It is currently referred to as eSAC (Electronic Systems Assurance and Control) and is available on CD-ROM and online from the IIA.

f. Electronic Data Processing Auditors Association

By the late 1960s, many EDP auditors were ready for an organization dedicated to EDP auditing. From the efforts of a handful of interested auditors in Southern California, the Electronic Data Processing Auditors Association (EDPAA) was organized in 1969. Its first conference was held in January 1973, and its first regular publication, The EDP Auditor, began in May of the same year. In 1977, the EDPAA's Foundation (EDPAF) published its first edition of Control Objectives, a compilation of guidelines, best practices, and standards for conducting EDP audits. The publication was revised and updated frequently in the subsequent years (1980, 1983, 1990, and 1992). Between 1992 and 1996, Control Objectives underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for Information and Related Technology). CobiT was revised in 1998 and 2000 (third edition). CobiT has become an authoritative, international set of generally accepted

IT control objectives for day-to-day use by business managers, users of IT, and IS auditors.

Some internal and external auditors wanted a separate certification for auditors of Information Technology. In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program—Certified Information Systems Auditor (CISA). The first CISA exam was given in 1981 and offered in two languages. The introduction of the CISA certification program brought a standard for IS auditors that came to be respected throughout the auditing profession. Because of information technology, EDP auditing had even evolved into a separate function in many organizations, or at least a separate position in IA: audit manager/IS audit. The CISA provided the vehicle. Today, more than 27,000 professionals in dozens of countries have become certified through the CISA program. In 2002, more than 10,000 candidates around the world took the CISA exam in their choice of nine languages: English, Chinese, Dutch, French, German, Italian, Japanese, Korean, or Spanish.

The EDPAA began to translate key documents into foreign languages. By 1984, the CISA exam and other documents were also translated into foreign languages. When Control Objectives was translated into Japanese in 1986, it soon became a best seller—selling more than 10,000 copies. By 1988, the international growth of the EDPAA began to accelerate. Many international chapters were chartered beginning about this time. In 1989, Region 10—encompassing Japan, Hong Kong, India, Malaysia, Singapore, and the Philippines—was activated. In 1991, the EDPAA elected its first international president living outside North America—Deepak Sarup. In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association (ISACA).

In 1985, the EDPAF issued its 10 worldwide General Standards for IS Auditing and its first two worldwide Statements on IS Auditing Standards. Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and assumed sponsorship of the Computer Audit, Control and Security conferences (CACS) begun by Harold Weiss in the 1960s. The Information Systems Audit and Control Association (ISACA) has become the only true international professional auditing organization, with international members, international chapters, and international standards (applicable on an international scale)—all within a single entity. ISACA has more than 26,000 members internationally in more than 100 countries. The activities of EDPAA/ISACA have contributed to the emergence of the large number of IS auditing experts today. ISACA is known today for its CobiT project, CISA certification, training, information—topics such as corporate governance and Global Knowledge Network (Global Information Repository)—and it continues to publish its technical journal, Information Systems Control Journal.

g. Emerging Technologies

Technology continued to change at a rapid pace. Until the introduction of the microcomputer in the late 1970s, the pioneers did blaze a trail for others to follow (in the mainframe area), but all the trails seemed to change by 1979. Information technology became portable and distributed, carrying with it new control problems, and the walls around the data center were no longer secure. The 1980s saw many new technologies incorporated into accounting systems. Some had been in the process of developing, but the proliferation of IT in the 1980s and 1990s drove the need for better IS products as well as new technology. The emerging technologies included microcomputers or personal computers (PCs), database management systems, electronic data interchange (EDI), bar coding, expert systems (ES), artificial neural systems (ANS) or neural networks, decision support systems (DSS) and group decision support systems (GDSS), executive information systems (EIS), enterprise resource planning (ERP), online analytical processing (OLAP), and—most important of all—the Internet and World Wide Web (WWW). For example, changes in telecommunication technologies affected nearly all accounting information systems. The breadth of IT also began to compound the knowledge and expertise needed to perform audits and audit projects.

i. Microcomputers and Networks

Microcomputers date back to 1975 with a group of young experts (e.g., Bill Gates) who built the first microcomputer, called the Altair. Several attempts to mass market microcomputers followed from then-maverick companies such as Apple and Commodore, and traditional companies like Radio Shack. In 1977, Apple introduced its Apple II, followed in 1979 with Radio Shack's TRS-80. Also in 1977, Xerox developed a microcomputer with a mouse, graphical display, and other "windows"-like features. It was not until 1979, when VisiCalc (an electronic spreadsheet) hit the market, however, that micros really began to sell. In the fall of 1981, IBM began to sell its version of the microcomputer—the personal computer (PC). The expanding base of PCs created a new market for application software.

Microcomputer software advances (financial accounting) had led to many installations on PCs. Early in the 1980s, IS auditors were becoming concerned about the controls in microcomputer systems (e.g., spreadsheets used in accounting and financial accounting packages). Information system auditors quickly determined the need for new tools to audit the data that were resident on microcomputer systems. This potential led to the birth of the need for micro-based computer-assisted audit tools (CAATs). Yet the micro also provided IS auditors with the opportunity to develop new tools to take advantage of the power of micros for audit purposes. The PC was a greater tool for auditors than for just spreadsheets and word processing. The automation of work papers and micro-driven analytical tools were major innovations. Thus, the growth of PC-based CAATs was, in fact, driven by IS auditors, a major turning point because these tools enabled IS auditors to start doing their own micro work.

Meanwhile, the widespread use of PCs dispersed the IS function within organizations. With much of IS programming suffering from large backlogs, end users saw a way to achieve their goals much quicker. This phenomenon drove end-user computing (EUC). The introduction of products such as the series of DBASE products, FoxBase, ACCESS, and so on, gave end users the ability to perform tasks previously restricted to the IS group: that is, they could develop their own applications, instead of needing an IS expert as a go-between. EUC, in fact, expanded the scope and exposures of information systems. One result of micros was a loss of control of the security of computing activities. Because of this situation, computer processing, which had once at least been centralized at the mainframe computer in a single room, was now distributed throughout much of the organization.

The 1980s also saw the growth of networked PCs. With networks, several applications and numerous users have access to the same data and resources. Data integrity problems existed because several different applications (and users) had access to the same information. Maintaining the security of the users connected to the network and their physical location (nodes) was also difficult because users could be frequently added or moved on a network. That is, the network a manager brings up in the morning may not be the same one brought up yesterday. This volatility creates havoc for the network manager and can be a nightmare for IS auditors—it is virtually impossible to audit an environment when the environment keeps changing, and doing it so often. During transmission along network lines, data often were exposed to loss or theft (e.g., hackers). Information System auditing had to address these issues. These two developments (PCs and networks) have resulted in information systems that have become more difficult to audit. That is, the structure of the organizational system has drastically changed (exactly where are the data and controls?), again leading to changes in IS auditing. However, microcomputers (and CAATs developed for them) have also provided a powerful tool that IS auditors can use to improve or facilitate the audit process. Technology continues to change and expand rapidly, and the locus of control for data processing continues to expand.

ii. Database Management Systems

Use of relational databases grew in the early 1980s. Databases (and PCs) eliminated much of the traditional separation of duties that had been established for mainframe systems. Thus, databases were popular with users.

The proliferation of databases as the foundation of Accounting Information Systems (AIS) caused both problems and a simplification. The good news is that if an IS auditor understands database management systems concepts and technical issues, there is a good chance the organizational data resides within one. The basic concepts among database systems are fairly common. Systems such as DB2 (from IBM) and Oracle began to dominate the market in the 1990s. Many times, therefore, the two most popular packages dominate IS in the larger businesses.

iii. Electronic Data Interchange and Electronic Commerce

EDI technology provided users with many benefits in the delivery and production of products and services, sometimes as a competitive edge. The use of EDI, however, exposes data during telecommunications between the two systems. The increase in users of EDI has expanded the risks to transmission of data. Because of incompatible EDI systems, some organizations use a third party to provide EDI services and introduce another source of exposure. EDI (computerized) audit trails have become even more difficult to follow. Encryption and virtual private networks (VPN) became some of the controls used for these risks and exposures. The security of data has not only escaped the confines of the IS central location within an organization, but it is now virtually open to exposure to anyone in the external environment who has enough knowledge and criminal intent to disrupt the information traveling over phone lines and networks.

Universal product code (UPC) bar coding was first used in 1973 in grocery stores. Bar coding increased input accuracy and permitted fast data capture. Bar coding and scanning had advantages to management beyond inventory control. For example, Toys 'R Us uses bar coding and scanning for sales analysis: to know the hot toy first and order the entire supply! Quick response systems integrate EDI, bar coding, and just-in-time (JIT) inventory management. The basic element of the JIT philosophy is to carry only enough inventory to meet customers' orders for a short time frame (ideally one day). Wal-Mart has fine-tuned its quick response system so well that its system has become one of its major competitive advantages. For example, the elimination of local warehouse storage at branch locations reduced costs enough to pay for the quick response system in about six months.

All of these emerging technologies led to constantly changing systems, with new information technologies being implemented frequently. Management and staff are often so enthralled with the features of the new IT that it can be easy to overlook important control and auditing attributes. Internal controls should be "seamless" to ensure the flexibility necessary. Also, because internal auditing is supposed to review the reliability and integrity of financial and operating information, systems are changed with input from IS auditors regarding audit, control, and security for the systems. One good example of an emerging technology and how it affects IS auditing is executive information systems (EIS). EIS are computerized systems that support top management in their strategic decision-making. An EIS must be easy to use by relatively unskilled users. Thus, the emergence of new EIS has had an impact on internal auditors. IS auditors can contribute to the development of EIS in a variety of ways—but especially in defining controls, auditability, and security. Information system auditors should define the control risks and internal controls of EIS—as well as all other information technologies.

iv. Artificial Intelligence and Decision Support Systems

Other major innovations in information technology provide additional opportunities for its use by management in the area of artificial intelligence (AI), decision support systems (DSS), and group decision support systems (GDSS). Artificial neural systems (ANS) are a special type of AI systems. ANS emulate the functioning of the human brain in model building and decision-making. Neural nets appear to be well suited to problems of pattern recognition, classification, nonlinear feature detection, and nonlinear forecasting. But if IS auditors do participate in the systems

development, the controls, auditability, and security probably will be adequate. CISA guidelines suggest that a CISA be involved in every systems development life cycle (SDLC) project.

v. Expanded Interfacing/Scope of Accounting Systems

Other advances caused significant changes in existing accounting information systems (AIS). One major change was enterprise resource planning (ERP), in which AIS was interfaced with all, or most, of the other systems in the organization. For example, in common ERP systems, human resource systems are interfaced with the payroll system, and sales systems are interfaced with the accounts receivable system. ERP is being expanded to include customer relationship management (CRM), supply chain management (SCM), and other functions. In addition, strategic needs, data needs, and economical development resulted in software such as online analytical processing (OLAP), data warehousing, data mining, and a host of extraction software to create value and draw benefits from AIS and operational data captured over time in systems.

vi. Telecommunications

In the mid-1960s, modems and acoustical couplers began to appear. Again, it was the growth of the PC that propelled the use of this technology. The 1980s saw global competition begin to affect many more organizations, driving a need for telecommunications. With this expansion of telecommunications came risks and exposures. One problem that arose with telecommunications was computer crime. Suddenly, vandals—hackers and crackers—began to steal or corrupt data from long distance. The nature of telecommunications and information technology makes it difficult, if not impossible, to identify computer criminals. With the legal system not ready to handle these types of crimes, many organizations could do nothing even if they caught the criminal. Using viruses, hackers also vandalized information systems. Viruses entered the public limelight in the fall of 1987. But the military had been aware of viruses since 1978 (according to the head of information security at SRI International, Donn Parker). [4] In recent years, the impact of viruses has grown and is now considered dramatic. It is estimated that viruses cost companies $12.3 billion in 2001. Modern accounting systems, especially due to the expansion of telecommunications, are vulnerable to the detrimental effects of viruses. Most auditors are convinced viruses present a real threat to IS security and control that must be addressed by IS auditors.

vii. The Internet and the World Wide Web

The most dramatic of advances has been the proliferation of the Internet and the World Wide Web (WWW). The Internet and WWW have changed commerce worldwide in both the nature of transactions and AIS. With it have come new security problems, new risks, and new challenges for auditing. Suddenly, data is exposed to the entire world! Organizations want to use the 24/7 access to increase sales, improve customer relations, and achieve other business objectives. The growth of commerce over the Internet has been phenomenal. During the last decade, electronic commerce, or e-commerce, has become a critical success factor for modern business. Electronic commerce makes it possible to better compete on a global scale and find the best suppliers without regard to geographic location. It also facilitates more efficient and flexible internal operations, better (closer) relationships with suppliers, and improved customer service. Indeed, e-commerce transactions increased 17% from 1999 to 2000, with a total of $213 billion. On the wholesale side, business-to-business (B2B) sales grew 92% from 1999 to 2000, with a total of $37 billion. On the retail sales side, business-to-consumer (B2C) sales increased 48% from 1999 to 2000, with a total of $29 billion. It is estimated that sales for the year 2001 were $32.6 billion, an increase of 19% from 2000. Retail sales for 4Q 2001 were up 13% over 2000 at $10 billion. In the service sector, it has been estimated that between 2002 and 2005 the number of consumers using online account management will more than double, reaching 45% of the U.S. adult population. Firms are changing their organizational and commercial processes to take full

advantage of the opportunities that e-commerce offers. Yet the electronic systems and infrastructure commensurate with effective e-commerce present significant exposures and risks related to abuse, misuse, and failure. Risks extend to all connected parties: merchants, customers, finance entities, and service providers. In general, the most common adverse consequences include the following types of exposures:

• Financial loss as a result of a fraud
• Destruction of important financial records
• Compromise of valuable confidential information to an unauthorized party
• Loss of business opportunities through a disruption of service
• Unauthorized use of resources
• Loss of confidentiality or customer relationship

Some of these consequences can be minimized through appropriate practices of internal control within the organization. For example, in order to minimize possible losses because of disruption of service, contingency planning and physical security measures could be taken. However, the risks may not always be minimized through the traditional security and/or preventative methods. In order to respond to these and other critical factors within the implementation strategy of electronic commerce, the role and responsibility of the IA is crucial in establishing auditing procedures and IS specifications that will, at least, minimize risks.

The rate of the growth of the Internet and e-commerce may have slowed, but the scope of this exposure is approaching 100% because it affects both suppliers (hosts/servers) and users (clients). Whether it is web servers (hosts), extranets, or just access to the Internet (clients/browsers), firms are exposed to a plethora of possible attacks if they are connected in any way to the Internet. Obviously, those firms with servers (hosts) have a much greater risk. Theoretically, data can be accessed by anyone. Risks from attacks range from hackers who are on a cyberspace joy ride to crackers who are out to kill, steal, and destroy. The risks also include viruses and intelligent agents (e.g., distributed denial of service (dDoS) agents). To a lesser extent, they include those objects whose intent is to clog bandwidth: urban legends, hoax viruses, and chain letters. In addition, there is a seemingly endless barrage of attacks from computer criminals with the intent to destroy systems, data, and information assets. Those responsible for information security (InfoSec), e-commerce systems, and internal controls have a very difficult task managing the risks associated with the Internet. Mailing lists such as those from BugTraq, CERT, and the SANS Institute put out a continuous stream of warnings about emerging risks, from new viruses to vulnerabilities in operating systems and browsers. Security threats have become a ubiquitous problem and an ever-evolving challenge for those responsible for information systems. The Computer Security Institute and FBI conducted a study of organizations that experienced security breaches. Respondents who could put a dollar amount on the cost of a security breach averaged more than $2 million in financial losses. The costs of these security problems appear to outweigh even those of Internet fraud.

viii. Paradoxical Evolution of Information Technology

The effects of emerging technologies have been paradoxical. On one hand, auditors have managed to use emerging technologies as audit tools and thus become more effective and efficient. On the other hand, emerging technologies have created a more difficult system to audit effectively. The microcomputer innovation in the early 1980s epitomizes this phenomenon. An example of hindrances caused by emerging technologies is distributed data. Emerging technologies, especially the Internet, decentralized the control points. No longer could an auditor go to a single location and audit the major control points of an EDP system—usually a mainframe in a single, glass-enclosed room. This distribution and multiplication of control points exacerbated the difficulty of the audit process. Coupled with the scope change

This change meant a need for more accountants and internal auditors—who had to review travel and business expenses for income tax returns and who would respond if the Internal Revenue Service solicited audit reports during their examinations. Vol. Congress was the Sixteenth Amendment in 1913. special training. Despite the existence of IDEA. Thus. "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton. and. Income Tax Law (Sixteenth Amendment): 1913 One of the first major regulations that was passed by the U.Chapter 1: Background was new technology. 2002. [4]See Journal of Corporate Accounting & Finance. The increased volume of data being handled. a. This tool would amount to 100%. experience to be efficiently accomplished.6 History of Federal Regulations Related to Auditing A review of relevant federal regulations follows to provide the IA department and its members a general understanding of these laws. Today several computer-assisted audit tools (CAATs) already exist that perform a 100% verification. fraud or irregularity is suspected. ACL. these tools are apparently greatly underutilized at present. 19 One current. Each regulation has had an impact on audits. Sound familiar? This statement was written decades ago (USAF. the expertise to use them effectively. One thing the future holds for certain is more rapid change in information technology. Unlike the auditors of the early 1900s. One developing example is embedded audit modules: For example. This situation is attributed to serious cost constraints within audits. today's auditor is faced with a dynamic situation in which time is of the essence. but parallel its future growth. 13. never interrupting daily operations (Weber. an artificial neural system (ANS) could be developed to "sit" in the IS and warn auditors of transactions or events that are "outliers"—that is. of course.S. One provision of the law required all companies to maintain adequate accounting records. 
combined with a misconception that CAATs are cost effective only for large audits. 29–39. 1. This type of warning system is possible because ANS can "learn" to recognize errors and possible fraud by exposing the system to actual errors and frauds. 1966)! The challenge is to use the lessons of the past to solve problems of the present and future. but they became different because the technology changed. real-time. Issue 4. the speed with which these data are processed and the centralization of accounting functions have by no means reached their zenith. nor will the pace in technology diminish. 1994). Thus general controls and application controls were significantly different. Not only did the control points move away from a central location and expand in numbers. even small firms that did not need accounting for management or financing purposes suddenly had to maintain accounting records for income tax purposes. on-line verification. Panaudit Plus and other micro-based CAATs. actual example of using emerging technologies is the use of laptops and customized generalized audit software to audit credit unions long distance using telecommunications. for more on viruses. if not futile. This law legalized income taxes and had a direct impact on internal auditing. The modern-day auditor must not only meet the challenge quickly. pp. To do otherwise will render the role he plays ineffective. Chapter 1: Background 19 . One source says: • The task will require ingenuity.
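As an added illustration of the embedded audit module and 100%-verification CAATs described at the end of Section 1.5, the following Python sketch runs every transaction in a population through control rules (no sampling) and adds a per-vendor outlier warning. This is example code written for this edit, not code from the book or from IDEA, ACL or Panaudit Plus; the transaction fields, the approver-limit field, the rule set and the sample population are assumptions, and a robust z-score (median and median absolute deviation) stands in for the "learned" artificial neural system the text describes.

```python
"""Embedded audit module (EAM) sketch: 100% verification of a transaction
population plus a statistical outlier warning, run continuously or on demand.

Added example, not code from the book or from any CAAT product it names.
Field names, the approver-limit field and the sample data are assumptions.
The robust z-score replaces the ANS the book describes: it needs no training
data and is easy to explain to an audit committee.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str
    vendor: str
    amount: float              # invoice total as posted
    lines: Tuple[float, ...]   # line items that should foot to amount
    approver: str
    approver_limit: float      # authorization limit of the approver (assumed field)


# Constructed sample population (not real data).
SAMPLE: List[Txn] = [
    Txn("T001", "ACME", 1200.0, (700.0, 500.0), "jdoe", 5000.0),
    Txn("T002", "ACME", 1150.0, (1150.0,), "jdoe", 5000.0),
    Txn("T003", "ACME", 1300.0, (800.0, 500.0), "jdoe", 5000.0),
    Txn("T004", "ACME", 1250.0, (1250.0,), "jdoe", 5000.0),
    Txn("T005", "ACME", 1180.0, (1180.0,), "jdoe", 5000.0),
    Txn("T006", "ACME", 9800.0, (9800.0,), "jdoe", 5000.0),          # outlier and over limit
    Txn("T007", "GLOBEX", 400.0, (250.0, 100.0), "asmith", 2000.0),  # lines do not foot
    Txn("T007", "GLOBEX", 400.0, (250.0, 150.0), "asmith", 2000.0),  # duplicate id
]


def verify_all(txns: List[Txn]) -> List[Tuple[str, str]]:
    """100% verification: every transaction is tested against each control
    rule. Returns (txn_id, rule) pairs, one per exception found."""
    exceptions = []
    seen = set()
    for t in txns:
        if t.txn_id in seen:
            exceptions.append((t.txn_id, "duplicate transaction id"))
        seen.add(t.txn_id)
        if abs(sum(t.lines) - t.amount) > 0.005:
            exceptions.append((t.txn_id, "line items do not foot to posted amount"))
        if t.amount > t.approver_limit:
            exceptions.append((t.txn_id, "amount exceeds approver authorization limit"))
    return exceptions


def robust_z(value: float, values: List[float]) -> float:
    """Modified z-score: 0.6745 * (x - median) / MAD. Resistant to the very
    outliers it is meant to find, unlike a mean/standard-deviation score."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0
    return 0.6745 * (value - med) / mad


def flag_outliers(txns: List[Txn], threshold: float = 3.5) -> List[Tuple[str, float]]:
    """Outlier warning: amount compared with the same vendor's history.
    A warning is not an exception; it tells the auditor where to look."""
    by_vendor: Dict[str, List[float]] = {}
    for t in txns:
        by_vendor.setdefault(t.vendor, []).append(t.amount)
    flagged = []
    for t in txns:
        peers = by_vendor[t.vendor]
        if len(peers) < 5:          # too little history to judge
            continue
        z = robust_z(t.amount, peers)
        if abs(z) > threshold:
            flagged.append((t.txn_id, round(z, 1)))
    return flagged


def run_module(txns: List[Txn]) -> dict:
    """One pass of the EAM over a population; returns the audit report."""
    return {
        "population": len(txns),
        "exceptions": verify_all(txns),
        "warnings": flag_outliers(txns),
    }


if __name__ == "__main__":
    report = run_module(SAMPLE)
    for txn_id, rule in report["exceptions"]:
        print(f"EXCEPTION {txn_id}: {rule}")
    for txn_id, z in report["warnings"]:
        print(f"WARNING   {txn_id}: robust z = {z}")
```

The two halves answer different audit questions: verify_all is the deterministic, full-population test a CAAT performs (footing, authorization, duplicates), while flag_outliers only points at transactions worth a closer look, so its threshold should be tuned per vendor population rather than treated as a control.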

b. Securities and Exchange Commission Acts: 1933, 1934

The main impact of the Securities Act of 1933 and the Securities Exchange Act of 1934 was on public accounting. In fact, some have referred to this legislation as the "full employment acts for external auditors." The purpose of the acts was to make accountants liable for purchases of securities containing material misstatements in the portions of the registration statement for which the CPA is responsible. This purpose was a result of the Ivar Kreuger scandal mentioned previously. The registration had to include audited financial statements. Under the 1933 Act, plaintiffs must only establish that they suffered investment losses and that the relevant financial statements contain material errors or omissions. If a plaintiff establishes those elements of proof, the defendant auditor assumes the burden of proving that its employees used "due diligence" in performing the audit. Under Section 10(b) and Rule 10(b)-5 of the 1934 Act, plaintiffs must prove scienter [5] ("a mental state embracing intent to deceive, manipulate, or defraud"). The Supreme Court has made it clear that the plaintiff must prove more than mere negligence to impose liability on the CPA. Most criminal cases brought against CPAs involve this section.

The acts also require all corporations that report to the SEC to maintain a system of internal control that is evaluated as part of the annual external audit. The responsibility for this system of internal control generally falls on the IA function. Thus, the SEC acts provide impetus for financial accounting responsibilities for publicly traded companies. Perhaps the most significant fact about the SEC acts is the legal authority they give the SEC for setting accounting standards. The SEC has in effect delegated that authority to the Financial Accounting Standards Board (FASB). Because of its membership makeup and the influence the AICPA tends to have in the rule-making process, the SEC has basically delegated rule making to the accounting profession, allowing it to monitor and police itself generally. The SEC does issue Staff Accounting Bulletins that are authoritative for publicly traded companies.

c. Foreign Corrupt Practices Act: 1977

Although the primary purpose of the Foreign Corrupt Practices Act (FCPA) in 1977 [6] was supposedly to eliminate payments by U.S. corporations to foreign officials, the secondary purpose of enhanced internal controls is more important to internal auditors. Essentially, organizations were required to have sufficient internal controls so that any illegal payments would be uncovered by the accounting system or internal controls. Thus, management could not (supposedly) escape conviction by claiming a lack of knowledge. If a corporation tried that approach, then it would be guilty of having a system of internal controls that could not uncover illegal payments; that is, if a corporation was guilty of making an illegal payment, the organization would be out of compliance with a federal law. FCPA required two things that affect auditing and IA:

1. SEC registrants must establish and maintain adequate books, records, and accounts.
2. SEC registrants must maintain an internal control system that provides reasonable assurance the organization's objectives are being met:
   a. Transactions are executed in accordance with management's general or specific authorization.
   b. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
   c. Access to assets is permitted only in accordance with management authorization.
   d. Recorded assets are compared with existing assets at reasonable intervals.
   e. Internal controls are capable of detecting illegal foreign payments.

Penalties for violations include fines (up to $2 million), imprisonment (up to five years), or both, even if executives did not know of any illegal activities. Fulfilling this regulation is an excellent motivation to have an IA department in house.

[5] Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago) 1976.
[6] See full text of FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.

d. Copyright Laws: 1976 et al.

Also affecting internal auditing is the series of copyright laws beginning in 1976, relating to intellectual property. The acts have the following implications for IA:

• U.S. intellectual property is protected.
• Management is legally responsible for violations of the organization.
• The acts have been amended numerous times.
• The U.S. government has continually sought international agreement on terms for protection of intellectual property globally, but without complete success (especially in areas of the Far East and Middle East).

e. Sarbanes-Oxley Act: 2002

The Sarbanes-Oxley Act passed by the U.S. Congress in the summer of 2002 will have a dramatic effect on both external and internal auditing. Section 301 (Public Company Audit Committee) requires an audit committee for listed companies and describes the functions and oversight the audit committee should have over the audit processes, including IA auditors. It also requires members of the committee to be independent. The new law requires the committee to have a great deal of interaction with major facets of audit. Section 302 (Corporate Responsibility for Financial Reports) calls for the certification of financial reports submitted to the SEC by the principal executive officer and principal financial officer. But it is Section 404 (Management Assessment of Internal Controls) that will have the greatest impact on internal auditing. This section requires an annual management assessment, reported to the SEC, of the internal controls and their effectiveness. Internal audit is clearly in the optimum position to deliver this required service, and the law is therefore good news for the IA profession. The scope of this section was amplified by the NYSE when it actually required, for the first time, an internal audit function for all NYSE-listed companies (Section 303A.7(c)). Section 406 (Code of Ethics for Senior Financial Officers) requires a code of ethics for certain executive officers and requires disclosures when a code does not exist. Section 407 (Disclosure of Audit Committee Financial Expert) adds further requirements of the audit committee, specifically that at least one member should have financial accounting expertise. (See also Sections 3.4(e) and 9.2 for more on the Sarbanes-Oxley Act.)

1.7 Professional Organizations Related to Internal Auditing

Several organizations furnish professional services, certification, and continuing education that relate to IA. The following list summarizes some of these major organizations. A summary of each organization—mostly derived from information at their web site—follows.

Organization                                                  Certification           Web Site

Institute of Internal Auditors (IIA)                          CIA, CGAP, CFSA, CCSA   www.theiia.org
Information Systems Audit and Control Association (ISACA)     CISA                    www.isaca.org
American Institute of Certified Public Accountants (AICPA)    CPA, CITP               www.aicpa.org
American Accounting Association (AAA)                         n.a.                    www.aaa-edu.org
Financial Executives International (FEI)                      n.a.                    www.fei.org
Association of Government Accountants (AGA)                   CGFM                    www.agacgfm.org
Association of Certified Fraud Examiners (ACFE)               CFE                     www.cfenet.com

a. Institute of Internal Auditors

The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701-4201
Phone: (407) 830-7600
Fax: (407) 831-5171
E-mail: <iia@theiia.org>
Web: www.theiia.org

The IIA focuses on the internal audit function. Its certification is the Certified Internal Auditor (CIA). Established in 1941, the IIA serves more than 75,000 members in internal auditing, governance and internal control, IT audit, education, and security from more than 100 countries. The world's leader in certification, education, research, and technological guidance for the profession, the IIA serves as the profession's watchdog and resource on significant internal auditing issues around the globe. It is a dynamic international organization that meets the needs of a worldwide body of internal auditors. The history of internal auditing has been synonymous with that of the IIA and its motto, "Progress Through Sharing." Presenting important conferences and seminars for professional development, producing leading-edge educational products, certifying qualified auditing professionals, providing quality assurance reviews and benchmarking, and conducting valuable research projects through the IIA Research Foundation are just a few of the Institute's many activities. The IIA also provides internal audit practitioners, executive management, boards of directors and audit committees with standards, guidance, and information on best practices in internal auditing. In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards, in the first major revision to the "Red Book" (i.e., the Standards for the Professional Practice of Internal Auditing (SPPIA)) since it was introduced a quarter century ago.

b. Information Systems Audit and Control Association

Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
Phone: (847) 253-1545
Fax: (847) 253-1443
Web: www.isaca.org

The Electronic Data Processing Auditing Association (EDPAA) was formed in 1969 and later changed its name to Information Systems Audit and Control Association (ISACA). It is dedicated to the profession of IS

auditing. With more than 26,000 members in over 100 countries, ISACA is a recognized global leader in IT governance, control, and assurance. ISACA members residing in more than 160 chapters throughout more than 100 countries around the world unite through:

• One set of standards used as guidance for IS audit and control activities worldwide
• A respected certification program that is recognized internationally in the IS audit, control, and security fields
• A professional development program on critical managerial and technical topics
• Award-winning technical publications providing the latest research, case studies, and how-to information
• A code of professional ethics to guide members' professional activities and conduct

ISACA's vision is to be the recognized global leader in IT governance, control, and assurance. ISACA's mission is to support enterprise objectives through the development, provision, and promotion of research, standards, competencies, and practices for the effective governance, control, and assurance of information, systems, and technology. The organization sponsors international conferences, administers the globally respected CISA designation earned by more than 27,000 professionals worldwide, and develops globally applicable information systems auditing and control standards. Its certification is CISA (Certified Information Systems Auditor). An affiliated foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, offers symposia, original research, presentations at both ISACA and non-ISACA conferences, and electronic resources to assist enterprise leaders in their responsibility to make IT successful in supporting the enterprise's mission and goals.

c. American Institute of Certified Public Accountants

American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
Phone: (212) 596-6200
Fax: (212) 596-6213
Web: www.aicpa.org

The AICPA is the professional organization that represents external auditors. The AICPA oversees the Certified Public Accountant (CPA) designation that is actually administered and awarded by individual states (the examination is common to all states). It has a strict code of ethics that it enforces. Internal auditors must be familiar with Generally Accepted Accounting Principles (GAAP) and other financial reporting criteria in order to perform their duties effectively. The AICPA and its predecessors have a history dating back to 1887, when the American Association of Public Accountants was formed. In 1916, the American Association was succeeded by the Institute of Public Accountants, whose membership numbered 1,150. The name was changed to the American Institute of Accountants in 1917 and remained so until 1957, when the name was again changed to the American Institute of Certified Public Accountants. Separately, the American Society of Certified Public Accountants was formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936

and, at that time, the Institute agreed to restrict its future members to CPAs.

d. American Accounting Association

American Accounting Association
5717 Bessie Drive
Sarasota, FL 34233-2399
Phone: (941) 921-7747
Fax: (941) 923-4093
E-mail: <office@aaahq.org>
Web: www.aaa-edu.org

The American Accounting Association is dedicated to accounting education, with most of its membership comprised of accounting academics; in fact, it has fewer practitioners as a percentage over time. Founded in 1916 as the American Association of University Instructors in Accounting, its present name was adopted in 1936. The AAA promotes worldwide excellence in accounting education, research, and practice. There is no separate certification associated with the AAA. The AAA provides a wealth of resources for IA in doing research and in communicating education needs back to the classrooms. Interaction between IA and AAA should lead to a synergistic relationship.

e. Financial Executives International

Financial Executives International
10 Madison Avenue
P.O. Box 1938
Morristown, NJ 07962-1938
Phone: (973) 898-4600
Fax: (973) 898-4649
Web: www.fei.org

FEI represents the financial profession and community. FEI is the preeminent professional association for senior financial executives, representing 15,000 individuals. It has no separate certification. Membership is limited to individuals holding senior management positions, but the organization allows many other finance professionals to join if they meet certain criteria. FEI provides peer networking opportunities, emerging issues alerts, personal and professional development, and advocacy services to chief financial officers, treasurers, controllers, tax executives, and finance and accounting professors in academia. Other typical titles held by FEI members include assistant controller, assistant treasurer, subsidiary CFO or controller, and director of tax. FEI also has a special rate and status for academics. Membership driven, FEI does this principally through its strong Internet community, its 85 chapters and its 9 technical committees. In total, FEI has 85 chapters across the United States and Canada. Its largest chapters are in Boston, New York, Santa Clara Valley, and Chicago. FEI Canada was established in 1973 to serve the needs of its Canadian members and consists of 11 chapters. FEI was founded in 1931. Over time the role of the financial executive expanded and it adopted its broader present name in 1962. As the global economy developed, FEI was the driving force in forming the International Association of Financial Executives Institutes in 1969. On November 6, 2000, the Financial Executives Institute became what is now Financial Executives International. FEI proactively helped design the CFO Act and has a history of supporting legislation that enhances the business climate.

Vision: FEI will continue to be the association for the corporate finance profession.

f. Association of Government Accountants

Association of Government Accountants
2208 Mount Vernon Avenue
Alexandria, VA 22301
Phone: (703) 684-6931
(800) AGA-7211
Fax: (703) 548-9367
Web: www.agacgfm.org

The Association of Government Accountants specializes in public financial management. Since 1950, the AGA has been instrumental in developing accounting and auditing standards and in generating new concepts for the effective organization and administration of financial management functions. AGA conducts independent research and analysis of all aspects of government financial management. These studies have led AGA to be recognized as a leading advocate for improving the quality and effectiveness of government fiscal administration, including the passage of the Inspector General Act of 1978 and the Chief Financial Officer's Act of 1990. AGA sponsors the CGFM (Certified Government Financial Manager) certification. Since its inception in 1994, the CGFM has become the standard by which government financial management professionals are measured. Its education, experience and ethics requirements have served to elevate the most seasoned financial professionals. More than 13,000 individuals have received the designation so far.

g. Association of Certified Fraud Examiners

Association of Certified Fraud Examiners
The Gregor Building
716 West Avenue
Austin, Texas 78701
Phone: (512) 478-9070
(800) 245-3321 (USA & Canada only)
Fax: (512) 478-9297
Web: www.cfenet.com

The Association of Certified Fraud Examiners (ACFE) specializes in anti-fraud activities and white-collar crime detection, and sponsors the CFE (Certified Fraud Examiner) certification. ACFE, established in 1988, is based in Austin, Texas. The 26,000-member professional organization is dedicated to educating qualified individuals (Certified Fraud Examiners), who are trained in the highly specialized aspects of detecting, investigating, and deterring fraud and white-collar crime. Each member of the association designated a Certified Fraud Examiner has earned certification after an extensive application process and upon passing the uniform CFE examination. Certified Fraud Examiners come from various professions, including auditors, accountants, fraud investigators, loss prevention specialists, attorneys, educators, and criminologists. CFEs gather evidence, take statements, write reports, and assist in investigating fraud in its varied forms. CFEs are employed by most

major corporations and government agencies, and others provide consulting and investigative services. The association sponsors approximately 100 local chapters worldwide. CFEs in more than 100 countries on four continents have investigated more than 1 million suspected cases of civil and criminal fraud.

Endnotes

1. Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.
2. Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of Progress, by Dale L. Flesher, Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.
3. Interestingly enough, a similar law was passed during the Civil War but was later ruled to be unconstitutional by the U.S. Supreme Court.
4. See Journal of Corporate Accounting & Finance, Vol. 13, Issue 4, 2002, "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton, pp. 29–39, for more on viruses.
5. Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago) 1976.
6. See full text of FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.

Chapter 2: Auditing Standards and Responsibilities

Overview

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.1    REV NO:    DATE:    PAGES:
TITLE: Introduction

2.1 Introduction

The internal audit function is guided by auditing standards, guidelines, principles, and the responsibilities for auditors both individually and professionally. Individually, internal auditors have an ethical responsibility to perform their duties with integrity. Professionally, there are standards that must be considered.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.2    REV NO:    DATE:    PAGES:
TITLE: Ethics

2.2 Ethics

Every company should have its own ethics officer, who answers to the chief executive officer (CEO) or, better yet, the chairman of the board. Companies should consider ethics training and an ethics system for reporting suspicious activities or events (e.g., a toll-free phone line that goes to a special group responsible for corporate ethics). Companies may even hire ethics consultants when necessary (e.g., for developing international ethics). One area of concern for organizations today is the potential harm or risks from the use of information technologies. Because the work of auditors is inexorably melded with technology, ethics related to information technology (IT) should at least be considered while conducting reviews and audits. Managers and business professionals alike should use ethical principles to evaluate their activities, behaviors, and decisions. Ethical principles for responsible use of IT include:

• Proportionality. The good achieved by technology must outweigh any harm or risk in its use.
• Informed Consent. Those affected by the technology should understand and accept the risks associated with that use.
• Justice. The benefits and burdens of the technology should be distributed fairly.
• Minimized Risk. To the extent that any risk is judged acceptable by the preceding three guidelines, technology should be implemented to eliminate all unnecessary risk.

The Association of Information Technology Professionals (AITP) provides the following guidelines for becoming a responsible end user [1]:

• Act with integrity, avoid conflicts of interest, and ensure your employer is aware of any potential conflicts.
• Protect the privacy and confidentiality of any information you are entrusted with.
• Do not misrepresent or withhold information that is germane to a situation.
• Do not attempt to use the resources of an employer for personal gain or for any purpose without proper approval.
• Do not exploit the weakness of a computer system for personal gain or personal satisfaction.
• Set high standards for your work. Accept responsibility for your work.
• Advance the health, privacy, and general welfare of the public.

The above ethics principles can be used to govern ethical conduct by managers and users. For auditors, however, more specific standards of conduct are needed to govern ethical use of information technology. One of the hallmarks of any profession is having and following a basic set of ethical standards. Exactly what constitutes the ethical standards for internal auditing as a profession? It matters how "doing what is right" is defined and by whom. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed on its objective assurance about risk management, control, and governance.

a. Institute of Internal Auditors (IIA) [2]

The Institute of Internal Auditors has a Code of Ethics that applies to its members and Certified Internal Auditors (CIA). For the IIA, "internal auditors" refers to IIA members, recipients of IIA professional certification (CIA, CGAP, CCSA, and CFSA), and candidates for those certifications.

i. Purpose

The purpose of this Code is to promote an ethical culture in the profession of internal auditing. It extends beyond the definition of internal auditing to include two essential components:

1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors.

ii. Applicability

This Code of Ethics applies to both individuals and entities that provide internal auditing services. For internal auditors, breaches of the Code will be evaluated, and enforcement administered, according to the IIA's bylaws and administrative guidelines.

iii. Principles of the IIA Code of Ethics

Internal auditors are expected to apply and uphold these principles:

• Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
• Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority, unless there is a legal or professional obligation to do so.
• Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

iv. Rules of Conduct

The rules of conduct include:

• Integrity. Internal auditors (a) shall perform their work with honesty, diligence, and responsibility; (b) shall observe the law and make disclosures expected by the law and the profession; (c) shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or the organization; and (d) shall respect and contribute to the legitimate and ethical objectives of the organization.
• Objectivity. Internal auditors (a) shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment; this participation includes those activities or relationships that may be in conflict with the interests of the organization; (b) shall not accept anything that may impair or be presumed to impair their professional judgment; and (c) shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
• Confidentiality. Internal auditors (a) shall be prudent in the use and protection of information acquired in the course of their duties; and (b) shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
• Competency. Internal auditors (a) shall engage only in those services for which they have the necessary knowledge, skills, and experience; (b) shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing; and (c) shall continually improve their proficiency and the effectiveness and quality of their services.

b. Information Systems Audit and Control Association (ISACA) [3]

The Information Systems Audit and Control Association (ISACA) also has a Code of Professional Ethics.

i. Purpose

The purpose of the ISACA Code is to guide the professional and personal conduct of members of the association and/or holders of the professional certifications from ISACA.

ii. Applicability

The Code applies to members of ISACA and/or holders of Certified Information Systems Auditor (CISA) and/or the Certified Information Security Manager (CISM) certifications. Failure to comply with the Code can result in an investigation into one's conduct and, ultimately, in disciplinary measures.

iii. Rules of Conduct

This Code says members and CISAs [4] shall:

• Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
• Serve in the interest of relevant parties in a diligent, loyal and honest manner, and shall not knowingly be a party to any illegal or improper activities.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.

• Perform their duties with due professional care.
• Maintain competency in their respective fields of auditing and information systems control.
• Agree to undertake only those activities that they can reasonably expect to complete with professional competence.
• Inform the appropriate parties of the results of information systems audits and/or control work performed, revealing all material facts known to them, which if not revealed could either distort reports of operations or conceal unlawful practices.
• Support the education of clients, colleagues, the general public, management, and boards of directors in enhancing their understanding of information systems auditing and control.
• Maintain high standards of conduct and character and not engage in acts discreditable to the profession.

[1] According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.
[2] The majority of this section comes from the IIA's Code of Ethics web page at www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). The document used in this manual was adopted by the IIA Board of Directors on June 17, 2000. Please visit the web page for possible changes effective since this writing.
[3] The majority of this section comes from the ISACA's Code of Professional Ethics web page at www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). The document used in this manual was adopted by ISACA on July 1, 2001. Please check the web page for any changes. It also is under review at the time this chapter was written for changes related to the CISM certification.
[4] At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new certification—CISM. Check the web page for any changes.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.3 REV NO: DATE: TITLE: Professional Auditing Standards PAGES:

2.3 Professional Auditing Standards

Like ethics, standards exist from authoritative sources that impose certain requirements and/or structures to the tasks and duties of the internal auditor. These standards come from professional accounting organizations and proven systems theory. There is great deal of overlap from accounting organizations regarding auditing standards, for example, planning, independence, and competence.

a. Institute of Internal Auditors

The IIA's authoritative standards document that is applicable to IA is known as the Standards for the Professional Practice of Internal Auditing (SPPIA). The purpose of SPPIA is to:
• Delineate basic principles that represent the practice of internal auditing as it should be
• Provide a framework for performing and promoting a broad range of value-added internal audit activities
• Establish the basis for the measurement of internal audit performance

• Foster improved organizational processes and operations

In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards in the first major revision of the so-called "Red Book" since it was introduced a quarter century earlier. Mandatory implementation date for these Standards was January 1, 2002. The Standards consist of Attribute Standards (the 1000 series), Performance Standards (the 2000 series), and Implementation Standards (nnnn.Xn). While there is one set of the two former standards, the later may be multiple sets—a set for each of the major types of internal audit activity. Implementation Standards related to assurance include an "A" in the number (e.g., 1130.A1), and standards related to consulting include a "C" in the number (e.g., 1130.C1). The following is a brief summary of the main categories of the Attribute Standards and Performance Standards from the most recent version of the SPPIA:

Attribute Standards
• 1000—Purpose, Authority, and Responsibility • The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
• 1100—Independence and Objectivity • The internal audit activity should be independent, and internal auditors should be objective in performing their work.
• 1200—Proficiency and Due Professional Care • Engagements should be performed with proficiency and due professional care.
• 1300—Quality Assurance and Improvement Program • The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitor its effectiveness. The program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

Performance Standards
• 2000—Managing the Internal Audit Activity • The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.
• 2100—Nature of Work • The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.
• 2200—Engagement Planning • Internal auditors should develop and record a plan for each engagement.
• 2300—Performing the Engagement • Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
• 2400—Communicating Results • Internal auditors should communicate the engagement results promptly.
• 2500—Monitoring Progress • The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
• 2600—Management's Acceptance of Risks • When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and

senior management should report the matter to the board for resolution.

b. Information Systems Audit and Control Association [5]

The concept of a professional association of computer auditors originated in Los Angeles, California, in the late 1960s with a small group of auditors who were working in the area of computerized systems. The entity was named the Electronic Data Processing Auditors Association, and the name changed later to Information Systems Audit and Control Association (See Section 1.5(f) for a detailed history of EDPAA/ISACA).

Computer-based systems are pervasive tools used by management in almost all organizations. Such systems affect control over many of the assets—including the very valuable corporate data—and operations of an organization. Development and support of such systems may require a significant portion of an organization's total resources. The work of auditors, both internal and external, is governed by standards developed by a number of professional organizations, each of which seeks to assure the quality of auditing work being performed. The Information Systems Audit and Control Foundation (ISACF) has determined that the specialized nature of information systems (IS) auditing work, and the skills necessary to perform such audits, require the development and promulgation of auditing standards that apply specifically to IS auditing. ISACF has developed its Standards in order to inform (1) IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics, and (2) management and other interested parties of the profession's expectations concerning the work of practitioners.

For the purposes of these standards, IS auditing is defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them. IS auditors review and evaluate the development, maintenance, and operation of the systems. To some extent, the auditor's mission may include auditing the development, maintenance, and operation of components of automated systems (or such systems as a whole) and their interfaces with the non-automated areas of the organization's operations. In such a case, the objectives of such auditing generally are to assess the extent to which such systems or components produce reliable and accurate information and to determine if such information is in conformity with management's requirements and any applicable statutory provisions.

The framework for the IS Standards, Guidelines, and Procedures for IS Auditing (Standards) provides multiple levels of guidance. First, Standards define mandatory requirements for IS auditing and reporting. IS Auditing Standards are brief mandatory requirements for CISA holders' reports on the audit and its findings. Second, Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the Standards, use professional judgment in their application, and be prepared to justify any departure. There will be times however, when the auditor will not follow that guidance. When these conditions exist, it will be the auditor's responsibility to justify the way in which the work is done. Last, Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. The Procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those Standards in most situations. In determining the appropriateness of any specific procedure, group of procedures or test, IS auditors should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results.

The Standards, and their concomitant number, are divided into three areas: Standard Category, the Standard, and Guideline (see Exhibit 2.1). There are eight Standard Categories and 12 overall IS Auditing Standards; they also establish best practices for procedures to be

followed.

Exhibit 2.1: ISACA Auditing Standards Guidelines [6]

Standard Category | Standard | Guideline
010—Audit Charter | .010—Responsibility, Authority, and Accountability | .010—Audit Charter; .020—Outsourcing
020—Independence | .010—Professional Independence; .020—Organizational Relationship | .010—Nonaudit Role Impact
030—Professional Ethics and Standards | .010—Code of Professional Ethics; .020—Due Professional Care | .010—Irregularities and Illegal Acts; .010—Audit Considerations for Irregularities; .020—Due Professional Care
040—Competence | .010—Skills and Knowledge; .020—Continuing Professional Education |
050—Planning | .010—Audit Planning | .010—Materiality; .020—Planning; .030—Risk Assessment; .040—Effect of Third Parties; .050—IT Governance; .060—Pervasive IS Controls; .070—Use of CAATS; .080—Use of EXPERTS
060—Performance of Audit Work | .010—Supervision; .020—Evidence | .010—Audit Documentation; .020—Application Systems Review; .030—Audit Evidence; .040—Audit Sampling
070—Reporting | .010—Report Content and Form | .010—Reporting
080—Follow-Up Activities | .010—Follow-Up | .NNN—etc.

Source: ISACA, from web site www.isaca.org/stand1.htm. Reprinted with permission.

For ISACA, these Standards are effective for all information systems audits with periods of coverage beginning July 25, 1997.

The eight categories and a brief summary description of each follow:
• 010—Audit Charter • The responsibility, authority, and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
• 020—Independence • In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance. The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.
• 030—Professional Ethics and Standards • The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.
• 040—Competence • The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work. The information systems auditor is to maintain technical competence through appropriate continuing professional education.
• 050—Planning • The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.
• 060—Performance of Audit Work • Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met. During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
• 070—Reporting • The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The report is to identify the organization, the intended recipients, and any restrictions on circulation. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. Audit findings, conclusions, and recommendations and any reservations or qualifications that the auditor has with respect to the audit are to be stated in the report.
• 080—Follow-Up Activities • The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions, and recommendations to determine whether appropriate actions have been implemented in a timely manner.

The first three digits in a document number represent one of the eight standards categories. IS Auditing Standards begin with 0 and Standards for IS Control Professionals begin with "5." The standards numbers are the second three numbers in the document (12 standards to date). The third set of three digits in a document number is the number of the guideline. For example, document 050.010.030 is a guideline (see Exhibit 2.1). It provides guidance in the fifth standard category (050), Planning. The Guidance applies to the first standard in that category (010), Audit Planning. It is the third guideline listed under Audit Planning (030). Procedures are listed separately and numbered consecutively by issue date. Procedures are numbered consecutively as they are issued, beginning with "1." Refer to the latest index of IS auditing standards, guidelines, and procedures for a complete listing of those documents available online from ISACA's web site.

c. American Institute of Certified Public Accountants

The AICPA has long-established Generally Accepted Auditing Standards (GAAS) that are related to internal auditing—it is at least tangential when external auditors come to the IA's firm to conduct financial audits. The basic Standards fall into three categories: General Standards, Standards of Field Work, and Reporting

Standards. The first two groups are similar to many of the standards from the IIA and ISACA.

General Standards
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles (GAAP).
2. The report must identify those circumstances in which GAAP were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.

The AICPA also issues Statements of Auditing Standards from time to time.

[5] Much of this section was taken from ISACA's web page on Standards located at: www.isaca.org/stand1.htm.
[6] The list illustrates the Standards for Information Systems Auditing issued by ISACA, and is not comprehensive. For the complete list, see www.isaca.org/stand1.htm.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.4 REV NO: DATE: TITLE: Systems Development Life Cycle Standards PAGES:

2.4 Systems Development Life Cycle Standards

While the standards from the IIA, ISACA, and AICPA are obviously relevant to the IA function, it is also true that proven systems development life cycle (SDLC) standards are relevant. For instance, the ISACA standard 060.020 (IS Auditing Guideline: Applications Systems Review) states in section 2.1 "Planning Considerations" in part:
• The IS auditor should gain an understanding of the risks and exposures associated with the organization's objectives and its information systems.

Further, section 2.1.3 states in part:
• Application level risks at the system and data level include such things as: system integrity risks relating to the incomplete, inaccurate, untimely, or unauthorized processing of data; and system

maintainability risks relating to the inability to update the system when required in a manner that continues to provide for system availability, security, and integrity.

All of the above portions of the Standards are directly related to the proper use of SDLC techniques. For example, if system updates are done online (LAN or Internet) rather than taken offline, updated, tested, then restored to live access, risks are greater according to SDLC standards. Many a system has been updated online only to cause extra costs or other loss due to the extra or unnecessary problems this process created. The same is true for the phrase from section 2.1.3 "integrity risks relating to incomplete . . ." By not following SDLC procedures in systems changes or purchases, the result can be these very risks.

One proven effective approach to systems planning is to use a steering committee to manage the process. Part of the responsibility of this team or steering committee is to ensure an appropriate linkage between the project and the strategic objectives of the firm. A dynamic strategic systems plan is certainly better than no plan at all. The members of this group follow a similar makeup as the "matrix" view of cross-functional teams.

Another key SDLC standard is the use of a cross-functional team in developing any major system. The team should include: systems professionals (analyst, programmers, etc.), end users, and auditors or accountants (limited to design functions, focusing on application controls). Another effective technique is to include different levels of the organization within the different functions. For example, consider using a manager from IS, a mid-level person, and someone from the operational level of IS. The same would be true for users/operations, management, and audit/accounting (see Exhibit 2.2 for a matrix view of this technique).

Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix
Departments => Executive Management | Middle Management | Operations Personnel
IA => 1 | 1 | 1
IS Dept. => 1 | 1 | 1
(two further department rows, each => 1 | 1 | 1)

The SDLC has two pre-requisite documents and steps: a preliminary feasibility study and project authorization. The SDLC procedures for new systems include these steps: Identify the process, whether new or a major change, understand what needs to be done, in general terms, consider alternative solutions, if necessary, select the best solution, test the solution, activate or implement the solution, and maintain the solution.

The specific phases of the SDLC cycle are described in the following, and pictured in Exhibit 2.2, and that depicted in Exhibit 2.3—which includes a list of the documents or reports that are involved with the phases:
• Phase 1—Systems Planning • Systems planning has proven to be cost effective, although it is tempting for the IS technicians to skip—usually due to time pressures. It includes both the strategic systems planning (long-term planning) and project planning (short-term planning). Project planning includes identifying users' needs, preparing proposals, evaluating proposals, prioritizing individual projects, and scheduling work. It includes a project proposal and project schedule document.
• Phase 2—Systems Analysis • This phase includes surveys and other fact-gathering steps. The step is documented by the system analysis report.
• Phase 3—Conceptual Design • In this phase, the team will develop alternative systems that satisfy the system requirements identified during system analysis. This phase includes a data flow diagram (DFD).
• Phase 4—Systems Evaluation and Selection • This process seeks to identify the optimal solution from among the alternatives. It includes a feasibility study, cost-benefit analysis, and the system selection report (documentation).

• Phase 5—Detailed Design • This phase will produce a detailed description of the proposed system that satisfies system requirements identified during systems analysis and is in accordance with conceptual design. It involves numerous reports and some of the most important documentation of the processes and system. Examples include: detailed design report, DFD (detail), entity-relationship (ER) diagram, relational model, normalized data, data dictionary, program flowcharts, technical specifications (documentation), program documentation, and other documentation.
• Phase 6—Systems Implementation • At this point, equipment is purchased and installed, employees are trained, the database structures are created and populated with data, and the new system is installed. During this phase, applications are coded and tested (prior to going live), and the system is documented. It will include some sort of testing, such as a simulation or walkthrough, and the user acceptance report. Once the final tests have been conducted, the system is placed in active use. This phase then would provide a post-implementation review. It also should include a budget variance analysis. The post-implementation review and budget analysis are critical follow-up processes that will be valuable to management decisions and future projects.
• Phase 7—Maintenance • The maintenance phase is the longest in time, and therefore the efficiency and effectiveness of this phase are highly dependent on the documentation of the previous steps. The system is changed to accommodate changes in user needs. Because about 80% of the total cost of the system will occur during this phase, there is plenty of opportunity for cost savings based on activities such as the data dictionary [7] developed in the detailed design phase. A minimum of four controls are needed in maintenance: formal authorization for changes, retesting (offline first), and updating of the documentation (especially the data dictionary).

Exhibit 2.3: SDLC Guidelines

The accuracy and integrity of these information systems directly affects the accuracy of the client's financial data. A materially flawed financial application will eventually misstate the financial data, which will then be incorrectly, and materially, reported in the financial statements. Therefore, some of the questions internal auditors should ask include:
• How can audit verify that SDLC activities are being applied consistently?
• How can audit verify that systems are free from material errors and fraud using SDLC principles?
• How can audit verify that the purchase or development of a system is justified?
• How can audit verify that system documentation is adequate and complete?
• How can audit verify that a library control is effective for original source code (or original copies and licenses of commercial software) and data (backups)? That is, what controls exist to protect original software and backup data? (See page 109 for a description of library control.)

[7] A data dictionary will include all of the fields in all of the files used by the system with details on the characteristics of the field and places it is used in the applications.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.5 REV NO: DATE: TITLE: Professional Development PAGES:

2.5 Professional Development

One of the critical success factors in internal audit (IA) is professional development. Not only do accounting and auditing rules change, but other relevant matters also change. For instance, technology and systems are constantly evolving at a rapid pace; they not only house the accounting information, but are also excellent tools to use in audits. Management issues, such as conflict resolution and leadership, are vital to IA. Life-long learning, professional development, is a necessity. Most of all, the ISACF Standards state that IS auditors are to be technically competent, having the skills and knowledge necessary to perform auditor's work (040.010—Competence/Skills and Knowledge) and also specify that IS auditors are to maintain their technical competence through appropriate CPE (040.020—Continuing Professional Education). The IIA Code of Ethics states the same requirement for competence in its "Principles" and "Rules of Conduct" sections. Therefore, professional development is a key to quality audits and an effective IA function. (See Section 5.2 on personal development for details on professional development.)

Certification is an important element in a successful, effective internal audit department. Major benefits are that certification is a sign of professionalism, an adequate level of knowledge (for the area under certification), and a willingness to submit to a professional code of ethics. Another benefit of certification is the mandatory Continuing Professional Education (CPE) credits that must be earned each year in order to maintain one's certification. (See Section 5.1(c) i for more on certification.) This manual also recommends an annual staff meeting or conference for training and education of the staff auditors, in addition to other educational options. (See Section 5.5 for details.)

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.6 REV NO: DATE: TITLE: Responsibilities of a Corporate Auditor PAGES:

2.6 Responsibilities of a Corporate Auditor

In addition to the various standards to be followed, the corporate auditor and the IA function have responsibilities that must be fulfilled for IA to have successful results.

a. Nature

Internal auditing is an independent appraisal activity within an organization for the review of operations as a service to management. It improves managerial control by measuring and evaluating the effectiveness of other controls, and by maintaining a vigilant watch over risks. The internal auditor is concerned with any phase of business activity where he/she may provide service to the organization. This scope involves going beyond the accounting and financial records to obtain a full understanding of the operations under review.

b. Objective and Scope

The objective of internal auditing is to assist all members of the organization in the effective discharge of responsibilities by furnishing them with analyses, appraisals, recommendations, and pertinent comments concerning the activities reviewed. The attainment of this overall objective involves such activities as:
• Reviewing and appraising the correctness, adequacy, and application of accounting, financial, and other operating controls and promoting effective control at reasonable cost
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which company assets are accounted for and safeguarded from losses of all kinds
• Ascertaining the reliability of management data developed within the organization
• Ascertaining the quality of performance in carrying out assigned responsibilities
• Recommending operational improvements

c. Responsibility and Authority

The responsibilities of corporate auditing within Sam Pole Company are clearly established by management policy. The internal auditor's responsibilities should be:
• To inform and advise management and to discharge this responsibility in a manner that is consistent with the codes of ethics of the IIA and the ISACA (IS audits)
• To coordinate his/her activities with others so as to best achieve audit objectives and the objectives of the organization

Corporate auditors have neither direct responsibility for, nor authority over, any of the activities that they review. Therefore, the corporate audit review and appraisal do not in any way relieve other persons in the organization of the responsibilities assigned to them. The related authority provides the corporate auditor full access to all of the organization's records, properties, and personnel relevant to the subject under review. The corporate auditor should be free to review and appraise policies, plans, procedures, and records.

d. Independence

Independence is essential to the effectiveness of corporate auditing. This independence is obtained primarily through organizational status and objectivity:
• The organizational status of the corporate auditing function and the support accorded to it by management are major determinants of its range and value. The head of the corporate auditing function should be responsible to an officer whose authority is sufficient to assure both a broad range of audit coverage and the adequate consideration of and effective action on the audit findings and recommendations.
• Objectivity is essential to the audit function. Therefore, corporate auditors should not develop and install procedures, prepare records, or engage in any other activity that would normally be the subject of a review

to maintain a system of internal control that is evaluated as part of the annual external audit. Relevant laws include income tax. internal auditors do not have the same contractual or fiduciary obligations. the auditee will normally do so in the response to the audit report. the entire Board of Directors. we must perform our audits with the same extreme care as the external auditors. The Securities Act of 1933 and Securities Exchange Act of 1934 require all corporations that report to the SEC. or the firm did not issue an accurate audit report on the financial statements. The SEC and other regulatory entities are looking in that direction due to the improved image of the profession and the greater reliance upon internal auditors' work by management and the public accountants. certain information required by the Securities and Exchange Commission (SEC) or other regulatory body that could influence shareholders and/or the general public in financial planning decisions). 14 Chapter 2: Auditing Standards and Responsibilities . which was created by the acts. Although similar situations specifically addressed to the internal audit profession are rare. The Director of Auditing reports directly to the Audit Committee of the Board of Directors of Sam Pole Company for the purposes of audit scope. and it affects internal auditors.g. Don't be alarmed! Unlike the public accountants. If improved controls for reporting of travel and other business expenses are recommended. requires. any corrective action taken should be indicated.) protect intellectual property. Auditors' objectivity need not be adversely affected by their determination and recommendation of standards or controls to be applied in the development of the systems and procedures under review. We do have similar responsibilities. the Income Tax Act was passed (Sixteenth Amendment). and confidentiality is maintained. 
Regulatory Issues Due care is required in reporting comments related to regulatory bodies and federal laws. passed in 1977. it is essential that the situations are clearly described and the number of instances noted be reflected in the detailed section of the audit report. or the firm did not ensure adequate disclosures (e. In 1913. the possibility does exist. For example. Copyright laws (1977 et al. the Internal Revenue Service can and does request copies of audit reports during their examinations of tax returns. e. copyright laws and the Foreign Corrupt Practices Act. audit steps need to be included to audit for unlicensed software and other potential violations of this law. situations are promptly and carefully reported. and the general public. GAAS are followed.) The company's legal responsibilities can be attained if due care is used.6 for a history of federal regulations related to auditing. Also. Otherwise. and management is to inform them promptly of significant situations disclosed by audits so that they can meet their obligations to the shareholders. The company's reporting should be objective and factual to reduce further extensive tests of expense reports. The Foreign Corrupt Practices Act. (See Section 1.14 Chapter 2: Auditing Standards and Responsibilities and could reasonably be construed to compromise one's independence. Why? Usually because the firm allegedly did not follow Generally Accepted Auditing Standards (GAAS).. It is common to read in the financial section of a newspaper or other publication that a public accounting firm has been sued or censored. Therefore. and in accordance with GAAS. regulatory bodies. which usually affects audit programs—that is. that managements ensure good systems of internal control in their companies. under penalty of law. SEC. The Director's responsibility to the Committee.

Endnotes
1. Much of this section was taken from ISACA's web page on Standards located at: www.isaca.org/stand1.htm. Check the web page for any changes.
2. The majority of this section comes from the IIA's Code of Ethics web page at www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). The document used in this manual was adopted by the IIA Board of Directors on June 17, 2000. Please check the web page for any changes.
3. The majority of this section comes from the ISACA's Code of Professional Ethics web page at www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). The document used in this manual was adopted by ISACA on July 1, 2001. At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new certification—CISM. Please visit the web page for possible changes effective since this writing.
4. According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org/codeofethics.htm.
5. A data dictionary will include all of the fields in all of the files used by the system with details on the characteristics of the field and places it is used in the applications.
6. It also is under review at the time this chapter was written for changes related to the CISM certification.


Chapter 3: Internal Control System
SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.1 REV NO: DATE: PAGES:

TITLE: Definition

3.1 Definition
Executives and auditors alike understand the importance of a strong internal control system in relation to financial audits and reliable financial reports. But a sound internal control system also has the potential to enhance corporate strategies and thus provides internal auditors with the opportunity to express their value as business partners. Corporate objectives generally include the provision for reliable, timely information in effective decision-making. There is a need to protect assets, to communicate internally, and to analyze events and transactions. A strong internal control system can enhance all of these strategic objectives and assist in operational control.

Exactly what is an internal control system? The Information Systems Control & Audit Association (ISACA) defines it as:
• The policies, procedures, practices and organizational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.

This definition demonstrates the link between the internal control system and business objectives. According to the Committee on Sponsoring Organizations (COSO), internal control is:
• A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.

According to the Institute of Internal Auditors (IIA), the control system is:
• The attitude and actions of management and the board regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.

The control environment includes the following elements: integrity and ethical values, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel. The bottom line is that an effective internal control system is a critical success factor for any organization in the long term, and that internal auditors should ensure they are inexorably melded with corporate strategies. Internal controls have become more than accounting guidelines. They are indispensable tools against the ever-increasing risks, exposures, and threats to accounting systems, data, and assets. Therefore, this manual will use the following definition of an internal control system, which provides the basis for the discussion in this chapter:


• Internal control system is the policies, practices, procedures, and tools designed to: (1) safeguard corporate assets, (2) ensure accuracy and reliability of data captured and information products, (3) promote efficiency, (4) measure compliance with corporate policies, (5) measure compliance with regulations, and (6) manage the negative events and effects from fraud, crime, and deleterious activities.

It goes without saying that corporate data, and the files that contain them, are an asset and do have value. The same is true for systems and the value is proportionate to the degree the organization is dependent on information systems (IS) or information technologies (IT) in delivering products or services. Thus the safeguarding of corporate assets includes the data and systems of the organization—even system availability. This chapter will attempt to provide information to strengthen the internal control system. There is a discussion of related management policies, related regulations, risk assessment, some control activities, the employment of proven resources (i.e., computer-assisted audit tools and techniques), related fraud and crime, various applicable models, and some specific examples of tools and documents for internal auditors.


Corporate Audit Department Procedures Manual NO: 3.2 REV NO: DATE: PAGES: TITLE: Assumptions in Establishing an Internal Control System

3.2 Fundamental Assumptions in Establishing an Internal Control System
Federal law and business wisdom require management to exert a conscientious effort to maintain an effective system of internal controls and to build a strong internal control system. Management, with the aid of the internal audit (IA) function, should identify what needs protecting (i.e., assets), what risks exist to compromise those assets, and the extent of those risks (probability and impact cost). With those factors in mind, management, along with the assistance of the IA function, then should see that appropriate policies and strategies are developed concerning organizational structure (i.e., segregation of duties); physical, general, and application controls; and transaction processes.

One key to safeguarding assets is personal accountability, whether it is enforcing policy violations by employees or tracking down and prosecuting crackers and hackers. It also extends to management to make sure controls are operating effectively as designed. That accountability means management must make sure error logs, monitoring reports, and so on, are being read and responded to in a timely manner.

Management should employ the skills and abilities of professionals in designing internal controls and auditing their effectiveness. That includes technicians in the IS function and audit professionals in the IA function. If the company is conducting business over the Internet, that would include IS professionals such as a Certified Information System Security Professional (CISSP), Certified Information Technology Professional (CITP), or Certified Information Systems Auditor (CISA) who understand both computer technologies and security. For the IA function it would include a Certified Internal Auditor (CIA) or CISA. Internal control professionals (CIA, CISA, or CITP) should also be involved in all new systems development. The specific tools and techniques used to develop specific controls should be used in conjunction with the expertise of IA personnel.

Management should also encourage the use of proven resources, such as the internal control models identified herein. Most of all, management should pursue an effective audit committee in which members are qualified and independent (i.e., effective corporate governance).




An important step in building an effective internal control system is to make sure the organization has adequate relevant policies, accompanied by an effective monitoring and reporting system to make sure management's objectives are being met. Another step, sometimes chronologically preceding policy development, is for the organization to identify the risks to which it is subject and the corresponding loss if that risk came to pass; that is, a thorough risk assessment. Also, the organization should use proven resources to determine and implement the actual controls necessary to manage the risks. Exhibit 3.1 depicts a model of an effective internal control system to illustrate these elements, and most of the detail processes described in this chapter. Some basic assumptions constrain the implementation and effectiveness of any internal control system, no matter how well it may be designed. It is also important to think about the evolution of intruders in order to design effective controls. Controls are affected by laws and regulations.

Exhibit 3.1: Internal Control Environment Model

But first, reasons will be given for a strong internal control system. There are business reasons, legal reasons, and audit reasons.

a. Business Reasons for a Strong Internal Control System
The business reasons have to do with management objectives. Sound internal controls enhance corporate strategies by maximizing the reliability and timeliness of information in making effective decisions. Management, in general, desires to safeguard assets thoroughly, to communicate efficiently and effectively internally, to analyze events and transactions in a timely manner, and to promote operational efficiencies universally. Strong internal controls have the potential to help meet these objectives. For example, the Committee on Sponsoring Organizations (COSO) says this about internal controls:
• ... a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.

b. Legal Reasons for a Strong Internal Control System
The last statement brings up the second point about compliance with applicable laws and regulations. Controls help to assure such compliance, especially for laws regarding the system and intellectual property. (See "Regulations" in this chapter for more details.)


c. Basic Assumptions for the Internal Control System
The first basic assumption is that of management responsibility. The responsibility for an effective internal control system is not that of internal auditors, external auditors, management accountants, or any other group except management.

The second assumption is that of reasonable assurance. There is no such thing as a perfect internal control system. Controls can generally be compromised under the right conditions. No computer system is impervious to attacks or malicious activities. In addition, controls have a cost, and the cost-benefit concept used in accounting must be applied even to controls. After all, if it costs $1 million to implement a control and the risk assessment shows a risk of loss of $200,000, then the control does not pass the cost-benefit test. The result is an exposure—a weakness in the control system. Internal control does not guarantee that an entity will meet management objectives, or even that the firm will survive. Rather, internal controls are designed to provide management with reasonable assurance regarding the achievement of these objectives.

The third assumption is independence from the method of data processing. That is, the control objectives should be designed without regard for the specific type of data processing. Certain control objectives may be peculiar to information systems or information technologies, but generally, a strong control objective should be just as applicable to a paper-based system as to a computer-based system. The specific controls will vary with different technologies, but the objectives should be process independent.

The fourth assumption deals with limitations, of which there are several. First, there will always be a possibility of error in any accounting system. There will always be the possibility of circumvention of controls by a determined and talented attacker. There is certainly always the possibility of management override of controls. Last, there is the simple passing of time—conditions change. With changing conditions, effective controls may become obsolete or ineffective and thus need constant re-evaluation (the raison d'être for the internal audit function!).

d. Evolution of Attacks and Intruders' Technical Knowledge
Attacks have grown from simplistic to complicated, while simultaneously the technical knowledge needed by intruders has gone from a high level to a very low level. For example, in the 1980s, attacks were mostly password guessing ("war dialers"), password cracking, some self-replicating code, and exploiting known vulnerabilities—all of which required a high level of technical skill at the time. Then, there was not the widespread communication of vulnerabilities and hacker tools that we have in the twenty-first century, which makes it much easier today to carry out these kinds of attacks. Later, attacks became a little more sophisticated, such as hijacking sessions, back doors, sweepers, sniffers, and stealth diagnostics. The technical knowledge required became moderate instead of the high level of technical skill needed earlier. In fact, the term "hacker" evolved from a complimentary term applied to those who had a lot of technical knowledge, knowing the administrative types of functions, commands, and intricacies of operating systems. By 1995, attacks became even more sophisticated. They included packet spoofing, use of intelligent agents, denial of service, and a combination of the two—distributed denial of service. Yet the level of knowledge required diminished. In fact, there is such an abundance of malicious code, and it is so easy to obtain, that by the end of the twentieth century many intruders were called "script kiddies"—so named because young teenagers were downloading script files and conducting attacks, all without a prerequisite high level of technical knowledge. Therefore, the level of risk today is much higher than 20 years ago. It is necessary for the IA function and other security personnel to understand the profiles of intruders and the types of popular tools being employed, in order to be best prepared to defend the corporate assets. (See Section 3.8 for more details.)




e. Cost-Benefit Analysis of Controls
An important constraint in developing internal controls is the use of cost-benefit analysis on controls. Control activities are subject to the same cost-benefit analysis as other management activities. But a 2 × 2 model of risk probability and cost provides additional guidance in decision-making related to security and controls (see Exhibit 3.2). For example, those risks that have a low probability and low cost should simply be ignored. But for those with high probability and high costs, control activities need to be implemented to prevent the risk from occurring. For example, a disaster may have a low probability but it has a high cost (see Exhibit 3.2); therefore management should employ insurance and/or a backup plan as an appropriate control activity. This model requires management to identify what needs protecting, what the risks are for those assets, and the level of cost impact and probability for each risk. Input from internal auditors and IS professionals most likely will be necessary to perform these steps appropriately.

Exhibit 3.2: Controls Decision Making Overview


Corporate Audit Department Procedures Manual NO: 3.3 REV NO: DATE: TITLE: Effective Internal Control Models PAGES:

3.3 Effective Internal Control Models
There are numerous proven internal controls models that internal auditors can rely on in developing and maintaining an effective internal control system. These come from reliable professional organizations such as COSO, ISACA, IIA, AICPA, and the Canadian Institute of Chartered Accountants (CICA).

a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA)
The COSO Model was developed by the Committee of Sponsoring Organizations (COSO), [1] originally known as the Treadway Commission. Organizations in COSO include the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). The final promulgated model on internal controls was published in 1992. The model contains five elements: the control environment, risk assessment, control activities, monitoring, and information and communication (see Exhibit 3.3). This particular model has been widely accepted and used by internal auditors and financial executives with equal success, and provides an effective model for designing, implementing, evaluating, and managing an effective internal control system.

Exhibit 3.3: COSO Model



The COSO report defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations." The report emphasizes that the internal control system is a tool of, but not a substitute for, management and that controls should be built into, rather than built onto, operating activities. Although the report defines internal control as a process, it recommends evaluating the effectiveness of internal control as of a point in time. Objectives are categorized by COSO as operational, financial reporting, and compliance (see Exhibit 3.3). COSO addresses the risk of failing to meet financial reporting objectives, failing to meet compliance, and failing to meet operational objectives, and covers them in broad terms. This model uses only one classification scheme for IS control procedures (by contrast, SAC uses five different schemes).

COSO's "Internal Control Environment" covers factors such as integrity and ethical values of management, management philosophy and operating style, how authority and responsibilities are assigned, competence of personnel, and the guidance provided by the board of directors. Under "Risk Assessment," COSO suggests the identification of external and internal risks to the entity and to individual activities, as well as the dynamic nature of risk assessment. The COSO Model considers management's analysis of risk and their ability to override and adjust the internal control system. "Control Activities" and procedures are discussed throughout the entity in the COSO Model. The cost-benefit consideration is a part of the COSO Model. Information systems are covered in the "Information and Communication" segment of the COSO Model. This area covers the need to capture pertinent internal and external information, the potential of strategic and integrated systems, and the need for data quality, and gathering competitive, economic, and legislative information. The Communication subsection discusses conveying internal control matters. COSO discusses the "Monitoring" aspect by recognizing the need for management to monitor the entire internal control system through the internal control system itself and through special evaluations directed at specific areas or activities. It uses an internal perspective for monitoring. COSO recognizes that people are involved with internal control as members of the board of directors (especially the audit committee), management, and other entity personnel such as internal auditors.

COSO emphasizes the desirability of integrating control activities with risk assessment. The AICPA has adopted the COSO Model officially by incorporating it into Statement on Auditing Standards (SAS) No. 78. SAS 78 revised SAS No. 55: Consideration of Internal Control in a Financial Statement Audit, and makes the COSO model part of external audit standards.

b. The CobiT Model (ISACA)
The CobiT Model [2] is the culmination of the evolution of ISACA's Control Objectives. In 1977, the Electronic Data Processing Auditors Foundation (forerunner of ISAC Foundation) published the first Control Objectives. It was a compilation of techniques and procedures for conducting IS audits covering various information technologies. The publication matched a particular IT with certain controls that ought to be addressed when conducting IS audits in that area or technology. Control Objectives included not only objectives related to controls, but also audit procedures. This book provided a normative model for IS auditors in performing their duties. The guidelines underwent revisions in 1980 and 1983 (second edition). The 1983 version was intended to be a complete overhaul of delineating the discharge of IS auditors' responsibilities. Other revisions would occur in 1990 and 1992 (the fifth version of the document). Control Objectives provided IS auditors a benchmark to measure audit effectiveness and emphasized best practices. Then, in 1996, the ISAC Foundation revised the tools in Control Objectives into a new guidance publication known as Control Objectives for Information Technology—CobiT. [3] The current edition is the third (2000) and is available on CD-ROM and online from ISACA.

Research for the first (1996) and second (1998) editions included the collection and analysis of identified international sources and was carried out by teams in Europe (Free University of Amsterdam), the United States (California Polytechnic University) and Australia (University of New South Wales). The researchers were charged with the compilation, review, assessment and appropriate incorporation of international technical standards, codes of conduct, quality standards, professional standards in auditing, and industry practices and requirements, as they relate to the Framework and to individual control objectives. After collection and analysis, the researchers were challenged to examine each domain and process in depth and suggest new or modified control objectives applicable to that particular IT process. Consolidation of the results was performed by the CobiT Steering Committee and the Director of Research of ISACF. [4]

CobiT provides an Executive Summary, a Framework for control of IT, a list of Control Objectives, and a set of Audit Guidelines. The latter two are reference works for the Framework. The document outlines platform and application independent IT control objectives that can be applied internationally, from international input, to meet the needs of IT governance and ensure the integrity of information and information systems applied on an international basis. It is a control model, or framework. The role and impact of IT controls as they relate to business processes are emphasized in CobiT. CobiT helps bridge the gaps between business risks, control needs, and technical issues. Thus, CobiT includes definitions of both internal control and IT control objectives. CobiT adapted its definition of control from COSO: The policies, procedures, practices, and organizational structures are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. CobiT adapts its definition of an IT control from SAC: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

CobiT combines the principles embedded in existing reference models in three broad categories: quality, fiduciary responsibility, and security. From these broad requirements, the report extracts seven overlapping categories of criteria for evaluating how well IT resources are meeting business requirements for information. These criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. CobiT also classifies IT processes into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. These processes follow the system development life cycle applicable to IT processes in any IT environment. The Framework describes its components, four domains of processes and 32 high-level control statements for those processes, 271 control objectives references to those 32 processes, and audit guidelines linked to the control objectives.

c. The SAC and eSAC Reports (IIA)
The SAC report also has a long history of development and evolution. In 1977, the International EDP Audit Committee (later known as the Advanced Technology Committee) codified and published best practices among IT shops related to EDP audits in a document entitled Systems Auditability and Control (SAC). Based on empirical evidence from around the world and from a committee of experts, SAC was published in three separate documents: Control Practices, Audit Practices, and Executive Report. SAC enjoyed a high degree of dissemination, mostly because of the numbers of copies distributed by the IIA to members, and by IBM, the financial sponsor of the project. After 11 printings of the original document, SAC was revised in 1991, and again in 1994 by the IIA Research Foundation. In order to emphasize both e-business impact and electronic delivery of the new material, in 2001 the IIA Research Foundation issued a completely revised set of guidance, Electronic Systems Assurance and Control (eSAC). It brings executive management, corporate governance entities, and auditors new information to understand, monitor, assess, and mitigate technology risks. These guidelines examine and assess risks that accompany each organizational component, including customers, competitors, regulators, communities, and owners (see Exhibit 3.4).

Exhibit 3.4: eSAC Model

The eSAC report defines the system of internal control, describes its components, provides several classifications of controls, describes control objectives and risks, and defines the internal auditor's role. The eSAC report defines a system of internal control as: "a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals." The report emphasizes the role and impact of computer-based information systems on the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build controls into systems rather than add them after implementation. The system of internal controls consists of three components: the control environment, manual and automated systems, and control procedures. The control environment includes organization structure, control framework, policies and procedures, and external influences. Automated systems consist of systems and application software. The eSAC report discusses the control risks associated with end-user and departmental systems, but neither describes nor defines manual systems. Control procedures consist of general, application, and compensating controls. The report provides guidance on using, managing, and protecting IT resources and discusses the effects of end-user computing, telecommunications, and emerging technologies.

Risks in eSAC are defined as fraud, errors, business interruptions, and inefficient and ineffective use of resources. Control objectives reduce these risks and assure information integrity, security, and compliance. Information integrity is guarded by input, processing, output, and software quality controls. Security measures include data, physical, and program security controls. Compliance controls ensure conformance with laws and regulations, accounting and auditing standards, and internal policies and procedures. The eSAC report provides five classification schemes for internal controls in information systems: (1) preventive, detective, and corrective, (2) discretionary and non-discretionary, (3) voluntary and mandated, (4) manual and automated, and (5) application and general controls. These schemes focus on when the control is applied, whether the control can be bypassed, who imposes the need for the control, how the control is implemented, and where in the software the control is implemented.

The role of internal auditors is also defined in eSAC. Internal audit professionals now perform financial, operational, and IS audits. Their responsibilities include ensuring the adequacy of the internal control system, the reliability of data, and the efficient use of the organization's resources. Internal auditors are also to be concerned with preventing and detecting fraud, and coordinating activities with external auditors. The integration of audit and IS skills and an understanding of the impact of IT on the audit process are necessary for internal auditors.

d. SysTrust (AICPA and CICA)
In response to the increased dependence on IS, the AICPA and Chartered Accountants of Canada (CICA) developed SysTrust and introduced it in December 1999. SysTrust focuses on providing assurance of the reliability of the controls of a system. The SysTrust model is another potential model to use in designing, implementing, and especially evaluating an internal control system—in particular, where there is a high reliance on IS and IT for business operations. In a SysTrust engagement, the CPA reports on the availability, security, integrity, and maintainability of a system. To evaluate the reliability of a system objectively, the CPA evaluates SysTrust's four essential principles [5]—availability, security, integrity, and maintainability—individually against four categories of criteria—policies, communication, procedures, and monitoring. The system must meet all of SysTrust's four principles and 58 criteria to earn an unqualified SysTrust report (see Exhibit 3.5 for a list of the criteria).

Exhibit 3.5: SysTrust Model[6]
SysTrust Principles and Criteria

Availability. The system is available for operation and use at times set forth in service-level statements or agreements.
A1 The entity has defined and communicated performance objectives, policies, and standards for system availability.
A1.1 The system availability requirements of authorized users—and system availability objectives, policies, and standards—are identified and documented.
A1.2 The documented system availability objectives, policies, and standards are consistent with the system availability requirements specified in contractual, legal, and other service-level agreements and applicable laws and regulations.
A1.3 Responsibility and accountability for system availability have been assigned.
A1.4 Documented system availability objectives, policies, and standards have been communicated to authorized users.
A1.5 The documented system availability objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
A2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards.
A2.1 Acquisition, implementation, configuration, and management of system components related to system availability are consistent with documented system availability objectives, policies, and standards.
A2.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented system availability objectives, policies, and standards and to take appropriate action.
A2.3 Continuity provisions address minor processing errors, minor destruction of records, malicious codes, terrorism, and unauthorized software.
A3.1 System availability is periodically reviewed and compared with documented system availability objectives, policies, and standards.

Security. The system is protected against unauthorized physical and logical access.
S1 The entity has defined and communicated performance objectives, policies, and standards for system security.
S1.1 The system security requirements of authorized users and the system security objectives, policies, and standards are identified and documented.
S1.2 The documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.
S1.4 Documented system security objectives, policies, and standards have been communicated to authorized users.
S2.1 Acquisition, implementation, configuration, and management of system components related to system security are consistent with documented system security objectives, policies, and standards.
S2.2 There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.
S2.3 There are procedures to restrict access to computer processing output to authorized users.
S2.4 There are procedures to restrict access to files on off-line storage media to authorized users.
S2.6 There are procedures to protect external access points against unauthorized logical access.
There are procedures to protect the system against potential risks that might disrupt system operations and impair system availability. policies. Environmental and technological changes are monitored and their impact on system availability is assessed on a timely basis. There are procedures to ensure that personnel responsible for the design. Documented system security objectives. policies. and standards for system security. policies. Documented system security objectives. and operation of system availability features are qualified to fulfill their responsibilities. policies.4 S2.7 There are procedures to protect the system against infection by computer viruses. software. vandalism.1 S2. and other service-level agreements and applicable laws and regulations.9 10 Chapter 3: Internal Control System . The entity utilizes procedures.2 S1. There are procedures to identify and authenticate users authorized to access the system. software. and standards are communicated to entity personnel responsible for implementing them. and major disruptions of system processing that might impair system availability. legal. people. policies. S1 S1. policies. and standards.2 A3. Acquisition. S2. S2. Responsibility and accountability for system security have been assigned. and standards. and other physical attacks have been considered when locating the system. and standards are identified and documented. policies. The entity monitors the system and takes action to achieve compliance with system availability objectives. and infrastructure to achieve system security objectives in accordance with established policies and standards.8 Threats of sabotage. data. and standards.

S3. and standards have been communicated to authorized users. Integrity. I1.2 documented processing integrity objectives.3 Environmental and technological changes are monitored and their impact on system security is periodically assessed on a timely basis. I1 The entity has defined and communicated performance objectives. development. policies.2 The information processing integrity procedures related to information inputs are consistent with the documented system processing integrity requirements I2. legal.1 system processing integrity requirements of authorized users and contractual. configuration. I1. implementation.Chapter 3: Internal Control System 11 There are procedures to segregate incompatible functions within the system through security authorizations.3 Documented system processing integrity objectives. data. There is a process to identify potential impairments to the system's ongoing ability to address the I3. and standards are identified and documented.5 Documented system processing integrity objectives. S3. policies.1 The system processing integrity requirements of authorized users and the system processing integrity objectives. people. policies. and management of system components related to system processing integrity are consistent with documented system processing integrity objectives. timely. policies. policies. System processing is complete. policies. and standards for system processing integrity. and standards and to take appropriate action. and other service-level agreements and applicable laws and regulations. and standards are consistent with system processing integrity requirements defined in contractual.5 and operation of the system are qualified to fulfill their responsibilities.6 and vice versa. S3. and standards. legal. and standards and take appropriate action. and other service-level agreements. System processing integrity performance is periodically reviewed and compared to the documented I3. I2. I2. implementation. I2. 
I2 The entity utilizes procedures. and authorized. The entity monitors the system and takes action to achieve compliance with system processing integrity I3 objectives. policies. development.10 There are procedures to protect the system against unauthorized physical access. timely. policies.1 Acquisition.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented security objectives. and standards. S3 The entity monitors the system and takes action to achieve compliance with system security objectives. There are procedures to enable tracing of information inputs from their source to their final disposition I2. accurate. and other service-level agreements. S2. policies. and standards.11 There are procedures to ensure that personnel responsible for the design. S2. accurate. and infrastructure to achieve system processing integrity objectives in accordance with established policies and standards. Chapter 3: Internal Control System 11 . policies. and operation of system security are qualified to fulfill their responsibilities.3 There are procedures to ensure that system processing is complete. software. There are procedures to ensure that personnel responsible for the design. implementation. I2. and authorized.4 The information processing integrity procedures related to information outputs are consistent with the documented system processing integrity requirements. I1.4 Responsibility and accountability for system processing integrity have been assigned. legal. I1. I1. and standards are communicated to entity personnel responsible for implementing them.2 Documented system processing integrity objectives.1 System security performance is periodically reviewed and compared with documented system security requirements of authorized users and contractual.

12 I3.3

Chapter 3: Internal Control System

Environmental and technological changes are monitored and their impact on system processing integrity is periodically assessed on a timely basis. Maintainability. The system can be updated when required in a manner that continues to provide for system availability, security, and integrity. M1 The entity has defined and communicated performance objectives, policies, and standards for system maintainability.

M1.1 Documented system maintainability objectives, policies, and standards address all areas affected by system changes.
M1.2 Documented system maintainability objectives, policies, and standards are communicated to authorized users.
M1.3 Documented system maintainability objectives, policies, and standards are consistent with the requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.
M1.4 Responsibility and accountability for system maintainability have been assigned.
M1.5 Documented system maintainability performance objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
M2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system maintainability objectives in accordance with established policies and standards.
M2.1 Resources available to maintain the system are consistent with the documented requirements of authorized users and documented objectives, policies, and standards.
M2.2 Procedures to manage, schedule, and document all planned changes to the system are applied to modifications of system components to maintain documented system availability, security, and integrity consistent with documented objectives, policies, and standards.
M2.3 There are procedures to ensure that only authorized, tested, and documented changes are made to the system and related data.
M2.4 There are procedures to communicate planned and completed system changes to information systems management and to authorized users.
M2.5 There are procedures to allow for and to control emergency changes.
M3 The entity monitors the system and takes action to achieve compliance with maintainability objectives, policies, and standards.
M3.1 System maintainability performance is periodically reviewed and compared with the documented system maintainability requirements of authorized users and contractual, legal, and other service-level agreements.
M3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented system maintainability objectives, policies, and standards and to take appropriate action.
M3.3 Environmental and technological changes are monitored and their impact on system processing integrity is periodically assessed on a timely basis.

The evaluation of a system's reliability begins by understanding the basic components of the system. A system is defined as a set of procedures used to accomplish specific results, and an information system consists of five basic components organized to transform data inputs (raw facts) into information outputs. These five basic components of a system are: (1) infrastructure, (2) software, (3) personnel, (4) procedures, and (5) data. A reliable system is capable of operating without material error, fault, or failure during a specified period in a specified environment. Availability is defined by the system being available for operations. Security is the protection of the system against unauthorized physical or logical access—including both the physical components and the data. Integrity refers to system processing being complete, accurate, timely, and authorized. Maintainability refers to the required updates of the system, and whether such updates will continue to provide for the other three aspects above.


For each of these aspects, the CPA practitioner uses four categories of criteria: Policies, Communication, Procedures, and Monitoring. For Policies, the CPA evaluates whether the entity has defined and documented its policies relevant to the particular principle. Communication refers to the entity having defined and communicated performance objectives, policies, and standards for the essential principle being evaluated (availability, security, integrity, or maintainability). Procedures refer to the entity using procedures that are in accordance with its established policies and standards. Monitoring is defined as the monitoring of the entity's activities and the surrounding environment of the system to identify potential impairments to the system's reliability and to achieve compliance with objectives, policies, and standards for the essential principle being evaluated. To further assist the practitioner in the evaluation of these criteria, the Systems Reliability Task Force developed a list of illustrative controls. This list is not intended to be comprehensive, so the practitioner must tailor the list to the circumstances of the particular engagement. See Exhibit 3.5 for a list of the illustrative controls.

e. Conclusion: Comparing and Contrasting the Models
Although the different control definitions contain similar concepts, the emphases are somewhat different (see Exhibit 3.6 for a comparison table). The CobiT Model views internal control as a process that includes policies, procedures, practices, and organizational structures that support business processes and objectives. The eSAC report emphasizes that internal control is a system—a set of functions, subsystems, people, and their interrelationships. The COSO Model accentuates internal control as a process—an integrated part of ongoing business activities. SysTrust emphasizes the reliability of IS in financial reporting and business activities.

Exhibit 3.6: Comparison of Internal Control Models
Primary Audience. COSO: Management. CobiT: Management, users, process owners, auditors. eSAC: Internal auditors. SysTrust: External auditors.
IC Viewed as a ... COSO: Process. CobiT: Set of processes including policies, procedures, practices, and organizational structures. eSAC: Set of processes, subsystems, and people. SysTrust: Not explicitly defined; viewed similar to an assertion to which a CPA does an attestation.
IC Objectives. COSO: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations. CobiT: Effective and efficient operations; confidentiality, integrity, and availability of information; reliable financial reporting; compliance with laws and regulations. eSAC: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations. SysTrust: Effectiveness of business/organizational purposes and management's objectives; reliable financial reporting.
Components or Domains. COSO: Control environment; risk management; control activities; information and communication; monitoring. CobiT: Planning and organization; acquisition and implementation; delivery and support; monitoring. eSAC: Control environment; manual and automated systems; control procedures. SysTrust: Availability; security; integrity; maintainability.
Focus. COSO: Overall entity. CobiT: Information technology. eSAC: Information systems and overall entity. SysTrust: Information technology.
IC Effectiveness Evaluated. COSO: At a point in time. CobiT: For a period of time. eSAC: For a period of time. SysTrust: At a point in time.
Responsibility for IC. COSO: Management. CobiT: Management. eSAC: Management. SysTrust: Management.
System Size. COSO: 353 pages in four volumes. CobiT: 664 pages in five volumes. eSAC: 1,193 pages in 12 modules. SysTrust: A few online pages.
Source: ISACA, from web site www.isaca.org/bkr_cbt3.htm. Reprinted with permission.

The use of the COSO Model components is one way to compare and contrast the four models. The following analysis, therefore, is based on these five components.

1. Control Environment. The eSAC report describes three components of internal control. COSO discusses five components. CobiT incorporates the five components of the COSO report and focuses them within the IT internal control system. CobiT further bridges the gap between the broader business control models such as COSO and highly technical IS control models—worldwide. SysTrust describes four principles measured by four categories.

2. Information and Communication Systems. CobiT's focus is the establishment of a reference framework for security and control in IT. It defines a clear linkage between IS controls and business objectives. In addition, it provides globally validated control objectives for each IT process that gives pragmatic control guidance to all interested parties. CobiT also provides a vehicle to facilitate communications among management, users, and auditors regarding IS controls. The eSAC report, however, focuses on automated IS. The document examines the interrelationships among internal control and systems software, application systems, and end-user and department systems. The volumes of eSAC provide guidance on internal controls in these areas. COSO discusses both information and communication, emphasizing the need to capture internal and external information, the potential of strategic and integrated systems, and the need for data quality.
Communication focuses on conveying matters related to the internal control system.

3. Control Objectives. CobiT, eSAC, and SysTrust examine control procedures relative to an entity's automated IS. COSO discusses the control procedures and activities used throughout the entity. CobiT classifies controls into 32 processes naturally grouped into four domains. SAC uses five different classification schemes for IS control procedures. COSO only has one classification scheme, and emphasizes the desirability of integrating control activities with risk assessment. SysTrust classifies 58 controls into four classifications.

4. Risk Assessment. COSO identifies risk assessment as an important component of internal control. CobiT identifies a process within the IT environment as assessing risks, falling in the planning and organization domain and with six specific control objectives associated with it. CobiT addresses, in depth, several components of risk assessment in an IT environment. These include business risk assessment, the risk assessment approach, risk identification, risk measurement, risk action plan, and risk acceptance. It also deals directly with IT types of risk such as technology, security, continuity, and regulatory risks. Lastly, CobiT addresses risk from both a global and systems-specific perspective. Risk assessment is an explicit component of eSAC's system of internal control, and the document contains extensive discussions of the importance of risk assessment as foundational to internal controls. COSO and eSAC address risk concepts in a similar fashion. For example, both address the risks of failing to meet compliance and operational objectives. SysTrust stresses the entire attestation is to identify weak controls or other risks in the internal control system. Only one of the controls, however, specifically addresses risk.


5. Monitoring. In contrast to COSO, CobiT, and SysTrust, eSAC does not explicitly include monitoring as a component of the internal control system. SysTrust uses monitoring as one of the four categories that must be addressed in each of the four principal areas of investigation. COSO discusses monitoring activities in broad terms, and eSAC discusses specific monitoring activities that should be performed. CobiT, in an in-depth manner, defines specific monitoring requirements and responsibilities within the IT function. All the documents assign management the responsibility of ensuring the adequacy of the internal control system and its continued effectiveness. All of the models provide tools, usually explicit tools or controls, as guidance in managing the internal control system. There are some differences, but altogether, there are more similarities between the models. The more technology an entity uses, or the more reliance an entity has on technology, the more it needs CobiT, eSAC, or SysTrust. If the entity conducts e-commerce and is publicly traded, SysTrust makes a good choice. If an entity has only a modicum of technology and a low-to-medium reliance upon IT, COSO is probably the best choice. The final choice is up to the IA function, in matching the entity with the strengths of these individual models, or it may choose to develop its own unique model.


[1] See www.coso.org.
[2] See www.isaca.org/cobit.htm.
[3] This paragraph is from the ISACA web page on CobiT at www.isaca.org.
[4] See
[5] An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.
[6] An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality. These new principles will cause this chart to change accordingly.

Corporate Audit Department Procedures Manual TITLE: Regulations NO: 3.4 REV NO: DATE: PAGES:

3.4 Regulations
Internal auditors know the importance of adhering to federal and state regulations. Some of them apply to internal controls. (See Section 1.6, "History of Federal Regulations Related to Auditing.")

a. Securities and Exchange Commission (1933, 1934)
The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part of the annual external audit. The acts give the SEC authority to oversee the setting of Generally Accepted Accounting Principles (GAAP) for publicly traded companies. They also convey the authority to investigate cases of suspected financial fraud and to censure companies from trading (i.e., prevent the stock from being traded publicly). The SEC laws have a direct impact on companies that have publicly traded stock, especially regarding the need for a system of internal control and its evaluation.

b. Foreign Corrupt Practices Act (1977)
The Foreign Corrupt Practices Act of 1977 also requires SEC companies to maintain an internal control system with reasonable assurance that the organization's objectives are being met, and even providing penalties for violations.

c. Copyright Laws (1976 et al.)
The Copyright Laws of 1976 (and other years) protect intellectual property. One aspect of intellectual property crucial to internal controls is software. Illegal copies of software on organizational computers can lead to severe penalties and bad publicity. In addition, management will be held responsible by federal officials even if software piracy went on contrary to policy and without management awareness. Other intellectual property includes books, music, and copyrighted graphical images (e.g., logos). Therefore, management must first develop a policy against violations of copyright laws, such as software piracy, and make sure the internal audit function ensures compliance with the policy. A study of 121 Certified Information Systems Auditors (CISAs) showed that software piracy is a problem in relatively large firms—those with about 3,000 microcomputers. Although almost all (91%) indicated an organizational policy governing unauthorized duplication of software, they estimated that more than 20% of their firms' employees had illegally copied software in the previous 12 months. Sixty percent of the auditors reported that their typical audit program included a specific procedure that was designed to detect pirated software. In spite of this fact, the auditors indicated that less than one-fourth of the audits that were conducted in the previous 12 months actually included such a test. Surprisingly, over one-third of the sample indicated that none of their audits included a test for unauthorized software. Unauthorized software poses a legal and financial risk to firms. Risks (or exposures, as the case may be), such as civil and criminal penalties, exist for those who use unauthorized or pirated computer software. These risks also include significant monetary fines. Information systems auditors, in general, and CISAs, in particular, should be especially concerned with these risks. 
However, it has been reported that many managers and auditors are unaware of the potential legal liability from software piracy. According to ISACA, IS auditors have a responsibility regarding the risks of software piracy to: (1) be aware of such risks, (2) communicate these risks to management, (3) review software implementation, (4) develop adequate control procedures, and (5) incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software. ISACA Standards (Section 030.010.010, Irregularities and Illegal Acts, paragraph 2.1.1) defines irregularities and illegal acts as "Other acts that involve noncompliance with laws and regulations, including the failure of IT systems to meet applicable laws and regulations." The Standard further clarifies that ISACA believes it is management's responsibility to prevent and detect irregularities and illegal acts, and not the IS auditor's, unless evidence exists that would indicate an irregularity or illegal act has occurred. ISACA Standards assert that IS auditors should be familiar with irregularities and illegal acts that are common to a particular industry or have occurred in similar organizations (paragraph 4.1.5).

d. Environmental Laws (Various)
In addition, there are federal laws regarding environmental issues that affect many organizations. Due to stiff penalties and negative public image that result from violations, internal auditors must be cognizant of any applicable environmental laws.


e. Sarbanes-Oxley Act (2002)
Several public frauds carried out in the years prior to 2002 focused attention on all aspects of financial reporting. Enron collapsed after what amounted to financial fraud by some of its executive managers. Sherron Watkins, a former accountant, tried to blow the whistle at Enron, but the principal executive officers dismissed her claims of fraud. WorldCom also filed for bankruptcy when an internal auditor, Cynthia Cooper, Vice President of Internal Audit, uncovered $3.8 billion in fraud, the largest accounting fraud at the time; as much as $9 billion of fraud has since been uncovered. She boldly identified the fraud and fraudsters to the board of WorldCom in June 2002. She later was recognized as Person of the Year by Time magazine—along with Sherron Watkins of Enron and Coleen Rowley of the FBI. Other frauds were uncovered at Adelphia and Tyco, to mention just a few from this time. As a result of these frauds and related pressures brought on the U.S. Congress, the Sarbanes-Oxley Act was passed in the summer of 2002. (See also Sections 1.6(e) and 9.2 for more on the Sarbanes-Oxley Act.) The subsequent rules and regulations by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) will have a dramatic effect on internal controls for publicly traded companies. For the first time, the NYSE now requires an IA function in all listed companies. Because the law requires CEOs and CFOs to report on their internal control systems and sign off on—and therefore certify—their financial statements filed with the SEC, this law will force top executives to assure the adequacy of their internal control systems. According to Section 404 (Management Assessment of Internal Controls), affected companies are required to: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. The role of internal controls and the system of internal controls has become more critical. Therefore, the material in this chapter is an important resource for IA in performing this critical and required function.

SAM POLE COMPANY Corporate Audit Department Procedures Manual TITLE: Policies NO: 3.5 REV NO: DATE: PAGES:

3.5 Policies [7]
Internal controls should have objectives related to assets, security, and auditability—ideally, objectives shared with executive management. These objectives should be methodically developed into cogent policies that protect the assets identified as important (see Exhibit 3.7). While policies in and of themselves are not preventive measures, they are the foundation for building appropriate preventive techniques or tools, they set the tone for the internal control environment, and they provide the benchmark for evaluating controls (i.e., measure compliance with the specifics of the policies). For all policies, management should provide oversight for enforcement to hold employees accountable for them in order to increase the effectiveness of policies. Where applicable, employees should sign a copy of policies to indicate their commitment (e.g., e-mail, computer usage). Internal auditors will need to consider the following areas (and maybe others) related to internal controls, with the goal of providing valuable input into management's development of policies: computer system development, computer system usage, security, passwords, e-mail, business recovery (also disaster recovery), and privacy of both employee and customer data.

Exhibit 3.7: Internal Control System Model
Management Policy: System Development; System Usage; Security (especially passwords); Privacy; E-Mail; Business Recovery Plans; Regulations (SEC, FCPA, Environmental, Copyright (e.g., software piracy)); Corporate Governance: Audit Committee and IT Governance.
Risk Assessment. Internal Threats: Malicious Activities; Accidents; Disgruntled Employees; Ineffective Accountability; Financial Fraud/Theft of Assets. External Threats: Remote Access; Intruders: Hackers/Crackers/Script Kiddies; Viruses; Computer Crime.
Control Strategies: Prediction (e.g., monitoring systems); Prevention (e.g., multi-layered firewall); Detection (e.g., intrusion detection system); Correction (e.g., DRP/IRP).
Specific Controls: CAATTs; Authorization: LAN, Applications, Data (password systems); Fraud and Crime-Related Activities (e.g., encryption); Computer—General Controls; Computer—Application Controls; Physical Controls (e.g., locked doors); Human Resource Procedures (e.g., background checks); IA Function; Computer Logs/Electronic Audit Trail; Segregation of Duties (IS, et al.); Data Integrity (e.g., validation procedures, backups in applications); Business Recovery Plans: Disaster Recovery Plan (DRP), Incident Response Plan (IRP); System Development Life Cycle Concepts; Firewalls (multi-layered); Intrusion Detection Systems/Monitoring.

A well-written policy should state in broad terms the organization's objectives regarding areas such as those discussed and allow the details and specifics to evolve based on the expertise and knowledge of the internal auditors and maybe IS personnel. Policies may be developed before a risk assessment is formally conducted, but if so, they are definitely affected by an appropriate risk assessment. Therefore policies, to some degree, will need to be flexible and dynamic in order to accommodate evolving issues.

a. Systems Development Life Cycle Policy
A key policy consideration is information systems, especially systems development and implementation. There should be a written policy that segregates processes of systems development, usage (operations), and maintenance (see "Segmentation of Duties" in this chapter for more information). A review of the organizational chart should indicate proper segregation of duties in the IS group. There are many stories of programmers and systems people who operated without proper segregation and were able to build fraudulent codes into programs unnoticed. At least one case involved millions of dollars stolen from ATM machines, and many others involved large sums stolen using techniques such as salami slicing. One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of taking systems off-line for upgrades, updates, and so on, and bringing them back online only after testing the

unless permission is secured in writing from management.8: Password Policy Communication — Promote it. fraud. and other unauthorized activities. Multi-faceted — For example. or beeper personal identification numbers (PINs) in conjunction with remote logins. For example. then cracked the purchasing agent's password. and find ways to continue to raise awareness within the organization. A good method of developing this policy is to specifically identify all of the approved uses of systems and to state all other uses are prohibited. The company almost went bankrupt. Such a policy will help create a corporate culture that is security conscious. and user-defined procedures. 19 b. In a similar case. Systems Usage Policy (End Users) A second related area is computer usage. see Exhibit 3. For a good overview of why to have an InfoSec policy. It has been shown that an effective password system in operation prevents the majority of potential unauthorized activities. An effective password policy is a strategic advantage in maintaining strong internal controls and helps to minimize adverse events such as computer crime. a researcher stated that 80% of the fraud and malicious activities he found could have been prevented with an adequate password system. In one recent study. Therefore. He later logged onto the system with his regular password and proceeded to destroy live data and online backup data. then ordered materials and had them shipped to him at a remote location. (See Section 3. or no access per data field per user. The policy should also stipulate repercussions for violations. a former network administrator for a medium-size firm was terminated. One goal of the security policy is to emphasize to all stakeholders—employees in particular—that information and data are not just computer files—they are assets that have a value. use biometrics (such as fingerprints. a thorough written computer usage policy must be developed and communicated. 
a former AT&T employee stole thousands of dollars of materials after being terminated. c. The computer system usage policy should focus on identifying the authorized uses of company computer resources. One recent survey showed that a majority of employees use company computers for personal business while at work. A security policy will remind employees of the importance and value of information they handle. Password Policy A significant part of the security policy is a password policy.) Exhibit 3. including the immediate removal of passwords when an employee is dismissed. the passwords for the terminated employees should have been disabled immediately upon dismissal. the password policy needs to include a strong statement about authentication and authorization via access to systems using appropriate password schemes and structures. use multiple levels of access requiring multiple passwords.8 for additional guidance in developing an effective password policy. Security Policy Another critical policy is the security (or information security—InfoSec) policy. and the risks or exposures that exist. Obviously.8(b) for more details on passwords. smart cards. and how to develop it. view Computer Emergency Response Team's (CERT's) presentation. He used his password to get into the system. in both circumstances. [8] d. voice prints). use a password matrix of data to grant read-only.Chapter 3: Internal Control System new system thoroughly. In order to effectively manage distributed computer resources. Internal auditors need to assist management in establishing fundamental security objectives tied to business objectives and assets that need protection from identified risks. read/write. use it during employee training or orientation. Chapter 3: Internal Control System 19 . It is recommended that this concept be included as corporate policy. That simple procedure would have prevented both tragedies.
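The rules in Exhibit 3.8 as an authentication routine would have to enforce them, written as an added example and not material from the book: the account names, passwords and dates are constructed, and the lockout threshold of three attempts and the 90-day change interval are assumed settings chosen within the ranges the exhibit gives.

```python
"""Password-policy controls from Exhibit 3.8 (added example, not from the book).
Numeric settings are assumptions where the exhibit gives a range, not a value.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 8              # exhibit: at least 6, eight recommended (assumed 8)
MAX_FAILED_ATTEMPTS = 3     # exhibit: lock after 1-3 false attempts (assumed 3)
MAX_PASSWORD_AGE_DAYS = 90  # exhibit: "regular intervals" (assumed 90 days)


def password_violations(candidate: str) -> list:
    """Return the Exhibit 3.8 composition rules that the candidate fails."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("must mix upper and lower case")
    if not re.search(r"[0-9]", candidate):
        problems.append("must contain a number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain a special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Store a salted hash, never the password; hashing keeps the check case-sensitive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    password_set_on: date
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    """Lockout, forced change and termination handling from Exhibit 3.8."""

    def __init__(self, today: date):
        self.today = today
        self.accounts = {}
        self.audit_log = []   # electronic audit trail of access decisions

    def add_user(self, user: str, password: str, set_on: date = None):
        problems = password_violations(password)
        if problems:
            raise ValueError(f"{user}: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(user, salt, _hash(password, salt), set_on or self.today)

    def terminate(self, user: str):
        # Notification of significant employee changes: access is removed at once.
        self.accounts[user].active = False
        self.audit_log.append(f"{user}: access removed on termination")

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            self.audit_log.append(f"{user}: refused, no active account")
            return "denied"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts += 1       # limited trials
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self.audit_log.append(f"{user}: locked after {acct.failed_attempts} failed attempts")
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        if (self.today - acct.password_set_on).days >= MAX_PASSWORD_AGE_DAYS:
            return "change-required"        # regular forced changes
        return "ok"


def run_scenario() -> dict:
    """Replay the text's two cases: a terminated employee and a stale password."""
    ac = AccessControl(today=date(2002, 6, 1))                        # constructed dates
    ac.add_user("admin", "Net!work99")
    ac.add_user("agent", "Purch@se2002", set_on=date(2002, 1, 15))   # 137 days old
    results = {
        "wrong_case": ac.login("admin", "net!work99"),   # case-sensitive: denied
        "second_fail": ac.login("admin", "guess-two"),
        "third_fail": ac.login("admin", "guess-three"),  # third failure locks the account
        "after_lock": ac.login("admin", "Net!work99"),   # correct password, still locked
        "stale": ac.login("agent", "Purch@se2002"),      # correct, but a change is forced
    }
    ac.terminate("agent")
    results["terminated"] = ac.login("agent", "Purch@se2002")
    return results
```

The audit_log list is what an internal auditor would sample to confirm that lockouts and terminations actually took effect.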

e. E-Mail Policy
Internal auditors should also assist management in developing an e-mail policy that describes appropriate use of corporate e-mail resources. It should also be signed by every employee using corporate e-mail resources. The policy should address the unethical activities discussed later in this chapter and procedures for opening attachments—because they could be viruses or other malicious codes. Also see Section 3.6(b) for discussion on a variety of e-mail issues that are unethical or detrimental, all of which need to be considered in the e-mail policy. In order to enforce the policy, management will likely need to audit e-mail messages from time to time. If there is ever a need to access an employee's e-mail messages, management should make sure that such access is stated in the e-mail policy and that all employees are aware that their e-mail could be read by management or staff. Otherwise employees rightfully could complain, maybe even sue successfully, for violation of privacy. See Exhibit 3.9 for a checklist or questionnaire about e-mail controls.

Exhibit 3.9: E-Mail Questionnaire
1. Are there effective procedures and controls in place to prevent viruses from penetrating the IS of the enterprise via e-mail attachments (a thorough anti-virus system—see Exhibit 3.11)?
2. Are there effective procedures and controls in place to prevent employees from broadcasting hoax virus warnings to the employees of the enterprise?
3. Are there effective procedures and controls in place to prevent flaming by employees?
4. Are there effective procedures and controls in place to prevent spamming? Has the enterprise determined which states have laws regarding spamming, and have the details of applicable laws been incorporated into policy and controls?
5. Are there effective procedures and controls in place to prevent spoofing?

f. Business Recovery Policy
An indispensable policy is business recovery plans (a.k.a. business continuity). Those plans include adequate planning for business recovery of systems (e.g., enterprise availability after systems become unavailable, minor disruptions), disaster recovery (natural or man-made cataclysmic events that wipe out systems), incident response plans (to deal with the effects of a deleterious event such as theft of credit cards, including bad press), and even ordinary backups of data. Because disastrous events are so rare, many organizations (most organizations, according to statistics) do not plan adequately for any of the recovery procedures.

software malfunctions (14%). and to test it periodically (e. Privacy Policy Information about individuals. is generally considered private information. In addition. the simple truth is every organization will deal with business recovery in some form or the other. Data Backups — One key strategy in backups is to store copies of data backups away from the business campus. Hardware — Some vendors provide computers with their site. preferably several miles away or at the backup site. employees should be asked to sign the pertinent policy to ensure their Chapter 3: Internal Control System 21 . 2001). TEST! — The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs. The plan itself should cover backup measures for a site. system failures. Team — The specific team members and their roles should be written. human error (32%). Results from one survey show data losses were due to hardware or system malfunctions (44%). It serves this purpose and provides protection against other undesirable events. and natural disasters (3%). internal auditors should encourage management to have written policies about restoring or recovering systems and/or data before a detrimental event occurs. For example. Another key is to test the restore function of data backups before a crisis. or the attacks on the World Trade Center on September 11. the policy should include some basics of the disaster recovery plan.. floods. housing.g. system software. the company should protect the private information of employees wherever possible. application software. it can be taken as intrusive. Documentation — An adequate set of copies of user and system documentation. viruses (7%). make sure copies are available at the backup site. according to statistics) do not plan adequately for any of the recovery procedures. Critical Applications — Rank critical applications so an orderly and effective restoration of computer systems is possible. understood. 
make sure plan accommodates compatible hardware (e. supplies. When data is captured to ensure compliance with policies. Also. Exhibit 3. A cost-benefit analysis will also raise eyebrows to the necessity of having an appropriate set of business recovery plans.known as a "cold site. including appropriate furniture." When not available. the ability to recover critical operations with minimal downtime should be the objective of the plan and the foundation of the policy. the steps and elements of the plan itself should be documented with adequate detailed information. If not included in the site plan. Therefore. to some extent or scope. Not only can natural or man-made disasters disrupt the commercial affairs of an organization. hacking. either personal data or data about actions. g. Some do not provide hardware . it is critical when disasters actually occur (e. and documentation (see Exhibit 3. Another valid option is a mutual aid pact where a similar business or branch of same company swap availability when needed. known as a "hot site" or recovery operations center. System Software — Some hot sites provide the operating system. To survive such events with minimal losses. and rehearsed. a business needs to formalize recovery procedures into a business recovery plan. The team leader is a critical success factor of the plan. but system errors. computers. data.10: Disaster Recovery Plan Site — A backup site facility.g. hardware. in some cases. Supplies — A modicum inventory of supplies should be at the backup site or be able to be delivered quickly. the legal system considers it an invasion of privacy.. However. and usually goes beyond such ordinary business decisions as insurance. For disaster recovery. Obviously.Chapter 3: Internal Control System 21 (most organizations.g. If an entity observes an employee secretively. To protect the company from either of these injurious events. 
Application Software — Make sure copies of critical applications are available at the backup site.. ability to lease computers). hurricanes. and telecommunications. or other computer attacks can also cause disruption. the plan should include a means to develop a ranking of critical applications and to test for effectiveness.10). once a year).

22 Chapter 3: Internal Control System knowledge of this type of observation. The current definition of internal auditing by the IIA states: • Internal auditing is an independent. detection risk. It helps an organization accomplish its objectives by bringing a systematic. objective assurance and consulting activity to add value and improve an organization's operations. [8]www. 78: Consideration of Internal Control in a Financial Statement Audit. Then.9. (2) Risk Assessment.g. and business risk.. One model for investigating risks is to view them as internal risks and external risks.6 Risk Assessment Risk assessment is a critical step in building an effective internal control system that has the ability to manage undesirable events. and how they will function in order to make them comfortable in conducting business online. has become the preeminent method of guiding audits. primarily because it strategically focuses attention on the most likely trouble spots with the highest costs rather than general protection. The IIA focuses on risk assessment in IA activities and standards. SAM POLE COMPANY 3." In order to develop effective audit planning. some type of risk analysis is necessary because it provides strategic direction for limited resources.5 through 3.1 for a full diagram of Sections 3.cert. It is important for customers or potential customers to know how the entity will use their information. External auditors have long begun their process of financial audits with the audit formula—assessing inherent risk. control. a privacy policy should be developed for them regarding information collected by the entity (e. cookies).6 REV NO: DATE: TITLE: Risk Assessment PAGES: [7]See Exhibit 3.org/present/cert-overview-trends/module-6. The five major areas of internal control include (1) Control Environment." Risk analysis. consistent with the organization's goals. and (5) Control Activities. (3) Information and Communication. and the ramifications for violations. 
For entities that have interactions with customers or clients over the Internet. the IIA basically adapted risk assessment as the cornerstone of audits in its Standards. and governance processes. what the cookies will contain.pdf. Under the Performance Standards of the IIA's Standards for the Professional Practice of Internal Auditing. In 2000. In SAS No. This manual uses this simple model for discussing some of the more common risks that exist in the average organization. See 22 Chapter 3: Internal Control System . this policy should be easily found on the web site home page and accessible to all customers or prospects. In the Nature of Work section (SPPIA 2100). [9] the AICPA institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control. audit risk. or assessment. Lately. control risk. internal auditing has also put more focus on risk assessment. the type of data about the employee being captured. Corporate Audit Department Procedures Manual NO: 3. (4) Monitoring. the first topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity. the first standard relates to Risk Management (SPPIA 2110). It states: "The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. disciplined approach to evaluate and improve the effectiveness of risk management.

risks from within the organization).e. and an effective internal control system (e. but declining profits are driving stock prices down. Because of their unique position to override controls. These people can be motivated to cause extensive harm to the organization and. A sample of accidents using the internal view would include the following: inadvertent data destruction (e. accidents. Such neglect could encourage further violations or even extend the scope of violations. and other activities for the specific organization but perhaps put more emphasis on it than external threats—depending on the specific system. excessive lifestyle. well-designed systems provide error reports or logs where errors have been detected but not corrected. Such actions are indicative of ethical soft spots that can lead to fraud. A similar result can happen if management fails to enforce policies when violations occur. may be tempted to steal assets to cover personal losses..).. or material misstatements. Numerous reported frauds give credence to this particular set of risky circumstances internally. management itself is a risky group. and errors in accounting data. It is possible to create a strong set of appropriate internal controls only to have them fail to operate effectively. and other similar activities. unintentional IS interruptions (e. Despite the high-profile stories of hackers in the public press. Second. they have stock options. Second. An appropriate risk assessment would not only identify the specific risks associated with malicious activities. These conditions can motivate fraud. Another area of concern is ineffective accountability. if the error report has actually identified a fraudulent event. a person who has a severe deficit cash flow. coupled with weak controls or opportunity.. It is also possible someone in the firm will become an industrial spy. Because of the nature of internal audit. 
Risk Assessment: Internal Perspective An effective risk assessment must emphasize a good understanding of the internal risks (i. gambling." Even the normal aggressive nature of driven managers can become a risk if not mitigated by strong personal and corporate ethics. especially financial fraud.. If management is subjected to monetary pressures (e. risks. may cause very costly damage. depending on their knowledge and access to systems. One management accountant reported his dilemma when his boss wanted him to reverse a correct accounting transaction because it caused a department to miss its profit goals (budget variances) for the first time in months. Disgruntled employees as a group probably present the highest risk—even more than hackers external to the firm.g. but should be analyzed thoroughly by external audits during financial audits. especially as it relates to audit planning. errors in systems development. often with the intent to "pay back" the organization shortly.. or misuse of assets. data. for whatever reason (e.g. There are several groups to think about in assessing risk from internal sources. For example. etc. theft.1(b) of this manual for more about risk assessment. erasing a hard drive). theft.). First. Failure to review such reports on a timely basis and provide corrective action quickly not only fails to correct an existing error but may likely lead to further errors. 23 a. since employees would know that repercussions are not forthcoming. and assets. etc.g. audit committee). this oversight can inadvertently allow the fraud to be perpetrated without discovery. communications to outsiders that would be detrimental to the organization. research shows that about 75 to 80% of frauds and malicious activities actually originate from within the organization. Another dangerous group is the one of employees with personal problems. then obviously it will occur again when the circumstances are duplicated. or their bonuses are based on profits. 
they can more easily commit fraud. they may be tempted to "cook the books.g.. it is difficult to assess this risk.g.Chapter 3: Internal Control System Section 6. Malicious activities include destructive activities directed at the data or information system. theft or fraudulent activities related to assets. if the error is systematic. Chapter 3: Internal Control System 23 . infesting it with a virus or worm). For example. and threats.

causing its financial collapse. Some adverse activities have the objective of disrupting service (availability). denial of service (DoS) and/or distributed denial of service (DDoS) attacks are examples of crimes other than theft. Risk Assessment: External Perspective An effective risk assessment must also emphasize a good understanding of the external risks (i. COSO made a study of 200 randomly selected cases of alleged financial fraud investigated by the Securities and Exchange Commission—about two-thirds of the 300 SEC probes into fraud between 1987 and 1997. If the company has employed electronic commerce. 24 Chapter 3: Internal Control System . There are other reports of "crackers" (see "Types of Criminals" in this chapter for definition and description of cracker) stealing credit card data but always from files on the back office computers or web servers after the transactions were completed online. there is a risk that the data used in an e-commerce transaction might be stolen. and then held the firm hostage—threatening to post the credit card data on the Internet unless the firm paid the ransom. in which crackers bring down an e-commerce server with technically devised computer attacks. fraud. It is relatively easy to spread malicious code as attachments to e-mail. most of the financial frauds among public companies were committed by small corporations—well below $100 million in assets. there is a serious threat to anyone connected to the Internet today.g. one online storefront selling compact discs (CDs) took down its firewall to upgrade the system. Both serve as effective tools in preventing theft of data while online. For example. is not a government entity. there are a number of risks to consider. especially if the firm has a web server connected to its internal systems. For internal auditors of firms of this size.24 Chapter 3: Internal Control System One other observation must be made concerning internal controls. 
One series of attacks brought down eBay and Yahoo.).1 million. This also demonstrates the combination of risks: an accident (firewall not restarted) and crackers (stolen credit card data). it should be concerned about unauthorized access by users external to the organization.. The likelihood of these kinds of attacks depend on whether it occurs because of personal reasons (e. that means the level of risk is lower if the company has a low profile. or has a low level of online transactions. vengeance from disgruntled former employee or a computer whiz out to get your business) or because the organization is high-profile (e.. there were early warnings from certain groups that a DDoS attack was pending. including desktop computers of a firm. Yahoo. or has remote access to networks. It begins with security of data. the connection was restored but IS employees forgot to reactivate the firewall. amazon. It is after the online transaction is consummated that credit card data has been stolen.g.. these findings provide valuable input to a risk assessment. government entity.com. The highest risk associated with the Internet is neither hackers or crackers but viruses or worms. The average misstatement or misappropriation of assets was $25 million.. And while it is virtually impossible to activate a virus by simply opening an e-mail message. For instance. These risks being unique require some special expertise regarding internal controls.e. with a median of $4. Some companies committing fraud were experiencing net losses or were at close to break-even positions in periods before the fraud. If the company has remote access to its computer systems. eBay. Pressures of financial strain or distress may have provided incentives for fraud for some companies. Crackers broke through the system and stole files containing thousands of credit cards. b. Yet even here. among others. Nevertheless. While online. Almost all widespread viruses depend on the features of Outlook (e. 
In that decade. Unauthorized access would most likely eventually lead to some detrimental activities. The episode was devastating to the CD company. secure sockets layer (SSL) and secure electronic transaction (SET) have proven to be nearly invincible. in early 2000. Once the upgrade was completed. using encryption combined with public keys to protect data while exposed online. etc. For internal auditors.g. However. Top senior executives were involved in most of the cases (CEO and/or CFO in 83% of the cases). and management. Microsoft complicated that by allowing the automatic opening of attachments in Outlook. The size of the fraud relative to the size of the company is quite large. risks from without the organization).

CERT. Measures to prohibit propagation of hoax viruses (e. removal of floppy drives). Training of all employees (e. It can be a serious problem.11: Anti-Virus System/Model 1. Many states have laws against spamming. By centralizing broadcast warnings. or software) for potential viruses. [10] SANS. One is the fact that some virus warnings via e-mail are simply hoaxes. 4. Yet it only takes a minute to access one of the several hoax centers (e. 3. Such use of corporate e-mail should be prohibited. etc. Zdnet. For instance. if it involves sexual harassment or racial slurs. new viruses would not be included in the database/definitions of an anti-virus system.11 provides a model for an effective anti-virus system. They are a problem. trash talking. the enterprise can eliminate the waste of resources associated with hoax viruses (time to delete. Anti-virus software installed on all PCs (with online updates available). it is not considered spamming.g. 7. 8. but much less costly than real viruses. [11] and Zdnet. Spamming (junk e-mail) is a risk because it can clog bandwidth much like hoax viruses. 6. and even biased remarks). One relatively easy and cheap way to stop the spreading from a single infected computer is to add an e-mail address that will sort to the top with a bogus e-mail address.. clogging bandwidth with numerous bogus messages. daily warning system is necessary. Other measures as appropriate in particular enterprise (e. Thus. derogatory messages. Exhibit 3. [12] and IA should ensure the responsible party is subscribed to this kind of mailing list. Internal auditors should investigate Chapter 3: Internal Control System 25 .g. even leading to litigation. Regular virus scans of PC hard desktops and laptops (part of regular anti-virus maintenance). during orientation). But as long as the message has some mechanism to disable future messages. There are several other problem areas or risks associated with e-mail. 
whether the attack is another employee or the company. Responsible person or group subscribes to a credible virus alert mailing list (Cnet. firewalls. that person would be required to forward the message to the enterprise anti-virus person or group. [13] Norton Anti-Virus Center [14]) to authenticate the message before forwarding it to everyone you know—the hidden purpose of the perpetrator.. Another e-mail risk to consider is flaming (electronic smash mouth. and others — to identify emerging viruses that cannot be detected using existing anti-virus databases. This person or group can then authenticate any virus warnings and broadcast appropriate messages. including CERT. some sort of dynamic. Exhibit 3. The costs of damages created by viruses and worms in 2001 ran $12 billion—each of the several successful ones perpetrated costing millions. and to be able to get the newest anti-virus definitions when a new virus is released on the Internet). Several mailing lists offer this service.g. policy to not forward virus warnings except by executive designate).). Therefore.. Require regular desktop and laptop updates of virus definitions and databases (use e-mail reminders and/or policy). 5. computer incident advisory capability (CIAC). Filter e-mail servers (using routers. 2. One suggestion regarding policy is to forbid broadcasting virus warnings from anyone other than a designated person or group.Chapter 3: Internal Control System 25 automatically open attachments) and the address book on each computer. Norton Anti-Virus Center. although often such mechanisms do not work.. Anti-virus software alone is insufficient as a control. If a person receives a message and he/she thinks it is legitimate. it is very important for internal auditors and the internal control system to address this risk specifically and conscientiously.g.

2. or some other message. □ The updates are reviewed daily (weekly) for applicable ones. 2. Be sure the IS department has made the necessary precautions to prevent these objects from carrying out destructive code.9 provides a questionnaire for internal auditors that could be used to audit the e-mail services of an entity.12: A Basic Vulnerability Plan 1. □ Fixes and changes are first thoroughly tested on systems OFFLINE before being allowed online. Exhibit 3.14 for a list of the Top 20 vulnerabilities. For example. and corrections made. Crackers and script kiddies also take advantage of security holes in systems.502)[15] G1—Default installs of operating systems and applications G2—Accounts with no passwords or weak passwords G3—Non-existent or incomplete backups 26 Chapter 3: Internal Control System . an e-mail message could be broadcast to the enterprise's employees informing them of a day off. Spoofing (impersonating) can also be a risk. These holes allow outsiders to gain unauthorized access to systems and then they can do a wide variety of malicious activities. Security (SANS) and the FBI. List of probable vulnerabilities (broad scope of input).14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. ALWAYS test all changes. Spoofing refers to e-mail messages that pretend to be sent (authorized) by someone who has no knowledge of the message. plugs OFFLINE before putting the system back online. all unnoticed. scripts. See Exhibit 3.26 Chapter 3: Internal Control System spamming legislation in the states where the enterprise has servers and promote an appropriate policy regarding the handling of spamming—received or sent.13: Sample Questionnaire/Inquiry □ There is a reputable source or list of applicable vulnerabilities to our information systems. □ Both processes are reported or checked off by a responsible party in InfoSec. 
Anti-spam software packages are available but some have problems making a consistent distinction between spam and legitimate e-mail. developed by SysAdmin. There are objects or code agents that pose threats similar to viruses or worms—be it applets. Audit. documents the most often used vulnerabilities by attackers and intruders. America Online (AOL) has a strict policy regarding spam and enforces it—as such AOL serves as a good model to follow. The latter. Controls and procedures need to be developed to effectively protect against such attacks and risks. Regularly use the alerts to plug emerging leaks. Exhibit 3.12 for a set of basic vulnerability controls. fixes. □ There is a credible source to update the list for emerging vulnerabilities. Network. or other objects. 3. Exhibit 3. Exhibit 3. 4. 5. and give the appearance of being authentic (such as the signature of an executive). Subscribe to security-related mailing list (security alerts).13 for a questionnaire related to vulnerabilities. Exhibit 3. yet be a bogus message. □ The system is tested on a regular basis for known vulnerabilities or potential exposures. Use list as checklist to plug applicable vulnerabilities. □ The list is reviewed on a regular basis to see that all applicable vulnerabilities have been corrected. ActiveX elements. and Exhibit 3.

G4—Large number of open ports
G5—Not filtering packets for correct incoming and outgoing addresses
G6—Non-existent or incomplete logging
G7—Vulnerable CGI programs
W1—Unicode vulnerability (web server folder traversal)
W2—ISAPI extension buffer overflows
W3—IIS RDS exploit (Microsoft Remote Data Services)
W4—NETBIOS—unprotected Windows networking shares
W5—Information leakage via null session connections
W6—Weak hashing in SAM (LM hash)
U1—Buffer overflows in RPC services
U2—Sendmail vulnerabilities
U3—BIND weaknesses
U4—R commands
U5—LPD (remote print protocol daemon)
U6—sadmind and mountd
U7—Default SNMP strings

[9] SAS No. 78 revised SAS No. 55—the same topic.
[10] See www.symantec.com/avcenter/ or www.securityresponse.symantec.com.
[11] See www.norton.com or www.symantec.com/avcenter.
[12] See www.cert.org.
[13] See www.ciac.org/ciac by U.S. Department of Energy.
[14] See www.sans.org.
[15] G = General Vulnerabilities, W = Windows Vulnerabilities, U = UNIX Vulnerabilities. See www.sans.org/top20.htm.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.7   REV NO:   DATE:
TITLE: Control Strategies   PAGES:

3.7 Control Strategies

Effective control activities can help to mitigate the risks identified in the risk assessment. Control activities are developed at least in part from proven control strategies. Control activities will be presented in two models and some other general areas of control activities. The two models are discussed to provide a way for internal auditors to think about developing general control activities and objectives. Specific controls, such as CAATTs, are identified in "Specific Controls/CAATTS" in this chapter, with specific illustrations.

a. Fourfold Perspective of Controls Model

Before developing management policies, management needs to have a general understanding of how to design effective internal controls. The management of undesirable events is one aspect, which is divided into four perspectives. The first is prediction. The second is preventive controls that will minimize the possibility of a risk occurring. The third and fourth are detective and corrective, where controls are able to detect undesirable events after they have occurred and in some cases automatically correct them—in others they provide the means to correct them. Obviously, predictive and preventive measures are more efficient and less harmful and therefore should be premier in building the internal control system.

i. Prediction

The first area, prediction, is the most difficult. Profiling and background checks are specific activities that serve to predict malicious behavior or actions. Others include systems that are capable of generating accurate warnings regarding malicious activities. Two examples are certain mailing lists and Internet warning systems. One good example is the early warning system of a mailing list for malicious activities such as viruses and security vulnerabilities. When a new virus is released on the Internet, several organizations watch for it and publish early warnings via a mailing list. These organizations include non-profit or government ones such as CERT, [16] BUGTRAQ, [17] and the Internet Storm Center (ISC), [18] some of the anti-virus manufacturers such as Norton, and technical publications such as ZDnet. Since anti-virus software is vulnerable to a new virus, such a system is both "predictive" and preventive, and as such is critical to protecting assets (see Exhibit 3.11 to illustrate the inclusion of a predictive step in an anti-virus set of controls).

Another type of predictive control is an Internet-wide monitoring system such as those employed by CERT. The latter uses a similar approach to the virus warning systems—to monitor the Internet in a broad manner to determine if any malicious activity is emerging. The infamous Berkeley Internet Name Domain (BIND) attack is an example of how access to the ISC serves as a predictive control.

On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53—the port that supports the domain name service. Attacks on port 53 are significant only because the software program called BIND [19] uses that port, and versions of BIND that had not been recently updated had a vulnerability that attackers could use to take over the systems. [20] Thousands of organizations that had not updated their version of BIND were being infected with a worm called Lion. Lion stole password files from infected machines and sent them to a site in China, and it installed a distributed denial of service (DDoS) tool so that the infected machines could be used in denial of service attacks. Some kind of man-made "electronic storm" (actually an electronic packet storm) was sweeping through the Internet. But hundreds of intrusion detection sensors that were logging attacks had become part of regional and industry-specific security monitoring networks. They sent their logs to analysis sites. There the data was aggregated and charted automatically, and posted for analysis at SANS. Analysts immediately saw a spike in the number of attacks on DNS Port 53. The analysts determined what damage the worm did and how it was able to do it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just 14 hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack,

telling them where to get the program to check their machines, and advising what to do to avoid the worm. The technology, people, and networks that found the Lion worm were all part of the SANS Institute's Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November 2000. CID's contribution the night of March 22 was sufficient to earn it a new title: Internet Storm Center. This episode demonstrates the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious, which allowed the expeditious response to slow and then stop the attacks—and serve as a predictive control for many organizations. Today Internet Storm Center gathers more than 3 million intrusion detection log entries every day. It is rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. Internet Storm Center is a free service to the Internet community. The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. [21]

Another source that can serve as a predictive control is CERT. The CERT Coordination Center (CERT/CC) is located at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10% of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. Since then, the CERT/CC has helped to establish other response teams, and their incident handling practices have been adapted by more than 200 response teams around the world. CERT focuses on protecting systems against potential problems, reacting to current problems in progress, and predicting future problems. The organization's work involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help entities improve security at their site.

The security alerts and mailing lists are excellent sources for predictive controls. Some emerging technologies are being used to build predictive models with a relatively high degree of accuracy. Technologies such as artificial neural networks (ANN) have been shown to be more accurate than other modeling tools at making predictions where the data is extensive or complicated. Studies have shown the ability of ANN to predict with a relatively high degree of accuracy such events as financial distress of a firm (e.g., bankruptcy). Therefore it is not beyond the realm of possibility to use an ANN to build a predictive model for control breaches, "training" it by using actual past data. However, it does take special skills to properly build such a system.

It could be argued that the internal auditor's experience and professional judgment have predictive powers of sorts. For financial fraud, if the company is experiencing a high degree of pressure in the stock market (e.g., earnings per share below street predictions), and there is a weakening or soft profitability (e.g., declining stock prices, declining revenues, declining profits, economic woes of some sort), and personal weaknesses in executives (e.g., weak personal ethics), then there is a high risk of financial fraud. Most major financial frauds of the past have these factors in common. For employees, it is opportunity (exposure) combined with personal weaknesses, lifestyle is high or beyond means, and the possible result is theft. Many past employee thefts have these traits in common. That is, it could be predicted. Therefore, the professional judgment of auditors should be viewed as and used as a predictive control. However, this "control" is effective if, and only if, the internal auditors report directly to the audit committee.

ii. Prevention

Secondly, activities should be implemented where the objective is to prevent malicious activities. For InfoSec and Internet resources, a multi-layered firewall is a good control. That is, a single firewall control, such as a router with filters, is a weak control (i.e., becomes an exposure). A better control is a firewall that has multiple layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software

applications to prevent errors in data. System access likewise needs preventive controls to prohibit unauthorized access to systems and data.

iii. Detection

It is much easier to develop controls for detection, the third perspective. For InfoSec, there are some developing, effective means of detecting general Internet attacks. The Internet Storm Watcher [22] gathers information in real time from logs all over the Internet. When a general attack is made, the Storm Watcher is able to spot it much like a weather system predicts a physical storm. Monitoring systems that measure traffic on specific ports of the Internet and then graph it can produce an outcome that can detect an intruder hacking into a system. There are more sophisticated intrusion detection systems, but any enterprise with risks associated with the Internet needs a detection system commensurate with its level of risk.

Artificial neural networks mentioned above also have been shown to be able to detect fraudulent events or transactions. Studies have shown that a detective model can be built to recognize potential fraudulent transactions after having been trained by using actual past data (i.e., actual valid transactions and actual fraud transactions). Such a system could potentially then "sit" on top of the processing systems and filter transactions looking for potential fraudulent ones. Once a suspicious transaction is detected, the ANN would warn someone in IA directly, giving IA and the firm a chance to detect a fraudulent or irregular transaction as it is being conducted, rather than detecting it weeks or months later in an audit. There is a need to make sure such a system does not seriously impede the processing of transactions in the corporate system (i.e., IS performance). Again, it does take special skills and knowledge, as well as a set of transactions to do the training.

iv. Correction

The last perspective, correction, is another fruitful source of controls. For example, logs that generate a list of detected errors and the procedures to correct them are a critical component of applications and systems. Other types of correction controls include disaster recovery plans, business recovery plans, and incident response plans—all intended to correct the damage from major catastrophes.

b. Information Systems and Controls Model

A second model applies to controls in general: physical and computer. Computer control is subdivided into general and application controls (see Exhibit 3.15). Some examples follow for illustrative purposes and are not exhaustive.

Exhibit 3.15: IS Model of Controls

Physical Controls               Computer Controls
                                General Controls        Application Controls
Transaction Authorization       Passwords               Input Controls
Segregation of Duties           Locked Doors            Processing Controls
Supervision                                             Output Controls
Accounting Records                                      Batch Controls
Access Control
Independent Verification

i. Physical Controls

Physical controls involve controls of a manual nature (see Exhibit 3.16).
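The aggregate-and-compare step behind the March 2001 port 53 story, and the port-traffic monitoring this Detection section describes, as an added example (not code from the manual, from SANS or from the Internet Storm Center). The log line format, the sensor names, the spike threshold (four times the mean of the earlier hours, and at least ten probes) and the sample data are all constructed for the example; the point it makes is the one the text makes, that no single sensor sees the wave but the aggregate does.

```python
"""Port-probe spike detection over aggregated intrusion detection logs (added example)."""
import re
from collections import Counter
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed line format: "<ISO timestamp>Z <sensor> <src-ip> -> <dst-port>/<proto>"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z\s+(?P<sensor>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<port>\d+)/(?P<proto>tcp|udp)$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (hour, sensor, destination port), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group("hour"), m.group("sensor"), int(m.group("port")))


def aggregate(lines: List[str]):
    """Count probes per (hour, port) across every sensor, and per (hour, sensor, port).

    Malformed lines are counted rather than silently dropped, so a broken sensor feed
    shows up in the numbers instead of vanishing from the picture.
    """
    global_counts, sensor_counts, malformed = Counter(), Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        hour, sensor, port = parsed
        global_counts[(hour, port)] += 1
        sensor_counts[(hour, sensor, port)] += 1
    return global_counts, sensor_counts, malformed


def detect_spikes(global_counts: Counter, hour: str, factor: float = 4.0,
                  min_count: int = 10) -> Dict[int, Tuple[int, float]]:
    """Flag ports whose aggregate count in `hour` is at least `min_count` and more than
    `factor` times their mean count over all earlier hours (baseline 0 if never seen)."""
    earlier = sorted({h for h, _ in global_counts if h < hour})
    ports = {p for h, p in global_counts if h == hour}
    alerts = {}
    for port in sorted(ports):
        baseline = mean(global_counts.get((h, port), 0) for h in earlier) if earlier else 0.0
        count = global_counts[(hour, port)]
        if count >= min_count and count > factor * baseline:
            alerts[port] = (count, baseline)
    return alerts


def per_sensor_view(sensor_counts: Counter, hour: str, port: int) -> Dict[str, int]:
    """What each individual sensor saw for one port in one hour."""
    return {s: c for (h, s, p), c in sensor_counts.items() if h == hour and p == port}


def constructed_log() -> List[str]:
    """Constructed sample: three quiet hours, then a port 53 wave in the fourth hour that
    reaches every sensor but shows up at no single sensor as more than a few probes."""
    sensors = ["eu1", "eu2", "us1", "us2", "ap1", "ap2"]
    lines = []
    for hour in ("15", "16", "17", "18"):
        for i, s in enumerate(sensors):                       # steady web background
            lines.append(f"2001-03-22T{hour}:0{i}:00Z sensor-{s} 192.0.2.{i + 1} -> 80/tcp")
        for i in range(3):                                    # steady mail background
            lines.append(f"2001-03-22T{hour}:1{i}:00Z sensor-{sensors[i]} 198.51.100.{i + 1} -> 25/tcp")
        lines.append(f"2001-03-22T{hour}:20:00Z sensor-eu1 203.0.113.9 -> 53/udp")  # one DNS probe/hour
        if hour == "18":                                      # the wave: two probes per sensor
            for i, s in enumerate(sensors):
                for j in range(2):
                    lines.append(f"2001-03-22T18:3{j}:0{i}Z sensor-{s} 203.0.113.{10 + i} -> 53/tcp")
    lines.append("garbled line from a misconfigured sensor")
    return lines


def run_sample():
    """Aggregate the constructed log and evaluate the fourth hour."""
    global_counts, sensor_counts, malformed = aggregate(constructed_log())
    hour = "2001-03-22T18"
    return detect_spikes(global_counts, hour), per_sensor_view(sensor_counts, hour, 53), malformed
```

In the sample, no sensor logs more than three port 53 probes in the hour, a figure that would not stand out locally, while the aggregate count of 13 against a baseline of one probe per hour is flagged.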

Exhibit 3.16: Physical Controls

1. Transaction authorization (manual procedures)
2. Segregation of duties (IS processes, accounting processes, etc.) (authorization versus processing, custody versus recordkeeping, and such that fraud requires collusion)
3. Supervision (compensating control when unable to use segregation of duties)
4. Accounting records
5. Access controls (direct, indirect)
6. Independent verification (performance, system integrity, data integrity)

Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are processed by the accounting system with integrity and in compliance with management policies and objectives. Using management decision rules, certain recurring transactions become a programmed procedure, or operate under general authority. Other decisions of a non-routine nature need specific authority.

Segregation of duties is another important type of physical control. Three good rules of thumb for developing controls using segregation of duties are: (1) separate authorization of transactions from processing them, (2) separate custody of assets from record keeping, and (3) create controls such that a successful fraud can only be perpetrated using collusion. The latter generally can be accomplished by separating steps of the process between different individuals. Also, make sure segregation of duties extends beyond the typical area of basic accounting functions. That is, segregation of duties has many applications in IS processes and database management. Some of the controls that illustrate proper segregation of duties in IS are:

• Separate systems development from computer operations.
• Separate the database administrator (DBA) from other database and systems functions.
• Separate new systems development from maintenance. This control should both deter fraud and increase the quality of documentation. The alternate organizational structure could lead to weaker documentation and creates an exposure for programming, leaving it open to possible malicious code (e.g., back doors, salami slicing). If this separation is not possible, systems analysis can be separated from programming, which also should increase the quality of documentation.
• Separate the data library function from computer operations. Software and data assets should be treated much like inventory assets when it comes to controls, and in this case, they need to have a custodian. If the enterprise stores data tapes, backups, or other centralized storage, then a data librarian serves as custodian of the data asset. Some enterprises include original software and their licenses in the "library" as well. Documentation of in-house software, including original source code, should also be housed in the library. If a permanent librarian is not feasible, the rotation of a person on an ad hoc basis should suffice as an adequate control, together with an adequate audit trail of transactions (where the assets go, why, their safe return), strict procedures for checking assets in and out, and

the identification of users. Other library-related controls may be needed for data backups, data storage, and other issues pertinent to the enterprise. Data backups (tapes or disks) should have controls for labeling (either internal or external labels) and size.
• Use of a data control group. This group (or person) serves as a control between operations and end users—including management. They perform tasks such as: review and test computer procedures, monitor data processing, review control logs from data processing, review and distribute computer output, serve as liaison with end users, and so on. Therefore, this group, if employed, should be separated from operations and systems development.

Other segregations may be necessary depending on the circumstances. (See Section 3.7(f) for more on segregation of duties.)

Supervision is a vital part of physical controls. When segregation of duties becomes impractical, supervision is the default compensating control. This control includes formal reporting and procedures as well as physically supervising a person or process.

Accounting records should be kept in such a way as to prevent unauthorized physical access, and to limit opportunities for concealment of fraud. That is, safeguard documents (e.g., purchase orders, credit memos, checks) and physical accounting records (ledger cards).

Access controls (direct and indirect) are addressed in Section 3.8(b), and have already been discussed. Direct controls involve physical access to assets such as inventory or cash. Indirect controls relate to documents and processes that control such assets, and are a part of physical controls.

Internal controls should also be implemented for independent verification of data. A classic control in this category is the comparison of physical assets with accounting records, but it also includes controls such as reviewing management reports. Management also will assess the integrity of the computer system and data on an ongoing basis as a part of independent verification.

ii. Computer Controls: General

Computer controls are subdivided into general and application. This section addresses general computer controls. They would include controls such as locked doors for sensitive areas (e.g., mainframe room). Access to programs and data is critical and needs controls. For example, the system should build a log of activities including application used, data used, how long the user used the data or application, and manipulations made. Some operating systems have the ability to build this kind of log (see "Logs and Auditability" in this chapter for more information). Segregation of duties should be used to build independence (cannot alter programs or data).

General controls should also include controls regarding the development of new systems, hardware, or systems before activation online. These controls might include:

• Requiring a written request with justification from user(s)
• Requiring a written evaluation and authorization of this request by IS staff
• Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to ensure the inclusion of adequate controls during development)
• Requiring adequate documentation procedures
• Requiring full off-line testing for new applications
• Requiring a written report on the testing (probably re-introduce CISA or CIA to the process at this point), and
• Requiring training on new applications before implementation

Major changes to existing software systems should generally follow the same set of controls. There should also be controls regarding computer operations. There should be some kind of controls for the receipt of data for keying (if feasible) and for the distribution of output (e.g., a data control group).

iii. Computer Controls: Application

The next aspect of the IS controls model is application controls, which are more specific. They include input controls, processing controls, and output controls. The fact that the accounting system is a computer-based one does have some effect on these controls.

Examples of input controls include:

• (A) Authorization. Proper authorization procedures and controls are essential to an effective internal control system. Two basic control guidelines for authorization are:
♦ Controls should make sure transactions are properly authorized in accordance with management objectives and policies
♦ Embed controls where the computer performs the authorization
An example of the latter would be credit limits. The software should have built-in controls that verify a customer has sufficient credit to issue an invoice without going over the credit limit, and that require special authorization (preferably from the credit department) to allow the invoice to be processed when the amount would put the customer over the credit limit.

• (B) Converting data into computer files. Controls should be developed to ensure the validity of data entry from the point of data capture and/or input. Examples include:
♦ Transmittal controls
♦ Routing slips
♦ Control totals (hash, batch totals, etc.)
♦ Limit test (data is within range of valid entries for the particular field, data is reasonable)
♦ Self-checking digit, where applicable
♦ Validity check test (e.g., valid data for the particular field, complementary master record(s) exist, etc.)
♦ Use of batch control methodology, computer editing controls, verification programs and controls

• (C) Subsequent accountability. Subsequent to data entry, application controls should be employed to make sure data has not changed and data maintenance is validated.

Examples of processing controls include the following:
♦ Batch control where applicable (not likely to apply in real-time systems)—control totals, hash totals, record counts
♦ Record counts, amount totals, hash totals, where applicable (telecommunications)
♦ Develop controls using error reports for data that does not meet certain validity checks, including control procedures for follow-up of error reports for corrections
♦ Develop effective controls such as a data control group, the computer itself, and users to perform these control tasks (from most effective to least)

Examples of output controls include the following:
♦ Controls to ensure reliability of computer output (e.g., printed reports, printed checks, error reports, etc.)
♦ Controls to ensure outputs are distributed with appropriate custody to authorized personnel only
♦ If batch methodology is employed, reconcile output control totals with processing and input control totals
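The input, processing and output controls listed above, worked through on one constructed batch of sales invoices, as an added example (not code from the manual): transmittal control totals with a hash total, limit tests, a validity check against the customer master, a self-checking digit, an error report for rejected records, and computer-performed credit-limit authorization with the special-approval override the authorization guideline describes. The field names, the mod-10 (Luhn) check-digit scheme, the reasonableness bounds and all sample values are assumptions made for the example.

```python
"""Application controls over a constructed invoice batch (added example, not from the manual).

Control totals, limit test, validity check, self-checking digit, error report and embedded
credit-limit authorization. Field names, the mod-10 (Luhn) scheme and bounds are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_no: str   # digits; the last one is a mod-10 check digit (assumed scheme)
    customer_id: str  # key into the customer master file, e.g. "C100"
    amount: float
    quantity: int


# Reasonableness bounds for one invoice amount (constructed; set by management policy in practice).
AMOUNT_RANGE = (0.01, 50_000.00)


def luhn_valid(number: str) -> bool:
    """Self-checking digit: mod-10 (Luhn) check over the whole identifier."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def limit_test(value: float, low: float, high: float) -> bool:
    """Limit test: the field value lies within the range of valid, reasonable entries."""
    return low <= value <= high


def batch_totals(invoices: List[Invoice]) -> Dict[str, float]:
    """Control totals; the hash total (sum of customer numbers) has no business meaning."""
    return {"record_count": len(invoices),
            "amount_total": round(sum(inv.amount for inv in invoices), 2),
            "hash_total": sum(int(inv.customer_id.lstrip("C")) for inv in invoices)}


def reconcile_totals(computed: Dict[str, float], transmittal: Dict[str, float]) -> List[str]:
    """Return the names of the control totals that disagree with the transmittal slip."""
    return [k for k in ("record_count", "amount_total", "hash_total") if computed[k] != transmittal[k]]


def edit_invoice(inv: Invoice, master: Dict[str, Tuple[float, float]]) -> List[str]:
    """Computer editing controls: list every validity failure for one record."""
    errors = []
    if not luhn_valid(inv.invoice_no):
        errors.append("CHECK_DIGIT")
    if not limit_test(inv.amount, *AMOUNT_RANGE):
        errors.append("AMOUNT_LIMIT")
    if inv.customer_id not in master:        # validity check: a master record must exist
        errors.append("NO_MASTER_RECORD")
    return errors


def authorize_invoice(inv: Invoice, credit_limit: float, open_balance: float, approvals: Set[str]) -> str:
    """Embedded authorization: the computer authorizes within the credit limit; beyond it a
    recorded special approval (credit department) is required for this specific invoice."""
    if open_balance + inv.amount <= credit_limit:
        return "PROCESSED"
    return "PROCESSED_WITH_CREDIT_APPROVAL" if inv.invoice_no in approvals else "HELD_OVER_CREDIT_LIMIT"


def process_batch(invoices, master, transmittal, approvals):
    """Input totals vs. transmittal, per-record edits, authorization, and the output totals of
    the records actually processed, so output can be reconciled back to input."""
    result = {"transmittal_mismatch": reconcile_totals(batch_totals(invoices), transmittal),
              "error_report": {}, "dispositions": {}}
    balances = {cid: bal for cid, (_, bal) in master.items()}   # running balances within the batch
    processed = []
    for inv in invoices:
        errors = edit_invoice(inv, master)
        if errors:                           # rejected records go on the error report for follow-up
            result["error_report"][inv.invoice_no] = errors
            continue
        cid = inv.customer_id
        status = authorize_invoice(inv, master[cid][0], balances[cid], approvals)
        result["dispositions"][inv.invoice_no] = status
        if status.startswith("PROCESSED"):
            processed.append(inv)
            balances[cid] += inv.amount
    result["output_totals"] = batch_totals(processed)
    return result


# Constructed sample data: customer master (id -> (credit limit, open balance)), batch, transmittal.
MASTER = {"C100": (5_000.00, 3_000.00), "C200": (3_000.00, 1_000.00), "C300": (2_000.00, 1_500.00)}
BATCH = [
    Invoice("10017", "C100", 1_200.00, 10),  # clean, within credit limit
    Invoice("10025", "C200", 2_500.00, 5),   # over limit, credit department approval on file
    Invoice("10033", "C300", 800.00, 2),     # over limit, no approval -> held
    Invoice("10042", "C100", 300.00, 3),     # keying error: check digit fails
    Invoice("10058", "C999", 150.00, 1),     # no customer master record
    Invoice("10066", "C100", 75_000.00, 1),  # fails the amount limit test
]
TRANSMITTAL = {"record_count": 6, "amount_total": 79_950.00, "hash_total": 1_799}
CREDIT_APPROVALS = {"10025"}
```

Running `process_batch(BATCH, MASTER, TRANSMITTAL, CREDIT_APPROVALS)` reconciles the transmittal, rejects three records onto the error report, processes two (one only because a credit approval is on file) and holds one, and returns output totals for the two processed records that a data control group can reconcile against the input totals.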

c. Corporate Governance

A key control strategy is an effective corporate governance structure. This strategy begins with the IA function and includes an effective audit committee and IT governance.

i. An Internal Audit Function

The most important general control activity is an internal audit function. Each enterprise must have an independent source for developing and verifying controls, especially regarding security, auditability, and a successful internal control system. Internal audit is much broader and more flexible in the tasks it performs, above and beyond what the external auditors might do in a financial audit. In fact, the New York Stock Exchange and the IIA have asked the SEC to require an IA function for all companies with publicly traded stock. [23] This manual stresses the activities, qualifications, and duties that make the IA shop successful and productive. The best situation is to have an IA department within the firm. The IIA argues that an internal IA shop is a critical success factor in effective corporate governance. Therefore, if it is outsourced, management should be careful to maintain a maximum degree of independence. Major bankruptcies such as Enron have brought criticism to the possible lack of independence when the internal audit function has been outsourced to the external auditors responsible for the financial audit.

d. Audit Committee

Another key major control activity is an adequate audit committee. A qualified group of people, and an adequate staff, are indispensable in effective control activities. The audit committee serves as an independent "check and balance" with the internal audit function—serving as a watchdog over financial statements, risks, security, controls, and management assertions—and liaison with external auditors. They interact with both these groups with the objective of ensuring data integrity in financial statements and the avoidance of fraud or illegal activities. They also look for ways to identify adverse events. For instance, they might serve as a sounding board for employees who observe suspicious behaviors or outright fraudulent activities. A significant responsibility of the audit committee is to deal with the risks of the entity. Management should also expect the audit committee to assist them in ensuring the integrity of financial reports and in deterring fraud. Audit committees should be able to serve as guardians of the public interest. The public expects no surprises in the financial health of the company, and it expects to be able to trust the financial reports.

Companies need an audit committee for several reasons. The main reason is the fiduciary responsibility the company has to the shareholders. For publicly traded companies, the SEC issued a ruling that took effect January 31, 2000, related to audit committees. The ruling [24] says in part:

• The Securities and Exchange Commission is adopting new rules and amendments to its current rules to require that companies include in their proxy statements certain disclosures about their audit committees and reports from their audit committees containing certain disclosures. The rules are designed to improve disclosure related to the functioning of corporate audit committees and to enhance the reliability and credibility of financial statements of public companies.

The SEC basically requires publicly traded companies not only to have an audit committee but to include information on its activities in SEC reports. Companies that are not publicly traded but have a large number of stockholders are probably in need of an audit committee because of the fiduciary responsibility. Therefore, businesses that have a relatively large risk of fraud, theft, or illegal activities should also have an audit committee. For example, financial institutions and other businesses that handle large volumes of cash daily are prime candidates for an audit committee because cash misappropriation is the highest of risks.

But having an audit committee is not the same as having an effective audit committee. The audit committee should have a willingness to challenge the internal auditor

function as well as management when necessary. In general, based on a study by the Financial Executives International (FEI), the audit committee should be best positioned to determine whether or not the provision of any particular service by the audit firm is inappropriate. For those entities that employ outside auditors, they should be responsible for deciding which external auditor to hire. In whatever fashion is appropriate, they become an independent source of protection of the entity's assets from a variety of risks. See Exhibit 3.17 for a list of audit committee oversight areas.

Exhibit 3.17: Audit Committee Oversight Areas—In Order of Importance

1. Key areas of business and financial risk
2. Tone at the top/code of ethics
3. Internal controls and systems
4. External audit activity and relationships
5. Periodic financial reporting, including financial and accounting policies
6. Internal audit activity
7. Key personnel selection for critical financial/control positions

Certain historical events remind managers, board members, auditors, and other stakeholders of the risks that exist even for those businesses that seem to be immune to fraud. Enron proved that large companies with billions of dollars in assets can go bankrupt under the noses of well-intended board members. Enron had an audit committee made up of distinguished members with financial accounting pedigrees. Enron had $10 billion book value, $60 billion market value, and $1 billion in profits in its latest financial reports that were "not materially misstated," according to its external auditor, Arthur Andersen. Yet this large firm went bankrupt once it booked a $600 million entry to revise its earnings in late 2001. These events also show the need for effective audit committees.

In 1998, COSO issued a report, "Landmark Study on Fraud in Financial Reporting," covering 10 years and 200 randomly selected cases of alleged financial fraud investigated by the SEC from 1987 to 1997. The 200 randomly selected cases make up about two-thirds of all the SEC probes into fraud during the time period. The study develops several common factors about the companies (see Exhibit 3.18). The results of the study provide valuable information for any organization in protecting against fraud, but it is especially valuable in developing audit committees because of its applicability.

Exhibit 3.18: Commonalities of Fraud Entities from COSO Study

Smaller firms
Lack of experience in board members
Lack of independence of audit committee/board members
Absence of audit committee or infrequent audit committee meetings
Likelihood of involvement of executive managers in financial fraud
Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you cannot depend on your external auditors to detect fraud based on their size)

Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies involved—the average misstatement or misappropriation was $25 million

A model of attributes is presented based on the existing standards, SEC rules, and the COSO fraud report (see Exhibit 3.19). The model attributes include independence, competence, leadership, organizational structure, and a proactive approach.

Exhibit 3.19: Model of Attributes for Effective Audit Committee

Independence (outside directors)
Competence (knowledge and understanding of accounting, auditing, internal controls, fraud, security, and risk assessment/management; critical thinkers)
Organizational Structure (reporting channels direct from internal audit function, external auditors, whistle blowers)
Leadership (active, strong, decisive chair)
Proactive Approach (proactive vs. reactive)

Audit committees need to be independent of management and even other board members in order to effectively assess events and risks. The main ingredient for an effective independence is skepticism. Outside directors make it easier to provide both an appropriate degree of skepticism and independence. The entity should consider looking for outside directors, and locate people who are well qualified in the area of financial accounting, auditing, internal controls, fraud, and security (see item 2 in Exhibit 3.17).

Members should also be competent. Competence also includes experience, for the most part, experience being a board member for other organizations. Preferably experience also means experience as either a member of an audit committee or similar experience in auditing or internal controls. Thus a member of the audit committee should probably be the most seasoned of the members of the board. However, one recent study [25] revealed just the opposite:

• Unlike their counterparts, audit committee directors, for the most part, had served on significantly fewer other committees and for a shorter period of time on the corporate board, which implied they were mere "babes in the woods."

But competence should also include critical thinking skills. Audit committee members need to be able to sort through facts, exhibits, accusations, and circumstances to ascertain possible questionable areas.

The organizational structure of the committee is also important. Some firms allow any employee to contact the audit committee anonymously to report suspicious behaviors, fraud, or illegal financial activities. Whatever management can do to encourage reporting of these events and behaviors should be done. The audit committee will then have the opportunity to possibly identify fraudulent activities before they adversely affect the firm. Such a committee therefore serves as an ethics committee for financial reporting.

Leadership refers to the chair of the audit committee. As in most committees, the chair sets the tone for the activities and behaviors of the group. The chair needs to be active (proactive), strong (a capable leader and competent audit committee member), and decisive. These attributes identify any good leader, but are essential for the audit committee to be effective.

Lastly, the audit committee needs to be proactive. The same report suggests that audit committees need to challenge management assumptions and ask tough questions. They also need to foresee situations that contain high risk. The recent study by the FEI mentioned earlier shows that more than half of the respondents polled—chief financial officers and corporate controllers—felt that the audit committee needed to be more proactive. Coca-Cola Company has a good set of such questions [26] that illustrate a proactive approach, questions the company's board asks the IA function each year:

• Are there any significant accounting judgments made by management in preparing the financial statements that would have been made differently had the auditors themselves prepared and been responsible for the financial statements?
• Based on the auditors' experience, and their knowledge of the Company, do the Company's financial statements fairly present to investors, with clarity and completeness, the Company's financial position and performance for the reporting period in accordance with GAAP and SEC disclosure requirements?
• Based on the auditors' experience, and their knowledge of the Company, has the Company implemented internal controls and internal audit procedures that are appropriate for the Company?

One of the most effective techniques against fraud or crime is an internal audit function with a direct connection to an audit committee on the board, where such committee members are able to understand and respond to audit evidence. The model of attributes should empower the audit committee to serve its entity effectively in protecting the assets, ensuring the integrity of financial reports, inspecting suspicious behaviors or activities, and generally managing risks.

There is also a list of attributes or situations to avoid: those that were common to the cases of financial fraud in the COSO study (see Exhibit 3.18). The study mentioned that one consistent factor with the fraud cases was the absence of an effective audit committee. Often board members were neither independent (e.g., related to executives or owners) nor capable of dealing with audits and internal controls. Together, these two lists (Exhibits 3.18 and 3.19) will hopefully assist internal auditors in providing input into the board's decision about its audit committee, and in providing information on how to effectively interact with the audit committee. (See Section 9.2 for additional information on audit committees.)

ii. Information Technology Governance
Information technology governance is similar to corporate governance in its objectives and is a prime service of ISACA. That organization defines IT governance as:
• the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

IT governance becomes an integral part of corporate governance, or put another way, the more an organization relies on IT, the more IT governance is necessary. The primary goal is to ensure that expectations for IT are met and IT risks are mitigated. The objectives of IT governance are to (1) understand the issues and the strategic importance of IT, (2) ensure that the enterprise can sustain its operations, and (3) ascertain it can implement the strategies required to extend its activities into the future. IT governance should also lead to a structure through which the entity's overall objectives are set, the method of attaining those objectives is outlined, and the manner in which performance will be monitored is described. IT governance should address the following:
• Appropriate and adequate business and IT performance measures
• Appropriate and adequate business and IT outcome drivers
• IT strategic and alignment issues
• Best practices in IT governance
• Questions boards and management should ask

Questions such as "Is IT doing the right things?" "Are they doing them the right way?" "Are they being done well?" and "Is the enterprise actualizing benefits from IT activities?" should be answered by IT governance processes. One performance measurement system being used is Balanced Scorecard (see Chapter 9). Evidence of the need for IT governance is the number of chief executives who have criticized the benefits of IT. [27] To promote IT governance, ISACA sponsors the IT Governance Institute and provides various support documents and services. [28] This organization also promotes CobiT as another tool that assists management in IT governance.

e. Logs and Auditability
The last control activities area is that of logs. The more an enterprise is dependent on systems, automation, and computers, the more invisible audit trails tend to become. Therefore, it is imperative that the internal control system has an adequate degree of controls related to electronic audit trails. One effective control is the implementation of computer logs. Logs should be developed and implemented that will assist in safeguarding assets and ensuring compliance with policy (e.g., computer usage). Detailed computer logs should be evaluated (i.e., are they necessary, how detailed the data should be) for access and log-in to the system, access and use of applications, access and use of data, changes to data, changes to applications (i.e., changes in an application), and changes to the operating system. If the entity is connected to the Internet, logs become even more important. Logs should be used to track data such as sites visited, time spent on the Internet, files downloaded or uploaded, etc. Sites visited could reveal access to illegal sites (e.g., child pornography). Files downloaded could reveal viruses, hacking tools, illegal software, or other types of files that are contrary to organizational policy or federal regulations. Hacking tools might be an indication of an employee preparing to hack into the organization's system, and have in the past. Logs are the enforcement control for policy, but the entity needs to make sure employees are told such actions are being recorded and even have employees sign policies that have this form of enforcement (e.g., e-mail policy). When electronic logs cannot be generated, paper ones should be considered.

f. Segregation of Duties
Another primary objective of internal controls is the effective use of segregation of incompatible duties. Three rules to observe are to separate transaction authorization from transaction processing, record-keeping from asset custody, and any series of transaction processing steps such that a collusion of individuals would be necessary to commit fraud. This proven technique for designing internal controls, policies, and especially organizational structures was developed by accountants and auditors. Where segregation of duties is not feasible, management should compensate by adding adequate supervision.

For example, one large tire reseller did not segregate duties. Because the firm had several locations, it made use of a central tire warehouse. There was no security at the warehouse, and all salespersons had a key to it. One salesman stole tires, drove to a nearby city, sold them to an acquaintance, and covered his tracks with credit memos and phony invoices. No one suspected him, even though 75% of all credit memos came from one individual (proof that management must review reports). The custody of the tires should have been segregated from record-keeping of tire transactions (i.e., the sales force), and authorization of the credit memos should have been separated from the processing.

g. Investigation Procedures
Management must also consider what specific procedures should be employed to protect against internal threats. Key positions, including executives, may require a background search. (See "Physical Controls" in this chapter for more information.)
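The three segregation rules and the tire-reseller case in the Segregation of Duties section can be turned into a routine audit test. The script below is an added example written for this edition, not code from the book: it runs over a constructed credit-memo extract and a constructed role table (every user name, memo number, role and amount is made up) and flags memos whose creator also approved them, users whose share of all memos exceeds a threshold (the case in the text was 75% from one individual), and users who hold both asset-custody and record-keeping roles.

```python
"""Segregation-of-duties review over a constructed credit-memo file.
Added example for this edition; the data and role names are invented."""
from collections import Counter

# Constructed sample data: one record per credit memo. In the tire case the
# thief both raised and approved the memos that hid the missing stock.
CREDIT_MEMOS = [
    {"memo": "CM-1001", "created_by": "jdoe",   "approved_by": "mlee",   "amount": 420.00},
    {"memo": "CM-1002", "created_by": "rsmith", "approved_by": "rsmith", "amount": 1800.00},
    {"memo": "CM-1003", "created_by": "rsmith", "approved_by": "rsmith", "amount": 2200.00},
    {"memo": "CM-1004", "created_by": "jdoe",   "approved_by": "mlee",   "amount": 150.00},
    {"memo": "CM-1005", "created_by": "rsmith", "approved_by": "mlee",   "amount": 975.00},
    {"memo": "CM-1006", "created_by": "rsmith", "approved_by": "rsmith", "amount": 3100.00},
    {"memo": "CM-1007", "created_by": "rsmith", "approved_by": "rsmith", "amount": 2750.00},
    {"memo": "CM-1008", "created_by": "mlee",   "approved_by": "jdoe",   "amount": 300.00},
]

# Constructed role table: who has custody of stock (a warehouse key) and who
# keeps the records (posts to accounts receivable). Holding both is a conflict.
ROLES = {
    "jdoe":   {"sales"},
    "rsmith": {"sales", "warehouse_key", "ar_posting"},
    "mlee":   {"credit_manager"},
}
CUSTODY_ROLES = {"warehouse_key"}
RECORD_ROLES = {"ar_posting"}


def self_approved(memos):
    """Rule 1 (authorization vs. processing): creator and approver are the same person."""
    return [m["memo"] for m in memos if m["created_by"] == m["approved_by"]]


def concentration(memos, threshold=0.5):
    """Management-review test: users whose share of memos (by count) exceeds threshold."""
    counts = Counter(m["created_by"] for m in memos)
    total = len(memos)
    return {user: c / total for user, c in counts.items() if c / total > threshold}


def custody_vs_records(roles):
    """Rule 2 (custody vs. record-keeping): users holding a role from each set."""
    return sorted(u for u, r in roles.items() if r & CUSTODY_ROLES and r & RECORD_ROLES)


def sod_report(memos=CREDIT_MEMOS, roles=ROLES):
    """All three tests in one dictionary, suitable for a working paper."""
    return {
        "self_approved": self_approved(memos),
        "concentration": concentration(memos),
        "custody_and_records": custody_vs_records(roles),
    }


if __name__ == "__main__":
    for finding, detail in sod_report().items():
        print(f"{finding}: {detail}")
```

Run as a script it prints the three findings for the constructed file: four self-approved memos, one user with 62.5% of all memos, and one user who both holds a warehouse key and posts receivables. Against a live extract the same three functions would be pointed at the GAS export of the credit-memo file and the access-rights report from the application.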

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.8 TITLE: Malicious Activities

3.8 Malicious Activities
A brief description of aspects of malicious activities will assist in the development of effective specific controls. Areas to consider are computer crime, theft/financial fraud, and unauthorized access. But just as important, internal auditors need to understand the subtle differences between various attackers and thieves as well as typical profiles of these perpetrators.

a. Crime and Misappropriation of Assets
Computer crime is becoming popular among those with a criminal mind. The average dollar value of a computer crime is far greater than the average dollar taken in a bank robbery. Almost all of these crimes are driven by (1) opportunity (control weakness), (2) pressure (e.g., cash flow problems), and (3) rationalization.

i. Types of Crimes
Crimes associated with the theft of assets typically are carried out by employees. The description of crimes includes a profile of the employee or manager who might commit a crime, and the rationalization. These frauds are conducted by employees who have some pressure to steal (personal cash flow problems), accompanied with weak personal ethics. If a weakness exists in the controls, and if accompanied by personal weak ethics and an exposure, the result can be fraud and theft: the temptation can become too great for the employee to resist stealing from the organization. The rationalization is often that either the employee works hard and deserves the extra money, or he/she is "borrowing" the money and plans to repay it.

Another crime is financial fraud. By its very nature, it is virtually limited to executive management. Because of management's position, they are always in the position to have opportunity, that is, they can override controls. Management can come under pressure by such circumstances as economic problems in the firm (poor performance of stock on the open market). One typical area for fraud and theft is performance bonuses. Such tactics can become the impetus (pressure) mentioned earlier. The pressure to perform can be rationalized as perform at any cost and lead to financial fraud.

Lastly, there are those who break in from the outside (see below). As such they are considered computer crimes (e.g., the laws against spamming).

ii. Types of Criminals
Criminals can be broken down into different groups with specific profiles. The following describes the outside criminals. One way to think of the group of people who break into Internet systems is to subdivide it by the objectives of the person. Some of these attackers come to steal, kill, and destroy. Others come to play, possibly bringing a system down and making it unavailable, just bored. Most are not necessarily malicious, but all cause damages and bring about costs.

The groups are technically known as hackers, crackers, and script kiddies. So although hacker and cracker are often used interchangeably, they are in fact technically different sub-groups. Traditionally, "hacker" was a term that carried a positive connotation, a badge of honor regarding one's technical expertise. The true "hacker" (sometimes referred to as a "white hat" [30]) actually tries to do service to the Internet community. Hackers look for vulnerabilities and weaknesses, and then communicate the "hole" to the entity. These people enjoy the intellectual challenge of their activities, and are technically defined as "hackers." [31] Even then, there are rogues in this group. For example, a contract employee at Intel went beyond the scope of his work, for which Intel dismissed the white hat employee and had him arrested.

Then why is the popular press always referring to the "bad guys" as hackers? Because of the media's ignorance of the technical definitions. These people are actually "crackers" [32] (sometimes referred to as "black hats") whose intent is to steal or destroy. It is the cracker who writes malicious code such as DDoS and viruses, and conducts mischievous exploits on unsuspecting entities. According to President Bush's Commission on Critical Infrastructure Protection, an estimated 19 million people worldwide have the skills to engage in malicious hacking. [29]

The profile of the authors of the typical DDoS (and other Internet security incidents) is a male, 13 to 15 years old, with a lot of computer intelligence (neon hair and body piercing optional!). They usually begin malicious activities early. For example, Mixter (a self-proclaimed "white hat") started learning computers at six and malicious activity at 14. The term "script kiddie" refers to young computer enthusiasts who usually download the malicious code (e.g., DDoS) generated by crackers, rather than author it. They are similar to street gangs, having invented their own form of graffiti (web site defacements), having created a way to tag the Internet (viral code), and having fought gang wars online (using thousands of remote PCs controlled by Internet Relay Chat (IRC) bots), resulting in systems havoc. [33]

One example is a female (rare among script kiddies) from Belgium who authored Sharpei, one of the first .Net viruses. She says writing these viruses and DDoS programs is "a form of art, just like other hobbies, it's a fun way to practice programming." This statement reflects the attitude, and demonstrates the problem, with DDoS attackers. They do not see any real harm to their victims and are in it for the personal pleasure it brings.

b. Unauthorized Access and Authentication
Access control systems are used to authenticate and verify usually by using one of three basic approaches to security: (1) something you have, (2) something you know, and (3) something you are. [34] Specific controls range from access cards/readers (something you have), to passwords or PINs (something you know), to biometrics (something you are). The most general authentication, authorization, and verification controls are password systems, firewalls, and occasionally access cards or biometrics. The weakness of these former two security methods is that they have been compromised, and intruders have caused great harm and significant financial losses. The latter approach, on the other hand, has the potential to provide the greatest level of security because it involves something you are, and because biometrics can be more reliable than passwords or firewalls, especially stand-alone password or firewall systems.

There is a difference between verification and identification. Verification is the process of confirming that the person carrying the token (badge, card, password, or other data element, which is the claim of identity) is the rightful owner of the token. Identification, on the other hand, is the recognition of a specific individual from among all the individuals enrolled on the system. Ideally, access control systems would do both.

Passwords are the first line of defense in authenticating access to systems and data, and serve as a reasonably effective preventive system. (See Exhibit 3.8 for a password model to assist in developing the access control system.) Although they appear to be much less expensive than biometric systems, password systems might cost an organization. This cost usually happens in two ways: passwords that are forgotten and passwords that are stolen. The former requires time and resources to reset passwords. Since the human brain is not a perfect storage system when it comes to complicated and long letter-number combinations, the more sophisticated passwords might be forgotten; the password then needs to be reset and a new password must be created. The latter is a security breach and can be much more costly if the system is compromised. According to Mandylion Research Labs, resetting a password security system of a company with 100 workers would cost $3,850 per year. If the company has 1,000 authorized personnel, the same process would cost up to $38,500 per year!

The more risk that exists, the greater the need to consider a multi-faceted access control system in order to maintain adequate security, especially where remote access is frequent or e-commerce is employed. For remote access, one control might be the use of call-back systems. Once a user logs in from a remote location, the system hangs up the line and calls back on a pre-determined phone number. If remote access is stationary (i.e., the same person always accesses the system from the same phone), then this technique works well. Where call-back systems are impractical, multi-faceted password systems should be employed in such situations, maybe with biometrics.

One strategy is to create multi-faceted passwords. One current sophisticated approach is to generate password PINs over very short time frames, sometimes less than a minute. When remote users log in, they check a beeper for the most recent PIN and can only log in with both their password and the dynamic PIN. Another strategy is to combine passwords with network administration such that a matrix is developed for access. The rows are users. The columns are fields, files, etc. The cells are accessibility: read-only (RO), read/write (RW), or none. This matrix approach minimizes the exposure of data to internal users, narrowing authorization and access.

The most common biometric devices used for access control are fingerprint scanners, although facial and iris scanners and voice recognition systems are increasing in use. [35] Fingerprint scanners come in a variety of
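The password-plus-dynamic-PIN login and the user/file access matrix described in this section, as an added example written for this edition (not code from the book or from any token vendor). The PIN is derived HMAC-style from a per-user secret and the current 60-second window; that derivation is an assumption about how the "beeper" PIN is produced, since the text only says the PINs change over very short time frames. The user records, secrets, passwords and matrix cells are all constructed.

```python
"""Two-factor login (password + time-window PIN) followed by an access-matrix check.
Added example; the HMAC-based PIN derivation and all user data are assumptions."""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60  # the PIN changes every minute, matching "less than a minute" above


def dynamic_pin(secret: bytes, now: int, digits: int = 6) -> str:
    """PIN for the 60-second window containing `now` (assumed HMAC construction)."""
    counter = now // WINDOW_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, as hardware tokens do
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_pin(secret: bytes, pin: str, now: int, drift: int = 1) -> bool:
    """Accept the current window plus/minus `drift` windows (clock skew); constant-time compare."""
    for step in range(-drift, drift + 1):
        if hmac.compare_digest(dynamic_pin(secret, now + step * WINDOW_SECONDS), pin):
            return True
    return False


def _pwhash(password: str, salt: bytes) -> bytes:
    # SHA-256 keeps the example short; a production system would use a slow hash
    # such as scrypt or argon2 so that stolen hashes are expensive to crack.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user store: salted password hash plus the secret seeded into the user's token.
USERS = {
    "alice": {"salt": b"s1", "pw": _pwhash("correct horse", b"s1"), "secret": b"alice-token-seed"},
    "bob":   {"salt": b"s2", "pw": _pwhash("hunter2", b"s2"),       "secret": b"bob-token-seed"},
}

# Access matrix: rows are users, columns are files, cells are RO, RW or absent (none).
MATRIX = {
    "alice": {"payroll.dat": "RW", "ar_ledger.dat": "RO"},
    "bob":   {"ar_ledger.dat": "RW"},
}


def authenticate(user: str, password: str, pin: str, now: int) -> bool:
    """Both factors must pass; an unknown user fails without revealing which factor was wrong."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(_pwhash(password, rec["salt"]), rec["pw"])
    return pw_ok and verify_pin(rec["secret"], pin, now)


def authorize(user: str, path: str, mode: str) -> bool:
    """mode is 'read' or 'write'; a missing cell means no access at all."""
    cell = MATRIX.get(user, {}).get(path)
    if cell is None:
        return False
    return cell == "RW" or (cell == "RO" and mode == "read")


if __name__ == "__main__":
    import time
    t = int(time.time())
    pin = dynamic_pin(USERS["alice"]["secret"], t)   # what alice reads off her token
    print("login:", authenticate("alice", "correct horse", pin, t))
    print("alice write payroll:", authorize("alice", "payroll.dat", "write"))
    print("alice write ledger :", authorize("alice", "ar_ledger.dat", "write"))
```

The `drift` argument is the practical caveat: a token clock a few seconds off would otherwise lock users out at every window boundary, so one window either side is accepted, which is also why a captured PIN must be treated as live for about three minutes rather than one.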

formats, from stand-alone devices to readers built into keyboards and mice. Of special importance is the emerging trend toward integration of biometrics into networks and systems. In recent months, an increasing number of devices, such as notebook computers and computer keyboards, now come equipped with integral biometric fingerprint readers, plus several variants of biometric mice, and some with smartcard readers as well. More time is being spent on integrating biometrics into existing processes and applications, where feasible and applicable, and into network access control systems, and this progression leads to a potentially enhanced level of interoperability, something the biometric industry needs. Biometric systems are being relegated as a commodity item. [36] For example, the public benefits administrators in Texas and New York claim fingerprint identification has virtually eliminated fraud in their programs. [37] This area provides a lot of promise for all concerned with InfoSec.

But of all types of biometrics available, the most practical (the best solution) for access control appears to be fingerprint recognition or keystroke recognition biometric systems. Keystroke recognition systems are trained to recognize the unique features of a person entering his/her password. Because it is only software, it is less expensive and easier to operate than fingerprinting and other biometrics. They are unobtrusive, inexpensive, and, essentially, they work. They are also readily available in the market. The fingerprint option should be considered as part of a smart card plus fingerprint plus password method, versus a stand-alone fingerprint system (if the risks warrant such a sophisticated access system). This system would provide a high level of reliability with a high level of user acceptance, and a relatively low level of cost.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 3.9 TITLE: Specific Controls/CAATTs

3.9 Specific Controls/CAATTs
One resource for internal auditors in developing an effective internal control system is proven controls and CAATTs. Proven techniques include some already mentioned, such as an audit committee made up of qualified people who are independent of owners and executive management. Regardless of whether the corporation has a separate internal audit department, outsources the function, or relies on external auditors for the function, management should make sure someone or some group is responsible for the internal audit tasks: primarily the design, development, implementation, and examination of the corporate internal control system, which includes people, techniques, and models. People would include the use of experts and professionals in the IA function. Management should require an appropriate certification of those to whom it entrusts its internal controls system. Some applicable certifications include: Certified Internal Auditor (CIA from IIA), Certified Information Systems Auditor (CISA from ISACA), Certified Information Technology Professional (CITP from AICPA), Certified Information Systems Security Professional (CISSP from International Information Systems Security Certification Consortium, ISC2), and Global Information Assurance Certification (GIAC from the SANS Institute).

a. Firewalls
Any server connected to the Internet should also have a firewall as a preventive scheme. A firewall is one or more elements such as software, hardware, or techniques that inhibit unauthorized activities from external users. A variety of firewall defenses can be assimilated, and should be done so with the level of risk in mind. The higher the risk probability and cost, the more complex and expensive the firewall needs to be.

b. Monitoring Systems
One of the best detective tools is a good monitoring system. Examples are intrusion detection systems, passive logs, and traffic monitors. Intrusion detection systems are designed to detect crackers or hackers as they try to gain unauthorized access to the company's system. Steve Gibson reported 500,000 attempts a day detected at his site when a 15-year-old hacker got mad at him. [38] His intrusion detection system worked better than most because he is an elite expert, but he wrote an open letter to hackers and admitted that his system could not withstand a direct ongoing assault by hackers. Passive logs can provide data that could help detect or correct adverse attacks after the fact. Traffic monitors provide information to techies that will indicate adverse activity such as a denial of service attack. They simply graph certain technical aspects of Internet activities and traffic, and visually indicate potential problem areas. The Internet storm watcher is one example of a broader monitoring system, monitoring activity of the Internet as a whole.

c. Generalized Audit Software
Using generalized audit software (GAS), such as ACL, IDEA, PanAudit Plus, and others, has proven to be of immense value for internal auditors in detecting irregularities and fraud in computer systems. Audit software is also valuable in auditing operations. One of the major benefits is the fact that auditors are able to examine all of the records, not just a sample. Using GAS can bring both effectiveness (quality of the audit) and efficiency (significant productivity increases) to the IA function, and indeed has for many IA shops. Using GAS and CAATTs is more than extracting data, dumping the data into a spreadsheet, sorting the data, producing a report (information), and manually reviewing the paper copy. CAATTs use these steps as the precursor to the real work: the critical analysis of data. To use CAATTs or GAS, the internal auditor should follow these steps:
1. Set the audit objectives.
2. Meet with the owner of the data and a programmer.
3. Formally request the data.
4. Create or build the input file definition of the GAS.
5. Verify data integrity for the data imported.
6. Gain an understanding of the data.
7. Analyze the data.

In the fifth step, the use of batch controls is very useful for this purpose, especially if the auditor can establish those controls from the live data. Also, it is helpful to ask for a printout of the first 100 records along with the data; a review of these 100 records can establish some reasonable reliability of the data set. In the sixth step, this understanding can generally be gained by running some standard overview commands, such as COUNT, STATISTICS, STRATIFY, CLASSIFY, and so on, on the data set. Once the data is fully imported and ready, an internal auditor might run these types of tests:
• Reasonableness
• Completeness
• Gap
• Duplication
• Period-to-period (trends)
• Regression analysis
• Statistical analysis
• Transaction matching

d. Other Potential Controls/CAATTs
Other CAATTs include the following, which is not an exhaustive list, and some of which have been discussed previously in this chapter:
• Embedded audit modules
• Artificial neural networks
• System development life cycle
• Librarian
• Passwords
• Biometrics
• Intrusion detection system
• Firewalls
• Anti-virus software
• Digital certificates
• Digital signatures
• Encryption
• Proposed XBRL system
• Disaster recovery plan/business recovery plan (see Exhibit 3.10)
• Incident response plan
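The seven GAS steps and the test list in the Generalized Audit Software section, carried through on a constructed invoice extract. This is an added example written for this edition, not code from the book or from any GAS product: step 5 is the batch-control check (record count and hash total against the control sheet received with the data), and step 7 runs gap, duplication, reasonableness, transaction-matching and period-to-period tests. The invoice numbers, customers, amounts and the control sheet are all made up so that each test has something to find.

```python
"""GAS-style tests over a constructed invoice file. Added example; all data is invented."""
from collections import Counter

# Constructed extract "received from the data owner". One number is skipped,
# one invoice is loaded twice, one amount is negative and one is an outlier.
INVOICES = [
    {"inv": 5001, "cust": "C10", "amount": 1200.00,  "period": "2002-10"},
    {"inv": 5002, "cust": "C11", "amount": 350.00,   "period": "2002-10"},
    {"inv": 5003, "cust": "C10", "amount": 1200.00,  "period": "2002-10"},
    {"inv": 5005, "cust": "C12", "amount": 98000.00, "period": "2002-10"},  # 5004 is missing
    {"inv": 5006, "cust": "C11", "amount": 410.00,   "period": "2002-11"},
    {"inv": 5006, "cust": "C11", "amount": 410.00,   "period": "2002-11"},  # duplicate load
    {"inv": 5007, "cust": "C13", "amount": -25.00,   "period": "2002-11"},
]
# Constructed batch-control sheet supplied with the extract (count and hash total).
BATCH_CONTROL = {"count": 7, "hash_total": 101545.00}

# Constructed credit memos to be matched back to invoices; CM-2 points nowhere.
CREDIT_MEMOS = [
    {"memo": "CM-1", "inv": 5003, "amount": 1200.00},
    {"memo": "CM-2", "inv": 5999, "amount": 500.00},
]


def verify_batch_controls(rows, ctl):
    """Step 5: record count and hash total of amounts must agree with the control sheet."""
    total = round(sum(r["amount"] for r in rows), 2)
    return {"count_ok": len(rows) == ctl["count"], "total_ok": total == ctl["hash_total"]}


def gap_test(rows, key="inv"):
    """Gap test: numbers missing between the lowest and highest value of `key`."""
    seen = {r[key] for r in rows}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def duplicate_test(rows, key="inv"):
    """Duplication test: values of `key` that occur more than once."""
    return sorted(k for k, c in Counter(r[key] for r in rows).items() if c > 1)


def reasonableness_test(rows, low=0.0, high=50000.0):
    """Reasonableness test: invoices whose amount falls outside the expected range."""
    return [r["inv"] for r in rows if not (low <= r["amount"] <= high)]


def match_credit_memos(memos, rows):
    """Transaction matching: credit memos that do not tie to an existing invoice."""
    invoices = {r["inv"] for r in rows}
    return [m["memo"] for m in memos if m["inv"] not in invoices]


def period_totals(rows):
    """Period-to-period test input: invoiced amount per period, for trend review."""
    totals = Counter()
    for r in rows:
        totals[r["period"]] += r["amount"]
    return dict(totals)


if __name__ == "__main__":
    print("batch controls :", verify_batch_controls(INVOICES, BATCH_CONTROL))
    print("gaps           :", gap_test(INVOICES))
    print("duplicates     :", duplicate_test(INVOICES))
    print("unreasonable   :", reasonableness_test(INVOICES))
    print("unmatched memos:", match_credit_memos(CREDIT_MEMOS, INVOICES))
    print("period totals  :", period_totals(INVOICES))
```

Note that the batch controls pass on this file even though it contains a gap and a duplicate: the duplicate row is in the control totals the data owner computed, so count and hash total only prove that nothing was lost or altered in transit, which is all step 5 claims. The gap and duplication tests in step 7 are what surface the loading errors.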

References
Colbert, Janet L., and Paul L. Bowen. "A Comparison of Internal Controls: CobiT, SAC, COSO, and SAS 55/78." Information System Audit & Control Journal, Vol. VI, 1997.
COSO, Committee of Sponsoring Organizations. www.coso.org.
Hall, James. Information Systems Auditing and Assurance. South-Western College Publishing, 2000.
Information Systems Audit and Control Association. www.isaca.org; CobiT at www.isaca.org/cobit.htm and www.isaca.org/bkr_cbt3.htm.
Institute of Internal Auditors. Standards for the Professional Practice of Internal Auditing (SPPIA). www.theiia.org/ecm/guide-stand.cfm?doc_id=124.
Institute of Internal Auditors. www.theiia.org.
Schneider, Gary P., and James T. Perry. Electronic Commerce. Course Technology: Stamford, Conn., 2000.
Singleton, T. "An Empirical Investigation of IS Audits and Software Piracy." Forthcoming (January or February 2003).
Singleton, T. "Biometric Security Systems: The Best InfoSec Solution?" EDPACS, Vol. XXX, No. 5 (November 2002).
Singleton, T. "Effective Audit Committees for Cooperatives: Part I—What, Why and How." The Cooperative Accountant, Summer 2002.
Singleton, T. "Managing Distributed Denial of Service Attacks." EDPACS, Vol. XXX, No. 2 (August 2002).
Singleton, T. "Managing the Most Critical Internet Security Vulnerabilities: One Effective Approach." EDPACS.
Singleton, T. "Stop Fraud Cold With Powerful Internal Controls" (Building an Internal Control Environment to Enhance Corporate Strategies). Journal of Corporate Accounting and Finance (Wiley), Vol. 13, Issue 4 (May/June 2002), pp. 29–39.

Endnotes
1. See Exhibit 3.1 (2 × 2 security overview).
2. See www.coso.org.
3. See www.theiia.org.
4. This paragraph is from the ISACA web page on CobiT at www.isaca.org/cobit.htm.

5. SAS No. 78 revised SAS No. 55 (the same topic).
6. An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.
7. See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.
8. See www.cert.org/present/cert-overview-trends/module-6.pdf.
9. See www.sans.org.
10. See www.ciac.org/ciac by the U.S. Department of Energy.
11. See www.securityresponse.symantec.com/avcenter/ or www.norton.com.
12. See www.symantec.com/avcenter or www.norton.com.
13. See www.cert.org.
14. See www.incidents.org.
15. See www.incidents.org.
16. See www.cert.org.
17. See www.incidents.org.
18. See www.securityfocus.com.
19. BIND is one of the name services on the Internet, typically on Unix-, Linux-, etc.-based systems, though Windows XP does support BIND now.
20. See www.incidents.org.
21. See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).
22. The information for this paragraph came from a web page at The Internet Storm Center's web site. The page is located at www.incidents.org/isw/iswp.php.
23. Obviously, the SEC may or may not have adopted this ruling.
24. SEC Release No. 34-42266, File No. S7-22-99, www.sec.gov/rules/final/34-42266.htm. Visit the IIA site www.theiia.org or the SEC site www.sec.gov for clarification.
25. Nikos Vafaes, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20, No. 1 (March 2001).
26. Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the AAA, August 13, 2001.
27. For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running disappointment in business in the last 30 years." See E. Lee, "Combating Cyberthreats: Partnership Between Public and Private Entities," World Economic Forum, Information Systems Control Journal, 2002.
28. See www.itgi.org.
29. According to Computer Emergency Response Team.
30. They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific domain, specific time frame), and (d) they have an engagement letter to conduct the pen test.
31. See technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.
32. See technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to safe crackers.
33. According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.
34. Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society, online at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.
35. "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.
36. Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.
37. Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.
38. Steve Gibson is the founder of Gibson Research Corporation, a frequent writer and speaker on high-tech topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker and his report of the incident at his corporate web site: www.grc.com.

48 Chapter 3: Internal Control System 48 Chapter 3: Internal Control System .

Part II: Management and Administration

Chapter List
Chapter 4: Department Organization
Chapter 5: Personnel, Administration, and Recruiting


Chapter 4: Department Organization

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.1 REV NO: DATE: PAGES: TITLE: Introduction

4.1 Introduction

In order to achieve the goal of a world-class internal audit (IA) organization, standardized procedures must be developed and followed by the staff. Development of each auditor's individual professionalism can be greatly enhanced by understanding the company's expectations and being evaluated on compliance with approved departmental procedures. Other elements of management include feedback and mentoring, resources and training, and rewards. These elements can all be documented in a procedures manual. This procedures manual, and this chapter in particular, provides a place to state the department mission and document departmental procedures to attain that mission.

a. Strategic Objectives

Internal audit consists of people and procedures. In order to maximize the productivity of a group, the group needs a mission and consistent procedures to attain departmental goals. All organizations need a mission. They also need goals—short-term and long-term—that can be linked directly to the mission of the organization. From the mission statement, the IA department (in conjunction with management) should establish strategic objectives to reach the mission. Setting high standards will ensure that your department's work will be of sufficient quality to satisfy your mission and enable reliance by your independent auditors.

i. Mission Statement

While each organization will need to personalize its own mission statement, the following is a general statement that might apply or could be modified to apply:

• The internal audit department will enhance corporate viability and/or profitability by providing management with expertise in developing and maintaining an effective control environment, conducting efficient and effective audits, and building a quality IA department that will contribute to the corporate mission.

One example is: The department will strive to achieve world-class procedures and quality of services by adhering to professional standards, best practices, and proven quality improvement techniques.

Another example is the actual mission statement of JPMorganChase, from the merger on December 31, 2002:

• The General Auditor and his global team are the Corporation's independent control assessment function, accountable for providing the Audit Committee, the Chairman, senior management, and regulators with reasonable assurance that the system of internal control achieves its objectives. Auditing's mission is to foster a continuous self-checking control environment in partnership with senior management to identify opportunities to ensure the adequacy of the risk management and internal control processes. Auditing's primary objective is to identify emerging issues, detect control deviations, and track management's corrective actions.

ii. Goals

Long-term and short-term goals should be linked to the mission statement. Mission statements are critical components of most quality improvement programs (see Section 9.4). Therefore, it is obvious that the first step in establishing the internal audit department is to develop an appropriate mission statement. Budgets are important. Time reporting—although a laborious task—is necessary to properly analyze productivity.

iii. Why a Procedures Manual

The mission statement, goals, objectives, and procedures of the internal audit department need to be documented in such a way that the resulting document can be used as a reference manual. It will also document questions about issues such as travel and other policies. The manual should be correct, consistent (e.g., with corporate policies and goals, with professional standards, with itself), and should be updated with a conscientious approach to being current. It is a reference, but it is also a dynamic entity. Auditor and manager turnover is unavoidable. An appropriate manual will allow for smooth transitions.

b. Major Challenges of the Department

We have said that internal auditing involves people and procedures. In most cases, the procedures involve reviewing and evaluating controls. Company management will periodically examine the contribution of the internal audit program. The review process creates at least two factors for audit management to consider. The first is the difficulty in measuring internal audit productivity, and the second factor relates to the potentially negative nature of the auditing business. Both of these factors must be addressed in a progressive internal audit department. The methodology contained in this manual includes a conscientious attempt to address all of these areas, including budgets and time reporting, efficiency, effectiveness, and measurement techniques.

Essence of Internal Auditing

One of the major challenges of audit management is contributing to the organization's mission. It is often noted that internal auditors do not create, make, find, or deliver the organization's products or services. How does internal audit fit into the organization's mission? If audit programs were suspended, what would be the short-term and long-term effects? Will your function pass this test?

Auditor productivity requires the development of a proactive spirit and a high degree of professionalism. A proactive spirit and professionalism must be instilled in all staff members through the department's professional development program. It is critical that the audit department develop a "work with" attitude within the organization. The overarching goal of the audit program should be to improve the control environment within the company (refer to the mission statement). It should not be to catch company units or individuals in violation of control procedures. Auditors can reach beyond the negative aspects of the auditing business. A modern audit department proactively seeks positive deliverables from within the work of the organization. This effort may involve the development of preventive control procedures, and the recommendation of these to auditees before audits.

Unlike functions that produce products or services, audit results may be more difficult to measure. Efficiency generally relates to measures of operations or delivery of services, especially as a ratio of inputs to outputs. Effectiveness is a measure of how well the organization meets its goals. Effectiveness usually focuses on strategy and improvements to decision making. How is productivity of the internal audit function measured? Does your audit function have the internal system to measure and improve internal audit productivity?

Other areas of organizations, and businesses in general, are monitored and pushed to greater limits and improvements in quality, productivity measures, and so on; why not internal audit? With audit management comes the responsibility to push for greater volume, efficiency, and effectiveness (see definitions of each above). Audit management needs to employ any and all tools and procedures to measure and improve productivity: structured procedures, good personnel, personal development programs, and quality assurance reviews. All of these procedures and methodologies should be carefully developed, documented in your procedures manual, and built into your audit culture.

Measuring efficiency in internal audit is generally a simple and feasible process. Measuring the inputs—labor hours or some other quantitative measure—is relatively simple. But outputs need to take on relevance to the organization rather than a simple number of audits conducted, or ignoring outputs and simply quantifying inputs. Effectiveness is quite different. Based on the definition of effectiveness, management of internal audit should first establish a reasonable, achievable, and relevant mission statement, with appropriate accompanying goals and strategies (both must be measurable). This mission should be compatible with the organization, culture, management's goals and objectives, and professional responsibilities. Then effectiveness becomes a measure of how well internal audit accomplishes the mission, as measured by how well it is reaching its goals associated with the mission statement. This measure is the one with which corporate management will be most concerned.

To function effectively, internal auditors and the customers of audit services should possess a similar understanding of what makes internal auditing a value-added activity. Failure to reach this understanding could result in the perception that internal audit is simply an obstacle to achieving production objectives. This perception can result in underutilized audit services and ignored audit recommendations.[1] It is imperative that IA staff members articulate the mission of the IA function to its stakeholders effectively to avoid this unproductive environment.

As noted earlier, internal auditing management requires a proactive approach. What happens if you become lax? Management does not look at internal audit every day, month, or quarter. All too frequently, audit management becomes lax. Decisions to spread out and space out audits are all too easy. The fact that all appears quiet may be only a warning for an impending storm. These types of issues do not exist in other functions: shipping is measured monthly, sales sometimes daily, accounting reports are issued monthly. Over time, an impression is recorded on the effectiveness and efficiency of the internal audit function. In many cases, change is made in dramatic fashion by changing audit management, or by eliminating, reducing, or outsourcing the function.

c. Quality Assurance Reviews of Internal Audit

Recently, quality assurance reviews of internal audit functions have been on the rise. To some extent, this trend is encouraged by the very nature of internal audit and the concern on the part of management about internal audit effectiveness and efficiency. This internal or external review is a very positive development for internal auditing as a profession. (Chapter 9 proposes a full quality assurance program administered by audit management.)

d. Outsourcing Internal Audits

In the 1990s, a manifestation of the concern of management about the effective use of corporate resources for internal auditing was the ever-expanding trend toward outsourcing the internal audit function. Every dollar spent on internal audit is a dollar not earned on the bottom line. Why not challenge the spending, as is the case in other areas of the company? In internal audit there is no simple measurement tool such as units booked, units shipped, comparable-store sales versus last year, financial statements produced on time with accuracy each month, capacity utilization, and so forth.

Audit contribution is very difficult to measure! Therefore, when management is offered a simple, perhaps less expensive approach, it will be seriously considered. Is internal audit an organization's core competency? Can it be more efficiently and effectively implemented by the organization dedicated to internal audit as a core competency? These are questions currently being explored by many organizations.

Clearly, there are many factors involved in the decision to outsource all or part of an internal audit function. A major element is size and ability to maintain various specialized skill sets, such as information systems (IS) audit. In smaller organizations, outsourcing of general IS audit may be effective and efficient. In larger organizations, with IS audit staffs, outsourcing certain very technical audits may be the advisable course of action. In fact, if there is a need for technical competencies not immediately available in the staff (e.g., Internet, encryption, intrusion detection), audit management should consider whether to outsource or develop the skill internally. Outsourcing should be considered during the departmental planning process.

The Institute of Internal Auditors (IIA) issued a report entitled, "Perspective on Outsourcing Internal Auditing." In it, the IIA takes the following view:

• The IIA's perspective is that internal auditing is best performed by an independent entity that is an integral part of the management structure of an organization.
• Internal auditing by definition should be internal and integral to the organization, and the internal auditing department should be staffed with professional internal auditors who adhere to the Standards for the Professional Practice of Internal Auditing and the related Code of Ethics.
• The key proficiency of internal auditors is internal control in its broadest sense. Internal auditors provide management and the board of directors with competent evaluations of an organization's system of internal control and the quality of performance of assigned responsibilities regarding the reliability and integrity of information, compliance with laws, procedures, and regulations, the safeguarding of assets, the economical and efficient use of resources, and accomplishment of goals and objectives.
• Several common themes recur in control models, such as the Committee on Sponsoring Organizations (COSO) of the Treadway Commission, Criteria of Control Committee of the Canadian Institute of Chartered Accountants (CICA), and Cadbury Committee: "Internal control is management's responsibility, tone from the top is important, controls must be built in not on, and internal communication and people development are critical elements of the control framework." Internal auditors' value and effectiveness are linked not only to their attunement to management's philosophy and direction, but to their understanding of internal control and their direct knowledge of operating systems that are often in flux.
• Most internal auditors are degreed professionals; many hold advanced degrees and have acquired specialized skills related to the organization for which they work. One of the best evidences of internal auditing competence is the Certified Internal Auditor (CIA) designation. These professionals are aware of their responsibilities with regard to the organization and the Standards.
• Internal auditors are in touch with governance issues and are intimately acquainted with their organization's policies, procedures, operating practices, and personnel. Internal auditors can respond immediately to the concerns of senior management because they are familiar with their organizations' culture and processes. They are able to devote their full attention and loyalty to the organization and to identify subtle changes and ambiguities that may signal trouble.
• As long as internal auditing staffs are highly skilled, efficient, and responsive to management, organizations are best served by keeping the internal auditing function internal, and their status as employees ensures confidentiality and loyalty.

The IIA states unequivocally that a competent internal auditing department that is properly organized with trained staff can perform the internal auditing function more efficiently and effectively than a contracted audit service. The Enron fraud and disaster (bankruptcy) of 2001 also lends credence to the IIA's stance. Enron was questioned for its outsourcing of the internal audit function, and the possible loss of independence when its external auditor firm, Arthur Andersen, was awarded the outsourcing of the internal audit function.

ISACA Standards provide guidance in and issues related to outsourcing. Standard #010.020 says in section 2.1: "Where any aspect of the IS function has been outsourced to a service provider, these services should be included in the scope of the audit charter." Section 2.2 further states: "The Audit Charter should explicitly include the right of the IS Auditor to (1) review the agreement between the service user and the service provider (pre-effect or post-effect), (2) carry out such audit work as is considered necessary regarding the outsourced function, and (3) report findings, conclusions, and recommendations to service user management." Thus outsourcing is something to be considered during the development of the audit charter (see "Corporate Audit Charter" in this chapter).

e. Control Self-Assessment

In the 1990s, in reaction to the ever-expanding requirements for internal audit services and the need to control overhead costs, internal audit groups have been turning to control self-assessment (CSA) reviews, also known as self-audits, or self-auditing programs. In the current marketplace, all organizations are affected by global competition, as well as demands for greater accountability. Customer-focused organizations are attempting to reengineer systems and eliminate activities that do not add value to customers. These programs are changing business processes very rapidly, and in some cases, reducing the internal control systems, adding to the work of internal audit. At the same time, the profession of internal auditing, through the IIA and other professional organizations including the American Institute of Certified Public Accountants (AICPA) and the Financial Executives International (FEI), have redefined internal control with a broader, more detailed definition. In this period of rapid change, CSA has arisen as a means of raising control awareness and coverage. CSA programs are relatively new methods of delivery of the internal audit service. This innovative approach provides the internal audit department with an opportunity to meet its audit customers' (management's) needs while controlling auditing costs.

CSA reviews are performed by line managers under the direction of the internal audit program. Most line managers are concerned about controls over their operations and have a basic knowledge of control issues related to their function of operation. Through CSA, line or operations managers assume more ownership and accountability for controls and participate in the process of reviewing and improving control effectiveness. Another major benefit of this approach is that it allows the internal audit function to continue to evolve from the policing role to the facilitator of controls and policies role. CSA is not performed by individuals independent of the operations under review and, therefore, will only supplement, not replace, internal audit activities.

CSA programs are initiated by sending a letter about the program to line or operating managers explaining how the program will work, what their responsibilities will be (completion of the self-audit appraisal questionnaire) and how the information will be used by the internal audit department. The letter should point out that the information will not only be reviewed, but will also be verified during subsequent audits. Of course, each organization will develop a program that fits its organization. CSA, or self-auditing programs, are usually built around self-audit questionnaires or audit programs. It is advisable to assign a supervisor or manager who is acquainted with the subject operations and/or who will be assigned to subsequent audits. A member of the audit department at the supervisor or manager level will review the CSA response and follow up on noted significant control weaknesses immediately if deemed necessary. All less significant issues will be followed up at the point of the next audit. The CSA reports will also be integrated into the audit planning process. Over time, locations or operations subject to CSA reviews can be considered for extended audit intervals or lower risk assessments in the three-year plan. This process will have the effect of reducing the audit time and travel expenses. Of course, the quality of the CSA document and the seriousness with which local management implements the CSA program will be important factors.

f. Integrating the Auditing Process

The core process in an internal auditing function is the auditing process. This core process is supplemented by tangent processes such as personal development and quality assurance. The auditing process is defined in this manual as consisting of three major aspects:

1. The Planning Process (see Chapter 6)
2. The Auditing Process—Performance (see Chapter 7)
3. The Reporting Process (see Chapter 8)

We have learned that there exists the ability to link these processes and leverage work performed in one process to benefit the auditors, or reduce their work and thereby increase their productivity in a subsequent process. An example of the leverage is the use of information from the planning process, including the scope and auditee profile, in the resulting audit report. In addition, the methodology involves paying a great amount of attention to planning so that proper objectives are set and work is directed to the higher-risk areas within the organization. Good planning leads to improved effectiveness and better quality results. This methodology has been successfully implemented in a number of audit departments, and although at first it may appear overly structured, the implementation has resulted in a consistently high-level, quality audit product. Audit departments do not need to implement all of these strategies; however, they support the practice and provide management with a clear understanding of the process. There are no government or professional requirements for internal audit management to be so structured; however, it has been our experience that operating in an unstructured environment causes an erosion of management support and credibility over time. Without this process, management may sometimes question the value of contribution of internal auditing. (See Section 9.5, "Marketing the Audit Function.")

[1] "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," Dale L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.2 REV NO: DATE: PAGES: TITLE: Corporate Audit Charter

4.2 Corporate Audit Charter

Audit departments should operate pursuant to a written charter indicating the purpose, authority, duties, and responsibilities of the function. The IIA Standards suggest the charter should (1) establish the department's position in the organization, (2) authorize access to records, locations, and personnel, and (3) define the scope of internal activities. The audit department charter should be formally approved by the audit committee and the board of directors, updated periodically, and distributed to all company management. (See Exhibit 4.1.)

Exhibit 4.1: Sample Corporate Audit Charter[2]

(a) Policy Statement

It is the policy of Sam Pole Company (the Corporation) to maintain an audit department as a means of providing the Board of Directors and all levels of management with information to assist in the control of operations and to assist senior management in reaching a conclusion concerning the overall control over assets and the effectiveness of the system of internal controls in achieving its broad objectives. This objective shall include such matters as scope of audit programs, frequency and timing of examinations, and the content of audit reports. Complementary objectives of the corporate audit department are to develop personnel (see Chapter 5, "Personnel, Administration, and Recruiting," and Section 9.5, "Marketing the Audit Function").

(b) Responsibility of the Director of Auditing

The Director of Auditing is responsible for properly managing the department so that (1) audit work fulfills the purposes and responsibilities established herein, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

(c) Reporting and Relationship of Audit Committee

The Director of Auditing will report to the Audit Committee for approval of audit scope, policy, and administration. The Director will report in writing on all internal reviews conducted in the Corporation and will attend the Committee meetings to report on significant recommendations and the operations of the internal audit function. Under appropriate circumstances, the Director of Auditing is specifically authorized to communicate directly to the Chairman, President, and/or the Board of Directors.

(d) Independence

Independence is essential for effective operation of the internal audit function. It is the policy of the Corporation, therefore, that all audit activities shall remain free of influence by any organizational elements.

(e) Scope of Audit Activities

Audit coverage will encompass, as deemed appropriate by the Director of Auditing, independent reviews and evaluations of any and all management operations and activities to appraise:

• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• The reliability, consistency, and integrity of financial and operating information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact on operations
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of the mission, objectives, and goals established for the Corporation's operations and projects

Additionally, the Audit Department will review the effectiveness and efficiency of operations and organizational structures. Audit activities will be coordinated, to the extent possible, with the public accountants so as to enhance audit efficiency.

(f) Access and Confidentiality

In accomplishing activities, the Directors of Auditing and their staffs are authorized to have full, free, and unrestricted access to all Corporation functions, activities, operations, records, data files, computer programs, property, and personnel. It is expected that Directors of Auditing and their staffs will exercise discretion in the review of records to ensure the confidentiality of all matters that come to their attention.

(g) Responsibility for Corrective Action

The manager or head of the division, department, unit, or site audited is responsible for either planning or taking corrective action on recommendations made or deficient conditions reported by the auditor. If the proper corrective action is not taken, the Director of Auditing is responsible for presenting a report on significant matters to a senior financial officer and/or the Audit Committee.

(h) Limitation of Authority and Responsibility

In performing their functions, the Director of Auditing and corporate audit staff members have neither direct authority over, nor responsibility for, any of the activities reviewed. Therefore, internal audit review and appraisal do not in any way substitute for other activities or relieve other persons in the organization of the responsibilities assigned to them. Internal auditors will not develop and install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. However, in connection with the complementary objectives of this audit function, Internal Audit will recommend accounting and information systems policies and procedures for approval and implementation by appropriate management.

[2] Note: Adapted from Guide to Accounting Controls, Price Waterhouse, Warren Gorham Lamont, 1981.

The Information Systems Audit & Control Association (ISACA) Standards also address audit charters. Standard #010.010 states in section 2.1:

• The IS Auditor should have a clear mandate to perform the IS audit function. This mandate is ordinarily documented in an audit charter that should be formally accepted. Where an audit charter exists for the audit function as a whole, wherever possible the IS audit mandate should be incorporated.

In Section 2.2.1 it further states: "The audit charter should clearly address the three aspects of responsibility, authority and accountability." Under responsibility, the first subtopic is mission statement. Other ISACA Standards affect the development of the audit charter, such as outsourcing mentioned previously. Thus ISACA Guidelines provide a lot of general guidance in developing the audit charter.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 4.3 REV NO: DATE: PAGES: TITLE: Company Organization

4.3 Company Organization

Auditors should be aware of their company structure and management organization. In order to provide this background, a section of the audit manual should be devoted to a description of the company's activities, mission statement, and other organizational documents. This section can include a copy of the company's divisional or subsidiary organization structure. In addition to this structure, it is common to produce management organization charts. The senior management organization chart should be included in the internal audit manual. Exhibit 4.2, "Sam Pole Company Organization Chart," is an example of a high-level organization chart depicting the financial organization and the auditing organization.

The Sam Pole Company organization chart depicts the Director of Auditing reporting directly to the Board of Directors, with a dotted-line responsibility to the Chief Financial Officer (CFO) and Audit Committee. This approach is unusual and was included in this version of the manual to provide a thought-provoking example. The positioning of internal audit within a company can vary. In some companies, the internal auditing function reports directly to the CFO. This organization may be appropriate if the circumstances warrant this reporting relationship. However, there is a great debate in the profession that addresses the independence of internal auditing. Whenever possible, the reporting relationship should be independent of the financial organization.

Exhibit 4.2: Sam Pole Company Organization Chart

a. Audit Department Organization

The audit department organization chart should be included in the manual. Most departments have organization charts which can be easily included in this section of the manual. If practical, it is beneficial to include the names of all the auditors in the department. This approach provides a level of personalization for the manual. However, this approach will require more frequent revisions. Exhibit 4.3 is the "Sam Pole Company Audit Department Organization Chart." The chart depicts an integrated audit department approach in which staff are available to managers of each audit discipline. The job classifications/descriptions that follow have been developed in a format consistent with this organization chart.

Exhibit 4.3: Sam Pole Company Audit Department Organization Chart


Chapter 4: Department Organization

Another method for improving commitment and team spirit is to include the names of all the department members on a departmental routing slip. This routing slip can augment the organization chart.

b. Job Classifications and Descriptions
Job descriptions formally define the functions, duties, and responsibilities of a position. They also indicate the knowledge and skills required for successful performance. As such, they provide a vehicle for defining different levels on the audit staff and also provide criteria for performance evaluation. The Corporate Audit Department currently has three levels of professional job classifications, in addition to the Director of Auditing. They are: Manager/Director, Senior Auditor, and Auditor. In addition, there is one administrative position: executive secretary. Job descriptions for the current professional positions can be found on the following pages. These job descriptions reference responsibilities for the major procedures contained in the processes in other sections of the manual. Therefore, they document the responsibilities of each staff member related to these methodologies.

Senior Officer for Administration and the Board of Directors (usually through the Audit Committee) for audit scope and policy. The position is responsible for properly managing the department so that (1) audit work fulfills the purposes and responsibilities established in the department charter, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

DUTIES AND RESPONSIBILITIES: To direct independent reviews and evaluations of any and all management operations and activities to appraise:
• The reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact upon operations
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of objectives and goals established for corporation operations and projects

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency. To exercise discretion in the review of records to ensure confidentiality. To present to a senior officer and/or the Audit Committee a report on significant recommendations or deficiencies on which audited management has not taken proper corrective action.


To ensure that the department does not develop or install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise its independence.

The Director must have an in-depth knowledge of the audit profession as well as the audit function at Sam Pole Company, from both conceptual and technical viewpoints. Therefore, the Director should maintain an expert knowledge of auditing and the auditing profession. The Director must have excellent written and verbal communication skills as well as excellent editing skills. He/she is responsible for monthly activity reports to senior management and updates to the Corporate Audit Procedures Manual. The Director will perform a final review of corporate audit reports. The Director should have excellent interpersonal skills. These skills are critical to develop and maintain effective working relationships with all levels of management, the external auditors, consultants, and various industry representatives. The Director will also need to counsel managers and audit staff members as to their performance and career development.

International: Sam Pole Company is a dynamic company with significant operations all over the world. The Audit Director will be involved with audits in foreign and domestic locations. This involvement will lead to travel to foreign and domestic locations, where in some cases English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL: Internally, the incumbent deals directly with all levels of management in the company. The incumbent works with the corporate audit staff, managers, and senior officers of the company. Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company. The Director of Auditing develops contacts with suppliers of materials and other supplies for the functioning of the Audit Department.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS: This individual will have at least a four-year college degree and possess approximately 10 to 15 years of experience in internal auditing and external auditing, including at least seven years at the manager or director level.
• A CPA or CIA certification and CISA is desirable.
• Experience with financial, operational, and management auditing.
• Experience in a manufacturing and/or distribution environment.
• A good understanding of IS auditing.
• The ideal candidate will also possess foreign language skills.

POSITION NAME: AUDIT MANAGER—INTERNATIONAL, PLANNING, AND CONTROL
REPORTS TO: Director of Auditing
FUNCTION: The position is responsible for overall audit planning, policies and procedures, coordination with external audit and consultants, and quality assurance. The position is responsible for ensuring that the overall audit function of the company monitors trends in the auditing field and applies them when appropriate to the practice of auditing in the company. The position is also responsible for coordinating/initiating all planning, quality assurance, and human resources-related functions for the Corporate Audit Department. Furthermore, the position is responsible for the preparation and implementation of a training plan for the department and the individual professionals therein and coordinating the activities of internationally based auditors.

DUTIES AND RESPONSIBILITIES: The individual will have direct responsibility for preparing an Audit Department multi-year plan, and:
• Coordinate input from the Director of Auditing as well as audit managers in developing the plan
• Summarize input received from managers and Director of Auditing, with international plans, and produce a draft plan for discussion
• Update drafts based on input received until final draft is approved
• Prepare six-month and one-year plans for the three-year plan

The individual will be responsible for the coordination and administration of the Audit Department, and:
• Develop and maintain the Audit Procedures Manual of the Corporate Audit Department
• Prepare the operating budget for the department for approval by the Director of Auditing
• Monitor expenses by overseeing purchases and payment of invoices, and recommending viable alternatives to the audit management
• Prepare annual summaries of external audit fees for the Director of Auditing
• Prepare periodic reports for senior management for the Director's review; also oversee the preparation and production of periodic and biannual audit report summaries to the Audit Committee
• Maintain a complete file on each member of the audit staff, with job descriptions, resumes, career actions, performance appraisals, training plans, and development records; produce and analyze reports on various personnel statistics
• Advise Corporate Audit management on training needs and availability

The individual will be responsible for developing and implementing the department's Quality Assurance Program, and:
• Maintain the department's policies regarding periodic reviews of entire assignments, summary reviews of all assignments, and external peer review
• Schedule staff for reviews of entire engagements
• Schedule staff for summary reviews of each engagement on an availability basis
• Prepare reports for the Director of Auditing, discussing the areas where improvement is needed in the audit process

Internationally Based Auditors: The individual will be responsible for coordinating the activities of the internationally based auditors, and:
• Coordinate the development of the international audit plans and integrate them into domestic plans
• Monitor the activities of the internationally based auditors
• Provide guidance on company developments

Audits: In addition to the significant administrative responsibilities discussed in the job description, the individual will be involved in selected audits, both domestic and international.

This position is responsible for maintaining expert knowledge of the auditing profession. The incumbent must keep abreast of new or proposed developments to the auditing function, and analyze their impact on the company. In addition, the incumbent is an authoritative source of information to the audit group regarding the practice of auditing.
• The incumbent must have an in-depth knowledge of the audit profession as well as the audit function at Sam Pole Company, from both conceptual and technical viewpoints. Also the incumbent should have a good understanding of the company's primary lines of business and organizational structure, or if such knowledge is minimal, should be capable of quickly becoming familiar with these activities.
• The incumbent must have excellent written and verbal communications skills as well as excellent editing skills. In addition, the incumbent must prepare monthly activity reports to senior management and update (as necessary) the Corporate Audit Procedures Manual. The manager must review and edit corporate audit reports and be able to effectively communicate departmental policies and procedures to staff.
• The incumbent must have well-developed interpersonal skills. They are critical to develop and maintain effective working relationships with all levels of in-house management, the company's external auditors and consultants, and various industry representatives. The incumbent also needs to counsel audit staff members as to selected training and career development.
• The incumbent must develop and maintain ongoing contact with peers in industry for the purpose of gathering information and exchanging ideas.
• The incumbent must gather information on proposed legislation, analyze impact to the company, and draft statements for consideration by the Director of Auditing.
• The incumbent must interact with associations and institutions to keep abreast of developments and trends in the auditing profession and ensure that both the Audit Department and business units are kept informed.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL: Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company including cross-relationships with Human Resources, Officer Services, and Information Systems. Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company. The Audit Manager develops contacts with suppliers of materials and other supplies for the functioning of the Audit Department.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS: This individual will have a four-year college degree and possess approximately five to eight years of experience in internal auditing.
• A CPA, CISA, or CIA certification is desirable.
• The ideal candidate will also possess foreign language skills.

POSITION NAME: AUDIT MANAGER—FINANCIAL/OPERATIONAL AUDIT
REPORTS TO: Director of Auditing
FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the purposes and responsibilities established in the department, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA) and the General Standards for Information Systems Auditing published by the Information Systems Audit and Control Foundation (ISACA).

DUTIES AND RESPONSIBILITIES: To direct independent reviews and evaluations of any and all management operations and activities to appraise:
• Reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact upon operations
• Effectiveness in accomplishment of objectives and goals established for the corporation and projects
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy, effectiveness, and efficiency in use of resources (operational audits)
• Effectiveness of organizational structures to achieve corporate goals and ability of management to plan, organize, direct, and control its function (management auditing)

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency. To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

For All Assigned Audits:
• Scope and Procedures. Implement the department procedures for audit planning, establishing scope, and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits assigned:
♦ Preliminary survey: Review planned survey, review survey results
♦ Audit time budget
♦ Planning memo
♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, consider appropriateness of original audit plan and scope or need to modify to attain audit objective.
• Interim Recommendations. Prepare recommendations following field work and documentation of auditee position.
• Closing Conference. Plan and conduct audit closing conference.
• Status Memo. Review results, review and approve comparison of actual to budgeted hours and explanation for variance, the basis of memo contents.
• Summary Memo. Review results of audit regarding attainment of objectives.
• Workpapers. Perform a limited review, based on senior detail review of workpapers, approve reviewed workpapers for filing.
• Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the Director of Auditing and Audit Committee.
• Auditee Relationship. At executive management level, may participate, as appropriate.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit related decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide, and motivate staff. Empower assistants to be effective.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review. Direct, review, evaluate, and report work of assistants.
• Continuing Education. Pursue regular program for continuing education for self (related to certifications held). Review and approve suitable program for departmental staff, as appropriate (e.g., courses to pursue certification, management training).
• Professionalism. Demonstrate superior performance and direction in all attributes of professional conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics.
• Information Systems. Have sufficient basic IS knowledge to be able to discuss and determine application of IS audit resources. Pursue professional development for self, as appropriate, systems seminar in area of emerging systems development within the company.
• Audit Management Letter. Review and follow up on all profit center responses to the public accountants' Audit Management Letter, if applicable.

Other Matters:
• Special Investigations. Recommend action in coordination with other interested company and outside parties. Participate directly in these activities when appropriate.
• Special Projects. As assigned, identify and develop audit opportunities to provide a more effective audit service to management. Provide direction and guidance, including a report to the Audit Committee.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL: Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company especially with the accounting functions. Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA), in order to keep abreast of trends and developments in the auditing profession. Contact with organizations specializing in operational and management auditing must be maintained. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:
• A degree in accounting or other qualified discipline
• CPA, CISA, or CIA certification
• Experience in a manufacturing and/or distribution environment
• Experience in a supervisory capacity and the ability to direct and develop others
• Experience with financial, operational, and management auditing

POSITION NAME: AUDIT MANAGER—IS AUDIT
REPORTS TO: Director of Auditing
FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the purposes and responsibilities established in the department, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA) and the General Standards for Information Systems Auditing published by the Information Systems Audit and Control Foundation (ISACA).

DUTIES AND RESPONSIBILITIES: This individual will have primary responsibility for reviews of the company's information systems (IS) environment:
• Reliability and integrity of information systems (IS)
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact on IS or operations
• Effectiveness in accomplishment of objectives and goals established for IS
• Measures taken to safeguard IS assets, including tests of existence and ownership as appropriate
• Economy, effectiveness, and efficiency in use of IS
• Involvement in systems development audits to ensure controls are built in during the systems development life cycle (SDLC) process

To develop an audit program to address systems in development including:
• Analyses of SDLC methodology, providing for internal audit input at key points in the process including the use of continuous assurance techniques including embedded audit modules and intelligent agents
• Planning of audits of development projects (or ongoing audit involvements) to provide critical input while the project is in process

The individual will be responsible for taking a leadership position in expanding the use of computers by the audit staff:
• Expand use of computer-assisted audit techniques (CAATs) to support audit projects
• Monitor the department's data processing requirements for microcomputer based tools including audit software and administrative packages
• Establish and maintain an automated time and expenses reporting system

The position is responsible for maintaining an expert knowledge of the IS audit profession. The individual must keep abreast of new and proposed developments in the IS auditing field and analyze the impact on the company. The individual should be an authoritative source of information to the audit group as regards the practice of auditing. The individual must prepare monthly activity reports to senior management on IS auditing activities.
• The incumbent must have a good working knowledge of the information systems development at Sam Pole Company. Consideration should be given to attending IS Steering Committee meetings.
• The incumbent must have excellent written and verbal communication skills as well as excellent editing skills.

The position will be responsible for working on selected financial and operational audits. These will supplement the primary area of responsibility of IS auditing. To coordinate activities to the extent possible with the public accountants to enhance audit efficiency. To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

For All Assigned Audits:
• Scope and Procedures. Implement the Department procedures for audit planning, establishing scope, and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits assigned:
♦ Preliminary survey: Review planned survey, review survey results
♦ Audit time budget
♦ Planning memo
♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, consider appropriateness of original audit plan and scope or need to modify to attain audit objective.
• Interim Recommendations. Interim recommendations following field work and documentation of auditee position.
• Closing Conference. Plan and conduct audit closing conference.
• Status Memo. Review results, review and approve comparison of actual to budgeted hours and explanation for variance, the basis of memo contents.
• Summary Memo. Review results of audit regarding attainment of objectives.
• Workpapers. Perform a limited review, based on senior detail review of workpapers, approve reviewed workpapers for filing.
• Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the Director of Auditing and Audit Committee.
• Auditee Relationship. At executive management level, may participate, as appropriate.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit-related decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide, and motivate staff. Empower assistants to be effective.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review. Direct, review, evaluate, and report work of assistants.
• Continuing Education. Pursue regular program for continuing education for self (related to certifications held). Review and approve suitable program for departmental staff, as appropriate (e.g., courses to pursue certification, management training).
• Professionalism. Demonstrate superior performance and direction in all attributes of professional conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics.
• Information Systems. Have sufficient IS knowledge to be able to discuss and determine application of IS audit resources. Pursue professional development for self, as appropriate, systems seminar in area of emerging systems development within the company.
• SDLC/Systems Projects. Preferably ensure that a CISA (or staff member if a CISA is not available) is a part of any systems development teams or projects, where applicable, to judge effectiveness of computer controls, and participate in systems development projects.
• Audit Management Letter. Review and follow up on all responses to the public accountants' Audit Management Letter.

Other Matters:
• Special Investigations. Recommend action in coordination with other interested company and outside parties. Participate directly in these activities when appropriate.
• Special Projects. As assigned, identify and develop audit opportunities to provide a more effective audit service to management. Provide direction and guidance, including a report to the Audit Committee.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL: Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company, especially with Information Systems. Externally, the incumbent maintains close relationships with the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA), in order to keep abreast of trends and developments in the IS auditing profession. The individual maintains contact with audit software vendors to stay abreast of developments in the field. The individual has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:
• A four-year degree in accounting and/or an IS degree
• A Certified Information Systems Auditor (CISA) certification; CPA or CIA is not essential but is an advantage
• Experience in a manufacturing and/or distribution environment
• Experience with computers, preferably both micro-computers (PCs) and either mainframe or mini-computers (mid-range)
• Experience with local area networks (LANs) or wide area networks (WANs)
• Experience in a supervisory capacity

POSITION NAME: SENIOR AUDITOR
REPORTS TO: Internal Audit Manager
FUNCTION: Plan, organize, conduct, supervise, and formally report on a scheduled audit.

DUTIES AND RESPONSIBILITIES:
• Planning Scope and Procedures. Develop or supervise assistants in planning the scope of audits and selection and development of appropriate audit procedures for manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating performance and variance.
• Planning Memo. Review assistant input and document thorough and complete approved plan for specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Participate and oversee work by assistants.
• Identifying System Control Points. Document controls or perform expert review of work by assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration, considering materiality, pertinence to audit and documentary evidence; review and evaluate assistants' recommendations.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with support from assistants.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for materiality and relativity of items, adequacy of workpaper documentation and auditee position (if known). Responsible for completeness and accuracy of entire report subject to manager approval. Provide evidential support for all report recommendations.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity of existing policies and procedures, and (2) recommend sound alternatives.
• Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective decision making and drawing sound conclusions.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently in sensitive, confidential circumstances.
• Performance Evaluation. Complete timely performance evaluations for assistant on audit and review evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basis IS audit techniques.
• Special Projects. Recommend special projects, based upon experience and/or need. Submit future audit planning recommendations.
• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation, where appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self and recommend suitable programs for department associates. Pursue professional development (PD) for self, and recommend PD for department.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL: Internally, department management and associates, most levels of auditee management. Externally, technical and other business professionals through societies and association memberships.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:
• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential

POSITION NAME: AUDITOR
REPORTS TO: Senior Auditor
FUNCTION: Plan, organize, conduct, and formally report on a scheduled audit.

DUTIES AND RESPONSIBILITIES:
• Planning Scope and Procedures. Develop the scope for audits and selection and development of appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Develop and prepare the survey.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating performance and variance.
• Planning Memo. Provide input and document plan for specific audits after obtaining general guidelines from senior/manager.
• Audit Programs Development/Changes. With senior approval, develop audit programs necessary to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Participate, as assigned.
• Identifying System Control Points. Document controls.
• Interim Recommendations. Prepare detailed recommendations and comments, considering materiality.
• Status Memo.
• Prepare preliminary agenda of recommendations and comments.
• Summary Memo.
• Provide evidential support for all report recommendations.
• Demonstrate complete comprehension and ability to (1) assess validity of existing policies and procedures, and (2) recommend sound alternatives.
• Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
• Demonstrate capacity and evidence for effective decision making and drawing sound conclusions.
• Special Investigations. and efficiently in sensitive, confidential circumstances.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and review evaluations with them (if applicable).
• Apply, as appropriate, knowledge of basis IS audit techniques.
• Awareness of the State-of-the-Art. associating that understanding with company audit applications. Recommend adaptation in our audit approach.
• Pursue departmental-approved program for continuing education for self.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.
• Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.

International: This involvement will include travel, in some cases.

CONTACTS—INTERNAL AND EXTERNAL: Internally. Technical and other business professionals through societies and association memberships.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:
• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing
• Have ability to supervise and get along with people
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential
department management and associates. English may not be the first language. for periods of time. IIA. • Information Systems. Externally. Recommend special projects. Prepare selected workpapers. most levels of auditee management.Chapter 4: Department Organization 21 • Workpapers. as assigned. • Travel. Prepare draft status memo for presentation to manager. Prepare preliminary summary memo. pertinence to audit and documentary evidence. • Decision-Making Responsibility/Conclusions. Submit future audit planning recommendations. • Closing Conference. Possess ability to carry out assignments discreetly. based upon experience and/or need. Audit managers and staff will be involved with audits in foreign and domestic locations. Demonstrate clear understanding of current developments. International: Sam Pole Company is a dynamic company with significant operations all over the world. effectively. • Report Preparation/Review. in appropriate circumstances. effective realization of the department audit plan. where appropriate. • Continuing Education. • Company Audit Procedures.. Pursue professional development (PD) for self.g. to foreign and domestic locations where. Participate. Prepare recommendations for auditee consideration. • Special Projects.

Participate and oversee work by assistants. Responsible for completeness and accuracy of entire report subject to manager approval. considering materiality. Provide evidential support for all report recommendations. reports on these developments will be made to the Manager—Planning and Control. • Planning Memo. Perform all field work in a competent and professional manner. With manager approval. Direct the development and preparation of the survey approach. Prepare or review draft and finalize status memo for presentation to manager. Review assistant input and document a thorough and completely approved plan for specific audits after obtaining general guidelines from manager. if applicable. completing work on time. • Field Work. • Summary Memo. For All Assigned Audits: • Planning Scope and Procedures. pertinence to audit and documentary evidence. • Identifying System Control Points.22 Chapter 4: Department Organization POSITION SENIOR AUDITOR—EUROPE (INTERNATIONAL LOCATION) NAME: REPORTS TO: Audit Manager—Planning and Control FUNCTION: This position is responsible for performing audits in Sam Pole's European operations. Complete timely performance evaluations for assistants on audit and review evaluations with them (if applicable). Prepare or review final summary memo based on review and evaluation of input by assistants. develop audit programs necessary to promote effective audit coverage. Corporate audit procedures established in the United States. • Audit Programs Development/Changes. This process will involve monitoring periodic management reports and staying apprised of economic developments in each country. Prepare or review agenda of recommendations and comments. for all European operations. Periodically. for approval in the United States. Develop the scope for audits and selection and development of appropriate audit procedures for senior/manager approval. • Status Memo. • Report Preparation/Review. 
The individual will maintain contact and develop lines of communication with auditees throughout the European operations. • Closing Conference. annual. • Interim Recommendations. Ensure establishing a practical budget. Prepare or review detailed recommendations and comments for materiality and relativity of items. The individual will prepare drafts of expense budgets for one-year plans as appropriate. Conduct with support from assistants. and multi-year audit plans for approval in the United States. • Preliminary Survey. Submit future audit planning recommendations. to the extent possible. review and evaluate assistants' recommendations. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit. The individual will maintain a copy of the Corporate Audit Policies and Procedures Manual of the Corporate Audit Department for use in Europe. • Audit Time Budget. DUTIES AND RESPONSIBILITIES: The individual will have direct responsibility for preparing preliminary. • Pre-Audit Conference. 22 Chapter 4: Department Organization . adequacy of workpaper documentation and auditee position (if known). • Performance Evaluation. The individual will attempt to maintain knowledge of developments in the various European operations. Perform expert review of work by assistants. • Workpapers. Prepare selected workpapers and review assistants' workpapers. and evaluating performance and variance. Prepare recommendations for auditee consideration. will be followed by the Senior Auditor—Europe.

associating that understanding with company audit applications. including professional codes of ethics (e. Demonstrate superior performance in all attributes of professional conduct. based upon experience and/or need. as appropriate. ISACA) and corporate ethics. • Auditee Relationships. Demonstrate complete comprehension and ability to (1) assess validity of existing policies and procedures. effectively.S. AICPA. and develop others in those skills • Have apparent management potential Chapter 4: Department Organization 23 . where appropriate. QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS: • Have achieved or work toward certification by examination • Have a four-year degree in accounting (or qualified discipline) • Have achieved high academic standing (i. headquarters and considered during the planning process. Demonstrate capacity and evidence for effective decision making and drawing sound conclusions. in our audit approach. Recommend adaptation..e. Externally.Chapter 4: Department Organization 23 • Information Systems. effective realization of the department audit plan. honors) • Have fluent command of English and other language skills • Have experience in the multinational auditing environment • Have ability to supervise and get along with people • Have special skills or knowledge and the ability to instruct. confidential circumstances. in appropriate circumstances. The incumbent will have regular dealings with managers and partners of the company's external auditors. and (2) recommend sound alternatives. • Decision-Making Responsibility/Conclusions. IIA. • Awareness of the State-of-the-Art. • Continuing Education.. International: Sam Pole Company is a dynamic company with headquarters in the United States and significant operations all over the world. • Special Investigations. Requests for audit assistance by the operating units should be communicated to U. where. in some cases. Recommend special projects. Apply. • Travel. 
Pursue professional development (PD) for self. Meet requirements and recommend improvements and alternatives to ensure timely. Participate. Encourage others toward comparable performance.g. • Company Audit Procedures. where appropriate. Ensure continuing development of effective professional relationships with auditee personnel. and efficiently in sensitive. knowledge of basic IS audit techniques. and recommend programs for the department. All audit managers and staff are involved with audits in foreign and domestic locations. Demonstrate clear understanding of current developments. This involvement includes travel to foreign locations. The Senior Auditor—Europe will possess multi-language skills and/or recommend alternative audit approaches. language differences may be encountered. as assigned. • Special Projects. CONTACTS—INTERNAL AND EXTERNAL: Internally. Possess ability to carry out assignments discreetly. including use of outside accountants or other company personnel. train. the incumbent should be a member of the Institute of Internal Auditors (in the United Kingdom) and other appropriate audit institutes in Europe. Pursue departmental-approved program for continuing education for self and recommend suitable programs for the department. The position works closely with the Director of Finance for European Operations. • Professionalism. the incumbent deals directly with all levels of management in the European headquarters and country operations.

• Independent thinker

4.4 Audit Department Policies

In addition to the specific department procedures and administrative programs (see Chapter 5), the department should have various policies. All departments should have confidentiality, travel, and entertainment policies. These would be the minimum policies, and every effort should be made to document policies on a case-by-case basis as they arise. The examples of these policies include those in this chapter. However, these should not be considered all-inclusive by any means. This section can be used as the area to record all department policies:
• Confidentiality
• Orientation (Training)
• Days Off for Extensive Travel
• Professional Certification

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 4.4 REV NO: DATE: PAGES:
TITLE: Audit Department Policies

a. Confidentiality

In accordance with the approved Corporate Audit Department Charter under subsection Access and Confidentiality, "in accomplishing his activities, the Director of Auditing and his staff are authorized to have full, free, and unrestricted access to all corporation functions, records, property, data files, computer programs, activities, operations, and personnel." This access exposes the staff to confidential corporate information either by examination or discussion. The privileged permission to be informed of confidential information carries a responsibility for the Audit Department staff's confidentiality.

i. Policy. All information known to require or deemed to (by a reasonable person test) require confidentiality should be kept so. Confidentiality is defined as to "hold secret." The only exception is to report to audit management and others on a defensible need-to-know basis.

ii. Discussion. Corporate Audit Department management is forced to guard their responsibility for staff confidentiality to protect the department's reputation and credibility. This protection includes present staff, transfers, and past employees. Breaches of confidentiality may be either intentional or by accident, as being overheard in public places, elevators, or restaurants. We are involved in and knowledgeable of a number of sensitive company situations including union agreements, different pay scales, company politics, and special investigations that require good judgment and limited exposure of details. Another area of which the auditor must be constantly aware is gossip. Many people on the company grapevine feel credibility is given to their conversation if they can include, "I heard it from an auditor." So beware of the person who asks a lot of questions. A lawsuit could result from third-party damage as defamation of character from a libelous or slanderous statement.

iii. It should be clear to current or past employees of the Corporate Audit Department that violations of confidentiality or gossip may result in:
• Immediate termination
• Probation
• Suspension without pay
• Warning
• Lawsuit
The consequences will be at the judgment of the Director of Auditing and/or Audit Committee. (See "Responsibilities of an Auditor" in this chapter.)

b. Orientation (Training)

i. Objective. Provide reasonable assurance that the new employee will become promptly productive.

ii. Responsibility. Orientation is the responsibility of the manager to whom the new employee reports.

iii. Orientation Outline (See Section 5.6)
• Information about Sam Pole Company
• Information about the Internal Audit Department of the Company
• Introduction to audit staff personnel and other employees with whom the auditor will work
• Discussion of duties and responsibilities
• Control of work:
♦ Hours of work
♦ Time reports
♦ Paycheck distribution
♦ Travel regulations
♦ Expense report preparation
♦ Supplies
• Readings:
♦ Audit manual
♦ Standards
♦ Literature on modern internal auditing
♦ Recent audit reports
♦ See recommended reading list

c. Days Off for Extensive Travel

Policy. No specific corporate policy has been set forth on this subject. To avoid misunderstanding, the following policy for the Internal Audit Department will apply:
• One day for the first 14 consecutive days of domestic (North American) travel may be taken off with pay.
• One day for each seven consecutive nights in an international location may be taken off with pay.
• For every additional seven consecutive and contiguous days thereafter, one additional day off may be taken.
• Such days must be utilized by the end of the calendar year or they are automatically forfeited.

d. Professional Certification

Policy. In order to encourage professional development within the Corporate Audit Department at Sam Pole Company, the Company will support employees who wish to attain a recognized professional certification. It is anticipated that the Company will benefit from the attainment of certifications through increased professional knowledge and adherence to professional standards and codes of conduct. The programs currently being supported include the Certified Internal Auditor (CIA), the Certified Public Accountant (CPA), the Certified Information Systems Auditor (CISA), the Certified Management Accountant (CMA), the Certified Fraud Examiner (CFE), and the Certified Information Systems Security Professional (CISSP). The successful completion of these written examinations will result in a demonstration of personal achievement and enhance the professional posture for the department. Therefore, in order to encourage employees to attain professional recognition by passing an exam certification, the Company will assist staff members by providing:
1. The cost of registration and fees for the initial sitting for the examination.
2. Fifty percent of the cost for recognized preparation (review) courses to a maximum of $750.
3. Time for sitting for examinations will be considered authorized excused leave.

Attendance at classes is to be scheduled during non-working hours (Monday through Friday) or, preferably, on weekends. Staff assignments to projects will consider review course attendance, but Sam Pole work must take precedence in cases where staff members are required to fulfill Company commitments. Selected courses should be approved by the Director of Auditing prior to registration and payment of fees.

Endnote

1. Dale L. Flesher and Jeffrey Zanzig, "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," SOBIE conference proceeding, April 15, 2002.

Administration. In addition. and Recruiting 1 . Colleges and universities develop students' basic skills and most include an auditing course in the accounting curriculum—a requirement in most degree programs. and procedures. have pyramid structures. audit does not produce the primary product or service. some entry-level auditors will consider audit a stepping-stone in their career progression. a percentage of auditors will choose to remain and progress to audit management positions. Organizations should not lose sight of the support role of audit. Chapter 5: Personnel. however. most colleges and universities try to accommodate the 150-hour rule for the Certified Public Accountant (CPA) exam by offering graduate courses in accounting. and Recruiting Overview SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.Chapter 5: Personnel. Staff can be obtained from a number of sources. The audit function exposes auditors to a large number of areas in a company's operations. Direct Recruitment from Colleges To develop a professional-level internal audit program. it is considered an excellent training ground. The audit mission (as defined in the audit department charter). However. this interest is combined with a desire to gain a good understanding of many business functions. Because most organizations. these career path issues must be managed effectively to promote audit staff development and progression. Talented people following well-thought-out. If the audit department is successful and well respected. In order to attract and maintain qualified staff.1 REV NO: DATE: PAGES: TITLE: Introduction 5. information systems. Administration. Consequently. which include: • Direct recruitment from colleges • Transfers from other company functions • Outside hires i. Therefore. the corporate Audit Department has put in place a personnel development program (see "Personal Development" in this chapter). 
the selection of the best individuals is the first step in the process. a. In many cases. Like the accounting department and other important groups in an organization. Sources of Personnel Internal auditors are typically accountants who have an interest in auditing. tailored methodologies will produce consistent quality audit products. providing independent review and constructive advice. is crucial to the organization's success. most functions require a college degree for new hires. A second auditing course is normally offered for those pursuing a master's degree. including audit departments.1 Introduction Internal audit consists of people.

Many professors or department chairs will also work with companies one-on-one. All universities encourage professionals. saving the audit department time and resources. Audit functions should always attempt to hire the best possible candidates and never "settle" or accept an individual as an accommodation to another department. and internal auditing. And together. [1] The first step in recruiting from colleges and universities is to identify the schools with which you may want to work. for example. especially if one is fairly close by. Such a system is extremely helpful in locating people with the interest and abilities related to internal auditing.e. For example. and thus if your organization is using this type of system. then the department will probably be willing to partner with the audit department (company) and provide specialized services concerning recruitment. to visit campus to speak to either classes (e. either on campus or in the local area. The Institute of Internal Auditors (IIA) has a "Model Curricula for Classroom Use" that was carefully constructed considering the Certified Internal Auditor (CIA). such as internal auditors. and considering the standards of the American Assembly of Collegiate Schools of Business (AACSB). Transfers from Other Company Functions In some cases. Accounting academics will appreciate any internal auditor who contacts them to schedule speaking engagements. Most companies have sophisticated human resource (HR) programs that can assist audit management with hiring and career progression issues. Administration. Schools benefit tremendously by bringing the "real-world" professionals and their experience and views into the course.. public accounting. and Recruiting . the university is an endorsed IIA program and if an audit department wanted to hire regularly over time. If. 
Recruiting activities could include: • Campus job placement department • On-campus interview • Job fairs • Partnering with accounting department and its faculty • Speaking to a class or accounting student club Most schools encourage on-campus recruitment activities and have structured means to accommodate them. 150-hour model curriculum. Once you identify a school. Most schools today are associated with some sort of job fair. Approximately two-thirds of all entry-level auditors will leave public accounting within three years. it is beneficial to develop a relationship with the accounting department and its students. and are being educated more precisely (i. and the American Accounting Association (AAA). many universities are forming specialty degrees in systems. iii. and forward applicable student resumes. and Recruiting Even more importantly.. management consulting. The IIA maintains information on its "IIA Academic Program" online including a 120-hour model curriculum. candidates may be available within the company. probably better qualified than other accounting students) for internal audit jobs. CPA. the corporate audit department needs to ensure coding is compatible with its needs. Students in these programs have already expressed an interest in internal audit. Outside Hires An excellent source of outside candidates is from public practice. the International Association for Management Education. training. most schools have a department that specializes in job placement—typically called "Career Services" or a similar name. screen candidates based on the audit department's criteria. All of these resources are valuable to recruitment because each one causes some of the work of the recruitment process to be transferred to the school. computer sciences. Administration. auditing) or student clubs in accounting. many firms are employing elaborate systems that gather individual skills. and review their curriculum and program for compatibility. etc. 
ii.2 Chapter 5: Personnel. For instance. Public accounting firms recruit primarily accounting 2 Chapter 5: Personnel. and abilities. they can expose the audit department to the best and brightest students for entry-level jobs.g. One resource might be the IIA's list of Endorsed Internal Auditing Programs. This group is one important contact because they can facilitate conducting interviews. These systems allow easy retrieval of people who fit a certain profile. and a list of Endorsed Internal Auditing Programs all online at their web site. These activities are opportunities to observe first-hand potential job candidates before getting involved with interviews.

graduates and, in most cases, provide them with formal hands-on training programs in the early years of the person's employment. Some also provide industry and computer training. Of course, large internal audit departments are capable of organizing and providing similar professional development programs; in most cases, however, they cannot provide the diversified experience available in public practice.

b. Recruitment Aids

Forethought and planning will improve recruiting results. Some audit departments develop brochures describing functions, activities, and benefits (e.g., experience in many company operations, travel, and potential career progression). Candidates will be favorably impressed when presented with company structure charts, organization charts, and a schematic of the personnel development program similar to the one presented in the manual. The development of a summary of the current staff with qualifications may also add value. Some departments that encourage career development in the audit department and within the company develop career summaries on current and preceding members of the department. An interview questionnaire for new internal auditors should be developed and used to summarize interviews and results. Exhibit 5.1 is a sample form.

Exhibit 5.1: Interview Questionnaire for New Internal Auditors

c. Management Development Programs

People can be products too! Some audit departments develop or participate in management development programs. These programs can involve internal audit as an initial or mid-career step. For instance, new college graduates can be hired by internal audit and assigned to other company operations for portions of the year. After two or three years, they transfer to another unit on completion of a successful project. In some notable examples, personnel development programs have greatly enhanced the reputation of the audit function through the addition of a tangible, measurable product: former audit personnel rising to higher-level positions in the organization. Such programs would be discussed with senior management and/or the audit committee, and added to the audit department function directly in the audit charter. This process will add work to the audit management function, and it will also create a positive deliverable or product.

6 Chapter 5: Personnel.2 Personal Development Internal auditing consists of quality people employing quality procedures and quality systems in an independent and proactive manner. he becomes increasingly thwarted. and provide evidence of basic skill levels and knowledge. 6 Chapter 5: Personnel. Administration. Certifications Certifications. which should be seriously considered in reviewing new-hire qualifications. Certified Public Accountant (CPA). SAM POLE COMPANY 5. He/she will work closely with the staff and managers to achieve the objectives of the Professional Development Program and report periodically to the Director of Auditing on the status of the program. In today's business environment. and Recruiting d. there is intense pressure on the individual to keep up with the generalized pace. Corporate Audit Department Procedures Manual NO: 5. change is so swift and relentless in the techno-sciences that yesterday's truths suddenly become today's fictions. the Certified Fraud Examiner (CFE) and Certified Information Systems Security Professional (CISSP) have become both valuable and relevant. As Coordinator of Education. Policies can be developed to encourage staff members to attain certifications. So long as the society in which he is embedded is stable or slowly changing.theiia. the responsibility for coordination has been assigned to the Manager of Policies and Control. correlates with the pace of change. and Certified Management Accountant (CMA) are significant personal achievements. To the degree that it lags. Consider the following quote from Future Shock. Introduction In order to ensure that the Corporate Audit Department's education plan is implemented. Today. His model must be updated. Thus. to bring them in line with the latest knowledge available in society.cfm?doc_id=209 or www. a professional development program becomes a critical component of the internal audit practice. and Recruiting . ineffective. 
and the most highly skilled and intelligent members of society admit difficulty in keeping up with the deluge of new knowledge—even in extremely narrow fields. there might be little pressure on the individual to update his own supply of images.org and do a search. in some way.2 REV NO: DATE: TITLE: Personal Development PAGES: [1]See www. to cope with swift and complex change. the individual must turn over his own stock of images at a rate that. In order to sustain the implementation of the most appropriate procedures and to provide for the continuing improvement of the auditors.org/ecm/iiaap. [2] a. Any of these certifications also add to internal audit's image. including Certified Internal Auditor (CIA). the Manager of Policies and Control will assist in the development of the departmental education plan and individual auditors' educational plans.theiia. But to function in a fast-changing society. Certified Information Systems Auditor (CISA). Administration. the images on which he bases his behavior can also change slowly. his responses to change become inappropriate. by Alvin Toffler: If society itself were standing still.

Objectives
The Corporate Audit Department Training Program has been designed to improve and maintain the professional competence of the corporate auditors so that they can effectively perform their function to the fullest extent. Every professional has a responsibility to maintain and advance his or her basic skills. The program is intended to provide a vehicle for the individual to accomplish this requirement. Additionally, it is intended to provide for personal professional growth and job satisfaction. The program, combined with on-the-job experience and training, is intended to provide a basis for advancement in the Audit Department, or for potential placement in key financial or general management positions within the company. The program will be as successful for you as you make it.

Auditors are generalists, to a large degree, and should always be cognizant of current trends in business and finance, to ascertain the importance, if any, on their audit assignment. Additionally, to develop strong business acumen, daily reading of the general financial press is essential.

b. Coordinator of Education
The Coordinator of Education is responsible for overseeing the educational needs of the department, and ensuring that those needs are adequately met. The Coordinator reports to the Director of Auditing regarding plans and resources needed to obtain and maintain an adequate level of knowledge and skills individually and corporately in the department. Duties include:
• Assists the Director and audit managers in surveying staff and analyzing training needs.
• Recommends comprehensive, systematic training program for the Corporate Audit Department.
• Coordinates the training activities for corporate auditors and makes staff aware of all training opportunities.
• Assists auditors in developing individual goals and training programs.
• Investigates specific training programs as requested by other members of the staff and authorized by the Director of Auditing.
• Develops and implements evaluation programs for all training activities involving Internal Audit.
• Assists in the evaluation of training programs and review regular (quarterly) training reports on staff members for the Director of Auditing.
• Develops policies and procedures for maintaining and using the staff library. Assures audit management that the library is adequately stocked and keeps staff informed of new acquisitions pertinent to their particular needs.

c. Corporate Audit Training Model
The Corporate Audit Training Model (Exhibit 5.2) includes a structured approach to core training critical for first- and second-year auditors, and a comprehensive evaluation process. The model goes on to suggest a training program for auditors beyond the basic core programs. These are labeled as "advanced" for the third year and thereafter.

Exhibit 5.2: Overview of Corporate Audit Training Model

d.

The program is two-fold: the Core Program covering new auditors, and the Advanced, covering education for career-minded internal auditors for periods beyond two years of work experience. The Core Program requires a minimum of two weeks, or 80 hours, per year of formal education or teaching. The Advanced Program requires a minimum of one week, or 40 hours, per year. These minimum requirements do not include self-study courses, on-the-job training, research, and the use of the library.

The core of the Corporate Audit Program is on-the-job training through effective supervision and constructive evaluations covering areas of need. On-the-job training is supplemented with the following types of formal and informal education:
• In-house seminars and self-study training through the use of audio and visual training courses, and online courses via the web.
• Attendance at various outside seminars, workshops, lectures, outside professional meetings, and conferences, when available and/or practical.
• Specialized courses, specially designed to meet the internal auditor's needs, as well as specific areas of business management, construction, contracts, purchasing, taxation, finance, etc.
• Availability of a library of texts and reference materials covering internal auditing, [3] the AICPA (Auditing Standards), [4] ISACA's K-net and CobiT, [5] and other providers of reference materials. K-net is a global knowledge network for IT governance, control, and assurance. CobiT is a generally applicable and accepted standard for information technology (IT) security and control practices, providing a framework for management, users, and information systems (IS) audit, control, and security practitioners.
• Online services: Examples include Lexis/Nexis. Lexis/Nexis provides authoritative legal, news, public records, and business information online.
• Routing of selected educational material to the Internal Audit staff to maintain current knowledge in the field.
• Teaching or speaking engagements to help broaden one's knowledge and communications skills.

e. Core Program
First Year: During the first year of employment, attendance at various structured courses is required. The following schedule will be followed, interfaced with on-the-job training:

• All new hires will attend an orientation program on the company and the Corporate Audit Department.
• All entry-level auditors will attend a one- to two-week course on Introduction to Corporate Auditing Procedures. This subject could be administered in-house by experienced corporate auditors, or provided by outside trainers.
• All auditors will attend at a minimum a five-day Introduction to Computer Auditing course.
• All staff members will attend audio/visual courses on audit-related topics during the year.
• There will be mandatory attendance at all staff meetings and in-house internal audit seminars on a regional and centralized basis.

Second Year: The training program will continue into subsequent years. By the end of the second year, the following should have been attained:
• Continuation of Corporate Auditing procedures at the Intermediate Level as well as attendance at courses relating to the evaluation of internal controls
• Attendance at an in-house or outside seminar on advanced computer audit techniques or software (i.e., Computer-Assisted Audit Tools and Techniques, or CAATTs)
• Participation in audio/visual courses on specific topics to be announced, that is, statistical sampling, systems auditing, fraud detection, Internet security, and so on
• Attendance at in-house Corporate Audit seminars (one week) and regularly scheduled staff meetings

f. Advanced Program
The Advanced Program will involve specific tailoring to meet each individual's development needs. The professional development program can be tailored for each individual, to help meet departmental, as well as individual, goals, and/or requested by individuals in their career planning meetings. There may be a need for auditors to develop specific skills further. For instance, operational auditing or IS auditing skills may be required by the department. These decisions must be made by audit management, and documented in the individual's professional development plan. As the internal auditor's career progresses, decisions need to be made regarding the individual's long-term objectives. If those objectives lie in the Internal Audit area, provision should be made for the attendance at Internal Audit management training and conferences. Included in the advanced stage of the program is an anticipation that the staff member will increase his or her involvement with professional organizations such as the IIA, Information Systems Audit and Control Association (ISACA), American Institute of Certified Public Accountants (AICPA), American Management Association (AMA), and participate in their educational programs. Staff members, at this level, should be strongly encouraged to develop their own expertise in specific areas and provide training courses to these organizations. Committee assignments can, in some cases, be considered as continuing education endeavors.

g. Record-Keeping
Each auditor is responsible for maintaining a chronological record of his/her training or educational accomplishments while on the Corporate Audit staff. (See Exhibit 5.3, "Continuing Professional Education (CPE) Record.") This record will be forwarded quarterly to the Coordinator of Education.

Exhibit 5.3: Continuing Professional Education (CPE) Record

NAME _________________________   PERIOD ________________

DATE | ORGANIZATION | COURSE | INSTRUCTOR | CPE Provider # | CPE HOURS: PREPARATION | TEACHING | ATTENDED | TOTAL

The coordinator will review the forms quarterly and submit them to the Director of Auditing for inclusion in each Auditor's personnel file. Certain continuing education credits needed to maintain various professional certifications should be pursued by each individual auditor and will be retained in his or her personnel file. Individuals should keep copies of course outlines as required by various certifications for CPE requirements, and also placed in the file.

The Director and Audit Managers will periodically assess the auditor's training needs, using the CPE record and/or the section on development needs as shown on the performance evaluations, so that needs analysis can be made to determine what additional education is required to maintain each staff member's proficiency. After training assessments are made, both individual and staff training goals and programs will be further developed as required. Performance evaluations will be conducted after each assignment or periodically by each level of supervision. Training records will be used as a reference in scheduling staff members to various assignments. These assignments will help reinforce the retention of course curriculum obtained from the training programs.

The results of this training program should improve the professional competence of all staff members, thus providing the knowledge to function and cope with our fast-changing, complex environment.

[2] Future Shock, Alvin Toffler, Bantam Book, August 1971.
[3] See www.aicpa.org.
[4] See www.isaca.org.
[5] See lexis.com and lexisnexis.com.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.3 REV NO: DATE: TITLE: Personnel Files PAGES:

5.3 Personnel Files
In order to properly manage the audit profession's department, personnel files will be maintained. Audit Department personnel files should be multi-partition files and include, but not be limited to:
1. Employee resume and a copy of the original Company application (if appropriate)
2. Periodic performance appraisals
3. Summary of salary history and promotions
4. Corporate Audit Department Background Information Form (Exhibit 5.4)
5. Corporate Audit Department Interest Questionnaire (Exhibit 5.5)

Exhibit 5.4: Corporate Audit Department Background Information Form

Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form

These files should be maintained by the Audit Department in addition to files maintained by the Human Resources (HR) function. To facilitate the development and maintenance of these audit departmental files and facilitate the gathering of specific information necessary to proactively manage the corporate audit function, two departmental forms should be completed by all employees and updated annually. These forms are:
• Corporate Audit Department Background Information Form
• Corporate Audit Department Interest Questionnaire

a. Corporate Audit Department Background Information Form
This form (Exhibit 5.4) facilitates two-way communications and helps standardize the basic information required for each employee. The form also serves to reinforce interest in certifications and professional activities and provides a feedback mechanism for information related to these activities. The form should be kept in the inside cover of each personnel file.

b. Corporate Audit Department Interest Questionnaire
The Corporate Audit Department Interest Questionnaire (Exhibit 5.5) expands on the Corporate Audit Department Background Information Form by requesting additional information related to the audit professional's preferences. Not all preferences can be granted, but in some cases preferences can be considered in planning.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.4 REV NO: DATE: TITLE: Periodic Performance Evaluation Review PAGES:

5.4 Periodic Performance Evaluation Review
Periodic performance evaluation is an essential part of our personnel development program. It is expected that all staff members will become familiar with and understand the reporting requirements and instructive guidelines. Staff evaluations, prepared accordingly, can then be expected to be fair and objective appraisals of

the person's performance. The report is to be prepared for staff personnel by the in-charge senior or manager promptly at the end of the assignment. It cannot be emphasized too strongly the importance of timely, constructive interim feedback by the supervisor. Such feedback will help to shape the end-of-assignment evaluation and will expedite its completion and review in the shortest time. The Performance Evaluation Review Form is included as Exhibit 5.6.

Exhibit 5.6: Performance Evaluation Review Form


a. Performance Evaluation Review Guidelines for Preparation of Report
Continuous and timely review and evaluation of performance is essential to effective personnel development. To provide for that continuity, the Performance Review report should be prepared promptly by the Auditor's supervisor at the end of each assignment. The evaluation should be discussed with the Auditor in a constructive manner to encourage continuing efforts toward improvement in performance and the elimination of shortcomings. The completed report, signed both by the preparer and the person evaluated, will document the following:
• Accurate, complete record of the auditor's performance
• Notification of observed strengths and weaknesses
• Basis for assessing training and development needs (correlated with the auditor's departmental training record)
• Basis for appraisal toward promotion or for transfer, salary review and warning or other administrative action

The periodic, end-of-assignment review should be reinforced through effective interim oral or written feedback by the supervisor during the assignment. Interim feedback is the continual process, an integral part of the supervisor's functions. Although interim evaluations need not be in writing, the evaluation form can serve, for example, as a checklist for areas to be considered and for notes, as both a basis for that evaluation and a reference point for the end-of-assignment evaluation. The interim performance discussion should provide analysis of both strengths and areas for improvement. Failure to provide timely feedback is a weakness in the supervisor's performance.

i. Preparation
Report preparation is important, and ample time should be allotted to prepare the report. The form is designed to obtain specific answers to questions, amplified as appropriate by description, comment, or discussion. Effectiveness levels are defined on the last page. It is expected that everyone will become familiar with the definitions and use them as explained.

(A) Assignment Responsibilities and Circumstances. The nature of the work, for the auditor's major responsibilities, should be described in sufficient detail. For example: internal control (sales, cash receipts, payroll): documentation, walk-through, audit program; inventory: observation, pricing finished stock; accrued liabilities: test for unrecorded liabilities, and so forth. Unusually difficult or simple situations should be identified. Criteria should include the nature of the work, degree of supervision, and prior staffing of the assignments. Regarding the level at which the person was used on the assignment, indicate the level at which he or she functioned rather than the actual level, namely supervising senior, senior, etc. When completing this section, the auditor's experience level should be considered in evaluating his or her performance. For example, the criteria for measuring a staff auditor's technical skills would differ significantly from those used in evaluating a senior.

(B) Manager/Director Approval. Manager/Director approval should occur after the report has been discussed with the individual and finalized. Approval should be indicative of Manager/Director concurrence with the evaluation (see Manager/Director Comments section) and that it contains the appropriate information. When prepared by staff-level personnel, it is recommended that the report be read by the Manager prior to review with the individual. This approval is required on all evaluations prepared by staff-level personnel. Any Manager/Director comments should be included in the evaluation at the time the individual signs off on the report.

(C) Comments Section. The boxes at the right margin are to be used to insert the abbreviation for the effectiveness level of each listed qualification. It is expected that completion of all categories will generally be appropriate except for the Development of Assistants category for evaluations of staff auditors. Although the ratings "OUTSTANDING" and "UNSATISFACTORY" should be clearly explained, specific comments should also be given for other effectiveness levels for informative reporting to the auditor and the reader. In discussing weaknesses, appropriate details should be provided, emphasizing constructive actions for improving performance. Areas noted for improvement should include any recommendations for the individual's development. When one weakness impacts several qualification categories, the evaluation should clarify this fact so as not to mislead the reader into concluding that several weaknesses exist. In situations when mitigating circumstances may have contributed to a weakness, the evaluation should assess the progress made in correcting those weaknesses during the course of the engagement. However, it is not appropriate, for example, to discuss budget overruns when it clearly was not within the control of the individual.

The Manager/Director Comments section is required for all evaluations where that level of approval is necessary. The basis for approval may be discussions with the in-charge senior, review of work papers or personal contact. The Manager or Director may also include other significant comments.

(D) Appraisal Section. The last page of the report summarizes the results of the performance evaluations, both interim and end-of-assignment. In rating an individual's effectiveness level, emphasis is again placed on the need to rate individuals on the basis of their experience level and standards normally expected at that level. The most appropriate rating must be chosen. Ratings other than these should not be used. Written comments should explain borderline decisions. The Summary Evaluation section should be completed subsequent to the Comments section and should be supported by the written comments. Because it represents a summary of the written comments, comments, reasons, and recommendations should be expressed clearly and constructively to provide reliable source information to audit management for future assignments and indicated training and development needs. Where completing the sections dealing with Developmental Needs and Promotability, supervisors should refer to the definitions provided on the form.

ii. Performance Appraisal Meeting
Performance appraisal meetings provide a very important opportunity to discuss and improve employee performance. Such meetings are a major element in a personnel development program. The Audit Department is only as good as the personnel performing the work. To the extent that employees' performance can be improved, the overall quality of the audit products will be improved. Conducting the performance review can be a challenging endeavor, and efforts should be made to train supervisory staffs to better conduct performance review meetings.

It is important that adequate time be allowed to plan for and conduct a performance appraisal meeting. The meeting should be scheduled with the employee to reduce the anxiety usually associated with performance appraisal meetings. The meeting atmosphere should be informal and unhurried. This objective can be accomplished by meeting in a conference room or away from a manager or supervisor's desk. All attempts should be made to create a comfortable atmosphere and reduce or eliminate interruptions.

The performance meeting presents an opportunity to review progress and priorities, discuss future potential development needs, resolve any problems with performance, and the needs to meet them. One objective of the meeting is to get the employee to open up, and most importantly, listen to the answers. It is important that the reviewer probe and ask questions. The evaluator will be prepared with his or her comments. However, it is important to create two-way communications. Under the self-appraisal approach, the supervisor or manager will ask the employee to discuss his or her performance from their perspective. This approach will provide ample time for the employee to discuss thoughts on his or her mind. One of the objectives of the review process is to allow the employee to face up to any problems that might exist. In some cases, the best approach to mentioning a problem is to use the self-appraisal approach. When this method is not used, specific examples should be raised during the appraisal review meeting. However, this method is not as good an alternative as actually having mentioned the problems as they occurred. For instance, problems should be discussed with the staff when they are recognized. This method will allow the supervisor to correct the problem earlier and also demonstrate by example the existence of the problem. There should be few surprises in the appraisal meeting.

There should be an emphasis on "praise" in the appraisal. It is also important to emphasize the good work that the employee has accomplished. Any criticism should be made in a positive manner. It is very important to always discuss the performance—and not the individual's personality. During the meetings, talk about how the person can make needed improvements, if possible. At every opportunity, the Audit Department culture should emphasize the importance placed on continuing personnel improvement and development.

Before the meeting is concluded, you should agree on a plan of action. Outline your thoughts on action points prior to the performance meeting. Set objectives and goals, and agree upon completion dates. Focus on facts and avoid general judgments.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.5 REV NO: DATE: TITLE: Annual Staff Meeting/Conference PAGES:

5.5 Annual Staff Meeting/Conference
As pointed out in this manual, personnel development is critical to the development and maintenance of a quality audit program, including the quality assurance program and the personnel development program. The Core and Advanced Personnel Development Programs are set out in Personnel Development in this chapter. One of the key programs in any audit department is the Annual Staff Meeting/Conference. The meeting has many objectives, including:
• Setting aside some time for department-wide administrative updates
• Discussions of company developments
• Audit training
• Reports on results of quality assurance reviews and related changes
• Opportunity for feedback from the staff and for suggestions for improvement of department operations

The location of the meeting is very important to the overall success of the meeting. Meetings should be planned outside the office for a maximum impact. In addition, it may be combined with a social or sports activity to help build morale and camaraderie among the staff. The program can include a State of the Department Address by the Chief Auditor. Presentations by department managers are also very important. Each functional leader should also provide an update on their administrative activities.

a. Group Discussions
In order to provide a forum for feedback from the staff, consideration should be given to holding group discussions. These sessions would allow staff members to discuss any topic related to their department. Plan for a sufficient amount of time—a minimum of two hours—for group discussions. The staff should be broken down by groups, and these sub-groups should be provided with private meeting space to hold these discussions. The groups should have a Group Leader and a Scribe. In order to organize the group discussion, prepare a Group Discussions Instruction Sheet. The role of the Group Leader and the Scribe should be set out in the Group Discussion Instruction Sheet. Exhibit 5.7 illustrates this document for a fictional meeting.

Exhibit 5.7: Group Discussions Instruction Sheet

Objective
• To provide a forum for the staff to discuss their concerns and hear other members' concerns
• To provide feedback to Audit Management as to what are the main concerns of the staff and what possible solutions they project

Group Leader's Role

• Set the stage by informing the staff that this is their time to talk about anything related to the Corporate Internal Audit Department's organization or activities.
• Explain that there is a scribe to take notes on what is said, not who said it, and that we will provide feedback later in the day.
• Tell them you have a list of some items of potential interest you will use to generate conversation when there is none or to improve the productivity of the conversation if it gets way off course.
• Ask the group to begin and wait a few minutes. Give the group a good chance to start on their own.
• Keep the meeting moving. If too much time is spent on a topic, ask to move on to another topic. If you don't understand what someone is trying to say, ask questions to clarify the issue.

Scribe's Role
• Listen carefully and make notes of key concerns, suggestions, items of interest, etc.

Observer's Role
• Listen in on a portion of each meeting

Potential Topics
1. How important is audit planning? Is our approach adequate? How should we approach it?
2. Should we employ management by objectives and goal setting?
3. Should we require certification of some kind (CPA, CIA, CISA, CDP) within a given time frame?
4. How much of a factor should evaluations of performance be in determining raises and promotions?
5. Other:
♦ Annual Staff Meetings
♦ IS Audits/Training Participation in Audits
♦ Job/Career Future
♦ Audit Staff, Administrative Matters, Travel, Advances, Accommodations, etc.

The Leader's role is to set the stage by informing the staff that this meeting is their time and that they could talk about anything related to the department's organization or activities. The Leader should be provided with a list of some potential items of interest to generate conversation if necessary. However, there should be sufficient time allotted before this list is introduced to ensure that the staff has an opportunity to bring their own thoughts and ideas. The purpose of the meeting is not to provide answers but to develop questions of interest and proposed solutions.

The role of the Scribe is to listen carefully and make notes of key concerns, suggestions, and items of interest. Having someone perform this role frees the Group Leader to concentrate on the Leader's role—keeping the meeting moving. The Scribe will produce a list that should be provided to audit management. The list should not indicate who made what recommendation—anonymity adds credibility to comments by mitigating "groupthink" problems. The Scribe's individual meeting summaries should be combined for review by Audit Management at a subsequent meeting or responded to at the conclusion of the Annual Staff Meeting/Conference.

In many group discussion meetings, an Observer is also involved. The role is to listen in on a portion of each meeting to gain an understanding of the temperament and direction of each meeting. The Observer should not speak at any meeting. The Observer could be the Chief Auditor or Audit Management.

Group discussions require feedback from Audit Management. The sooner the feedback is reviewed, the better. For instance, if simple issues or ideas are brought up that could be acted upon immediately, these responses

should be included in the closing remarks of the Chief Auditor. Those issues and suggestions that require more careful attention should be thought through and summarized in a memorandum to all participants in the Annual Meeting. Annual Meetings usually prove to be very productive, if proper attention is paid to planning and arrangements.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 5.6 REV NO: DATE: TITLE: New Staff Orientation PAGES:

5.6 New Staff Orientation
Welcome to Sam Pole Audit. We hope you find your position with us beneficial and rewarding. These welcoming remarks are often used when new personnel join the department. One of the first projects necessary to acquaint you with Sam Pole and Corporate Audit is orientation. Orientation is designed to formally introduce you to our company and significant department policies and procedures. A checklist has been provided to ensure your orientation is thorough and that you receive all materials. The checklist is to be signed off by you and the person making the orientation presentation. This form will be retained in your personnel file. A sample orientation checklist can be found in Exhibit 5.8. A general description is provided here for each item on the orientation checklist. However, orientation will give you a more detailed explanation. Many of these items may already have been discussed during your interview with Sam Pole. We encourage you to ask questions. Please ask any questions you may have; people on the staff will be happy to help you, or many questions can be answered by reading the procedures manual.

Exhibit 5.8: Orientation Checklist

                                        DATE              INITIALS
Introduction to Staff                   _______________   _______________
Facility                                _______________   _______________
Parking                                 _______________   _______________
Key Personnel/Organization Review       _______________   _______________
Annual Report Issued                    _______________   _______________
Employee Benefits                       _______________   _______________
Job Description                         _______________   _______________
Performance Evaluation Review           _______________   _______________
Three-Month Probation                   _______________   _______________
Working Hours/Salary/Overtime           _______________   _______________
Vacations                               _______________   _______________
Sick Leave                              _______________   _______________
Personal Leave                          _______________   _______________
Time Reports                            _______________   _______________
Travel                                  _______________   _______________

Cash Advances                           _______________   _______________
Air/Rail Travel                         _______________   _______________
Expenses                                _______________   _______________
Keys (Sign Out)                         _______________   _______________
Library                                 _______________   _______________
Data Processing                         _______________   _______________
Security/Badges                         _______________   _______________
Professionalism                         _______________   _______________
Procedures Manual                       _______________   _______________
Safety Equipment Issues
  • Hard Hat                            _______________   _______________
  • Glasses                             _______________   _______________

All items listed above have been explained to me, and I have no further questions at this time.

_________________________ __________    _________________________ __________
Orientation Supervisor    Date          Employee Signature        Date

• Introduction to Staff. The person presenting the orientation will introduce you to members of the staff in the office. That person will also identify those staff members who are not present and provide you with a list of the staff in the Audit Department.
• Facility. You will be given a guided tour of the Corporate Audit Department and other nearby facilities.
• Parking. Parking will depend on the division where you work. Additional parking facilities are available at a cost to you. When you are in the field, during your initial visit to the auditee's office, identify where you have parked and ask about their parking requirements.
• Organization. Organization charts of the Corporate Audit Department and the Corporation are in Chapter 4 of this manual. Key officials are identified in the annual report, along with major components of the Sam Pole organization.
• Annual Report. You will receive the current annual report of Sam Pole Corporation. You should study this report thoroughly.
• Employee Benefits. You will be issued an employee benefits manual. Read it carefully, and if you have any questions, please ask them. If we do not know the answers, we will obtain them from the Employee Benefits office or refer you to the Human Resources Department. You will be issued employee benefit authorization cards that must be filled out and signed.
• Job Descriptions. Job descriptions are available in the Procedures Manual. Your job description will be carefully discussed with you during orientation.
• Performance Evaluation Reviews. The form that is used for performance evaluations will be discussed with you. It is contained in Chapter 5 of the procedures manual. Study the form, and if you have any questions, discuss them with Audit Department management.
• Three-Month Probation. All employees hired by the Corporate Audit Department are subject to a three-month probationary period. This procedure is for the evaluation of initial performance. Please see the Manager with any questions.
• Working Hours. Normally, the office hours are from 8:00 A.M. to 5:00 P.M., Monday through Friday. The exception to this standard is when auditing outside of your home location. If 40 hours can be accomplished Monday through Thursday by working 10-hour days, then at the discretion of audit management, you may return home Thursday night.

As professionals. when circumstances warrant. • Sick Leave. Chapter 5: Personnel. Advances must be shown on expense reports and accounted for monthly. is a concerted task-oriented profession. • Safety Requirements. A friendly. It is important to become familiar with the manual because we follow these procedures and are evaluated accordingly. In the division where visits to the factories are customary. and Recruiting 23 . Corporate Audit is striving to make our department a world-class department. outside auditors. • Expenses. the department issues a hard hat and safety glasses. Administration. Overtime is not paid. Unused advances must be remitted to the company monthly. may be conducted during working hours—if prior permission is obtained from the Manager of Corporate Audit. and you will be instructed on how to complete it correctly. • Advances. • Personal Leave. Where badges are required. • Salaries. You will see these. Time reports are required on a semi-monthly basis. There are times when personal business. however. • Keys." to be used with the exception of those items that are specifically provided for by the Corporate Audit Department. Administration. courteous relationship with auditees.g. A better option would be to keep an electronic copy of the manual on the Audit Department Intranet site for easier access (e. Professionals employed by the Corporate Audit Department are salaried personnel. The new employee will be given certain keys where appropriate. you are to notify the office and the in-charge auditor as early as possible in the morning. We consider ourselves professionals and should act and dress accordingly. With audit functions situated away from home offices. Try not to have extremes in either direction..Chapter 5: Personnel. There are occasions when we must work in areas that require safety equipment. • Time Reports. Typically. The Corporate Audit Department follows vacation schedules as set forth in the Sam Pole personnel policy manual. 
The master manual is retained in the office. in-charge auditors have a copy to be used at the work sites. such as studying for certification exams. "Reporting of Travel and Business Expenses. 24/7 availability to anyone). Sam Pole has issued a pamphlet. A form will be shown to you. • Library. expect to spend the necessary additional hours to accomplish our objectives in a timely manner. Other publications available for education or research are also in the office library. • Air/Rail Travel. • Travel. there is a need for travel to these locations. • Professionalism. This manual was developed for the benefit of new employees and to document procedures to be followed. and/or badges will be arranged through the Manager of Corporate Audit. Personal time is provided by the Corporate Policy providing three personal days per year. the location will provide the equipment. • Security Badges. and other Sam Pole employees is paramount in establishing and maintaining good public relations. Each division may make temporary cash advances for expenses. These must be signed out on the log maintained by the secretary at your location. computer/network passwords and log-in access. you will be evaluated on an as-needed basis before badges will be issued to you. as well as checkout procedure applicable to the local offices (see Recommended Reading List). If you are sick. Tickets for air/rail travel can be obtained from the travel department (and accounted for in the same manner as cash advances) or purchased directly by the auditor and reported on the expense report. The Corporate Audit Department will follow Corporate sick pay policy. refer to the Corporate Audit Department procedures manual—travel policies. • Procedures Manual. The department office library contains various Sam Pole manuals. Necessary security codes. Dress should be in good taste. • Vacations. and Recruiting 23 Auditing. You should become acquainted with these manuals. For travel information.


Part III: Technical Procedures

Chapter List
Chapter 6: Audit Planning
Chapter 7: Audit Performance
Chapter 8: Audit Reporting


Chapter 6: Audit Planning

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.1 REV NO: DATE: TITLE: Corporate Audit Planning, Scheduling, and Staffing PAGES:

6.1 Corporate Audit Planning, Scheduling, and Staffing

In January 2002, the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal Auditing (SPPIA) became effective. These standards emphasize the need for planning (see section 2010 in particular). Under the Performance Standards of the SPPIA, the first topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals." Additionally, "The chief audit executive should establish policies and procedures to guide the internal audit activity" (IIA — SPPIA, 2040).

The Information Systems Audit and Control Association (ISACA) also has established a similar emphasis on planning. One Guideline states, "The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards" (ISACA—IS Audit Guideline 050.010.2 [Audit Planning]). Another ISACA guideline addresses planning related to day-to-day activities: "Before beginning an audit, the IS auditor's work should be planned in a manner appropriate for meeting the audit objectives" (ISACA—IS Audit Guideline 050.010.3).

Planning is a very basic element of all business activities. The Audit Department is no exception. To accomplish the responsibility for planning for internal audit activities, a planning matrix (Exhibit 6.1) has been developed as a tool. It illustrates the flow and relationship of the three-year plan to the annual operating budget, six-month audit plan, three-month audit schedule, and two-month staff schedule.

In many companies, a three-year operating plan has been developed. This process would establish the overall strategy for auditing company locations, to some extent, on a formal rotation basis (see Section 6.1.1). In this book, every aspect of the company's operations should be audited. Even small operations should be considered for audit visits. The audit "deterrent factor" should not be underestimated. The extended cycle of audit coverage should be discussed with management and, if appropriate, with the Audit Committee. The long-term departmental operating plan will demonstrate an organized approach to systematically auditing all company operations.

By beginning with the long-term planning exercise, the work investment naturally flows down to the planning for the shorter periods. In formulating the three-year plan, one should consider the subsequent shorter-term plans by developing the long-term plan in six-month or other appropriate sub-periods to feed into the shorter-term planning process. Here is where the chief internal audit executive looks for integration of activities to save work later on.

Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing

Three-Year Operating Plan
Purpose: Document/forecast department operating plan for Audit Committee and Management.
Basis: Owner's request to provide total coverage of principal audit areas over a three-year cycle.
Timing: Annually in August. Revision: As required.
Responsibility: Primary - Manager; Secondary - Sr. P&C.

Annual Budget and Plan
Purpose: Plan calendar-year audit plan as basis for financial budget.
Basis: Audit plans: second half current year, first half next year. Manpower, traveling, professional development and administration costs. Budget constraints.
Timing: Annually in August. Revision: As required.
Responsibility: Primary - Manager; Secondary - Sr. P&C.

Six-Month Audit Plan
Purpose: Detail of specific implementation of each six-month period of the three-year plan.
Basis: Audit management decision regarding rotation. Management discretion.
Timing: Semiannually, 60 days prior to six-month period. Revision: As required.
Responsibility: Primary - Manager; Secondary - Sr. P&C.

Three-Month Audit Schedule
Purpose: Schedule audit assignments: three-month nature of audit, timing, manpower, segment of scope.
Basis: Attainable audit objectives for three months based upon six-month plan. Audit management discretion.
Timing: Beginning of first month for each three-month period. Revision: As required.
Responsibility: Primary - Manager; Secondary - Sr. P&C.

Two-Month Staff Schedule
Purpose: Notify supervision and staff of assignment schedules.
Basis: Audit management discretion. Manager discretion.
Timing: Beginning of first month of each two-month period. Revision: As required.
Responsibility: Primary - Sr. P&C; Secondary - administrative assistant to staff.

a. Three-Year Operating Plan

One of the responsibilities designated by the Corporate Audit Charter is for the Director of Auditing of the corporation to establish a plan of audit. The three-year audit plan (Exhibit 6.2) provides long-term forecasting. It also establishes the coverage of audits for a three-year cycle approach to total coverage of locations, branches, or companies within the organization. The objective to audit all company operations over a period or cycle can be difficult to achieve. Of course, the number of personnel required on the staff to achieve this objective will need to be calculated. Coordinate audit coverage with public accountants.

Exhibit 6.2: Sample Three-Year Audit Plan

Sam Pole Company Corporate Audit Department Three-Year Audit Plan
Columns: Audit Unit | Audit Unit Profile | Risk Factor 1 × wt. | Risk Factor 2 × wt. | Risk Factor 3 × wt. | Risk Number | Estimated Audit Hours: 20xx Jan.–June | 20xx July–Dec. | 20xx+1 Jan.–June | 20xx+1 July–Dec. | 20xx+2 Jan.–June | 20xx+2 July–Dec.

The three-year plan optimizes staffing requirements and the cost effectiveness of the Audit Department. The plan is based on materiality and exposure to risk for establishing priorities of the audit entities and number of hours for the audits. The three-year plan may be developed in detailed increments of six-month time periods. Circumstances that affect change to the plan are management requests and detailed monthly planning.

b. Auditable Units

In order to develop an audit plan, a company's auditable unit must be selected. An audit unit can be a subsidiary operation, a division, a department, a system, or even an account. For example, the XYZ Company may be audited. Alternatively, the XYZ Company's sales cycle (sales, accounts receivable, and cash receipts systems) can be audited, or its accounts receivable balance can be subject to audit verification. Often, various audit units at a specific location will be combined to create a logical audit unit. In many cases, combinations of audit types will result. A logical approach for each company must be developed based on infrastructure, system specifics, resources, and corporate strategies.

Risk Analysis

Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have long begun their process of financial audits with the audit formula—assessing inherent risk, control risk, detection risk, and audit risk. In Statement on Auditing Standards No. 78, Consideration of Internal Control in a Financial Statement Audit, the American Institute of Certified Public Accountants (AICPA) institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control. The five major areas of internal control include (1) control environment, (2) risk assessment, (3) information and communication, (4) monitoring, and (5) control activities. The COSO model has also become a common methodology used to design the internal control environment (see Chapter 3).

Lately, internal auditing has also put more focus on risk assessment. One published survey on best practices for audit efficiency concluded that correlating audit efforts to the levels of risk and materiality helped increase audit efficiency.[1] Thus auditors should try to limit procedures in low-risk areas and focus their attention on trouble spots. In 2000, the IIA basically adapted risk assessment as the cornerstone of audits in its Standards. The current definition of internal auditing by the IIA states:

• Internal auditing is an independent, objective assurance and consulting activity to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

In the Nature of Work section (Standard 2100), the first standard relates to risk management (Standard 2110). It states: "The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems." In order to develop effective audit planning, some type of risk analysis is necessary because it provides strategic direction for limited resources.

Since all risks are not equal, the various risk factors are identified in the plan, such as materiality, results of previous audits, or the control concern level of management, depending on your company's specific operations and management concerns. For instance, each risk factor is assigned a weighting factor. The following is an example:

Risk Factor | Weight Factor (1 = lowest, 5 = highest)
Materiality | 5
Results of Prior Audits | 3

For each audit, a score for each risk factor should be developed and multiplied by the risk factor weighting. For instance, a scale of 1 to 5 can be used with 5 representing high risk and 1 representing low risk or a good control environment. The following is an example:

Risk Factor | Weight Factor (1 = lowest, 5 = highest) | Risk Score
Materiality | 5 | 5
Results of Previous Audits | 3 | 1

From this type of analysis, a risk profile can be developed to support decisions of audit frequency or scope. Care must be taken to analyze the cost versus benefit of a complex risk-based audit plan. Many risk analyses result in a potentially complex summary of mostly subjective criteria and a restatement of obvious objective criteria. However, a basic summary of risk analysis should be performed. Finally, audit review and management judgment should be applied to the plan and risk assessment. All audit managers should be encouraged to provide input and review. However, if circumstances warrant a scope change, discussions with the audit committee should be scheduled.

c. Annual Budget and Plan

The company utilizes many budgets to operate its various companies, divisions, and so on. Local budgets consolidate into corporate budgets, capital appropriations budgets, production forecasts, and many other budgets. Auditing, along with all other departments within the company, must comply with these accounting practices. Departmental budgets and plans are the direct responsibility of the Director of Auditing. Departmental budgets and plans include the annual departmental budget, the three-year audit plan, annual audit plan, and monthly staff assignments. Each kind of plan is discussed in more detail in subsequent sections.

i. Annual Department Budget. The Audit Committee requests the annual departmental budget each fiscal year. The annual departmental budget covers all facets of the department's expenditures for the following calendar year. This budget includes the number of personnel, salaries, salary raises, benefits, employment fees, travel, conferences, supplies, and several other expenses. The Director of Auditing must present the departmental budget as a corporate cost center to the Chief Financial Officer (CFO) and the corporate budget department after the Audit Committee has approved it. Once the budget is developed and approved, it becomes difficult to substantially change the direction of the department when additional costs will be incurred.

ii. Annual Audit Plan. An annual audit plan is primarily developed from the three-year plan and becomes a determinant in preparing the department budget. The annual audit plan is principally a summary of the next two applicable six-month periods of the three-year plan. The annual plan is used to support the manpower and travel expense estimates used in the annual budget.

d. Six-Month Audit Plan

Most audit departments prepare an annual audit plan. Our example is broken down into six-month modules to provide for synchronization with external auditors (if applicable). Most external auditors plan for the next annual audit in the spring (assuming a calendar year end). This plan may inhibit coordination if the internal audit plan is fixed for the calendar year. Therefore, the internal audit plan is projected for the year, but fixed in six-month modules to provide for some flexibility in the second half of the year. This flexibility is also desirable in order to be able to plan audits consistent with changes in the company's direction.

e. Three-Month Audit Schedule

The six-month plan is used to develop the department schedule for the next three months. The schedules are required to be in place at the beginning of each three-month period. Nevertheless, it is desirable that they be prepared at least 15 days before the beginning of the period. The schedule allows the staff to plan the beginning of audits and project travel assignments for personnel purposes.

f. Two-Month Staff Schedule

For the purpose of providing as much advance notice of pending audits as possible, a Corporate Audit Staff Schedule form is completed two months in advance for distribution. The form is designed by listing staff along the left side of the form and days of the month across the top. Assignments are written for each staff member across this matrix. Although the best intentions and forethought go into developing the Corporate Audit staff schedule, not all circumstances can be anticipated. Management may request an audit not previously scheduled or change the timing of others. Auditees may require or request different time periods for their audit than those scheduled. It means that auditors must remain flexible. When scheduling changes affect your plans, it may be possible to make other arrangements. Contact the Internal Audit Manager to see what can be worked out.

[1] September 2000 issue, "Best Practices for Audit Efficiency." Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.2 REV NO: DATE: TITLE: Internal Controls PAGES:

6.2 Internal Controls

Evaluating internal controls is such a significant part of Audit Planning that a separate chapter has been devoted to the subject. Chapter 3 provides more information that is relevant to audit planning.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.3 REV NO: DATE: TITLE: Materiality PAGES:

6.3 Materiality

A significant function of auditing is to express an opinion regarding the fair representation of financial statements and the adequacy of the system of internal controls or other audited areas. In forming this opinion, judgment must be exercised involving the materiality of exceptions to mathematical accuracy, auditing procedures, compliance with Generally Accepted Accounting Principles (GAAP), and consistency in the application of those principles. Regulations of the SEC require that the accountant express an opinion as to "any material differences between the accounting principles and practices reflected in the financial statements and those reflected in the accounts." How is the auditor to determine what is material, significant, consequential, or of consequence? These four words are practically synonymous, although some make a distinction between material and significant. The courts and the SEC have furnished a few guidelines, including:

A. The term "material," when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters as to which an average prudent investor ought reasonably to be informed before purchasing the security registered (Securities and Exchange Commission, Regulation C, Rule 405, of Securities Act Regulations).

B. A material fact . . . (is) a fact which if it had been correctly stated or disclosed would have deterred or tended to deter the average prudent investor from purchasing the securities in question (Securities and Exchange Commission, In Matter of Howard et al., 1 SEC 6).

C. Where a misrepresentation would be likely to affect the conduct of a reasonable man with reference to a transaction with another person, the misrepresentation is material (Restatement of the Law of Contracts).

D. If the probable effects of the item—whether through omission or commission—would be to give rise to misleading inferences by the person or class of persons whom it will logically reach, it is material.

In their pronouncements, the American Institute of Certified Public Accountants (AICPA), the Securities and Exchange Commission (SEC), and the Financial Accounting Standards Board (FASB) stress materiality. Bulletins of committees of the AICPA relating to accounting and auditing procedure remind readers that they apply only to "items material and significant in the relative circumstances" and that "items of little or no consequence may be dealt with as expediency may suggest." The FASB defined "materiality" in Financial Accounting Concepts Statement No. 2, Qualitative Characteristics of Accounting Information: "The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement." The U.S. Supreme Court held that a fact is material if there is "a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available" (Basic, Inc. v. Levinson, 485 U.S. 224, 1988). As a response to some concerns raised by Chairman Levitt, the SEC issued Staff Accounting Bulletin (SAB) No. 99 in August 1999. The Bulletin contends that FASB's definition is similar to the interpretation of materiality upheld by the courts under federal securities laws.[2]

From these definitions, we may conclude that materiality depends on surrounding circumstances, the setting in which the item appears, and the setting in which it will be used. In arriving at these decisions, the auditor should keep these matters in mind:

• Relative size of the item. Failure to disclose a liability of $5,000 in the balance sheet of an enterprise with net assets of $40,000 would result in a material misstatement. In a balance sheet showing net assets of $3 million, it would ordinarily not be material.
• Absolute size of the item. In spite of the importance of relativity, size alone may be important. Many accountants would consider a large amount important, attaching material primarily to a dollar amount, even though it is only 3 to 4% of net assets, or 3 to 4% of net income before taxes.
• Stability of income. If net pre-tax income fluctuates widely.
• Use to be made of the report. If it is known that the report will be used for the sale of stock or for obtaining long- or short-term credit, the effect the item might have on purchasers or long- or short-term creditors would be considered.
• Effect of future earnings. Items whose effect will continue into the future are more important than those with only current significance.
• Evidence of a desire to mislead. An accidental error would have less significance than a deliberate departure from accepted procedure. The existence of an incentive for error would be considered.
• Favorable or unfavorable effect of adjustment or disclosure. Unfavorable ones are usually given more weight.
• The nature of disclosure. The fact that a company has pledged its accounts receivable as security for a loan is significant because it discloses that the company is using a comparatively expensive form of financing and is therefore a material fact—even though the amount may not be material in relation to the working capital. For this purpose, unusual items are more important.

Materiality may determine not only the need for exception or disclosure but also the extent of the audit work necessary to sustain an informed opinion. Where accounts receivable consist of relatively few, but large, balances, the percentage of accounts confirmed should normally be much higher than if they comprise a large number of small balances, even though the total may be the same. Inventories of a manufacturing company are of greater relative importance than those of a personal service organization, not only in size and amount but also because of the greater number of ways in which they may be improperly handled, both physically and in the records.

In summary, there are degrees of materiality and, as a consequence, sound judgment is required in determining what is or is not material. Clearly, there will be borderline cases. These will require all the good judgment that the auditor can summon. Research shows that the assessment of materiality differs among individual accountants and among public accounting firms and that it varies with the size and geographical location of the practice. Standards that would guide an auditor in determining whether or not a deviation would require correction, disclosure, or qualification of an opinion would be of immense help to auditors. No definition of materiality need deter you from recommending adjustments of errors or omissions on the books or financial statements. Auditees, as mentioned earlier, generally wish to have errors or deficiencies corrected.

[2] C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41–43.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.4 REV NO: DATE: TITLE: Types of Audits PAGES:

6.4 Types of Audits

The following descriptions are of the audit types performed by the Internal Audit Department. The majority of audits performed by the department are financial, operational (managerial), and information systems. (For a discussion of control self assessment (CSA) or self audits, see Section 4.1(e).) The type of audit performed on a particular auditable unit can be any combination of the types described below. The type of audit to be performed is determined in the initial planning process.

a. Financial Audit

A financial audit is a study of the current financial position of an operation to evaluate the fair presentation of the financial position as reported on the balance sheet, income statement, and the statement of cash flows. The primary reason for a financial audit is to assure parties relying on financial statements that the data are presented fairly in accordance with GAAP. Full financial audits of significant company operations and subsidiaries are typically performed by external, independent auditors. In some cases, however, full financial audits may be performed by Sam Pole's internal auditors. A financial audit would be appropriate before tax reporting, mergers, acquisitions, disposal, and periodic presentations of financial position.

In all financial audits, the internal auditor should obtain an understanding of the entity's systems of accounting and internal controls. Compliance and some substantive tests are to be performed over certain areas of an entity, including cash, accounts receivable, fixed assets, and inventory. Regardless of the purpose of the audit, financial controls would always be of prime consideration in evaluating audit risk.

The approach to a financial audit would be governed by the purpose of the audit. If current liquidity were of prime importance, then purchasing practices, turnover of inventory, collectibility of trade receivables, and liquidation of accounts payable would be considered. If economic fluctuations called for entrenchment, overhead reductions, inventory stockpiling, travel and expense, and other operating costs would be considered. If expansion or acquisition were of prime importance, expansion ventures, short-term investments, brand sales, marketing variable, product costing, and both long- and short-term debt would be considered. Depending on the purpose of the audit, the general ledger, general and specific journals, voucher registers, bank reconciliation, and account analyses would be reviewed. These records would tell the auditor where the operation's assets were utilized and why.

b. High-Level Review of Procedures

A high-level review is a special type of review that measures general compliance with key corporate policies and with sound business practices. Procedures for this review follow the general guidelines for external auditors, as specified in Statement on Auditing Standards (SAS) No. 36: Review of Interim Financial Information. These procedures consist primarily of inquiries and analytical review concerning significant accounting matters related to financial information being reviewed. Our high-level review includes other tests outlined in greater detail than in SAS No. 36. The objectives of this review are to provide the auditor with an understanding of an operation and to determine the nature of detailed testing that may be needed in certain areas. Additionally, a review of the following reports would be considered:

• Accounts Receivable Aging
• Accounts Payable Aging
• Inventory Aging
• Discount Income versus Discount Expense
• Physical Inventory Reconciliations
• Inventory/Receivable Turnover Ratios
• Variance Analyses
• Standard Cost Revisions
• Transportation Costs
• Capital Expenditures versus Return on Investments
• Purchasing Cost Savings

These records and reports would tell the auditor where the operation was, where it is, and how it got there. They would highlight efficiencies and inefficiencies in vital areas such as credit and collections, inventory control, production scheduling, and purchasing coordination. These records and reports could indicate such trouble areas as segregation of duties, theft, adverse variances, excessive customer returns, equipment down time, capital investments, proposed product changes, or personnel turnover. These indications could aid the auditor in determining priorities as to depth of investigation and areas of potential improvement.

c. Operational/Managerial Audit

An operational audit can be defined as an extension of a financial audit. A financial audit tells where the entity was and where it is. In this sense, an operational audit tends to answer the questions why the entity is where it is and how it got there. The operational audit falls into the category of a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling. The operational audit can be broken down further as a functional review, for example, Purchasing as a department versus the overall Procurement operation in coordination with production scheduling and market forecasting.

There are several reasons for performing an operational audit: compliance with policies and procedures, weaknesses in internal controls, over- or under-staffing, imbalance in reporting path, noncompliance with corporate policies and procedures, or inadequate job rotations. The timeliness of an operational audit is determined by the reason for the audit and the areas to be audited.

To formulate the approach to an operational audit, an auditor must first establish the scope. This step determines the extent of the audit. The next step is to become familiar with an auditee's operation, its history, its purpose in the total structure of the entity, its staff, and its reporting path. The prime records to be obtained in an operational audit are the organizational chart of the function/operation, applicable policy guides, and procedures directives. These will outline each employee's responsibility and authority. The reporting path is of prime importance because this path is the communication route along which audit results and conclusions will flow. Reports must be informative and timely, and directed to the proper levels of management. The function's/operation's performance reports for at least one year prior to the audit should be reviewed to determine trends that have developed over the past year.

Given all the above factors, the audit plan would then be devised, giving consideration to:
• Objective of the audit
• Time requirements
• Staff requirements
• Starting and concluding dates
• Auditor assignments

The auditor should advise the location's management in advance of a planned visit so that suitable working and living accommodations may be arranged.

d. Compliance Audit
A compliance audit involves two different, though closely related, types of issues:
1. The nature and scope of the transaction against which the compliance is to be ascertained
2. The degree to which it is practicable, or even desirable, to determine the compliance

Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course that is monitored by various checkpoints to reach a desired conclusion. Reasons for a compliance audit can vary with the size and complexity of the organization, type of product, market involvement, quantity and locations of sites, or levels of standardization. A compliance audit may be performed due to a recent history of excess customer returns, increase in scrap, increase in bad debt write-offs, unusual buildup of inventory, manpower turnover, proposed realignment of responsibilities, or a routine review of procedures.

e. Contract Audit
A contract audit is defined as the review and evaluation of a contract (terms, conditions, etc.) and its related financial transactions. The terms construction and contracts are sometimes used interchangeably in the audit profession because a construction project requires a contract. Contracts, however, cover a wide range of areas such as repairs, maintenance, rentals, and consulting. Contract audit objectives are segregated into:

Corporate Audit Objectives:
• Assess the adequacy of internal accounting control systems and operating procedures.
• Monitor compliance with corporate policies and procedures, budgetary guidelines, contractual provisions, and operating safeguards and controls.
• Highlight problem/opportunity areas and make appropriate recommendations to management for the development of new operating and control procedures.

Contract Audit Objectives:
• Controls exist to assure that construction or other costs, which are billed by the contractor, are in accordance with the terms of the contract.
• Contractor controls and procedures are adequate to assure that the billed costs are proper and reasonable.
• Controls exist to assure that other charges to the project are proper and reasonable.

Contract audits are appropriate on a continuing basis when:
• Contracts are issued for significant amounts.
• The contract specifically includes the right-to-audit clause.
• A request is received from management (corporate or unit).
• Actual expenditures exceed budget.
• Integrity of personnel is questioned.
• Control weaknesses are noted during a financial audit.
• A unit experiences management turnover.

The approach to a contract audit includes the following steps:
1. Review the contract to determine that it is in accordance with established company policies (e.g., competitive bidding).
2. Document and evaluate the system of internal control.
3. Review pertinent data (project expenditures) to determine test criteria.
4. Perform a review to ascertain that all expenditures (included in test) are accurate, properly supported, and in agreement with terms and conditions of contract.
5. If considered necessary, visit the contractor's office and review records to determine that charges to the company are proper.

Ongoing contract audits require the preparation of periodic interim reports to management advising on situations encountered so that prompt corrective action can be taken, and status reports to audit management should also be issued from time to time. A formal report is also required on completion of an assignment.

(g) Follow-Up Audits
Follow-up audits are performed 6 to 12 months after a major audit has been completed, to ensure that previously accepted audit recommendations have been effectively implemented. These audits are typically performed if the audit identified significant conditions. In general, the internal auditor can determine if the auditee is currently in compliance with previous recommendations.

h. Desk Review
In a desk review, the internal auditor will obtain a package of financial and other documentary information from the auditee and perform limited procedures. In most cases, all procedures will be performed from corporate offices and not at the auditee location. Several benefits result from frequent desk reviews. First, internal auditors can expand the coverage of their audits to nearly the entire organization without making trips to every location. Second, the desk review is ideal for training new internal auditors, allowing them to gain an understanding of an entity's operations prior to doing a field audit. A related benefit is reduced travel time and travel expenses. Finally, a desk review can be combined with a control self-assessment review, see Chapter 4.

f. Information Systems Audits [3]
Information systems (IS), or electronic data processing (EDP), audits are the examination of significant aspects of the IS environment. The nature of business systems changed dramatically in the 1990s. More and more businesses went to real-time, online systems. The Internet expanded into the World Wide Web (WWW, web), where a geometric growth of pure digital business transactions has occurred (i.e., electronic data interchange (EDI), electronic commerce). Therefore, more accounting functions are computerized and more business transactions are now entirely in digital form. For those businesses that have some or all of their business transactions embedded within IS, the availability of the system has become critical to the success of the firm. IS audits are becoming increasingly more important for data integrity, system availability, and security. Even for external audits, the "white box" technique [4] of financial audits is becoming more necessary and will become more and more common.

The company may have several different IS environments, such as: mainframe, mini-computer, microcomputer (PCs), local area networks (LANs), wide area networks (WANs), and Internet hosts (servers, electronic commerce). The internal auditor should have identified audit units for each of the IS environments above applicable to the firm. The COSO model is an excellent way of identifying such units. Using both COSO and other sources, the following is a list of major audit units to be considered for each environment, although it is not comprehensive:

• System Control Activities: General Controls Review. Review of general control units such as organizational structure policies and controls related to all information systems or technologies. An examination of general controls might include units such as:
♦ Access Security
◊ "Top Secret," RAC-F, ACF-2
♦ System Availability/Continuity of Operations
♦ Documentation Standards
♦ Program Development and Change Control
◊ Program change control—"PanValet"
♦ Disaster Recovery/Business Recovery
• System Control Activities: Application Controls Review. Basically, auditors will examine software systems' controls for processing applications such as:
♦ Revenue cycle programs (e.g., sales)
♦ Expenditure cycle programs (e.g., purchases)
♦ Payroll cycle programs
♦ Inventory cycle programs
♦ General ledger
♦ All other financial applications
Application controls are embedded in the code. Hopefully, internal auditors (such as CIAs or Certified Information Systems Auditors, or CISAs) provided guidance in developing the controls as each application was being produced.
• Physical Control Activities. An examination of various physical controls. This review could be done in conjunction with other audits (i.e., integrated approach). They include controls such as:
♦ Transaction authorization
♦ Segregation of duties
♦ Compensating controls (often necessary in IS environments)
♦ Accounting records (especially audit trails)
♦ Independent verification (management's assessment of individuals, integrity of Accounting Information System (AIS), and integrity of the data in the records)
• Detailed Examination of Operating System. Audit specific to MVS operating system, AS/400, Unix, Linux, Novell, Windows, etc. The audit should have at least these objectives:
♦ Protect itself from users
♦ Protect users from each other
♦ Protect users from themselves
♦ Be protected from itself
♦ Be protected from its environment

i. General Controls: Disaster Recovery Review
A Disaster Recovery Plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. Every organization needs an appropriate DRP. [5] The DRP starts with a written plan that also identifies the procedures for restoring operations with the DRP elements. The plan also identifies the DRP team. A review of the DRP includes at least the following items:

• Critical Applications. A ranking of all applications to be restored. The ranking provides a way to prioritize DRP recovery processes. The procedures should rank critical applications for the restoring process so as to minimize the loss of critical transactions during the down time.
• Backup Team. The identification of the DRP team, with responsibilities for each member having been described in the written DRP. All of the DRP recovery processes should be made the responsibility of various team members with overlap or backups for personnel in case of the greatest tragedy—the death of a DRP team member.
• Backup Site. An offsite facility equipped to restore operations (e.g., hot sites, cold sites, and mutual-aid pact, such as the recovery operations center).
• Backup Data. An offsite receptacle for archived data, stored frequently and timely (e.g., online data vaulting and data sets such as tapes, disk packs, etc.), stored in a fireproof vault, stored at or near the backup site, with equipment backup separate.
• Backup Software. Backup copies of all relevant software and applications. These should be stored offsite at the site backup or with the data backup.
• Backup Documentation. Any manuals or documentation that are necessary for operations. These items should be stored at or near the backup site.
• Backup Resources. Items such as paper supplies (e.g., continuous forms for printing invoices or checks) and other supplies necessary for systems to function.
• Tested. Has the plan been tested in a realistic manner? This process should have been tested for reliability.

ii. Applications Controls Review: Further Guidance
Applications and systems need expert design features to have adequate processing controls, which can be provided by CIAs, CISAs, or other qualified auditors. Application controls can be tested and examined using the system model: input controls, processing controls, and output controls. In order to conduct a white-box-type IS audit, an in-depth understanding of the internal logic of the application being tested is imperative.

A. Input Controls. They are designed to ensure that the transactions that bring data into the system are valid, accurate, and complete. Data input procedures can be either source document-triggered (batch) or direct input (real-time). Source document input requires human involvement and is prone to clerical errors. Direct input employs real-time editing techniques to identify and correct errors immediately. Input controls would focus on maintaining the integrity of data entry and assertions such as completeness and existence (occurrence). The following is a list of some input control areas for which to plan and investigate:
♦ Source document controls
♦ Data coding controls
♦ Batch controls (where applicable)
♦ Validation controls (e.g., field characteristics)
♦ Input error correction controls

B. Processing Controls. Processing controls are the most important and most difficult because they involve the computer processing steps inside the system. The following is a list of some processing control areas for which to plan and investigate:
♦ Run-to-run controls (during posting, etc.)
♦ Operator intervention controls (i.e., minimize human intervention, build audit trails when they do)
♦ Audit trail controls (building an adequate digital audit trail of internal processing activities)
♦ Logic testing (formulas, etc.)
The latter area is a real key to most systems and is extremely valuable for reviews of new or significantly revised applications. Again, an in-depth understanding of the internal logic of the application being tested is imperative. There are several techniques for testing logic directly.
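The input control areas listed under A (batch controls, validation controls on field characteristics, and input error correction) can be shown working together on a small batch. What follows is an added example written for this section, not the book's or any vendor's code: the batch header totals, the four payment records, and the field rules are all constructed. The batch-level checks run first, because a hash-total mismatch tells the data control group that something was mis-keyed even before the field validation names the record.

```python
"""Batch input controls on a constructed payment batch (added example)."""
import re

# Constructed batch header as prepared by the originating department before
# keying: how many records, what they add up to, and a hash total of the
# (meaningless in itself) account numbers.
BATCH_HEADER = {
    "batch_id": "B-EXAMPLE-07",
    "record_count": 4,
    "financial_total": 1275.50,
    "hash_total": 1000 + 1017 + 1042 + 1042,
}

# Constructed keyed records; the third has a mis-keyed account, the fourth
# several field defects.
BATCH_RECORDS = [
    {"account": "1000", "amount": "250.00",  "date": "2000-03-15", "ref": "PV-1001"},
    {"account": "1017", "amount": "1000.50", "date": "2000-03-15", "ref": "PV-1002"},
    {"account": "10A2", "amount": "25.00",   "date": "2000-03-15", "ref": "PV-1003"},
    {"account": "1042", "amount": "0.00",    "date": "2000-13-01", "ref": ""},
]

ACCOUNT_RE = re.compile(r"^\d{4}$")                 # field characteristic: four digits
AMOUNT_RE = re.compile(r"^\d+(\.\d{1,2})?$")        # field characteristic: money, 2 decimals
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def validate_record(rec):
    """Validation controls: return the list of field errors (empty means clean)."""
    errs = []
    if not ACCOUNT_RE.match(rec["account"]):
        errs.append("account must be 4 digits")
    if not AMOUNT_RE.match(rec["amount"]):
        errs.append("amount not numeric")
    elif float(rec["amount"]) <= 0:
        errs.append("amount must be positive")
    m = DATE_RE.match(rec["date"])
    if not m or not (1 <= int(m.group(2)) <= 12 and 1 <= int(m.group(3)) <= 31):
        errs.append("date not a valid YYYY-MM-DD")
    if not rec["ref"]:
        errs.append("missing source document reference")
    return errs


def process_batch(header, records):
    """Batch controls, then field validation.

    Returns (accepted, error_file, batch_errors). Rejected records go to the
    error file with their reasons so they can be corrected and re-entered.
    """
    batch_errors = []
    if len(records) != header["record_count"]:
        batch_errors.append(f"record count {len(records)} != header {header['record_count']}")
    fin = round(sum(float(r["amount"]) for r in records if AMOUNT_RE.match(r["amount"])), 2)
    if abs(fin - header["financial_total"]) > 0.005:
        batch_errors.append(f"financial total {fin:.2f} != header {header['financial_total']:.2f}")
    hsh = sum(int(r["account"]) for r in records if r["account"].isdigit())
    if hsh != header["hash_total"]:
        batch_errors.append(f"hash total {hsh} != header {header['hash_total']}")

    accepted, error_file = [], []
    for r in records:
        errs = validate_record(r)
        if errs:
            error_file.append({**r, "errors": errs})
        else:
            accepted.append(r)
    return accepted, error_file, batch_errors


if __name__ == "__main__":
    ok, bad, berr = process_batch(BATCH_HEADER, BATCH_RECORDS)
    print("batch errors:", berr)
    print("accepted:", len(ok), "rejected:", len(bad))
    for r in bad:
        print(r["account"], r["errors"])
```

In this constructed batch the record count and financial total agree with the header, so only the hash total reports the mis-keyed account "10A2"; the field validation then isolates that record and the one with a zero amount, an impossible month, and no source document reference.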

These approaches use small numbers of specially and expertly crafted test transactions used to verify aspects of the application's logic and controls. With known variables and calculated results, auditors can then conduct precise tests, obtain computerized results, and compare them against the objective set. The following list is indicative of the types of tests that could be run to test application logic:
• Authenticity Tests. Verify that an individual, a programmed procedure, or a message attempting to access a system is authentic.
• Accuracy Tests. Ensure that the system processes only data values that conform to specified tolerances.
• Completeness Tests. Identify missing data within a single record and entire records missing from a batch or file.
• Redundancy Tests. Determine that an application processes each record only once.
• Access Tests. Ensure that the application prevents authorized users from unauthorized access to data.
• Audit Trail Tests. Ensure that the application creates an adequate audit trail. This test should verify that the system produces complete transaction listings, and generates error files and reports for all exceptions. Operating system audit trails and audit software (i.e., GAS) can detect excessive or unusual file activity.
• Rounding Error Tests. Verify the correctness of rounding procedures. Failure to properly account for this rounding difference can result in an imbalance between the total (control) interest amount and the sum of the individual interest calculations for each account. Rounding problems are particularly susceptible to so-called salami slicing, a criminal technique that tends to affect a large number of victims, but the harm to each is immaterial. Each victim only sees one of the small pieces and is usually unaware of being defrauded. In the case of the salami fraud, there would be thousands of entries into the computer criminal's personal account that may be detected using generalized audit software (GAS) or computer-aided auditing tools (CAATs).

C. Output Controls. Lastly, internal auditors should plan for an examination of output controls. Output controls are intended to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. These controls are much easier to audit than processing or input controls. The type of processing method in use influences the choice of controls employed to protect system output. Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems. The following is a list of some output control areas for which to plan and investigate:
♦ Batch systems output controls
♦ Output spooling controls (print spooler)
♦ Print program controls
♦ Bursting controls (if applicable)
♦ Waste controls
♦ Data control group control
♦ Report distribution controls
♦ End user controls
♦ Real-time systems output controls

Another key element to IS audits is the use of computer-assisted audit tools and techniques (CAATTs). The internal auditor should make an assessment of applicable tools and techniques for the specific unit and audit objectives. The following is a list of possible tools and techniques, but is not fully inclusive:
• Generalized audit software (GAS)
• Embedded audit modules (EAM)
• Generalized data input systems (GDIS)
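The logic tests listed above are the kind of thing generalized audit software runs over a posting file; the following is an added example written for this section, not code from the book, from any GAS product, or from Sam Pole Company. Two posting runs, an interest rate, and a control total are constructed inline. The first run carries the defects the completeness, redundancy, audit-trail, and accuracy tests look for; the second is clean except that the fractions truncated from every account's interest have been swept into one account, which is the rounding-error pattern the section describes. The rounding test recomputes each account's interest under the system's own rounding rule (truncation to the cent is assumed here) and reconciles both the expected and the posted figures to the control total.

```python
"""Application logic tests over constructed interest postings (added example)."""
from collections import Counter
from decimal import Decimal, ROUND_DOWN

PERIOD_RATE = Decimal("0.001")  # constructed: 0.1 % interest per period


def expected_interest(balance, rate=PERIOD_RATE):
    """Interest for the period, truncated to the cent (the assumed rounding rule)."""
    return (Decimal(balance) * rate).quantize(Decimal("0.01"), rounding=ROUND_DOWN)


def completeness_test(records, required=("acct", "balance", "posted")):
    """Accounts whose record is missing a required field."""
    return [r["acct"] for r in records if any(r.get(f) in (None, "") for f in required)]


def redundancy_test(records):
    """Accounts processed more than once in the run."""
    return sorted(a for a, n in Counter(r["acct"] for r in records).items() if n > 1)


def audit_trail_test(records):
    """Postings that carry no audit-trail identifier."""
    return [r["acct"] for r in records if not r.get("trail_id")]


def accuracy_test(records, tolerance=Decimal("0.01")):
    """Postings that differ from the recomputed interest by more than the tolerance."""
    return [r["acct"] for r in records if r.get("balance") is not None
            and abs(Decimal(r["posted"]) - expected_interest(r["balance"])) > tolerance]


def rounding_error_test(records, control_total):
    """Reconcile individual postings to the control total.

    Returns (rounding_difference, unexplained, absorbers):
      rounding_difference: control total minus the sum of correctly rounded
                           amounts; a legitimate figure that must be posted
                           to a rounding account, not to a customer;
      unexplained:         what was actually posted beyond the rounded amounts;
      absorbers:           accounts whose posting is not their own rounded interest.
    """
    complete = [r for r in records if r.get("balance") is not None]
    expected_sum = sum(expected_interest(r["balance"]) for r in complete)
    posted_sum = sum(Decimal(r["posted"]) for r in complete)
    absorbers = [r["acct"] for r in complete
                 if Decimal(r["posted"]) != expected_interest(r["balance"])]
    return Decimal(control_total) - expected_sum, posted_sum - expected_sum, absorbers


# Run 1 (constructed): data-quality defects of the kinds the tests target.
RUN_1 = [
    {"acct": "A-0001", "balance": "1234.56", "posted": "1.23",  "trail_id": "T1"},
    {"acct": "A-0002", "balance": None,      "posted": "2.50",  "trail_id": "T2"},  # missing balance
    {"acct": "A-0002", "balance": "2500.00", "posted": "2.50",  "trail_id": "T3"},  # processed twice
    {"acct": "A-0003", "balance": "987.65",  "posted": "0.98",  "trail_id": ""},    # no audit trail
    {"acct": "A-0004", "balance": "3210.10", "posted": "32.10", "trail_id": "T5"},  # decimal shift
]

# Run 2 (constructed): every account truncated correctly except A-0005, which
# received its own 4.56 plus the 0.02 of fractions truncated from the others.
RUN_2 = [
    {"acct": "A-0001", "balance": "1234.56", "posted": "1.23", "trail_id": "T1"},
    {"acct": "A-0002", "balance": "2500.00", "posted": "2.50", "trail_id": "T2"},
    {"acct": "A-0003", "balance": "987.65",  "posted": "0.98", "trail_id": "T3"},
    {"acct": "A-0004", "balance": "3210.10", "posted": "3.21", "trail_id": "T4"},
    {"acct": "A-0005", "balance": "4567.89", "posted": "4.58", "trail_id": "T5"},
]
CONTROL_TOTAL_RUN_2 = Decimal("12.50020")  # constructed: exact sum of balance * rate

if __name__ == "__main__":
    print("completeness:", completeness_test(RUN_1))
    print("redundancy:  ", redundancy_test(RUN_1))
    print("audit trail: ", audit_trail_test(RUN_1))
    print("accuracy:    ", accuracy_test(RUN_1))
    print("rounding:    ", rounding_error_test(RUN_2, CONTROL_TOTAL_RUN_2))
```

The point of the second run is that the postings balance to the cent against the control total, which is exactly why the pattern survives a simple footing; it is the per-account recomputation, not the total, that names the account absorbing the residue.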

i. E-Commerce Audits
Electronic commerce (e-commerce) has some special considerations beyond those identified in the IS audits section because the IS audit is typically conducted on the "back office" system. E-commerce is the "front end" system. The audit of e-commerce will focus on controls, security, access, and availability. The higher risks in e-commerce at the present are viruses, hackers and crackers, and activities intended to crash the system. A review should include the following applicable units or areas, although this list is not exhaustive:
• Unauthorized access [6]
• Firewalls [7]
• Intrusion detection
• Data encryption [8]
• Transaction and access logs
• Challenge-response activities
• Authentication methods [9]
• E-commerce protocols [10]
• Non-repudiation controls
• System availability, fail-safe controls
• Anti-virus protection
Some CAATs provide auditors the ability to probe for weaknesses—to play the devil's advocate on their own systems (e.g., SAINT). These tools are extremely beneficial in doing e-commerce audits.

j. International Audits
An international audit is a full-scope audit of a particular division or subsidiary. These are performed on a regular basis or on request. The scope of this type of audit includes a financial section, an operational section, an IS section, and a section addressing the unique characteristics of the location's customs and duties and governmental affairs. Depending on staff levels, distance and capabilities, international audits may be a good candidate for outsourcing.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 6.5 REV NO: DATE: TITLE: Time Reporting PAGES:

6.5 Time Reporting
Planning and budgeting are important procedures that should be performed as integral elements of every audit. Time records aid these functions because they provide cumulative data regarding the actual time spent accomplishing specific assignments on previous or similar engagements. As a result, the senior auditor can use this data, along with an evaluation of the procedures to be performed and the capabilities of the applicable personnel, in order to better estimate (budget) the time required for the current audit. Accurate budgeting of all audit activities throughout the year will summarize into a viable total from which to determine the number of auditors required. Time reporting provides the ability to monitor actual time spent on audits versus administrative and other lost productive time. Prompt time reporting enables the in-charge manager to effectively analyze how much time has been spent, how matters stand against the budget, and how much further time is required for completion. Other benefits of time reporting are:
• Providing the quantitative support necessary at the staff level.
• Supporting productivity.
• Adding to job control.
The following discussion is an explanation of a basic time reporting form as well as a listing of basic reports.

Form: Corporate Audit Time Report
A form is to be completed semimonthly and approved by the senior, supervising senior, or manager. A sample of this form is provided at the end of this section (Exhibit 6.4). Corporate Audit time reports are due semimonthly. To use the Corporate Audit Time Summary:
1. Complete the form in detail.
2. Be neat.
3. Record time accurately to within half hour.
4. Account for eight hours per day and 40 hours per week.
5. Task and audit type codes should be added as described below.
6. Each audit assignment should be given a number indicating the year and the audit number—beginning with 001, followed by 002, etc.

a. Auditor's Name/Employee Number
The auditor to whom the time report pertains should sign the time report. Each auditor should have been assigned an employee number for time reporting purposes.

b. Report for the Period Ending
The form is designed to be used for either the first through the fifteenth, or the sixteenth through the thirty-first of the month.

c. Job Number
Each assignment will have a specific job number. Job numbers assist in the identification and accumulation of time reported by several individuals on various jobs. If you are asked to perform a task, obtain the appropriate job number from your supervisor or get the number from the planning memo in the administrative binder for that job.

d. Audit Codes
Audit codes relate to the type of audit. A listing of these and task codes follows. (See Exhibit 6.3.)

Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes

Audit Type Codes
01 High-Level Review                      05 Contract Audit
02 Financial Audit                        06 Other Audit
03 Operational Audit                      99 Non-audit
04 IS Audit

Task Type Codes
01 Planning/Planning Memo                 40 Pre-implementation System Review
02 Audit Program/ICEG Development         41 Post-implementation System Review
03 Technical Research                     42 Systems—Operational
04 Supervision                            50 Contract Review
05 Review Workpapers                      51 Contract Procedures/Controls
06 Write Reports/Memos                    52 Contract Billing
07 General                                53 Investigation
08 Cash                                   54 Benefit Plans
09 A/R Confirmation                       55 Projects[a]
10 Inventories/Physical Observation       60 Quality Control
11 Supplies Inventory                     61 Performance Evaluation
12 Inventories—G/L                        62 Orientation
13 Other Assets                           63 Scheduling
14 Liabilities                            64 Interviewing/Recruiting
15 Revenue/Expense                        65 Education and Training Administration
16 Payroll                                66 Administrative—Other[a]
17 Revenue System—Cycle                   70 Staff Training—Internal
18 Expenditures System—Cycle              71 Conferences/Seminars
19 Payroll System—Cycle                   72 Education Course—CPE
20 Production System—Cycle                73 Professional Organization
21 Auditee Conferences                    74 Self Study
22 Permanent Files                        75 Time Report Input
23 System Files                           80 Sick
24 Travel—Work Time                       81 Personal
25 Travel—Other                           82 Vacation
30 Data Center Review                     83 Holiday

31 Applications Review                    84 Compensation
32 Production/Maintenance                 90 Administrative—Department[a]
33 Computer Program Changes               91 Peer Review
34 Conversions                            92 Status Reports
35 IS Operating System                    99 Other
[a] Details to be listed on back of time report.

e. Task Codes
Task codes should be used to detail the specific work performed. A listing of these codes follows. (See Exhibit 6.3.) Consult your supervisor or the job budget in the planning memo for the proper task code.

f. Productive Time
Record all time applicable to the job, with the appropriate task. Think of reporting time as though you were going to bill your time to the auditee. This record includes time spent working at the job site, in the office at night, in the motel, or at home. If an auditor is writing the report for job number 01-010 in the office, home, or motel, it would be chargeable to job number 01-010. But, if the same person were writing a policy statement that applies to office procedure and would affect the conduct of all jobs, not just one, then the hours would be charged to administrative. "Administrative" is defined as work that is beneficial to all jobs. One would normally expect very little staff time charged to the administrative category. As a general rule, all staff time should be charged to a job. Time charged to the administrative category must be explained on the back of the time report to avoid making it a catch-all task code. Remember, future projects will be understated if actual time spent on an audit is not recorded and remains hidden.

Record travel as work time only between the normal work hours of 8:00 A.M. to 5:00 P.M., Monday through Friday, or after a 40-hour week of flexible hours has been worked, or normal hours applicable to your organization. This travel time should be charged to the normal job number, audit code, and task 24. Travel time is defined as the time required to commute to the airport, from departure airport to destination airport, and the commute from destination airport to office. If you are traveling by automobile, it is that time you leave the home, office, or motel, until you arrive at your destination, job site, etc.

g. Nonproductive Time
Record travel time outside normal working hours of 8:00 A.M. and 5:00 P.M. Travel during non-work hours should be charged to the job number, audit code 99, and task 25. An example is to assume you left the job at 4:00 P.M., after you have spent seven hours on the audit at the job site. One hour should be recorded as productive time and the remainder of the time spent traveling should be recorded as nonproductive. Other nonproductive time—including vacation, holidays, sick leave, personal leave, training, and seminars—has specific task codes that are self-explanatory. All nonproductive charges go to job number 000, audit code 99. However, time spent filling out time reports, expense reports, etc., should be considered administrative.

h. Hours
Only total hours for the semimonthly period need to be recorded in the "hours" column. Hours should be reported to the half hour. The daily hours are accumulated on the right side of the sheet.

j. Summarizing Time
Each individual's time is entered into a time reporting application after it has been approved. Once all time sheets are input, the data is compiled into various reports by the application. The following reports should be considered:
• Report 10—Listing of employee names and numbers
• Report 20—Listing of job numbers and job names
• Report 30—Listing of audit numbers and names
• Report 40—Listing of task numbers and task names
• Report 50—Semimonthly input summarized by employee number within date
• Report 60—Listing of hours by job number, employee, and task
• Report 70—Listing of hours by employee, by job, and by task
• Report 80—Listing of hours by audit, by job, and task
• Report 90—Listing of total audit and non-audit hours by employee
• Report 100—Listing of non-audit hours by employee, by task
• Report 110—Listing of budgeted versus actual hours by job, by task
• Report 120—Listing of budget to actual hours for all jobs

Exhibit 6.4: Sample Corporate Audit Time Summary Form

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 6.6 REV NO: DATE: TITLE: Expense Reporting PAGES:

6.6 Expense Reporting
All approved expense reports should be submitted to the Audit Director. A copy should be retained for the department's records. This process will provide a means for reconciling the monthly Departmental Budget Progress Reports on a timely basis and will provide auditors with a record, if necessary.
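The rules in items a through h of Section 6.5 and the roll-ups in j above are simple enough to check mechanically, and a time reporting application that does so catches the cases the text warns about (travel charged as work time outside 8:00 A.M. to 5:00 P.M., nonproductive time charged to a real job, administrative time with no explanation). The following is an added example written for this section, not the book's form or Sam Pole's time system; the employee number, job numbers, budget, and entries are constructed, and the task code sets are a subset of Exhibit 6.3. Hours outside the eight-hour day (task 25, travel during non-work hours) are recorded in addition to the day, as the text's 4:00 P.M. example implies, so they are left out of the daily eight-hour check.

```python
"""Time report validation and summary reports (added example; constructed data)."""
from collections import defaultdict
from datetime import date, time

# Task codes from Exhibit 6.3 that the checks need (subset of the exhibit).
NONPRODUCTIVE_TASKS = {25, 80, 81, 82, 83, 84}    # job 000, audit code 99
ADMIN_TASKS = {66, 90}                            # marked [a]: details on back of report
VALID_TASKS = (set(range(1, 26)) | set(range(30, 36)) | set(range(40, 43))
               | set(range(50, 56)) | set(range(60, 67)) | set(range(70, 76))
               | set(range(80, 85)) | set(range(90, 93)) | {99})
WORK_START, WORK_END = time(8, 0), time(17, 0)


def validate_entries(entries):
    """Return (employee, day, message) findings for one period's entries."""
    findings = []
    per_day = defaultdict(float)
    for e in entries:
        emp, day, task, hours = e["employee"], e["date"], e["task"], e["hours"]
        if task != 25:                      # task 25 is recorded on top of the day
            per_day[(emp, day)] += hours
        if task not in VALID_TASKS:
            findings.append((emp, day, f"task code {task:02d} not in Exhibit 6.3"))
        if hours * 2 != int(hours * 2):
            findings.append((emp, day, f"{hours} h is not a half-hour increment"))
        if task in NONPRODUCTIVE_TASKS and (e["job"] != "000" or e["audit_code"] != 99):
            findings.append((emp, day, f"task {task:02d} must be charged to job 000, audit code 99"))
        if task == 24:
            s, t = e.get("start"), e.get("end")
            if day.weekday() >= 5 or s is None or t is None or s < WORK_START or t > WORK_END:
                findings.append((emp, day, "task 24 travel must fall within 8:00 A.M.-5:00 P.M., "
                                           "Monday through Friday; otherwise use task 25"))
        if task in ADMIN_TASKS and not e.get("explanation"):
            findings.append((emp, day, f"task {task:02d} administrative time needs an explanation"))
    for (emp, day), total in per_day.items():
        if day.weekday() < 5 and total != 8.0:
            findings.append((emp, day, f"{total} h recorded; eight hours per day expected"))
    return findings


def report_60(entries):
    """Report 60: hours by job number, employee, and task."""
    out = defaultdict(float)
    for e in entries:
        out[(e["job"], e["employee"], e["task"])] += e["hours"]
    return dict(out)


def report_120(entries, budgets):
    """Report 120: budget to actual hours for all jobs -> job: (budget, actual, variance)."""
    actual = defaultdict(float)
    for e in entries:
        actual[e["job"]] += e["hours"]
    return {job: (b, actual[job], actual[job] - b) for job, b in budgets.items()}


# Constructed entries for employee 102 on job 01-010; 2000-03-13 is a Monday.
ENTRIES = [
    {"employee": 102, "date": date(2000, 3, 13), "job": "01-010", "audit_code": 2, "task": 8, "hours": 7.0},
    {"employee": 102, "date": date(2000, 3, 13), "job": "01-010", "audit_code": 2, "task": 24, "hours": 1.0,
     "start": time(16, 0), "end": time(17, 0)},
    {"employee": 102, "date": date(2000, 3, 13), "job": "01-010", "audit_code": 2, "task": 25, "hours": 2.0},
    {"employee": 102, "date": date(2000, 3, 14), "job": "01-010", "audit_code": 2, "task": 9, "hours": 8.25},
    {"employee": 102, "date": date(2000, 3, 15), "job": "000", "audit_code": 99, "task": 90, "hours": 8.0},
]
BUDGETS = {"01-010": 24.0}  # constructed budget from the planning memo

if __name__ == "__main__":
    for emp, day, msg in validate_entries(ENTRIES):
        print(emp, day, msg)
    print(report_120(ENTRIES, BUDGETS))
```

On the constructed entries the validator reports the two hours of after-hours travel charged to the audit job instead of job 000, the 8.25-hour day that is neither a half-hour figure nor eight hours, and the administrative day with no explanation; Report 120 then shows the job 5.75 hours under its 24-hour budget so far.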

a. Travel Expenses
General guidelines for travel arrangements and travel expenses:
• Airfare. Flight arrangements should be made through the travel department in accordance with corporate policy.
• Lodging. Lodging arrangements are to be made through the travel department.
• Local Transportation. The decision of whether to lease a car or use cabs is to be discussed at the manager level or above. Car rental is to be arranged through the travel department.
• Mileage. Mileage expenses will be reimbursed at the current rate acceptable by the Internal Revenue Service.
• Meals. Reasonable meal expenses will be reimbursed.
• Telephone. Non-excessive expenses for personal calls will be reimbursed. Personal calls, however, should be limited to one per day.
• Advances. Expense advances are to be obtained through the accounting department and are to be approved by the manager level or above.
• Expense Report Settlements. Individual auditors are responsible for settling their own expense reports with the accounting department.
This list serves as only a general guideline, and exceptions will occur, but they are first to be approved by the manager level or above. Before leaving on a trip, however, any expected exceptions must be discussed at the manager or director level. When in doubt, general company guidelines apply; however, you will be asked to explain deviations.

Endnotes
1. "Best Practices for Audit Efficiency," Journal of Accountancy, September 2000 issue. Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.
2. Grant, C.T., C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41–43.
3. Some of the material in this section is from the following book: James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000. See Section 3.6 for more on IS audits.
4. This term refers to the approach where the auditor audits through the computer system rather than around it (i.e., black box).
5. James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
6. More than passwords, because secured access for e-commerce is usually multi-faceted. For example, multi-faceted access methods (e.g., an access ID and password, a firewall, intrusion detection system, call-back modems, a password and a PIN generated via pager, and another ID and password for access to applications or data).
7. Overlaps with unauthorized access and system availability.
8. Online and offline: almost all credit card theft over the Internet has been from files on the system, not from stealing them during transactions.
9. Digital signatures, digital certificates, and passwords combined for access control(s).
10. For example, SSL, SET, S-HTTP, etc.


Chapter 7: Audit Performance

Overview

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 7.1   REV NO:   DATE:   TITLE: Corporate Audit Performance Process Matrix   PAGES:

7.1 Corporate Audit Performance Process Matrix

This chapter presents a number of audit tasks and documents that are necessary for effective audits. The corporate audit performance matrix (Exhibit 7.1) summarizes the activities contained within our sample audit process. This sample process places a heavy emphasis on organization and implementation of all authorized department procedures. It is a structured program with a great deal of attention to planning, control over audit, and approach. It is through strict adherence to procedures performed by competent staff that good audit reports will result. They also are compatible with audit standards such as the Institute of Internal Auditors' (IIA's) Standards for the Professional Practice of Internal Auditing. [1]

The audit process begins with the notification of the auditee and concludes with the performance evaluation of each staff member on the project. The importance of structuring the audit process and following documented department procedures cannot be overemphasized.

Exhibit 7.1: Corporate Audit Performance Process Matrix

Engagement Memo—Notice to Auditee (Section 7.2)
  PURPOSE: Announce audit.
  TIMING: Approximately four weeks before audit.
  AUTHOR: Manager.  ADDRESSEE: Auditee.  COPIES: Workpapers.
  CONTENTS: Audit entity or location, audit scope, audit period, start date, end date, staffing.
  APPROVAL: None.

Planning Memo
  PURPOSE: Establish audit objective, scope, and approach.
  TIMING: Begin two weeks before audit.
  AUTHOR: Senior I.A.  ADDRESSEE: Manager.  COPIES: Workpapers.
  CONTENTS: Calendar of checkpoints, audit objective, scope, timing, significant audit areas/audit approach, budget hours detailed by area, staffing.
  APPROVAL: Manager.

Status Memo
  PURPOSE: Interim field report of significant findings/problems.
  TIMING: As required, based upon existing circumstances.
  AUTHOR: Senior I.A.  ADDRESSEE: Manager.  COPIES: Workpapers.
  CONTENTS: Outline of significant audit developments, timing problems, need to alter objective or scope, high-level budget/actual hours comparison.
  APPROVAL: None.

Tentative Audit Recommendations Worksheet
  PURPOSE: Document significant findings.
  TIMING: Promptly upon disclosure, before audit complete.
  AUTHOR: Auditor.  ADDRESSEE: Auditee.  COPIES: Workpapers.
  CONTENTS: Findings documentation, request response, status and disposition.
  APPROVAL: None.

Audit Report
  PURPOSE: Report of significant audit findings.
  TIMING: Upon completion of field work.
  AUTHOR: Senior/Manager.  ADDRESSEE: Unit Head.  COPIES: Unit Controller, others.
  CONTENTS: ID of au transmi Audit C highligh audited scope o auditors conclus detailed comme recomm (for ma only)
  APPROVAL: Senior Manager.

Distribution Worksheet
  PURPOSE: Track report preparation and issuance.
  TIMING: Before or at beginning of audit; one week after report is issued.
  AUTHOR: Manager.  ADDRESSEE: None.  COPIES: None.
  CONTENTS: Distribution of copies.
  APPROVAL: None.

The example included in this manual requires the audit team to formally notify the auditee and develop a detailed audit plan and budget. The purpose of the detailed plan is to ensure that the objectives of the audit are the most appropriate for the circumstances. Given the limitation of time for each audit, the scope and objectives should be seriously considered not only by field staff auditors, but also by the audit management. This process is institutionalized through the development of a proper audit planning document. With budgets in place, some of the management and auditee doubts are mitigated. The budget will help guide the staff to put their time into the proper areas. It will also assist audit management in explaining why audits have taken more or less time than originally planned. Budgets also help refine the long-term planning process and provide improved credibility for the audit function. One must always keep in mind that it is very difficult to measure audit productivity.

a. Assignment Log and Checklist

At the commencement of an audit assignment, a number is given to the audit project. The number consists of two digits for the year and a three-digit number designating the particular engagement. One of the first steps in the audit performance process is to initiate an assignment checklist (see Exhibit 7.2). This checklist is a guide to ensure that all critical elements of the audit performance process are completed. The checklist is used as an overall control form and should be the first paper seen on the top of a workpaper binder set.

Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist

Audit #01-nnn
Company: _______________________________________________
Location: ________________________________________________
Assignment: ______________________________________________
Date: __________________________________________________

                                                         Date
1. Notice to Auditee                                     ___/___/___
2. Planning Memo                                         ___/___/___
3. Field Work
   • Preaudit Conference                                 ___/___/___
   • Begun                                               ___/___/___
   • Status Memo                                         ___/___/___
   • Completed                                           ___/___/___
4. Closing Conference                                    ___/___/___
5. Senior Finalization of workpapers                     ___/___/___
6. Manager review (two days before outside deadlines)    ___/___/___
7. Audit Report draft                                    ___/___/___
8. Summary Memo                                          ___/___/___
9. Audit Report issued                                   ___/___/___
10. Performance Evaluations
    Name                                 Completed by    Date
    Supervising: ________________________________________ ___/___/___
    In Charge: __________________________________________ ___/___/___
    Assistant: ___________________________________________ ___/___/___

i. Audit Performance Process Log

In order to maintain control over all audit assignments, a log is kept by the department administrator. The log consists of a column to the left indicating the year and audit number. These are followed by columns to the right indicating the status of the audit and the beginning of the report initiation and completion process.

b. Notice to Auditee

i. Description of Notice to Auditee

As discussed in Corporate Audit Performance Process Matrix in our example, we have opted to notify auditees in advance of audits. Some audit departments do not notify auditees because they can improve or address areas that may come under audit procedures. If the notice of audit provides the impetus for the auditee department to improve, that result is accomplishing the spirit of the audit mission. In general, it is more appropriate to notify the auditee that an audit will take place. This notification allows for a more orderly project. In some cases, this approach may not be appropriate. For instance, petty cash counts are usually performed on a surprise basis. What follows in Exhibit 7.3 is a sample notice to the auditee. The manual should contain a sample so that there is a consistency within the audit function and between all audits.

Exhibit 7.3: Sample Notice to Auditee

September 10, 200x

Mr. Newley A. Jones
Sam Pole Company
2010 Main Street
Anytown, USA

Dear Mr. Jones:

In accordance with our audit plan, we have scheduled an audit during the period from September 1 through September 9, 200x. A full financial audit will be conducted, including the evaluation of internal controls and tests of transactions supporting related account balances as well as verification of physical inventory valuations and circulation of customer accounts receivable balances. It will be performed under the supervision of Mr. Justin Tyme, who will arrive in the office on September 1st. Please contact me if you have any questions related to our visit or if you have areas of concern that you may wish to have reviewed.

Very truly yours,

E. Pointed
Audit Manager

c. Preliminary Survey

i. Purpose

The purpose of a preliminary survey is to
• Gain a basic understanding of the entity to be audited, especially related to risk assessment
• Begin the planning process

These purposes relate to Generally Accepted Auditing Standards and IIA Standards. The following standards apply to the practical aspects of the audit planning process including: adequate skills, adequate resources, the underlying role of risk assessment, and the nature of the work.

• Attribute Standard No. 1210 (Proficiency). Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
• Attribute Standard No. 1210.A1. The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
• Performance Standard No. 2010 (Planning). The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. (Note: Subsection A1 further states that a "risk assessment should be undertaken at least annually.")
• Performance Standard No. 2030 (Resource Management). The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
• Performance Standard No. 2100 (Nature of Work). The internal audit activity evaluates and contributes to the improvement of risk management, control and governance systems.

ii. Progression of and Procedures for Preliminary Survey

To perform an audit in accordance with Generally Accepted Auditing Standards and IIA's Standards, a properly conducted preliminary survey is required. The comprehensiveness of the survey depends on the scope of audit. For example, if the audit is limited in scope, then the survey will be limited. Auditors should obtain background information about the activities to be audited. This process is accomplished by performing, as appropriate, an on-site survey to become familiar with risks, and activities and controls to be audited, to identify areas for audit emphasis, and to invite comments and suggestions.

Review the scope of the pending audit. A memo should be prepared discussing:
• Purpose of the engagement
• Nature of the final report, if any
• Timing of the engagement
• Auditee contacts

Arrange a preliminary meeting with management. The purposes of this meeting are to:
• Meet management and inform them of the objectives of the survey
• Arrange for working space
• Prepare preliminary time tables
• Gain the confidence of location management
• Gain an understanding of management's objectives
• Gain understanding of problems as perceived by local management
• Gain understanding to determine if a new risk assessment needs to be undertaken

Write a memo documenting the preliminary meeting with management. The following information should be included in the memo:
• Time, date, and participation (who was there)
• Summary of topics discussed
• Potential problem areas noted
• Potential conflicts
• Office policies peculiar to that location

After a memo is prepared documenting the preliminary meeting with management, the fieldwork portion of the survey is ready to begin. Complete preliminary survey field procedures. The field survey procedures for a full scope audit are:

• Through interview, observation, and documentation, gain an understanding of the following characteristics of the entity:
  ♦ Brief history of entity
  ♦ Size of entity
  ♦ Products produced
  ♦ Process flow
  ♦ Principal customers
  ♦ Principal supplies
  ♦ Current trends
  The understanding should be documented in memorandum form. The purpose is to provide the reader with an overall understanding of the entity as it relates to Sam Pole Company.

• Perform a cursory review of the accounting system by obtaining and preparing the appropriate documents and memoranda:
  ♦ Obtain an organizational chart
  ♦ Determine the extent of information system (IS) and information technology (IT) usage
  ♦ Briefly describe the following systems. Note the volume of transactions and the apparent control points and control weaknesses:
    ◊ Purchasing, accounts payable, and cash disbursements
    ◊ Order entry, sales, accounts receivable, and cash receipts
    ◊ Product inventory, aging and obsolescence review procedures
    ◊ Supply inventory system
    ◊ Cost accounting system
    ◊ Environmental accounting system (if applicable)
    ◊ Fixed assets and depreciation
    ◊ General ledger system
  The following questions should be answered for each system:
    • What is the job?
    • Who does it?
    • Why is it done?
    • How is it done?
    • Where is it done?
    • When is it done?
    • How is it monitored?
    • How much does it cost?
  Overview systems flowcharts may be prepared for any of the accounting systems if they enhance the understanding. Prepare a schedule of all significant books of original entry and transaction registers (for computer systems, master files). Prepare a schedule of primary management reports.

• In connection with the review of the accounting system, the following documents should be identified, if available:
  ♦ Internal accounting procedures and practice manuals
  ♦ Governmental regulatory reports
  ♦ Prior audit reports, both internal and external
  ♦ Authoritative accounting publications related to the industry
  ♦ Industry standards

• Perform a risk analysis: Professional practice standards (see "Purpose") require the auditor to exercise due professional care. Due professional care is not intended to mean that the auditor is infallible or that extraordinary performance is to be expected. But it does require that reasonable care be taken. In order to exercise due professional care, the auditor must be aware of potential risks. A risk can be defined as an exposure to loss or to less than the maximization of efficiency resulting from the lack of internal controls. Common risks include:
    ◊ Inadequate controls
    ◊ Inadequate planning and organizing
    ◊ Inadequate directing and controlling
  Perhaps the easiest and most expedient means to detect common risks is a cursory internal control review using standard internal control questionnaires. These questionnaires will contain questions that point out unique risks for each system under review. An analysis of answers to the forms will aid the auditor in determining: (1) if the nature of the weakness is confined to a single system, and (2) if the nature of the weakness is pervasive throughout the entire organization. For example, if auditors note a lack of segregation of duties of cash, they should determine whether it is unique to cash or pervasive throughout the whole system of internal control. If the weaknesses are confined only to cash, then the problem would be one of inadequate directing and controlling. If the weaknesses are pervasive throughout the whole system, then the problem would be one of inadequate planning and organizing.

  Collation of risks—To assess the effectiveness of internal controls, it is necessary to relate risks to exposure, to controls, to planned audit effort, and then to the eventual results of the audit procedures. A suggested format is to schedule the above on work-papers that will be used during the actual performance of the audit. To write an effective audit plan, it will be necessary to identify, relate, and evaluate the risks.

  Evaluation of risks—Evaluation of risks consists of the auditor's evaluation of the exposure resulting from the lack of functioning of an internal control over the particular risk. It consists of the auditor's answers to the question, "What is the maximum exposure to the corporation if this particular internal control is not functioning effectively?" In answering the question, the auditor must consider any compensating controls that may be in existence.

d. Planning Memo

i. Purpose

The planning memo outlines the manner in which the department audit plan is to be implemented for a specific audit, special assignment, or other activity. Planning represents an extremely important aspect of auditing and is required by the IIA and the American Institute of Certified Public Accountants' (AICPA) Statement on Auditing Standards of Field Work No. 1. Before each assignment, a planning memo is required to establish coordination between internal audit staff and management. This document will ensure that the objectives and scheduling of the audit are being communicated and understood by all involved. Properly implemented, it ensures that the more experienced auditors (management) consider scope and procedures prior to implementation.

ii. Objective

The planning memo serves several purposes, namely, to document audit objectives, to describe significant audit procedures, engagement timing and personnel assigned. A copy is also included in the workpapers. Establishing objectives encourages an orderly work process and concentration of the audit effort toward a predefined goal. If the objective is to state an opinion on the adequacy of a certain system, we must plan for the objective to direct our efforts toward that end result.

iii. Procedure

Planning memos are to be typed on interoffice stationery and addressed to the Director of Auditing. The planning memo should be completed far enough in advance of an assignment for manager review and approval. Only in unusual circumstances will the planning memo be accepted after the audit has been started. Prior to preparing the memo, the senior auditor, if circumstances warrant, may have to visit the audit site to conduct a preliminary survey to obtain sufficient information to complete the planning memo. If, after the audit begins, conditions change affecting the initial planning memo, an addendum should be written and forwarded to the manager, even if previous approval has been obtained. The addendum should explain and document the reason for the changes.

iv. Format

The format designed to be used consistently for a planning memo is shown in Exhibit 7.4. A brief explanation for each section follows:

• Introduction—The first brief paragraph outlines what was stated in the "Notice to Auditee" (see "Corporate Audit Performance Process Matrix"). It should contain the name and location of the entity to be audited, a brief description of the type of audit, and the audit date(s).
• Background—Background information is necessary in order to give the reader a description of the entity or area to be audited. It does not need to be long or detailed, but should contain the entity name, location, auditee background information, and financial highlights. Facts that are unusual or pertinent should be identified. Examples include situations where the controller is new, the location is known to have had internal control problems in the past, sales have fallen off heavily, or operating costs have increased substantially.
• Financial Highlights—The financial highlights section includes a summary of major account balances. Comparative figures for two corresponding periods should be included. Accounts outlined in the objective section are also included in order to bring these accounts to the attention of the reader.
• Objective—The deliverable product of an assignment requires a conclusion that will provide management with either assurances or reasons for action concerning, for example, internal controls, account balances, various functions or operational procedures, etc.
• Scope—Once the objective is documented, the planning memo then logically leads into the scope section. Consideration should be directed toward potential high-risk and material areas. If the objective is to state an opinion on the adequacy of a certain system, then the scope will explain compliance, and procedures or description of operations, and the substantive testing necessary to arrive at an opinion.
• Significant Audit Areas/Audit Approach—This section identifies and outlines the more significant areas mentioned in the scope section. It also states the audit approach to be used in these areas. Areas of emphasis should be defined along with significant audit steps and procedures. This method will assist all parties in understanding the areas of concern and how these areas are to be audited.

• Budget—The audit budget is a compromise between what audit management would like to accomplish and that for which it can effectively allow time in meeting the overall department objectives. Normally, total hours will be estimated in a three-year plan. An appraisal is made of the objective and scope of work to be performed and the number of hours to complete each area of the assignments. The hours for each area should agree with total budgeted hours. Planning in this area is necessary to ensure that the fieldwork will be completed within the audit budget.
• Staff and Timing—This section lists the staff assigned to the audit, their job level, and the dates assigned to the audit.

Exhibit 7.4: Sample Planning Memo

Date: October 20, 200x
From: Senior
To: Manager
Subject: Planning Memo—Sam Pole's Best Ozone Paint Manufacturing Facility

Field work for the manufacturing facility interim audit will begin on Monday, October 26, 200x, and will be completed on Friday, November 20, 200x. A year-end audit will also be performed by the internal audit department in January 200x.

Background

Sam Pole's Best Ozone Paint—located in Anytown, AZ, USA—is a key location for the company's ozone paint manufacturing. It joined the company in 200x and experienced several startup problems.

Financial Highlights

For the six months ended June 30 ($000's omitted)

Balance Sheet                    200x       200x
Inventories                   $ 4,000    $ 5,000
Other Current Assets              100        300
Total Current Assets            4,100      5,300
Net Fixed Assets               13,000     15,000
Total Assets                  $17,100    $20,300
Total Liabilities              12,000     14,300
Equity                          5,100      6,000
Net Liabilities and Equity    $17,100    $20,300

Income Statement                 200x       200x
Net Sales                     $24,000    $35,000
Cost of Sales                  18,800     23,500
Gross Profit                    5,200     11,500
SG&A                            3,000      4,000
Net Income Before Taxes       $ 2,200    $ 7,500

Objective

The interim audit will be conducted to determine the adequacy of internal accounting controls (through a review of accounting systems and a test of transactions) as a basis for the formulation of year-end balances. A year-end review will also be conducted to determine the validity of accounting data that will be included in your company's consolidated general ledger trial balance as of December 31, 200x.

Scope—Interim

The interim audit as of September 30, 200x, will include a financial audit. The audit will include the documentation, review, and detail compliance testing of existing key internal accounting controls in significant financial areas as of September 30, 200x. Emphasis will be on inventory, accounts payable, sales billing, and payroll. A review of the August 31, 200x, trial balance, physical inventory compilation and a follow-up of previous audit comments will also be conducted. A variation analysis will be performed of all accounts with significant changes in comparison with the 200x year-end balance.

Significant Audit Areas/Audit Approach

Inventory—Inventory is considered to be the most significant area at Sam Pole's Best Ozone Paint manufacturing facility. Our audit procedures will include observation of the physical inventory, testing of the inventory compilation, testing of cutoff, testing of the system of internal controls, and testing of the roll forward from the physical to September 30, 200x.

Payables—Payables are significant because of the amount of volume and its interrelationship with inventory. Our procedures will include flowcharting and testing of the system, vouching of selected accounts, reviewing and preparing reconciliations of vendor statements and examining subsequent payments.

Other Balance Sheet Accounts—Our approach to auditing these accounts will be to perform an analytical review to compare current-year balances to prior-year and accounting for all significant changes. Substantive audit procedures will be used on all material balances.

Other Areas

Other areas that will be given emphasis in the current audit include:
• Analysis of repair and maintenance accounts
• Analysis of all outside service accounts
• Review of controls over customer returns

Staff and Timing

The audit will be conducted by both the Internal Audit Manager and J. Smith, a new audit senior. Field work will begin on October 26 and will last for two weeks.

Budget (in Hours)

Planning                                          8
Supervision                                      10
General Meetings, tours, etc.                     6
Analytical review                                 4
Flowcharting and review of systems controls:
  • Inventory ledger                             12
  • Purchasing/Accounts Payable                   8
  • Payroll                                       8
  • Sales/Billing                                10
Cycle Tests
  Trial Balance                                   3
  Cash                                            2
  Accounts Receivable                             4
  Inventory                                      20
  Fixed Assets                                    6
  Other Assets                                    3
  Accounts Payable                                6
  Accruals                                        4
  Income and Expense                              6
Internal Control:
  • Questionnaire Review                          4
Travel                                            4
Finalization of W/P                               8
Report                                           16
TOTAL:                                          152

e. Audit Status Report

The purpose of a status report is to provide audit management with a progress report of the assignment. Communication keeps the manager aware of current situations and assists in the decision making on that assignment as well as scheduling other audits. It also provides documentation, in our project control file, describing significant findings, audit scope changes and rationale, staffing (increase or decrease), the estimate of time of completion, and other situations affecting the audit. This information documents and enables the manager to make a decision on additional scope changes, staffing, and staff schedule changes.

The in-charge auditor has the responsibility for the status report. On assignments scheduled for more than four weeks, a status report is required, as required in our corporate audit performance process. A typical report would outline significant findings, work completed, the status of the work completed, and an estimate of time to complete the assignment. A formal status report is not usually required for a short period assignment. In some instances, an informal report can be phoned into the manager. However, due to the importance of the matter, the manager will issue a memo to the Director of Auditing.

f. Developing Audit Recommendations

An audit recommendation is a condition that, in the auditor's judgment, requires change or action and is of sufficient magnitude to warrant the attention of management. Discovery of an exception is the starting point in developing a recommendation. When an exception is revealed during audit testing, development of a recommendation may require a series of expanded audit tests, research, and communication. The ability to express the results of an audit in well-written audit recommendations is a measure of assurance that management will take appropriate action and one of the principal bases on which audit performance will be judged. Each auditor must assume individual responsibility for improving proficiency in this respect. In preparing an audit recommendation, the auditor should be continuously conscious of how it will be perceived by the reader.

A. General Characteristics

1. The problem or situation as it exists must be fully defined and explained.
2. Some criteria regarding the performance of the activity must be established based on authority, generally accepted principles, or reasonableness.
3. It is necessary to look at the effect and significance of the problem. Efforts should be made to obtain quantification in the gathering of measures of effect.
4. Reasonable logic is important.

B. Basic Criteria

Some basic criteria for effective writing that should be observed in the preparation of audit recommendations are:

1. Accuracy. Recommendations in audit reports must be verified thoroughly so that there are no factual errors. The auditor should be careful not to use data that could be misleading. Provide support to all information in recommendations.
2. Objectivity. Present relevant comments and reviews of the issues being discussed, even if it indicates disagreement with the auditor's position. Clearly identify opinions, especially if they concern significant matters.
3. Clarity. Clarity should be interpreted as requiring that every statement cannot only be understood, but that it cannot reasonably be misunderstood. If you use abbreviations, spell out their meaning when they first appear. If you refer to a form number, state its name or subject somewhere in the report.
4. Readability. To the extent possible, write in simple, non-technical, clear language.
5. Be concise. Avoid wordiness and inclusion of extraneous matter.
6. Be tactful. Avoid disagreeable or inflammatory tone, ridicule, sarcasm, or oratory. Try to foresee the reader's reactions to certain words or phrases.
7. Write constructively. Stress the need for improvements in the future rather than focusing on deficiencies in the past.
8. Do not be evasive. If you have something to say and can support it, then say it. Do not rely on inferences and implications.
9. Do not generalize by simply saying that a practice "weakens controls." Specify how it weakens controls.
10. Evaluate the significance of what you are reporting.
11. Include all significant, relevant information. Adequate background information should be provided so that the reader can grasp the significance of the situation being reported.
12. The use of correct grammar and proper punctuation is an imperative for well-written recommendations.

C. Development Process

The following steps should be followed in order to provide for systematic development of a recommendation after an exception is revealed:

1. The problem or situation as it exists must be fully defined and explained.
2. The criteria or standards for an activity should be re-evaluated as to applicability and adequacy at this point in the development of the recommendation.
3. Through further testing and gathering of data, the extent of a problem and its importance must be determined. A recommendation is not required in an audit report when the effect is minimal. If the effect is minimal, this condition is the auditor's notice to discuss the problem with the operating level of management.
4. If, in the auditor's opinion, the effect is significant, the auditor should discuss the situation with responsible management. Based on the outcome of this discussion with the auditee, the auditor should proceed with the development of the recommendation.
5. The auditor must seek to find out, through expanded testing and gathering of data, what caused the problem or situation. If an actual cause of the condition is revealed, the auditor will be guided as to the statement of action that should be made for correcting the condition. If the actual cause of the problem cannot be disclosed through expanded testing and gathering of data, you have an incomplete recommendation and can offer management only a correction of the existing problem. You cannot provide a statement of action that will give assurance that a situation will not recur.
6. A discussion with the responsible management as to the problem, the criteria, the effect, and the cause should be held to obtain their comments in order to further substantiate the accuracy of the developed recommendation. In this discussion, the auditor should seek to obtain a response as to what would improve the condition or situation.

D. Developing Recommendation Data

1. Statement of Condition. In this section, the auditor should state the circumstances surrounding the recommendation. In a logical sequence, present the facts and specific illustrations describing the condition. Each statement of condition must contain sufficient qualitative and quantitative information to fully support the conclusions or main point. The statement of condition should be brief, summarized, but not to the point where completeness is sacrificed.

2. Criteria. The criteria represent the standards against which the auditor is measuring a questionable condition or practice. The criteria applied may vary; however, the auditor should concentrate on the criteria that are important to the objective of the audit. If criteria are not already set forth in writing, the auditor may have to obtain information that will serve as evidence of criteria. Some examples of criteria are:
   a. Written requirements (laws, regulations, directives, instructions, manuals, etc.)
   b. Independent opinion of experts outside the organization
   c. Prudent business practice
   d. Verbal instruction
   e. Managerial expertise
   f. Unwritten overall objectives as explained by management officials
   g. Common sense
   Published criteria may be directly quoted, summarized, or paraphrased. If common-sense subjective judgment is to be used as a criterion, it should be both logical and convincing to the reader.

3. Effect. Effect is the actual or potential adverse impact, in dollars or other terms, which has resulted or can result from the condition being questioned. If the auditor does not present information on the actual or potential adverse effect, the reader might assume that the apparent lack of concern means that the recommendation is not very important. If the effect is not significant, the recommendation should not be included in the report. Some examples of effect are:
   a. Uneconomical or inefficient use of resources (time, money, labor)
   b. Loss of potential income
   c. Violation of law
   d. Funds spent improperly
   e. Information or records that are meaningless or inaccurate
   f. Ineffectiveness, the job not being accomplished as well as it could be or as intended
   g. Inadequate control or loss of control over resources or actions
   h. Lack of assurance that the job is being done properly
   i. Lack of assurance that objectives are being met

4. Cause. The cause is the underlying reason why questionable behavior or condition occurs. Frequently, this step is the most difficult one in the development of an audit recommendation. Simply stating that the problem or adverse condition exists because someone did not comply with company policy is not very meaningful. Instead, the statement of action should be directed at the correction of the cause, or at least to one or more causes that will put the recommendation in perspective. Some examples of cause are:
   a. Lack of training
   b. Lack of communications
   c. Unfamiliarity with requirements
   d. Negligence or carelessness
   e. Guidelines or standards (criteria) are inadequate or not provided
   f. Lack of effective or sufficient supervision
   g. Conscious decision or instruction to deviate from requirements (for any of a variety of reasons)
   h. Lack of resources (funds or staff)
   i. Lack of planning
   j. Dishonesty or personal gain
   k. Faulty or ineffective organizational arrangement
   l. Unwillingness to change

5. Statements of Action. As a minimum effort, each recommendation will result in one or more statements of action. This sensitive, and usually highly judgmental, specific statement of corrective action should be presented as a logical sequence to the related statement of conditions. Present statements of action that are as specific, realistic, and as helpful as possible and related directly to the cause of the weakness or deficiency. State what action will provide a meaningful solution to the problems. Direct the statements of action toward the audited organization and to the specific persons, by title, in the body of the recommendation, who have responsibility and authority to take corrective action. Also, words such as "immediately" or "expedite" should not be used unless the nature of the problem is so serious that such language seems particularly appropriate. The expression "for consideration" should not be used in presenting statements of
report. Do not include statements of action on which adequate action has been taken before the report is issued. Failure to use good judgment or common sense i. one that is sufficiently detailed or specific enough to enable the recipient of the recommendation to correct the conditions. Generally." That is." or "procedures be established. It is necessary to get as close to the real cause of the problem as possible. Experience indicates a great receptivity to constructive audit statements of action. or delegations of authority 5. the auditor should have explored the situation thoroughly enough to be able to generate what is termed a "first-level statement of action. what action has been taken to correct the situation and only present additional statements of recommended action as warranted." "controls be strengthened. d. Caution should be exercised not to create an issue larger than facts actually warrant." "without delay. or impractical f. Some basic guidelines for developing statements of action are: a. this approach usually confines the auditor to the rather superficial statement of action to "comply with company policy. or lack of supervisory review k. and not simply recommend that "regulations be complied with." "as soon as possible. Avoid the use of extreme language in making statements of action. obsolete. Statement of Action. make the recommendation convincing and lead to a sensitive. area requires the most penetrating efforts and insights of the auditor.

. Strengths and weaknesses can be reconciled to improve the quality of the Chapter 7: Audit Performance 15 . more factual audit recommendations because the material is fresh on the auditor's mind—preferable to writing the recommendation later in time (i. thoughts. i. Generally. all statements of action are "for consideration. valuable research and input can be obtained before the closing conference.Chapter 7: Audit Performance 15 action.5: Recommendation Worksheet Example Audit Job No. Exhibit 7.5 for an example of a worksheet format). If recommendations are neat and well written at the time of discovery and copies given to the auditee. Material. A copy should then be given to the auditee. The statement of action should follow logically from what is presented in the recommendation." g. Since the Audit Department is a staff function and its service advisory.______ Recommendation No. Recommendation Worksheet A form should be created for the purpose of writing up the recommendations as they are initially discovered (see Exhibit 7. 1. 2. The procedure lends itself to better written.______ Auditee ______ Audit Date ______ Statement of Condition: (What is) _________________________________ Criteria: (What it should be) ______________________________________ Effect: (So what?) 
_______________________________________________ Cause: (Reason for deviation)______________________________________ Statement of Action: ____________________________________________ Present Status: ________________________________________________ • Recommendation corrected during audit____________________________ • Auditee agreed with recommendation______________________________ • Detailed support for adjustment/correction provided to auditee ____________ • In process of implementing ________________________________________ • Auditee disagrees with recommendation/comment ______________________ Preparer signature: ____________________________ Senior Auditor signature: _______________________ Provide a copy of this completed form to auditee ASAP/Use form for the Closing Conference. or information that were not developed in the body of the recommendation should not be introduced in the statement of action. at the end of the audit). This makes the closing conference more productive as both sides are knowledgeable on the subject. There are many good reasons for following this procedure.______ Workpaper Ref.e. the auditee is blindsided at the closing conference if recommendations have not been previously presented.

A discussion item is also an exception that may be material.—Corporate Audit Job Number • CAR No. precise write-up of recommendations. The auditee is required to submit a written response to the recommendations. Cause (reason for deviation) Present Status—A space provided for comments by the auditee to elaborate on original intentions or reaction to the audit recommendation. 5.16 Chapter 7: Audit Performance recommendations. and not on a daily basis." Corporate Audit Department Procedures Manual NO: 7. If the recommendation has been resolved by the auditee during the audit. once a week. Statement of condition (what is) B. 4. the auditee is not required to respond to the discussion item. as examples. The Corporate Audit Recommendation Number is the sequenced number of the recommendation developed as the audit work progresses. Criteria (what it should be) C." or Standards for the Professional Practice of Internal Auditing. ii. The interim communication also gives the auditor a written workpaper document to use in discussing recommendations at the closing conference. For example: • CAJ No. Therefore. Once written recommendations are resolved to the degree possible. but is not controlled by the auditee. it is much more agreeable to the auditee if only mention is made summarizing items corrected during the audit. this new version became effective for auditors and 16 Chapter 7: Audit Performance SAM POLE COMPANY . The Corporate Audit Recommendation Number is to be used as a control point. Recommendation/Facts—Remembering that a statement of action is a call for action by management and must be written on that basis. accounts payable. Form Format The form is designed to be as functional as possible. At the end of 2001. Tentative recommendations should be provided to the auditee periodically. which are controllable by the auditee. Recommendation/Discussion Item—A recommendation is a material exception to corporate policy. 
the facts follow the attributes of a recommendation: A. Effect (so what?) D.—Corporate Audit Recommendation Number Corporate Audit Job Numbers will be standardized and assigned by the audit division offices. but it is limited in space to encourage factual. 3. procedures. Subject—Identify the subject area where the exception occurred as payroll. corrections should be made and submitted for typing the final report. 6. Why take many recommendations to the closing conference when a "climate for change" can be initiated during the course of the audit? Too many recommendations presented at one time tends to make the auditee nervous and worrisome about how the report is going to look to others.2 REV NO: DATE: TITLE: Workpapers PAGES: [1]The Institute of Internal Auditors officially revised the "Red Book. It may only be necessary to check one of the preprinted comments such as "Recommendation Implemented During Audit. Audit—Write the name of the branch or location in the space provided to facilitate audit identification.

SAM POLE COMPANY, Corporate Audit Department Procedures Manual, NO: 7.2, TITLE: Workpapers

7.2 Workpapers

Workpapers serve mainly to aid the auditor in conducting work and provide important support for the auditor's opinion. Such language as "Workpapers are a record . . . of tests and procedures" and "Workpapers . . . may include work programs, analysis memoranda, abstracts of company documents, schedules, confirmations, letters of representation, and commentaries prepared by the auditor" is from Statement of Auditing Standards (SAS) No. 1, Section 338. Other comments, such as "Workpapers should fit the circumstances and the auditor's needs on the engagement to which they apply," further attempt to describe workpapers and some of their contents. Although SASs are written for public accountants, these comments are also applicable to internal auditors. For external auditors to rely on our workpapers, internal auditors must produce documents of the same quality. Accordingly, it is imperative that standards of compliance be established to help ensure quality workpapers.

Before preparation, give consideration to the objectives for creating your workpapers. Only information supporting your objectives should be included. Envision how the workpaper will look after it is completed. Does it appear logically organized, relevant, and neat, without half erasures and with figures and comments not crowded together? Is it complete, without loose ends that need to be addressed? A second thought, and one that should be seriously considered, is that the IRS can and has subpoenaed internal auditors' workpapers into court. The question is, would you be embarrassed if your workpaper was made a document of the court? What if the court made an enlargement of your workpaper and it was displayed on a screen for all to see?

Other factors to consider in developing workpapers are:

• Control
• Retention
• Headings
• Permanent files: contents and format
• Current files: contents and format
• General organization
• Detailed workpaper section organization
• Indexing and cross referencing
• Referencing
• Standard tick marks

a. Control

For Corporate Audit purposes, workpapers are confidential documents used to support our conclusions. In order to maintain our independence and protect confidentiality, workpapers should be retained in a controlled, orderly fashion. That is, they should not be left lying around the work area or left out in the auditee's office where they can be seen, handled, or misplaced by auditee employees. Audit bags containing workpapers must be locked if left overnight at the auditee's office. In the office, workpapers should be filed in secured cabinets. During work hours, care should be exercised to ensure that visitors do not inadvertently observe confidential information lying on desks. Prior to leaving the office, workpapers should be secured in locked cabinets or desks. Electronic workpapers are held to the same standard: keep them on access-controlled storage rather than on shared drives or unencrypted portable devices.

b. Retention

The retention period for both workpapers and reports is five years. If an exception arises in which the retention period is to be extended beyond this period, a notation indicating the destruction date should be boldly printed on the outside cover of the workpaper binder or on the face of the report.

c. Headings

In order to standardize Corporate Audit workpaper headings, the following information should be used for all workpapers:

Description on Workpapers                       Location on Workpapers
Name of auditee and location                    Top-Center
As-of date of audit                             Top-Center
Identification of workpaper                     Top-Center
Initials of auditor performing the work         Bottom-Right (area provided)
Initials of in-charge senior manager            Bottom-Right
Workpaper index (red pencil only)               Bottom-Right (area provided)

WORKPAPER "DOS" AND "DON'TS"

Do

1. Head every workpaper (see headings above).
2. Initial and date each workpaper (the printed version if using a computer).
3. Identify the source of information on each workpaper: reference books or books of original entry, voucher numbers, conversations with employees, and so forth.
4. Indicate clearly the extent of tests made.
5. Indicate the name of the employee performing the task.
6. When referring to auditee employees, spell their names and titles completely and correctly.
7. Distinguish between fact and opinion, using care to differentiate among facts, opinions, and explanation.
8. Write your opinions and conclusions.
9. Be accurate; be sure amounts are accurate and footings are correct. If using a computer, double-check all formulas. It is recommended that the auditor print out the worksheet formulas and audit them before relying upon them.
10. If done by hand, be neat, write legibly, keep figures in proper columns, use a ruler, and use a single line for subtotals and a double line for totals. If done by computer, develop a professional look with consistent formatting.
11. Use proper grammar.
12. Avoid crowding on a single page. Skip every other line and write only to the right-hand margin line. For workpapers on computer, use the same guideline.
13. Adequately explain all tick marks other than the standard tick marks. Summarize explanations at the bottom of each workpaper by using a legend.
14. Indicate analysis that requires more than one workpaper by: 1 of 5, 2 of 5, and so forth.
15. If a workpaper is "prepared by auditee," indicate so with "PBA" on the workpaper.
16. If memoranda are done by hand, prepare all memoranda on memo pad paper, using a medium-hard lead pencil. If memoranda are done by computer, set formatting according to this guideline.
17. While the audit is in progress, prepare a to-do list of points that have not been resolved. Resolve points with the auditee at one time during the day.
18. Verify that the final figures on each workpaper agree with the lead sheets and the working trial balance, and cross-reference thereto.
19. Leave enough space on each workpaper to clearly identify adjusting entries and comments; if done by hand, add a column for remarks on the worksheet.
20. Reference and cross-reference to other workpapers and interim recommendation worksheets. Use red pencil for this purpose; use red fonts if the workpaper is in electronic form.
21. Indicate the audit program followed.
22. Write on just one side of a working paper.
23. Use legal size paper. If using a spreadsheet, set electronic document margins to the equivalent size.
24. Remove all items that have no value in supporting the conclusion.

Don't

1. Do not prepare workpapers without first considering the objectives.
2. Do not follow previous audit workpapers blindly, but have a logical reason for changes.
3. Do not repeat the scope of work when steps are outlined in the audit program.
4. Do not leave open points or questions on your workpapers. Do not merely cross over points or questions, but explain their disposition.
5. Do not make workpapers available to anyone without prior approval from the manager.
6. Do not prepare separate income and expense account analyses when the accounts can be more effectively covered in conjunction with balance sheet items.
7. Avoid using "comments" for substantive remarks.

d. Permanent Files: Contents and Format

Permanent files are to be used for documents that will be needed in audits for a number of years. They should not be cluttered with documents that cannot effectively help or provide information for future audits; permanent files should be economical in content. Each document entered into the permanent file must include the date and initials of the auditor. Revisions or modifications must also be initialed and dated. The binder should be labeled "Permanent Folder" and contain an index showing the contents of the folder. Exhibit 7.6 outlines the format of the permanent file; this outline also acts as the index for the file. For example, consider A, Corporate Audit Reports/Responses: the first report entered into the permanent folder will be indexed as A-1, the second as A-2, and so on.

Exhibit 7.6: Permanent Files Index

Sam Pole Company, Corporate Audit Department, Permanent Folder Index

A. Corporate Audit Reports/Responses
B. Reports (Other)
C. Carry Forward Comments
D. Organization Charts/Key Personnel
E. Internal Control Questionnaire/Audit Programs
F. Contracts/Lease Agreements
G. Labor Agreements
H. Historical Information/Pictures/Nature of Business Unit
I. Excerpts from Meetings (i.e., board)
J. Correspondence (Major)
K. Company Directives Memoranda
L. Account Analysis
M. Other

e. Current Files: Contents and Format

The criterion for determining whether information should be included in the permanent file or the current file is the useful life of the information. Place information into the permanent file if its usefulness is longer than two years. The majority of information obtained during an audit usually applies to the current year and will only be used for comparison and guidance in the subsequent year. Accordingly, such information has an expected useful life of less than two years and is filed in the current file.

f. General Organization

Use the printed workpaper binder cover and back furnished by the department. Note that certain information is to be completed on the cover of the binder: company identification, contents of the binder, the names of the auditors who worked on sections included in the binder, review signatures, and the name of the audit office producing the file.

All workpapers are to be 8 1/2 inches by 14 inches (legal size paper). If auditee documents are smaller than legal size, attach the document to heavy-grade legal size paper and then file it. Acco fasteners have 2 3/4-inch centers with 2-inch capacity; if files exceed two inches, Acco fasteners of greater capacity can be obtained. Create dividers by using heavy-grade paper and attaching a tab at the bottom of the sheet; do not waste memo or 17-column paper for this purpose. A second method is to use 14-column paper as a wraparound for the individual section. The section name and indexing letter should be indicated in red at the bottom right-hand corner after the 14-column paper is folded in half.

g. Detailed Workpaper Section Organization

Each job will have a systems binder, to be updated yearly. The following sequence will be utilized to organize the systems binder, where the "S" denotes systems documentation work:

SA-1  Flowchart (manual/IS)
SA-2  Narrative description
SA-3  List of key reports (official report title and informal user name)
SA-4  Internal control questionnaire
SA-5  Summary of major strengths and weaknesses
SA-6  Audit approach memo
SA-7  Other systems information as needed

The compliance and substantive work for each account will be organized in the following sequence in a separate current file:

A/C             Overall scope and conclusion
A/P             Audit program
A               Lead sheets
A-1 to A-nn     Account detail (substantive testing), comments for future audits, and confirmation forms: detailed audit work supporting lead sheet balances
A-100 to A-nnn  Cycle testing (compliance testing)

Note: The audit procedures performed and workpapers generated should be organized in a manner deemed to be logical and expedient in the senior's judgment.

• SA-1. Flowcharting. Graphically depict the inputs, processing, and outputs of each system. Include both the manual and the data-processing flow of documents as you flowchart the system.
• SA-2. Narrative system description. Narratives may be used to describe a system on a step-by-step basis. The narrative system description can supplement flowcharts or stand alone if it best fits the system.
• SA-3. Key reports listing. The key report listing should list important reports by their official title and also by the informal names used by the auditee. This listing will greatly assist the following year's audit.
• SA-4. Internal control evaluation guide. The internal control evaluation guide should be developed to include only questions applicable to the section involved. For example, "A," the cash section, should include the internal control questionnaire evaluation guides only for cash.
• SA-5. Summary of major strengths and weaknesses. Once the flowchart and internal control questionnaire have been prepared, the auditor should have a good idea of the strengths and weaknesses of the system. Based on the above procedures, a summary of the system's major strengths and weaknesses should be prepared. This summary will aid in the development of the audit approach.
• SA-6. Audit approach memo. The logic behind the selected audit procedures should be written up in a memorandum and included in this section. Such tests will include substantive tests of account balances and compliance tests of the system.
• A/C. Overall scope and conclusion. Identify the work involved to support your conclusion: procedures such as sample size, extent of testing, and compliance with the audit program. In the conclusion section, state your opinion based on the testing performed in the scope. This workpaper will be the last item completed in the section.
• A/P. Audit programs. Audit programs should include all the steps necessary to test the system and reach a logical conclusion.
• A. Lead sheets. The auditor should give advance thought to the preparation of lead sheets. Minimum information includes a comparative schedule showing account balances at the prior year audit date and the book balance at the current audit date. Also, columns are prepared for adjustments and final balances. These schedules should reference the working trial balance.
• A-1 to A-nn. Account detail (substantive testing). The evidential matter is obtained through two general classes of auditing procedures: (1) tests of details of transactions and balances, and (2) analytical reviews of significant ratios and trends, and the investigation of unusual fluctuations and questionable items. Make references and cross-references to adjustments and to recommendations or comments that were the result of your work.
• A-100 to A-nnn. Cycle testing (compliance testing). The purpose of tests of compliance is to provide reasonable assurance that accounting control procedures are being applied as prescribed.

h. Indexing and Cross Referencing

Workpapers should be indexed using the prescribed standard index. An index has been assigned to each major account classification. The index can then be utilized throughout the files whenever a cross-indexing reference is made to that particular schedule or to an amount therein. Each schedule should be marked in red pencil (or font) in the designated box at the bottom right corner. Single alpha letters are used for asset section designations. Double alpha letters are used for liabilities or capital accounts. Numbers are used to indicate accounts in the income statement; these sections are preceded by "PL" before the number indicated in the index sample later in this section. The first section of the indexing system is referred to as the administrative section. The index used to reference this section is "AD"; it is not an account classification, but it is the first in the organization sequence.

The workpaper sections will include subaccounts under the major account classification. For example, cash, the major account, also includes the subaccounts Cash in Bank, Cash on Hand, and so on. The lead sheet (indexed "A") for this section should show the applicable subaccount balances for the current period and the prior period. These columns should be footed to show the total balance in the major account. The analysis of the subaccounts should be documented on supporting schedules (i.e., A-1, Analysis of Cash in Bank; A-2, Analysis of Cash on Hand; and so on).

Three separate sections have been included for the work performed on confirmations, inventory observation, and inventory compilation. The section for confirmations is to be used when the number of confirmations sent is too large to be practically included in the applicable account classification. The other two sections are to be used when a physical inventory observation and a review of the inventory compilation are included within the scope of the audit. Be sure to appropriately reference these sections in the working papers.

Occasionally, a section within a file binder may become too large to control effectively. In that instance, the section may be extended into another binder. The indexing for the extended file binder becomes X. For example, if section CC, Accounts Payable, becomes too large, part of the file can be stored in another file binder indexed CCX. Appropriate referencing should be indicated in the working papers.

The following is a listing of the indexes that should be used:

Administrative
AD1   Copy of the audit report
AD2   Assignment checklist
AD3   Copy of financial statements
AD4   Summary memo, in-charge
AD5   Manager comments: interpretive comments, major problems and their solutions
AD6   Working trial balances
AD7   Adjusting journal entries
AD8   Analytical review and interim financial statements
AD9   Audit planning memo
AD10  Time budget
AD11  Interim audit recommendations and comments summary (AUD form 1)
AD12  Prior audit reports and follow-up
AD13  Other correspondence
AD14  As needed

Assets
A     Cash
B     Securities and other negotiable assets
C     Sales, shipping, and trade receivables
D     Inter-company receivables
E     (Used for other accounts)
F     Inventory
G     Prepaid expenses and other assets
H     (Used for other accounts)
I     (Used for other accounts)
M     Other tangible assets
S     Property, plant, and equipment

Liabilities
BB    Notes payable
CC    Accounts payable
DD    Accounts payable, inter-company
FF    Compensation
GG    (Used for other accounts)
HH    Other liabilities and deferred credits
WW    Capital stock and surplus
PP    Notes and inter-company debt

Income Statement and Other
PL1   Sales and revenue
PL2   Cost of goods sold
PL3   Selling, general, and administrative expenses
X     Extended file

i. Referencing

Normally, the lead schedules support the amounts shown on the trial balance. Also, detail sub-schedules support the amounts shown on the lead schedules. These workpapers should be cross-referenced to one another. Referencing should be done by inserting the page index next to the corresponding amount. Writing a page index to the left of the amount indicates "coming from" a certain page. Writing the page index to the right of the amount indicates "going to" a certain page. The referencing of final totals (double underscored) may be done by inserting the page index directly below the applicable amount. When referencing on the same page, either a circled number or a circled capital letter should be used. A circled number is used when referencing a number to a number. A circled capital letter is used when referencing a number (or any other section or symbol on the workpaper) to a note. All referencing should be done in red pencil (or font if electronic).

j. Standard Tick Marks

Standardizing certain tick marks will result in uniformity and time saving for the preparer and reviewer, since the tick marks are duplicated and one explanation is written. Use a "Standard Tick Mark Sheet" to explain the standard tick marks. Prepare all tick marks in red pencil (or font if electronic). Tick marks should be simple in design. Basic tick marks should be placed after the figure being checked. Always explain tick marks in a legend located in the workpapers. The standard tick marks are as follows:

F (under number)         footed
F (to right of number)   cross-footed
T/B                      agreed to trial balance
G/L                      agreed to general ledger
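The footing, cross-footing, trial-balance agreement and lead-sheet-to-schedule referencing described above, carried out on a constructed cash lead sheet. This is an added example and not part of the manual; the account figures, the "A", "A-1" and "A-2" layout of the sample, and the Python names are assumptions for illustration. It also checks one thing the tick marks alone do not show: a detail schedule that exists in the binder but is referenced from nowhere on the lead sheet.

```python
"""Foot, cross-foot and tie out a lead sheet the way the standard tick marks
record it: F under a column (footed), F to the right of a figure (cross-footed),
T/B (agreed to trial balance), plus the lead-sheet-to-schedule references.
Added example; every figure below is constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class LeadRow:
    """One line of a lead sheet as the preparer recorded it. `final` is a
    recorded figure, not a computed one, so that cross-footing is a real check."""
    index: str            # supporting schedule index, e.g. "A-1"
    account: str
    prior: Decimal        # balance at the prior year audit date
    book: Decimal         # book balance at the current audit date
    adjustments: Decimal  # net adjusting journal entries proposed
    final: Decimal        # adjusted balance as written on the sheet


def foot(values):
    """'F' under a column: the column total."""
    return sum(values, Decimal("0"))


def tie_out(lead_index, rows, trial_balance, schedules):
    """Foot and cross-foot one lead sheet, agree its book total to the working
    trial balance, and tie each line to the detail schedule it references.

    lead_index:    the lead sheet's index, e.g. "A" for cash
    rows:          LeadRow objects in the order they appear on the sheet
    trial_balance: {major account index: book balance}
    schedules:     {schedule index: [(description, amount), ...]}
    Returns a list of exception strings; an empty list means the sheet ties."""
    exceptions = []

    # Cross-foot each line ('F' to the right): book + adjustments must equal the recorded final
    for r in rows:
        if r.book + r.adjustments != r.final:
            exceptions.append(
                f"{r.index} does not cross-foot: {r.book} + {r.adjustments} != {r.final}")

    # Foot the columns ('F' under each) and cross-foot the total line
    book_total = foot(r.book for r in rows)
    adj_total = foot(r.adjustments for r in rows)
    final_total = foot(r.final for r in rows)
    if book_total + adj_total != final_total:
        exceptions.append(f"{lead_index} total line does not cross-foot")

    # 'T/B': the footed book balance agrees to the working trial balance
    tb_balance = trial_balance.get(lead_index)
    if tb_balance is None:
        exceptions.append(f"{lead_index} is not on the working trial balance")
    elif tb_balance != book_total:
        exceptions.append(
            f"{lead_index} book total {book_total} does not agree to T/B {tb_balance}")

    # Each line ties to the schedule it references ('coming from' that page),
    # and every schedule under this lead sheet is referenced (no orphan pages)
    referenced = set()
    for r in rows:
        referenced.add(r.index)
        schedule = schedules.get(r.index)
        if schedule is None:
            exceptions.append(f"{r.index} is referenced but has no supporting schedule")
            continue
        schedule_total = foot(amount for _, amount in schedule)
        if schedule_total != r.book:
            exceptions.append(
                f"{r.index} foots to {schedule_total}, lead sheet shows {r.book}")
    for idx in sorted(set(schedules) - referenced):
        if idx.startswith(lead_index + "-"):
            exceptions.append(f"{idx} is not referenced from lead sheet {lead_index}")

    return exceptions


# Constructed sample: the cash lead sheet "A" with two subaccounts and its support
CASH_ROWS = [
    LeadRow("A-1", "Cash in bank", Decimal("120000.00"), Decimal("134250.00"),
            Decimal("-1250.00"), Decimal("133000.00")),
    LeadRow("A-2", "Cash on hand", Decimal("2500.00"), Decimal("2500.00"),
            Decimal("0.00"), Decimal("2500.00")),
]
TRIAL_BALANCE = {"A": Decimal("136750.00"), "CC": Decimal("-48200.00")}
SCHEDULES = {
    "A-1": [("Operating account, per bank reconciliation", Decimal("101250.00")),
            ("Payroll account, per bank reconciliation", Decimal("33000.00"))],
    "A-2": [("Petty cash, main office", Decimal("1500.00")),
            ("Petty cash, plant", Decimal("1000.00"))],
}


def cash_ties():
    """The constructed cash section as prepared: expected to return no exceptions."""
    return tie_out("A", CASH_ROWS, TRIAL_BALANCE, SCHEDULES)


def cash_with_errors():
    """Same section with two defects a reviewer should catch: a transposed
    final balance on A-1 and an A-3 schedule that nothing on the lead sheet points to."""
    rows = [LeadRow("A-1", "Cash in bank", Decimal("120000.00"), Decimal("134250.00"),
                    Decimal("-1250.00"), Decimal("133300.00")), CASH_ROWS[1]]
    schedules = dict(SCHEDULES)
    schedules["A-3"] = [("Cash in transit", Decimal("8000.00"))]
    return tie_out("A", rows, TRIAL_BALANCE, schedules)


if __name__ == "__main__":
    for label, result in (("as prepared", cash_ties()), ("with errors", cash_with_errors())):
        print(label + ":", result or "ties")
```

Balances are carried as Decimal rather than float so that footings compare exactly, which is the same reason the paper procedure asks for the spreadsheet formulas to be printed and audited before they are relied upon.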

7.3 Audit Objectives

As described in Chapter 6 of this manual, the Corporate Audit Department may be responsible for conducting a variety of different types of audits. These types of audits may have different overall objectives that the auditor must satisfy through the performance of audit procedures. The most common type of audit for which auditors are responsible is the financial audit. Broadly described, the overall objective of a financial audit is to assure that the financial statements are fairly stated, that they are in conformity with Generally Accepted Accounting Principles (GAAP), consistently applied, and that the accounting principles that were applied are consistent from year to year. In order to satisfy this overall objective, it is necessary to satisfy specific objectives that apply to the various accounts that comprise the financial statements.

The following is a listing of objectives that apply to the various audit areas (accounts) that normally are included in a financial audit. The list provides examples of assessing the five major management assertions in financial statements: existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure. This listing is not all-inclusive, and all of the objectives may not apply in every circumstance. They should be used as a guide and should be included, excluded, and/or modified as dictated by the audit situations encountered.

Cash
• Cash recorded properly represents cash and cash items on hand, in transit, or in banks.
• All receipts are properly identified, control totals are developed, and collections are promptly deposited.
• All collections are properly identified, deposited, and recorded.
• There is a proper accounting for all inter-company and inter-bank transfers.
• All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.
• Adequate disclosure is made of restricted or committed funds and of cash not subject to immediate withdrawal.

Receivables
• Recorded receivables exist and are carried at net collectible amounts.
• Allowance for doubtful accounts is adequate.
• Billings and collections are properly recorded in individual customer accounts.

Inventories
• Periodic physical inventories, or cycle counts, are taken and are valued in accordance with company policies that are in accordance with GAAP.
• The quantities properly represent products, materials, and supplies on hand, in storage, in transit, or on consignment that belong to the company.
• The items are priced in accordance with GAAP, at the lower of cost or market, on a basis consistent with the inventories at the end of the preceding year.
• The ending inventories are determined as to quantities, prices, computations, excess stocks, and so on.
• Excess, slow-moving, obsolete, and defective items are reduced to net realizable values.
• All receipts, transfers, and withdrawals of stock are properly and accurately recorded.
• All production activity and costs are properly and accurately reported and maintained in up-to-date cost records.
• Adequate provision for losses on purchases or sales commitments exists.

Fixed Assets
• All recorded assets exist.
• The basis upon which the property accounts are stated is proper, conforms to GAAP, and has been consistently followed.
• The additions during the period under audit are proper capital charges and represent actual physical property installed or constructed.
• Depreciation charged to income during the period is adequate but not excessive, considering the expected useful lives of the property units and possible net salvage values, and has been computed on an acceptable basis consistent with that used in prior periods.
• The balance in accumulated depreciation accounts is reasonable.
• All productive asset transactions are initiated by authorized individuals after advance approval has been obtained.
• Physical inventories of recorded productive assets are taken at periodic intervals.
• Adequate cost records are maintained for all in-progress and completed projects.

Investments
• The physical evidence of the ownership of investments is on hand or held in custody or safekeeping by others for account of the company.
• The basis on which the investments are stated conforms to GAAP and is consistently applied.
• Income from investments is accounted for properly.
• Accrued interest is recorded.
• All purchases or sales are initiated by authorized individuals and are properly approved.

Accounts Payable, Purchasing, and Disbursements
• All costs are properly recorded and classified as expense, inventory, fixed assets, and other assets.
• All purchase requisitions are initiated and approved by authorized individuals.
• All material and services received agree with original purchase orders.
• All invoices processed for payment represent goods and services received and are accurate as to terms, prices, quantities, extensions, and account distributions.
• All checks are prepared on the basis of adequate and approved documentation and are compared with supporting data.
• All checks are properly approved, signed, and mailed.
• All disbursements are properly recorded.
• All accrued expenses relate to goods and services received as of the end of the fiscal period.

Notes and Loans Payable
• All amounts owed are properly recorded.
• All debt transactions are initiated by authorized individuals and are approved by the Board of Directors or executives to whom this authority has been delegated.
• Compliance with all provisions of loan agreements has occurred.

Other Assets
• Recorded prepaid and deferred expenses represent proper charges against future operations.
• The additions during the audit period are proper charges to those accounts and represent actual cost.
• Amortization or write-offs against revenues in the current period are reasonable under the circumstances, and have been computed on an acceptable basis consistent with prior periods.

Capital Stock and Surplus
• The capital stock and surplus accounts are properly classified, described, and stated in accordance with GAAP, and are not in conflict with the requirements of the corporate charter (or articles of incorporation) or with the applicable statutes of the state of incorporation.
• Transactions in the capital stock and surplus accounts during the audit period are properly authorized or approved where necessary, and are recorded in accordance with GAAP.

Revenues, Costs, and Expenses
• Reported revenues, costs, and expenses are properly applicable to the accounting period under examination.
• Recognition has been given to revenues, costs, and expenses (including losses) which should be so recognized.
• Reported revenues and applicable costs are recorded on a timely basis.
• Costs and expenses are properly matched with revenues.
• Revenues, costs, and expenses are appropriately classified and described in the statement of income.
• Charges to customers are for valid claims for sales rendered in accordance with established pricing policies.

Payroll
• Compensation costs reflect the aggregate cost of employee services during the period and are distributed to appropriate inventory and expense accounts.
• Payments for compensation and benefits are made only to bona fide employees.
• Additions, separations, wage rates, salaries, and other deductions are authorized and recorded on a timely basis.
• Compensation rates are in accordance with applicable union agreements and/or approved rates.
• Employee time and attendance data are properly reviewed, approved, and processed on a timely basis.
• Payroll deductions are determined in accordance with legal requirements or employee authorizations and are paid to the government, unions, and other specified parties in a timely fashion.
• All authorized employee benefit plans and related costs are appropriately controlled and administered.

Travel and Entertainment Expense
• All expenses recorded must be "ordinary," meaning "customary and usual" within the experience of the particular community.
• All expenses recorded must be "necessary," meaning "appropriate and helpful" for the development of the entity's business.
• Sufficient documentation must exist. Specifically, the amount, time, place, business purpose, and business relationship of the entertained party must be recorded.
• Reimbursements to employees must be fully accountable, so as not to be considered compensatory. If any reimbursements are compensatory, appropriate tax information must be retained.

Endnote
1. The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and interested parties.



Chapter 8: Audit Reporting

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 8.1 REV NO: DATE: TITLE: Corporate Audit Report Process PAGES:

8.1 Corporate Audit Report Process

The Corporate Audit Report is perhaps the most significant product of the audit function. It is the policy of Sam Pole Company to issue a summary-and-detail report for each significant audit completed. The purpose of the summary report is to provide, in brief presentation format, the essence of the scope and results of the audit. It also allows for a profile section to convey additional information of interest to the Audit Committee and senior management, which helps put the audit results in the proper context. In some instances, this information would be basic financial or operational. The thoughtful and creative use of the profile section provides a vehicle for the Audit Department to convey information beyond the negative reporting process that is inherent in internal auditing. To put it another way: the use of the profile section enables us to convey information that may contribute positively to the management of the corporation. Detailed descriptions of the summary and detailed report formats, with examples, are contained in other sections of the manual.

The objectives of the report process include:
• To ensure the development of comprehensive and accurate reports
• To provide guidelines resulting in timely issuance of final reports
• To provide the opportunity to convey additional related information to readers of the report

Since the audit report is the most significant product issued by the Audit Department, the report format should be carefully considered. The procedures contained in this section of the manual are designed to help ensure that the best possible quality product is prepared. The reporting process begins with the draft audit comments and follows through to the issuance of reports and the report to the Audit Committee (if appropriate). The corporate audit reporting process matrix, Exhibit 8.1, summarizes the activities contained in this process.

Exhibit 8.1: Corporate Audit Reporting Process Matrix

1. Comments Worksheet
   Purpose: Document audit facts and comments; log/track findings, report comments, recommendations, and resolution for review and reporting.
   Timing: As disclosed or periodically during audit for review; regularly from completion of field work to issued report.
   Prepared by: Staff or Senior. Reviewed by: Senior or Manager. Responsibility: Senior or Manager.
   Contents: Per tentative recommendations worksheet.
   Documentation: Audit workpapers.
   Distribution: Auditee.

2. Draft Reports
   Purpose: Formalize audit conclusions, recommendations, and circumstances; assign report no.
   Timing: In office upon completion of field work.
   Prepared by: Senior. Reviewed by: Senior/Manager. Responsibility: Manager.
   Contents: Develop comments into summary and detailed reports (see AU/ED).
   Documentation: Audit workpapers.
   Distribution: IA Manager.

3. Draft to Auditee
   Purpose: Obtain agreement on findings, substance, and materiality of issues for audited entity.
   Timing: Within two weeks following exit conference.
   Prepared by: Senior. Reviewed by: Manager. Responsibility: Manager.
   Contents: Per distribution worksheet.
   Documentation: Audit workpapers.
   Distribution: Financial official at audited unit.

4. Inclusion of Auditee Comments
   Purpose: Incorporate auditee responses into draft reports.
   Timing: Within 30 days following receipt.
   Prepared by: Senior/Manager. Reviewed by: Manager. Responsibility: Manager.
   Contents: Revise comments and detailed reports for auditee responses; comment in summary report on responses.
   Documentation: Audit workpapers.
   Distribution: Comptroller, Chief Accountant of audited entity, IA Manager.

5. Issue Final Report to Management
   Purpose: Preparation and distribution of the final report.
   Timing: Promptly upon reply and resolution.
   Prepared by: Senior/Manager. Reviewed by: Director of Auditing. Responsibility: Manager.
   Contents: Audit report (see Distribution Section AU/ED).
   Documentation: Audit workpapers; Corporate Secretary files.
   Distribution: See Distribution Section AU/ED.

6. Apprise Audit Committee of Audit Results
   Prepared by: Manager. Reviewed by: Director of Auditing. Responsibility: Manager.
   Contents: Audit report to the Audit Committee.
   Documentation: Audit Committee files.
   Distribution: Audit Committee.

a. Draft Reports

The audit report process begins with a review of the tentative audit recommendations worksheets prepared during the audit performance process. Each individual page contains comments accumulated during the audit process. These pages will have been preliminarily reviewed by the auditee during the audit process. The manager will review all comments in conjunction with his review of the workpapers, ensuring that all comments are adequately supported. These comments will then form the basis of the detailed audit report draft.

Within approximately one week from the completion of the audit field work—or the closing conference of the audit team—the audit manager or his designee will draft an audit finding and recommendation for each of the tentative audit recommendation worksheets. The audit manager will begin the preparation of the summary audit report. Information regarding the scope and highlight sections will be based on information contained within the planning, approval, and summary memos as well as the detailed finding and recommendation report. The Director of Auditing will review the draft and provide input.

b. Draft to Auditee

Various practices regarding distribution of draft audit reports to auditees exist within the internal auditing profession. Some audit departments believe that timeliness is not the most critical factor, and obtaining input from auditees and incorporating it in the audit report provides for increased accuracy and a more level "playing field." Still other audit departments believe that the function of the audit is to issue comments as soon as possible, and they bypass or reduce the auditee review process. The trade-off issues involve the interest in accuracy and fair presentation versus the issue of timeliness.

The policy of Sam Pole Company is to review comments with the auditee as they are developed. Once the audit draft has been developed, the draft is forwarded to the auditee for review. Auditees will have two weeks to review the comments and prepare a paragraph detailing their actions or position on the comment. The auditee will then issue a response and discussion of implementation plans. Exhibit 8.2 provides an example of a transmittal of the report draft to the audited entity, and Exhibit 8.3 is an example of a transmittal of the report to senior financial officials.

Exhibit 8.2: Transmittal of Report Draft to Audit Entity Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Corporate Audit Report Draft

The enclosed draft of a report on the recently completed [kind of audit] at [audit location] is for limited distribution to you and the Audit Director. Please review the draft to confirm (or not) that the recommendations and comments agree with those presented to and discussed with you at the closing audit conference. Also include your response in one or two paragraphs for inclusion in the detailed audit report. Please reply to me or [designate] by phone by [date], so that we may proceed to issue the final report.

/S/ Manager
Enclosures
cc: Audit Director

Exhibit 8.3: Transmittal of Report Draft to Senior Financial Officials Example

Date: [date]
To: J. Smith
From: L. K. Gordon
Subject: Corporate Audit Report Draft

The enclosed draft of a report on the recently completed [kind of audit] at [audit location] has been reviewed with [financial official] at [audited entity], who is in agreement with the content of the report and detailed comments. I would appreciate receiving your comments, if any, by [date] on the issues discussed in the report so that we may proceed to issue the final report at the next meeting of the Audit Committee.

/S/ Audit Manager
Enclosures
cc: Audit Director

c. Inclusion of Auditee Comments

In the example here, the auditees' responses have been incorporated into the audit report. Upon receipt of the auditee's comments, the Audit Manager will review their comments and integrate them into the draft audit report. The revised draft, with the auditee comments clearly identified, will be provided to the Director of Auditing for review. The Director of Auditing, upon satisfaction with the foregoing steps, will approve the final audit report for issuance. The Audit Manager will be advised of any final changes to the report and will have the report dated, processed, and transmitted in final form for signature and reproduction.

i. Audit Report Responses

The objectives of monitoring audit report responses are:
• To provide a framework to monitor, obtain, and evaluate such responses from audited units
• To enable the Director of Auditing to report on the adequacy of responses to, as appropriate, senior management and the Audit Committee

Each auditor will develop and implement procedures to attain the objectives outlined above and ensure that the total audit process is completed for both this department and the public accountants. In cases when audited units have not responded within the prescribed period of time, standard 30-day (overdue reports) and 60-day (delinquent reports) letters are to be issued by the affected auditor and Director of Auditing. (See Exhibits 8.4 and 8.5, respectively.)

Exhibit 8.4: Overdue Response to Audit Report—30-Day Letter Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report

[The Corporate Audit Department]/[public accountants] issued its report, dated _____________ on the results of its examination [covering internal accounting controls]/[of balance sheet accounts]/ of [______________________] for the period ended _____________ [date]. This letter is to remind you that a written response to the audit report is due no later than 30 days following the report transmittal date. Please advise when we can expect your response.

Audit Manager
cc: Audit Director
Public Accountants (if appropriate)

Exhibit 8.5: Delinquent Response to Audit Report—60-Day Letter Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report

Sixty days have now passed since [The Corporate Audit Department]/[public accountants] issued its report, dated ______________, on the results of its examination [covering internal accounting controls]/[of balance sheet accounts]/ of [_____________________] for the period ended ______________ [date]. You will recall that ____________, our manager in _______________, reminded you one month earlier that corporate policy requires a written response to the audit report no later than 30 days following the report transmittal date. My responsibilities to the Audit Committee and senior management require regular reports on the adequacy and timeliness of responses to audit reports. In the event you have compelling reasons for not responding, please call me or _____________ immediately. Otherwise, we expect your response within a week's time.

Audit Manager
cc: Audit Director
Public accountants (if appropriate)

In addition to monitoring and accounting for responses, each manager is responsible for evaluating them to determine that satisfactory management action has or will be taken. Evaluation of responses is to be documented in the workpapers or, when pertinent, advised in writing to the public accountants. Management recommendations issued by the public accountants require similar responses from appropriate division or department management. A letter should be sent to the appropriate auditee which includes the company policy on responding to comments by public accountants and includes the public accountants' comments or is a transmittal for the comments. (See Exhibit 8.6.)

Exhibit 8.6: Transmittal of Policy on Reports of Public Accountants

Date: [date]
To: Division or Department Manager
From: Audit Director
Subject: Reports of Independent Public Accountants

Purpose
This memorandum provides additional procedures implementing the policy covering the distribution of reports of independent accountants and, when required, management responses to them.

Policy
The Sam Pole Company auditing policy states the following:
• Audit findings, recommendations and other matters deemed to be significant by the public accountants are reported directly by them to the Audit Committee, with copies to the Vice President and Comptroller, General Manager, and the Audit Manager.

The policy further requires with respect to management responses:
• A prompt formal written response to the Audit Manager, Chief Financial Officer, and the Audit Committee, covering internal control and management recommendations made by both the public accountants and corporate auditors.

Additional Procedures
The following amplifies the policies covering the distribution of public accountants' reports and related responses to ensure that they are distributed properly:
• Reports of Independent (Public) Accountants
  • Reports on internal control recommendations are issued to the individual with overall responsibility for the location under audit (i.e., Plant Manager) and the Chief Financial Officer. Copies are distributed to the Vice President and Comptroller, other key financial officials and the public accountants.
• Management Responses
  • Audited entities respond in writing to internal control recommendations in accordance with the aforementioned policy. Responses are due no later than 30 days following the date of the auditor's report and in the format as shown on attached Exhibit 8.7. The response is addressed to the Director of Auditing.
  • When responses do not deal satisfactorily with audit recommendations, the auditor should advise the auditee and Audit Manager, in writing, concerning additional audit requirements and resolution of the issues. Subsequent audit procedures to test completed/proposed corrective action would be adequately documented and outlined for either Corporate Audit or public accountants' performance.

The additional procedures outlined above enable implementation of effective and consistent practices to monitor and report on the results of audits by public accountants in the United States and other countries.

Insert comments here or note regarding attachment of comments from public accountants.

Exhibit 8.7 is the standard form on which the audited unit should reply. These should be sent to the unit along with the final report.

Exhibit 8.7: Audit Response Example

Company: ________________________________________________________
Operating Unit: ___________________________________________________
Audited By: ______________________________________________________
Submitted By: ____________________________________________________

NO. | RECOMMENDATION | IMPLEMENTATION | RESPONSIBLE PERSON | TARGET DATE

d. Issue Final Report to Management

After approval by the Director of Auditing, the final report will be distributed in accordance with the distribution policy discussed in the following sections of the manual. It should be noted that there will be different levels of distribution for the summary and detailed reports. However, anyone receiving the summary report can request a copy of the detailed report.

i. Audit Report Format

The audit report and the detailed recommendations and comments section have a standard format that will be adequate for writing most reports. There may be times when it will be appropriate to deviate from the standard format. These instances must be discussed with the manager before proceeding. Exhibit 8.8 is an example of an audit report.

Exhibit 8.8: Corporate Audit Report Example

Company Location:
Audit Date:
Audit Manager:
Date Completed:
Audit Office:
Auditors:
Date of Report:

The Audit Committee
Sam Pole Company

This report summarizes the results of our audit of the company's accounting records and selected internal control procedures. Detailed recommendations and comments, after review with local management, were provided to the local accounting personnel for written responses to this office, and to the public accountants for their information, and to other key officials.

Profile
The manufacturing plant produces approximately NNN square yards of carpet tile per month. Comparative operating data are as follows:

                        2002        2003
Sales                   $xxx.xxx    $xxx.xxx
Cost of Sales           xxx.xxx     xxx.xxx
Inventory               xxx.xxx     xxx.xxx
Sales Backlog           x.xxx       x.xxx
Number of Employees     xxx         xxx

Scope of Audit
Our examination included a review and evaluation of accounting systems, internal control procedures, and tests of account balances.

Audit Office. 200x. internal controls are adequate. and account balances. In-Depth Recommendations and Comments—Detail Cover Page (Optional) Heading Lead Paragraph Categories Recommendations Comments Discussion Items Manager's Signature Exhibits (Optional) 8 Chapter 8: Audit Reporting . Audit Report—Summary Heading Salutations Lead Paragraph Profile Scope Conclusion Summary Manager's Signature Distribution I. Date Audit Completed. as adjusted. Quantities of inventory on hand December 31. The date of the closing conference or last day of fieldwork. 200x. are fairly stated. Summary The significant matters discussed in the detailed report include the following: • A Disaster Recovery Plan should be developed for the data processing operation. whichever is later. II.8 Conclusion Chapter 8: Audit Reporting In our opinion. Audit Date. Standard Format I. Audit Report—Summary Heading. The heading is preprinted on the Corporate Audit Report preprinted form. • Procedures to ensure that computer program changes are properly authorized should be developed. are fairly stated in all material respects. Weaknesses outlined in the detailed recommendations and comments provided to local management did not have a material effect on the account balances at December 31. and Audit Manager are all self-explanatory. Manager Internal Audit Department Distribution: Headquarters President Chief Financial Officer Local President Local Accountant ii. Company/location. • Documentation for significant computer applications is weak and should be improved.

The detailed recommendations and comments section does not accompany the audit report issued to the Audit Committee. In some instances. but not as good as indicating that specific systems such as payroll. and accounts receivable were not reviewed. Scope. number of employees. or implications of adjustments attributable to company size. but not others. if included. In certain situations. production. The profile. because this information is included in the heading. or the reliability of systems. "we did not review. scope. All auditors who participated in the audit. The conclusions can only be written on the basis of the work performed in the scope section and subject to the major exceptions contained in the summary section. No new or additional information can be interjected into the conclusion that has not been specifically stated in these two areas (scope and summary). Salutation. One is to identify exactly what was done during the audit and the second is to delineate in writing that which was not done. Instead. Clearly stating what was done in the audit leaves no doubt as to what was not done. The profile section should be designated to be a "stage setter" for the reader. accounts payable. should not leave the reader with unanswered questions. and conclusion sections. The scope should clearly state the work that was limited to or restricted to the payroll system. it should be limited in size to approximately one informative paragraph. It also states that the detail has been distributed to key officials and the public accountants." is not specific to the reader and leaves the audit open for question later. the adequacy of internal controls. To state "certain" systems were reviewed is better. Summary. as the situation warrants. The auditors should conclude or state their opinion on the fairness of the account balances. If internal controls were reviewed on certain systems. Date of Report. Comparative financial information. 
Keep in mind that the profile should not distract from the purposes of the report. or department. etc. the summary never contains information not published in the detailed Chapter 8: Audit Reporting 9 . company. The profile should not dominate the report. which are the summary. The profile section is intended to be informative to the reader. Significant variations should be explained. The scope section has two principal functions. It should not be necessary to restate the auditee's name or dates. test. It should help the reader visualize the entity." which refers to the auditee. as an example. the reader has not had the opportunity to visit the auditee's facility. it may be necessary to clearly qualify the scope section by saying. "Profile" is generally preceded by "plant. Profile. The lead or introduction paragraph indicates to the Audit Committee that this report is a summary of the results or our audit or review. This item will generally be addressed as follows: The Audit Committee Sam Pole Company 9 Lead Paragraph. The summary component summarizes the detailed recommendations and comments section of the report. The date the report is issued for distribution. Therefore.Chapter 8: Audit Reporting Auditors. A general statement such as. may be excluded or contain a narrative description or financial schedules. financial statements. It refers to the detail section that recommendations and comments have been discussed with local management and require a response. Use the first two initials in all names. it must be clearly indicated. "we reviewed the plant's systems of internal controls." Conclusion.

The Audit Manager is responsible for the review and signing of the audit report issued to the Audit Committee of the Board of Directors. to how it is written. second. Other recommendations and comments that are not considered "material" should be addressed in the summary by referring to them in total as one item covered by a few sentences. We recommend system changes to help prevent future occurrences. Manager's Signature. the report is ready for distribution. • Contract terms covering sales of real estate should be reviewed by counsel and entries properly recorded in accordance with Generally Accepted Accounting Principles (GAAP). If auditors feel strongly that the item should be included in the report. Considerable thought should be given to what is included in the summary and. Discussion items do not require a response from the auditee. pending this situation. After the report is written in draft form. is to send the draft to the Corporate Controller and Director of Auditing. • Fifty thousand dollars were lost due to weak internal controls in the data processing area. He may assign this responsibility to others under certain circumstances. The second step toward distribution. Because discussion items are written with the same attributes as recommendations. Discussion items may be included in the summary if material. Standard distributions for the report consist of: Sam Pole Company Audit Committee Chief Operating Officer Company Level 10 Chapter 8: Audit Reporting . a second time. This account was adjusted January 7. Examples of summary items are as follows: • Accrued payroll was understated $1 million at December 31. A specific designed cover letter is used to convey the drafts to the auditee. or the next level of authority over the auditee.10 recommendations and comments section. It was recommended that management investigate and adjust the account. 
Discussion items are generally only used when auditees object to recommendations on the grounds that they have no control over the subject. Problems may arise if the auditor overreacts or improperly states the situation. After the drafts clear the second step and adjustments or corrections are made. Statement of action to summary items may either be included with the summary items individually or prepared in a trailing paragraph to the last summary item. Therefore. the summary may indicate that an audit disclosed no material weaknesses. but still communicate the problem to management and the Audit Committee. But. only a statement of condition and a statement of action are used to write the points of the summary. Distribution. it may be necessary to send a copy to the auditee and Director of Auditing. Chapter 8: Audit Reporting Of the five attributes that are used as a basis for writing a recommendation. a copy is sent to the Director of Auditing and the auditee simultaneously. the discussion item approach is a way around the situation. after review and corrections are accomplished. the statement of condition and statement of action will be included. 200x. This cover letter indicates the draft has been sent to the auditee first for comments and that time is of the essence. The distribution is a multi-step process. The summary only includes major or material exceptions resulting from the audit.

• Chief Financial Officer
• Director of Auditing
• Public Accounting Firm Partner, Manager

Division/Branch/Department (as applicable)
• Branch Manager/Division President
• Comptroller
• Chief Accountant
• etc.

In-Depth Recommendations and Comments—Detail

This section is issued with the audit report, but is not distributed to everyone on the distribution list. See distribution of the audit report in a prior section. Because this section may become separated from the audit report, it must be written to stand alone as an independent document. Exhibit 8.9, "Corporate Audit Detail Recommendations and Comments," presents an example of this report.

Exhibit 8.9: Corporate Audit Detail Recommendations and Comments Example

SAM POLE COMPANY
Corporate Audit Recommendations & Comments
December 31, 200x

These detailed recommendations and comments supplement our report to the Audit Committee, in which we concluded that account balances as adjusted were fairly stated in all material respects and controls were adequate at December 31, 200x. These detailed recommendations and comments were reviewed with appropriate levels of management and, in accordance with corporate policy, are subject to their written response.

Disaster Recovery

In the event of emergency or disaster in which the AS/400 system is not available for long-term use, there are no contingent plans in effect for the continuance of processing on the AS/400. This weakness could result in a delay of processing transactions and have an adverse effect on business operations.

• Recommendations/Comments
• We recommend that management initiate efforts to develop a Disaster Recovery Plan. In the event that the AS/400 System is disabled, contingency plans would then be in place to allow continued processing at an off-site facility. A Disaster Recovery Plan should meet the following criteria:

♦ To identify a location for further processing. This site could be a cold site in which a third party has another AS/400, which the company would have access to, or an arrangement with IBM that would permit them to be provided with another AS/400 on short notice.
♦ A list of programs and data files needed for recovery, including a ranking of critical applications and an adequate method of creating, testing, and storing data backups.
♦ A list of contacts and responsibilities in the event of emergency.
♦ Detailed instructions on execution of a Disaster Recovery Plan.

Documentation

Good documentation of computerized applications is necessary to document the methods and formulas utilized in the computer operation, to provide operators with instructions, to provide a tool to train new personnel, and to assist programmers with systems development and program modification work. We believe documentation is an important area and should be implemented. This process may require management support for the development of a plan to document systems by certain key target dates. We suggest that documentation along the following lines be considered:

• Systems documentation includes:
♦ System description
♦ System flowcharts, showing the flow of data through the system and the relationship between processing and computer steps
♦ Input descriptions
♦ Output descriptions
♦ File descriptions
♦ Copies of authorizations and their effective dates for system changes that have been implemented, user approval to initiate the project, and final sign-off.
• Program documentation consists of:
♦ Brief narrative description
♦ Flowcharts
♦ Source statements or parameter listings
♦ Control features
♦ File formats and record layouts
♦ Record of program changes
♦ Input/output formats
♦ Operating instructions.

Program Change Control

Program change control is not formally addressed. Requests for changes to programs should be authorized by user departments, indicating the reason for the change. When the program change has been made, the manager or supervisor of the user department should sign the program change form, signifying that the program has been changed according to the original instructions. The program change form should then be filed in numerical sequence. A copy of the program change form should also be filed with the system's documentation such that a record of each change made to the system is kept in chronological sequence. Only properly authorized, changed programs should be placed into production libraries.

• Recommendation
• All program change requests should be properly authorized in writing by the manager or supervisor of the user departments. To be properly controlled, a formal authorization form should be developed.

• Operation documentation includes:
♦ Descriptions of functions
♦ Inputs and outputs
♦ Sequence of cards, tapes, disks, and files
♦ Setup instructions and operating system requirements
♦ Operating notes listing program messages, halts, and action to signal the end of jobs
♦ Control procedures to be performed by operations
♦ Recovery and restart procedures
♦ Estimated normal and maximum run-time
♦ Instructions to the operator in the event of an emergency
• User documentation consists of:
♦ Description of the system
♦ Error correction procedures
♦ List of control procedures and an indication of who is responsible for performing those procedures
♦ Cutoff procedures for submission of data to the data processing department
♦ Description of how the user department should check reports for accuracy
♦ Application analyst support (i.e., name of contact)

The program change authorization form should provide for:
♦ Impact on operations (i.e., resources consumed, response time, turn-around time, elapsed time, manual labor time, user training/impact, etc.)
♦ Testing plan (i.e., testing schedule, individuals responsible and titles, test results)
♦ Authorization (i.e., data center approval, quality assurance, programmer and project manager, and user approval)
♦ A log to permit the tracing of transmittals through the change control cycle.
• Establishment of formal testing procedures to include:
♦ Identification of the person responsible
♦ When the test will take place/begin
♦ When the test will be completed
♦ Details of the test
♦ Actual results of the test
♦ Approval of test results by the data center, programmer, and user.

Manager—Internal Audit Department

Cover Page. An optional cover page may be developed to separate the audit report from the detailed recommendations and comments section. If you elect to insert this page, it could contain "Detailed Recommendations and Comments" as a title and be centered on the page.

Heading. The heading consists of the auditee name, the name of the section, "Corporate Audit Detailed Recommendations and Comments," and the "as of" date of the audit.

Lead Paragraph. The purpose of the lead or introduction paragraph is to convey to the reader three points. First, this document supplements the summary audit report to the Audit Committee. Second, there is a summarized restatement of the conclusion. Finally, a written response is required. For example:

• These detailed recommendations and comments supplement our summary audit report to the Audit Committee of the Board of Directors in which we concluded that internal controls for the payroll and account balances were fairly stated in all material respects as of April 30, 200x. These detailed

recommendations and comments were reviewed with appropriate levels of branch management and are subject to their written response in accordance with corporate policy.

Categories. For purposes of organization, subtitles are used to group recommendations and comments relating to the same subject, e.g., all recommendations and comments relating to accounts payable should be numbered under the subtitle "accounts payable." The subtitles are typed on the left margin in bold type and underlined. To emphasize the subtitle, double spacing is used before and after the subtitle. The numbering sequence starts with the first recommendation and is continuous to the last recommendation under that subtitle. Numbers start over for each subtitle.

Recommendations. Recommendations are one of the five attributes that make up a finding, as published by the Institute of Internal Auditors. Use "recommendations" rather than "findings" to describe the audit exceptions because it has a more positive connotation. To lessen the confusion, the attribute recommendation has also been renamed statement of action. A more positive approach implies professionalism by suggesting improvements as opposed to dwelling on or publishing problems and failings. In lieu of saying, "These are our findings," inferring something wrong was found, present a more positive image by saying, "These are our recommendations for improvement." Do not report that something was wrong, that is, merely that the auditee can improve existing conditions.

Comments. Comments differ from recommendations in that the five attributes—condition, criteria, cause, effect, and recommendation—are not present. Comments are more of a remark or brief statement of fact or opinion.

Discussion Items. Discussion items are used in instances where auditees object to an item being included in the report when they are not directly responsible for the situation. The auditors feel strongly that the situation needs exposure in a written report. A compromise is the discussion item approach, which could be used only as a last resort. Discussion items are developed and written as recommendations, but differ in that the auditee is not required to respond to these items.

Exhibits. The exhibit section is optional, but should be considered if additional information will help make the audit recommendations and comments clear to the auditee or management. Exhibits may take the form of photographs, flowcharts, financial schedules, adjustment schedules, or other sundry schedules of supporting information. Like pictures, exhibits are worth a thousand words. Supporting exhibits not only add clarity, but if properly done, add a degree of professionalism to the auditor's work. Care should be used in that generally, in most instances, anything material enough for the report should be adequately supported.

Manager's Signature. The manager is responsible for signing the recommendation and comments section.

Open Audit Results and Comments

A task listing will be prepared containing all open audit issues and comments on date of implementation. This list will be used to monitor the implementation of audit comments. Periodically, management will be queried on the status of open issues, and these task lists will be updated and closed out. Follow-up compliance audits will take place one year after the date of the audit.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
TITLE: Report to Management  NO: 8.2  REV NO:  DATE:  PAGES:

8.2 Report to Management

Communications with management is a very important element of an internal audit function. It is more important than in some other operations because the management issues and output of the audit function are more qualitative than quantitative. In a manufacturing or distribution operation, one can measure the output in units and analyze it in many ways. Audit functions have a lot of control over the quantity and quality of the work they perform. However, it is difficult for management to understand the issues involved in running a successful audit function and producing quality audit reports. Audit management has a number of opportunities to express their issues and report on activities. The formal process involves issuing audit reports (see "Corporate Audit Report Process") and issuing reports to the Audit Committee (see "Report to Audit Committee"). In this section, we deal with the opportunity to report on a somewhat more detailed basis to management.

The report to management should summarize the activities of the department in the interim since the last report to management. These activities should include audits performed and planned or changes made to plans. All department administrative activities including quality assurance, education, personal development programs, and participation in other company-sponsored programs should be considered. There are no formal guidelines for what should be included in the Report to Management. However, wide latitude should be used to help explain issues and promote progress achieved within the audit operation. Some of the sections that should be considered include: Corporate Audit Department personnel issues, internal audit reports issued, activities related to the external accounting firm, and budget status. In addition, the report could be patterned after other similar reports required within the organization.

As noted earlier in this section, the Report to Management should be prepared prior to Audit Committee meetings. This process will enable auditors to inform management of some of the items that will be included in the administrative section of the report to the Audit Committee. It will also enable auditors to integrate the text of this material into the Audit Committee report to save work when that report is being developed. The report should be prepared on a detailed basis prior to the next scheduled Audit Committee meeting, if possible. This sequence will enable the material developed for this report to be reworked for inclusion in the report to the Audit Committee. Therefore, great care should be taken to include all relevant activities on a prospective basis, pending and in process, as well as activities that have already taken place.

Exhibit 8.10 is an example of a Report to Management. In order to demonstrate the tone and range that a Report to Management can take, a number of sample report elements have been included in the example. The format is simple and self-explanatory.

Exhibit 8.10: Report to Management Example

SAM POLE COMPANY
INTEROFFICE CORRESPONDENCE
TO: Senior Management  OFFICE: New York
FROM: Chief Auditor  OFFICE: New York
SUBJECT: Internal Audit Status Report
DATE: September 10, 200x

This report summarizes the department and my activities since the status report date July 15, 200x.

BUDGET FOR 200x

The Budget for 200x has been drafted and will be presented to you and the Audit Committee on schedule. Due to the addition of a Director and an operational audit unit, the total budget will grow beyond normal inflation.

INTERNAL AUDITS

• Audit Reports
• We continue to strive for timely report issuance. At this date, we have the following audit report status:
♦ Issued Since July Status Report
◊ XYZ Subsidiary
◊ Tulane Contract Audit
◊ Purchasing Department Audit
♦ Pending Issuance
◊ Transportation Department
◊ ABC Subsidiary
• Physical Inventories
• In cases where reports are to be issued upon completion of location audits, inventory audit findings will also be included. In other cases, only exception reports will be issued regarding observations and review of compilations. We observed these physical inventories since the July status report:
♦ XYZ Subsidiary
♦ ABC Subsidiary
♦ Main Supplies Inventory

ORGANIZATION/PERSONNEL

The department is currently comprised of 37 professionals and two secretaries at September 1, which reflects the termination of John Doe and the resignation of Jane Smith in the East and the hiring of Pay Plum (CPA-CISA) as a semi-senior in the West.

                Total   East   West   International
Professionals    35      15     14        6
Secretaries       2       1      1        0
                 37      16     15        6

He is now recruiting another semi-senior. We continue to attempt further East staff reduction by transfer to other departments. Annual performance reviews were discussed with each eligible East staff member in conjunction with salary increases granted effective September 1. With certain exceptions, staff members considered salary increases equitable. The staff generally responded receptively to constructive criticism designed to insist on or encourage, at minimum, competent professional performance. To date, the West manager is pleased with the performance of his staff.

EDUCATION/TRAINING

• Advance Systems, Inc.
• Jim will lead a one-day, videotape-supported orientation program on IS audit concepts for the East staff (scheduled for August 25 at the East office). The West staff participated in a similar program on August 15. These in-house seminars are designed to provide basic background and set the tone for maximum benefit from the MPC Institute course.
• MPC Institute
• The MPC Institute staff will conduct, in-house, for the entire professional staff, a week-long seminar beginning on September 14, at their New York offices, concentrating on auditing in a contemporary computer environment. We have also invited Sam Pole personnel from other departments/locations to join us for some of the more technical sessions dealing with controls, to convey to them the significance of controls and also to improve their understanding of the auditor's purpose and responsibilities in a computer environment.

• Other
• In a less formal, yet structured manner, individual staff members are involved with IIA self-study courses dealing with internal audit theory and practice, and statistical sampling. This work is monitored by our Personnel Development Coordinator.
• In order to enable staff members to prepare for the CPA examination and still fulfill audit schedule responsibilities, we have arranged with XYZ to use their self-study guides, at no cost to Sam Pole, between audit assignments.

SPECIAL STAFF ASSIGNMENTS

• New Jersey Mill
• John Jones continues to assist in the development of a plant cost accounting manual. Out-of-pocket expense and pro-rata salary is billed to the plant, relieving department expenses. We have received favorable feedback regarding his contribution.
• Atlanta Foundry
• At the ADC Division's request, Jane Paul and Marc John were given a two-week assignment to develop overview flow charts of the plant cost accounting system. Having completed a portion of the work, continuing the assignment has been suspended pending agreement on the scope of the work. Out-of-pocket expenses were billed to ABC.

MANAGEMENT DEVELOPMENT PROGRAM PARTICIPANTS—OFF-STAFF ASSIGNMENTS

Bill Clark will assist the CFO during October in assembling, reviewing, and analyzing operating companies' 200x budget proposals. We have also offered to assist the Director of Financial Analysis on 200x budget matters, by making Peter Daily (East) or Rod Stewart (West) available for six weeks to two months. These opportunities have a two-fold purpose: (1) to broaden participants' exposure and experience in Sam Pole, and (2) to add another dimension in the evaluation process from sources outside internal audit. We do foresee a potential problem associated with these off-staff assignments. The demand for Management Development Program participants to work outside the department is likely to conflict with our peak workload period—the Fall—when we experience our heaviest external audit coordination commitment. We are developing our audit plans and schedules to attempt effective attainment of both goals.

POLICY STATEMENTS

• Compliance Program
• Results of circularization for employee acknowledgment of compliance with our code of conduct are virtually complete. Responses received at this office disclosed no conflict or other situations that warrant reporting.
• Policy Statement Booklet
• The supply of booklets in New York is exhausted. We have submitted suggested changes to the text of the booklet to the General Counsel. We also offered to assist them toward publication of the next revision.

OTHER MATTERS

• Security
• As noted in my prior status reports and memos, we have been working with the Finance Director to assess ways to improve the corporation's focus on security. Our recommendation was for a high-level survey of our current practices and security plans. We are considering the need for centralizing the responsibility for all aspects of security within the company. We plan to issue a brief formal report on the results of our review. To further our groundwork, we have set up a meeting with the General Counsel to apprise him of our activities to date and get his

input.
• Professional Activities
• As president of the New York Chapter, ISACA, John Jones presides over monthly board meetings and plans education events for members.
• Marc John serves on the IIA Board of Governors and as Chairman of the Editorial Committee.
• Jane Paul serves on the IIA International Research Committee.
• On July 24, the Chief Auditor addressed our external audit firm's seminar for internal auditors on internal audit department practices.

Regards,

The Report to Management should be addressed to the management reporting line of the Chief Auditor. This report is generally not copied to the Audit Committee, but should be copied to the President or CEO, if appropriate.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
TITLE: Report to Audit Committee  NO: 8.3  REV NO:  DATE:  PAGES:

8.3 Report to Audit Committee

In addition to the distribution of reports as audits are completed, periodically a summary report will be made to the Audit Committee. This report will include a report on internal controls and summary of items of significance, the summary of the Corporate Audit Department reports, and Audit Department status reports. This report provides the opportunity to explain the accomplishments of the department and should be viewed as a critical Audit Department product. Also review Section 9.5, "Marketing the Audit Function." Exhibit 8.11 presents a sample of a report to the Audit Committee.

Exhibit 8.11: Report to Audit Committee Example

SAM POLE COMPANY
101 Mapole Street
East Flagstaff, AZ 12345

February 28, 200x

Gentlemen:

I am pleased to present this report to the Audit Committee, comprising:
1. Report on internal controls and summary of items of significance
2. Summary of Corporate Audit Department reports
3. Corporate Audit Department status report

Audits in process and concluded since our report dated December xx, 200x, have not disclosed any developments that require action by the Committee.

I look forward to meeting with you to review the contents of this report and any other matters you may wish to discuss.

Very truly yours,
S. Jones
Internal Audit Director

SAM POLE COMPANY
Report to the Audit Committee
February 28, 200x

SECTION I
Report on Internal Controls

Sam Pole Company maintains systems of internal accounting controls and procedures designed to provide reasonable assurance that all transactions are properly recorded in the books and records, that prescribed policies and procedures are adhered to, and that the corporation's assets are protected from unauthorized use. Based on continuing reviews of internal controls at company locations, nothing has come to our attention since our prior report that would indicate that the existing systems of internal controls are not effective. We have received full cooperation from all levels of management and have been permitted access to all requested company records and documents.

Summary of Items of Significance

Although we have made recommendations to management to improve internal controls, nothing of a significant nature was disclosed that would require action by the Audit Committee. However, as commented on in our December report, the company must be continually alert, so that the changing conditions in Sam Pole Company's operations—primarily reductions in the number of salaried employees—are not accompanied by a weakening of existing internal controls, more specifically, the segregation of duties. We plan to continually focus on such areas of potential weaknesses and report situations where we believe action is required.

SECTION II
Summary of Corporate Audit Department Reports

The following audit reports, issued since the December 5, 200x, Audit Committee meeting, are enclosed for your review:
• Corporate Data Center
• Sam Pole Antenna Company
• Payroll System
• Products Company
• Sales Company—Trading and Logistics

Recommendations relate to internal controls that can be improved. Our comments and recommendations have involved matters significant to the organizational units audited. Based on our evaluation of auditee responses, we believe that our recommendations have been or are being given considerable management attention and action. In the event of significant findings, we would promptly advise the Committee and issue a preliminary report.

SECTION III
Audits and Related Activities

Audit Activities

Audits pertinent to annual corporate financial statement reporting centered primarily on completing interim and year-end audits under the rotation plan with our external auditors. We also continued our reviews of automated systems, including customer accounts receivable, salaried payroll, and accounts payable. Briefly, based upon the company's new operating structure, we are planning special audit training in the following areas . . .

Disposition Audits

As previously reported, we have been significantly involved in disposition audits of the various units. Most recently, we assisted in the development of data that allowed for timely . . .

Supplies Inventories

At the December meeting of the Audit Committee, we reported on our management-requested special review of supplies inventories. Since our last report, no material exceptions were noted.

Administrative and Other Matters

Professional Staff

The current field staff totals 20: six in New York and fourteen in Denver (as compared to 19 in 200x), meeting our authorized complement. High turnover has continued in Denver, however, due to the company's situation and increased salaries available in an area with a high employment rate. Two individuals transferred from the audit staff—one to the Controller's staff and the other to MIS. We are pleased to report that we have promoted Mr. Sharp to manager in New York and Jane Pink to supervising senior in Detroit. Future recruiting, unless otherwise required, will be at the entry level. Our current three-year plan indicates a need for approximately 21 auditors. We will adjust this plan and reevaluate staffing requirements after developing the rotation program with the public accountants.

Steering Committee

The Director of Auditing, while not a member, attends by invitation the Information Resource Steering Committee meetings. This involvement provides input to the Committee and, as a result of attending these meetings, knowledge of company plans to the Director.

Quality Assurance Program

A responsibility of the Director, as described in the department's charter, is that audit work conform to the Standards for the Professional Practice of Internal Auditing. The Standards call for an independent external review at least once every three years, to appraise the quality of the department's operations. We have been planning this independent review of our total department performance for several years. Initially, we had each audit group perform a high-level quality assurance review. In 200x, we had a more in-depth review in New York and Detroit with a good appraisal (on a test basis) of the adequacy of each other's performance. Accordingly, we have tentatively agreed to reciprocal department reviews with IPL Corporation in 200x and 200x, with a review of our department planned for June 200x. Preliminary discussions will be held in late February. We are now looking forward to this independent peer review to see how we can improve our operations.

Professional Certification

We have developed a professional certification policy for the internal audit department. We are strongly encouraging certification (CPA, CIA, CISA, CMA, etc.) within the first five years or before promotion to senior. We are providing partial company assistance to provide further incentive and yet ensure the individual's own sincere interest. A copy of the policy for your review is enclosed in Appendix XX. (Not shown here—see "Policies" section of the manual.)


Part IV: Long-Term Effectiveness

Chapter List
Chapter 9: Managing the Effectiveness of the Audit Department


Chapter 9: Managing the Effectiveness of the Audit Department

Overview

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
TITLE: Introduction  NO: 9.1  REV NO:  DATE:  PAGES:

9.1 Introduction

The internal audit (IA) function should be more than activities as prescribed by management and professional organizations. By choice, the IA department can be a "world-class" entity—achieving excellence and maintaining it. But that will only happen with a great deal of commitment and effort. There are a number of methods, techniques, programs, and tools available to assist IA in attaining the highest level of excellence possible. In order to achieve the status of a world-class entity, and to be as effective as possible, IA will need to address issues such as corporate governance, quality assurance, continuous improvement systems, and marketing the IA function.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
TITLE: Corporate Governance  NO: 9.2  REV NO:  DATE:  PAGES:

9.2 Corporate Governance [1]

Recent financial failures such as Enron, WorldCom, and Adelphia remind managers, auditors, board members, and other stakeholders of the risks that exist even for those businesses that seem to be immune to fraud. For example, Enron had an audit committee made up of distinguished members with financial accounting pedigrees. Earlier in 2001, Enron had a $10 billion book value and a $60 billion market value. Their latest audited financial reports showed $1 billion in profits. Yet this large firm went bankrupt after booking a $600 million entry to revise its earnings in late 2001, followed by a loss of confidence in credit markets. Enron proved that large companies with billions of dollars in assets can go bankrupt under the noses of well-intended board members—and despite the fact an internal audit function is present. (Note: At one time, Enron outsourced its IA to its external auditor—Arthur Andersen.)

These events also show the need for effective corporate governance. In 2002, the U.S. Congress passed the Sarbanes-Oxley Act as a result of these and other financial failures. In general, the law supports efforts to make corporate governance more effective: at least one member of the audit committee is required to be an expert in financial accounting, members are required to be independent, and the committee is required to perform certain interactive activities and processes associated with audits—such as being responsible for hiring external auditors and maintaining regular communications with the IA function. (See also Sections 1.6(e) and 3.4(e) for more on the Sarbanes-Oxley Act.)

Effective corporate governance is a synergy between internal auditors, senior management, the board of directors, and external auditors. In the United States, governance policies and practices vary considerably from state to state, and from company to company. Codes of governance in the United Kingdom, Canada, South Africa, and other countries already require disclosure of conformity to certain recommended governance practices. The National Association of Corporate Directors has recommended that the SEC require public companies to disclose the extent to which they meet endorsed standards developed by the listing exchanges. The importance of corporate governance is illustrated by a McKinsey report that stated that investors are willing to pay a premium on shares of companies that had a corporate governance framework in place: 12 to 14% in North America and Western Europe, 20 to 25% in Asia and Latin America, and 30% in Eastern Europe and Africa. [2]

The IIA believes that good corporate governance principles could prevent some of the frauds that have been investigated by the Securities and Exchange Commission (SEC). In addition, the IIA recommends:

• Internal Controls. The board of directors of all publicly traded companies should be required to publicly disclose an assessment of the effectiveness of internal controls within their organizations. Such disclosures should address internal controls broadly, rather than being limited to accounting controls over the recording and reporting of financial information. This recommendation includes the suggested usage of the Committee of Sponsoring Organizations (COSO) model described in Chapter 3.
• Internal Audit Function. All public companies should maintain an effective, full-time internal audit function that reports directly to the audit committee.

One emerging model has been proposed by the Corporate Governance Center at Kennesaw State University in Kennesaw, Georgia [3]; it has been endorsed by the IIA. Their model of principles includes:

1. Interaction. Sound governance requires effective interaction among the board, management, the external auditor, and the internal auditor.
2. Board Purpose. The board of directors should understand that its purpose is to protect the interests of the corporation's stockholders while considering the interests of other stakeholders (e.g., creditors, employees, etc.).
3. Board Responsibilities. The board's major areas of responsibility should be monitoring the chief executive officer (CEO), overseeing the corporation's strategy, and monitoring risks and the corporation's control system. Directors should employ healthy skepticism in meeting these responsibilities.
4. Independence. The major stock exchanges should define an "independent" director as one who has no professional or personal ties (either current or former) to the corporation or its management other than service as a director. The vast majority of the directors should be independent in both fact and appearance so as to promote arms-length oversight.
5. Expertise. The directors should possess relevant industry, company, functional area, and governance expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should receive detailed orientation and continuing education to assure they achieve and maintain the necessary level of expertise.
6. Meetings and Information. The board should meet frequently for extended periods of time and should have access to the information and personnel it needs to perform its duties.
7. Leadership. The roles of board chair and CEO should be separate.
8. Disclosure. Proxy statements and other board communications should reflect board activities and transactions (e.g., insider trades) in a transparent and timely manner.
9. Committees. The nominating, compensation, and audit committees of the board should be composed only of independent directors.
10. Internal Audit.

• Internal Audit Independence. In establishing and providing oversight for an internal audit function, audit committees should ensure that the function is structured in a manner that achieves organizational independence and permits full and unrestricted access to top management, the audit committee, and the board.

• Internal Audit Professionalism. In establishing and providing oversight for the internal auditing function, audit committees should charge chief audit executives (CAE) with the responsibility of ensuring that internal audit work is performed in accordance with the IIA's Standards. Internal auditors, and especially CAEs, should demonstrate their professional competency by attaining appropriate professional certification.

The absence of an active audit committee leaves a gap in the enterprise internal control environment. Consideration of the work of internal auditors is essential for the audit committee to gain a complete understanding of an organization's operations. Insight into the audit committee element of corporate governance can be drawn from a study by COSO. In 1999, COSO issued a study on the SEC enforcement activities from 1987 to 1997. The study analyzed 200 randomly selected cases of alleged financial fraud investigated by the SEC during the decade, which is about two-thirds of all the SEC probes into fraud during the time period. The results of the study provide valuable information for any organization in protecting against fraud, but prove especially valuable in developing audit committees. The "COSO Landmark Study on Fraud in Financial Reporting" points to several common factors about the companies in the study (see Exhibit 9.1).

First, most fraud in financial reporting among public companies was committed by smaller corporations—well below $100 million in assets. Most were not listed on the New York or American Stock Exchanges. Second, the riskiest group of perpetrators was executive managers—83% of the cases appeared to involve either the CEO or chief financial officer (CFO), and the CEO appeared to be involved in the financial frauds in 72% of the cases. This statistic is particularly chilling because of the role executives play in the business, of their ability to override internal controls, and of the difficulty in recognizing the involvement of executives in financial frauds. Third, the boards of directors of the companies investigated were dominated by insiders and directors with significant equity ownership. They also had little apparent experience in serving on the boards of other companies. Last, most audit committees of the firms investigated met only about once a year, or the company had no audit committee at all.

Exhibit 9.1: Commonalities of Fraud Entities from COSO Study
Smaller firms vs. larger firms were investigated
Lack of experience in board members
Lack of independence of audit committee/board members
Absence of audit committee or infrequent audit committee meetings
Likelihood of involvement of executive managers in financial fraud
Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you cannot depend on your external auditors to detect fraud based on their size)
Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies involved; the average misstatement or misappropriation was $25 million

One way to provide a control against management fraud is to have an effective, strong, aggressive audit committee that is willing to challenge management, and an audit committee vigilant in looking for signs indicative of ongoing fraud in management. IA is an integral part of effective corporate governance. From this data, a model for audit committees can be developed (see Exhibit 9.2). This model of attributes was developed based on existing standards and the COSO fraud report. The model attributes include independence, competence, organizational structure, leadership, and a proactive approach. These points are made to assist IA in providing input into audit committee members, organizational structure, and other responsibilities it has related to both corporate governance and quality.

Exhibit 9.2: Model of Attributes for Effective Audit Committee [4]
Independence (outside directors)
Competence (knowledge and understanding of accounting, auditing, operations, SEC rules, internal controls, and so on)
Organizational Structure (reporting channels direct from internal audit function, external auditors, whistle blowers)
Leadership (active, critical thinkers, decisive chair)
Proactive Approach

[1] Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a position paper presented to U.S. Congress, April 8, 2002. It is available online at www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.
[2] Global Investor Opinion Survey: Key Findings, McKinsey, 2002. Available online at www.mckinsey.com/practices/corporategovernance/PDF/GloballnvestorOpinionSurvey2002.pdf.
[3] Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for Corporate Governance at www.be.udel.edu/ccg/staff.htm.
[4] From "Effective Audit Committees for Cooperatives: Part I — What, Why and How," T. Singleton, The Cooperative Accountant, Summer 2002, pp. 22–30.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.3    REV NO:    DATE:    PAGES:
TITLE: Quality Assurance

9.3 Quality Assurance

Quality assurance provides a similar service to IA that IA provides to management. It is an independent review of the quality of its service, much like a review of quality of earnings. IIA Attribute Standard No. 1300 requires directors to develop and maintain a QA program.

a. Objective
The objective of the quality control program is to ensure that all assignments are completed in accordance with the department, IIA, and Information Systems Audit and Control Association (ISACA) standards where applicable.

b. Responsibility
It is the responsibility of the Director of Auditing to have quality audits completed on all assignments and to maintain a quality control program to evaluate the operations of the department. The Director of Auditing will appoint a Quality Assurance Coordinator, who will be responsible for the quality control program, and for keeping the Director of Auditing informed of all results.

c. Method
The program is in four parts:
1. Summarized review of all assignments by unassigned auditors
2. Detailed review of selected assignments
3. Annual self-assessment of department-wide standards, policies, and procedures
4. Tri-annual external review

i. Summarized Review of All Assignments by Unassigned Auditors
• Objective. The objective is to ensure that all assignments meet minimum standards for planning, supervision, and documentation. The manager on the engagement is responsible for ensuring:
♦ The work was properly planned.
♦ The work was properly supervised.
♦ The workpapers are complete.
♦ The workpapers were properly reviewed.
• Responsibility. It is the responsibility of the Quality Assurance Coordinator to have all assignments reviewed for meeting of minimum department standards. The Coordinator is also responsible for communicating the deficiencies noted to the Audit Manager and to follow up on correcting the deficiency.
• Method. Unassigned auditors will be required to review assignments on which they did not work. The review will be completed by answering the questions in the quality control checklist (see Exhibit 9.3 for checklist). All "no" and "N/A" answers must be fully explained. The completed checklist, together with the workpapers, are then forwarded to the Quality Assurance Coordinator for follow-up.

Exhibit 9.3: Quality Assurance Checklist

I. GENERAL
A. Is the General section complete?
B. Are the workpapers in a binder and ready for filing?
C. Are all review notes and pending matters complete and removed from the binder?
D. Are workpapers properly ordered? Do they contain indexes and lead sheets where appropriate?
E. Is the engagement checklist complete?

F. Have all employee evaluation forms been completed?
G. Was timely notice given to auditee?
H. Has the auditee response been:
  1. Received?
  2. Reviewed: By Manager? By In-Charge?

II. REPORTING AND CONTROL SECTION
A. Audit Report
  1. Is a final copy included in the workpapers?
  2. Is the report in standard format? The following should be included:
    a. Introduction
    b. Profile and/or financial highlights
    c. Scope of audit
    d. Conclusion
    e. Summary
    f. Other comments
    g. Detailed recommendations
  3. Do the detailed recommendations contain the following five attributes?
    a. Statement of condition
    b. Criteria
    c. Cause
    d. Effect
    e. Statement of action
  4. Was the report issued timely? If not, is the reason explained on the report distribution worksheet?
B. Is a copy of the year-end financials, or other meaningful reports, included?
C. Summary Memorandum
  1. Does it contain the following:
    a. Audit objectives
    b. Audit results
    c. Auditee background information
    d. Budgeted hours to actual hours analysis, and explanations of significant variations
    e. Comments for subsequent audits, if applicable
D. Manager Comments — Are all significant accounting and auditing problems fully documented?
E. Working Trial Balance (for year-end financial audits) — Is a working trial balance complete and cross-referenced to the supporting workpapers?
F. Audit Planning Memorandum
  1. Is it completed?
  2. Was it prepared by senior or other appropriate individual?
  3. Was it completed prior to the audit field work?

  4. Does it contain the following:
    a. Audit objectives
    b. Background information
    c. Financial highlights
    d. Description of significant audit procedures
    e. Budgeted audit hours
    f. Timing of audit
    g. Auditors assigned
G. Audit Programs
  1. Are they complete?
  2. Are they approved by manager and senior?
  3. Are changes approved by manager and senior?
H. Fluctuation Analysis — Has it been completed and are all significant fluctuations explained?
I. Time Budget
  1. Is it completed?
  2. Does it agree to hours reported per semimonthly Corporate Audit progress reports?
J. Audit Recommendation Summary/Interim Recommendation Worksheet
  1. Is it complete?
  2. Are comments appropriately cross-referenced to detailed workpapers?
  3. Are all recommendations not included in the detailed Report of Recommendations and Comments explained?
K. Were prior audit reports included? Did the auditee implement the items noted? Have the comments been repeated in the current year's report?
L. Is the notice to auditee and other appropriate correspondence included in the binder?
M. Are the significant comments included in the summary memorandum?
N. Is the closing conference documented?

III. AUDIT WORKPAPERS
A. Noted for Future Audits
  1. Has consideration been given to developing CAAPs?
  2. Approved by manager and Director of Auditing?
B. Have they been properly reviewed, as evidenced by:
  1. All workpapers referenced?
  2. All workpapers signed off?
  3. Do all workpapers contain headings?
  4. Do workpapers contain evidence of review?
  5. Have internal controls been considered and, if appropriate, tested?
  6. Are conclusions on major accounts or areas stated and properly supported?

  7. Were all material adjustments approved by the senior and manager?
  8. Do the workpapers include a final report copy?

The Quality Assurance Coordinator will review all deficiencies noted with the senior and the manager of the assignment. All "no" answers will be reviewed with the manager and the senior in-charge. The manager is responsible to see that the deficiencies are corrected. Once all deficiencies are corrected, the Quality Assurance Coordinator will sign off on the engagement checklist.

ii. Detailed Review of Selected Assignments
• Objective. The objective of this phase of the quality control program is to see that Corporate Audit workpapers:
♦ Support the conclusions reached
♦ Are efficient
♦ Are appropriate in the circumstances
♦ Comply with department and professional standards
• Responsibility. The selection of assignments to be reviewed will be made by the Quality Assurance Coordinator (see Exhibit 9.4 for criteria).
• Method. The Coordinator will assign the detail review of workpapers to two seniors, preferably from two different locations or groups. Workpapers will be reviewed in detail using a published checklist (if appropriate), supplemented by the Quality Assurance Coordinator's judgment. All noted items, or the fact that there are no items, will be reported to the Quality Assurance Coordinator in selected assignment review memoranda. The Quality Assurance Coordinator will summarize all items noted in these reviews and prepare the selected assignments review memo to the Director of Auditing.

Exhibit 9.4: Selection of Assignments for Detailed Review
1. Audits and special projects would be selected to meet the following criteria:
◊ Minimum 10% of all assignments
◊ Minimum 10% of audit hours incurred during the year
◊ At least one assignment for each senior or supervising senior
◊ At least one of all types of audits:
⋅ Financial
⋅ Systems review
⋅ Special projects
⋅ Data center audits
2. Assignments will be selected at random, to meet all of the above criteria.

iii. Annual Self-Assessment of Department-Wide Standards, Policies, and Procedures
• Objective. The objective of this review is to ensure that the department is in compliance with department, corporate, and professional standards (e.g., IIA, ISACA).
• Responsibility. The Quality Assurance Coordinator is responsible for completion of this review.
• Method. The Quality Assurance Coordinator will compare the actual operating procedures of the department with the Standards of Professional Practice of Internal Audit, ISACA Standards, and other corporate and department standards as appropriate. This process will be accomplished through

review of documentation, interviews, and actual experience. Upon completion, the Quality Assurance Coordinator will prepare the annual report to the Director of Auditing.

iv. Tri-Annual External Review
• Objective. The objectives of this review are to:
♦ Obtain an outside view of the department's performance versus professional and internal standards
♦ Obtain suggestions for improving operating efficiencies
• Responsibility. It will be the responsibility of the Director of Auditing, upon the recommendation of the Quality Assurance Coordinator, to have a tri-annual review performed.
• Method. The method of review—public accounting, other internal auditors, or an IIA team—will be decided upon a complete review of the alternatives. Items that must be considered are:
♦ Cost
♦ Confidentiality of records
♦ Expertise in performing reviews
♦ Knowledge of business and operating environment

d. Reports
There are several key reports. They include:
• Annual Report to the Audit Committee of the Board of Directors
• Annual Report to the Director of Auditing
• Selected Assignments Review

i. Annual Report to the Audit Committee of the Board of Directors
This report is a summarized one, prepared by the Director of Auditing, sent to the Audit Committee, reporting on the quality control program and the results of the annual self-assessment.

ii. Annual Report to the Director of Auditing
This report is a summarized one of the quality control program for the year that includes results of the annual self-assessment, summary of deficiencies noted, and suggestions for improvement.

iii. Selected Assignments Review
This report is a summary memorandum and detailed checklist, prepared for each assignment selected in the annual review process discussed below, enumerating the deficiencies and findings from the detailed review of selected audits. This memo is first reviewed with the assignment manager and in-charge accountant before being given to the Quality Assurance Coordinator.

iv. Summary of Review
The Quality Assurance Coordinator prepares a summary of the detailed deficiencies noted in the ongoing review of all workpapers. This memorandum is sent to the Director of Auditing and is discussed with the entire staff during an annual meeting.

e.

Quality Assurance Checklist
Prepared by unassigned auditors, the checklist will be completed on all assignments after they have been approved for filing by the manager, and the report has been issued (see Exhibit 9.3 for a checklist). Upon completion, the checklist will be forwarded to the Quality Assurance Coordinator who is responsible for follow-up, to ensure the elimination of any deficiency noted.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.4    REV NO:    DATE:    PAGES:
TITLE: Continuous Improvement Systems for Internal Auditors

9.4 Continuous Improvement Systems for Internal Auditors

Continuous quality improvement methodologies can provide the tools to lead IA into becoming, or maintaining, a world-class status. Most of the current continuous improvement programs were designed for manufacturing and then adopted to service organizations. They include: Total Quality Management (TQM), Balanced Scorecard, Value-Based Metrics (VBM), Theory of Constraints, Kaizen, Six Sigma, Baldrige National Quality Program, and the International Organization for Standardization (ISO) 9000 family. Other improvement methodologies that are not necessarily continuous include Activity-Based Costing and Business Process Reengineering (BPR). From these systems, the ones that should be most applicable to the IA department are Balanced Scorecard, VBM, ABC, TQM, ISO 9000, and maybe Baldrige.

a. Balanced Scorecard [5]
The center of the Balanced Scorecard System is the entity's strategy and vision, that would be related to the mission statement discussed in Section 4.1(a)i. The strategic objectives related to audits and services provided by IA are translated into measures that can be used to track how IA's services create value for its customers (see Section 9.5(b) later in this chapter for discussion of IA's "customers"). The Balanced Scorecard System combines both financial and non-financial performance measures. Users of Balanced Scorecard learn to take advantage of non-financial measures successfully: how internal processes can be enhanced, and how the investment in people supports improved future performance. In fact, users of Balanced Scorecard only have about 20% of their measures as financial. Every measure in the Balanced Scorecard System should be part of a causal link that ends in financial measures. Measures are made from four perspectives (presented as originally developed for businesses in general — see Exhibit 9.5):

• Customers. Focuses on the external environment to understand, discover, and emphasize customer needs. Common measures include customer satisfaction, customer loyalty, and customer retention.
• Internal Business Processes. Focuses internally along a value chain comprising innovation, operations, and post-delivery service processes. Common measures include research and development expenditures, sales from new products, cycle time, productivity, and throughput efficiency.
• Learning and Growth. Provides the foundation, or infrastructure, needed to meet the objectives from the other two operational perspectives. Common measures include employee satisfaction, dollars spent on training, and voluntary turnover.
• Financial. Focuses on shareholders. Common measures include economic value-added (EVA®), return on investment, and net income.

Exhibit 9.5: Balanced Scorecard System Model

Some of the above measures and concepts do not apply to IA, or do not directly apply, however. The Internal Audit department would obviously use what can apply and ignore the rest. The documents and processes recommended throughout the manual provide source documents to assist in these measures, recognizing that an appropriate Balanced Scorecard System would likely include other documents and measures.

For customers, the customer satisfaction component is important and can be measured by a survey instrument. Customer loyalty and retention, however, do not easily apply (i.e., a captive audience exists).

In the area of internal business processes, innovation could be things such as new computer-aided audit tools and techniques (CAATTs) applied to audits, and even the Balanced Scorecard System itself being applied to IA. Post-delivery services could include gathering empirical data on the effectiveness of audit recommendations from audits (i.e., were they implemented, what improvements were realized, etc.), or follow-up procedures to audit recommendations. Applicable measures include productivity, cycle time, and efficiency. Comparing budgeted hours for audit projects versus actual time is a good measure for efficiency (see Exhibit 6.2 and Section 6.5).

For Learning and Growth, employee satisfaction within the department can easily be measured, if it can be done anonymously. Training can be measured by PD/CPE hours and the annual staff conference (see Section 5.1(a), "Three-Year Operating Plan"). Voluntary turnover can be measured from the Human Resource Summary recommended in Section 9.5(d) (see Exhibit 9.6).

Exhibit 9.6: Summary of Personal Activities

Financial could be measured by using IA as a profit center, or even a cost center with budget variances. Shareholders could be extended to stakeholders as a more effective scope. That focus is more aligned to the responsibilities of the IA function. Stakeholders would include: executive management (CEO, CFO, etc.), the Board of Directors in general, the Audit Committee, and shareholders or the public. Altogether, the Balanced Scorecard System provides an excellent model for IA to use in pursuing world-class quality in its processes, duties, and services. Balanced Scorecard can be adopted, fairly easily, by the IA department.

b. Value-Based Metrics
A system similar to Balanced Scorecard is Value-Based Metrics (VBM). Like Balanced Scorecard, the VBM approach ties measures into strategic objectives. In the VBM system, VBM and targets are set that are aligned (linked) to business strategies. The true drivers of VBM are often non-financial. The following is a sample of possible non-financial measures in VBM: innovation, customer satisfaction and retention, employee skills and training, growth, resource allocation, operating efficiency, operating effectiveness, investor relations, on-time delivery of services, value chain, and other areas. VBM are particularly useful as the basis for incentive compensation.

c. Activity-Based Costing
Activity-based costing (ABC) is a cost accounting theory used to allocate overhead costs to products based on the cost of the activities that are required to produce the product or deliver the service. An ABC system usually involves two stages. In the first stage, costs are allocated to activity pools according to the type of activity carried out in each pool. For example, a pool for training would include costs associated with the Annual Staff Conference, Continuing Professional Education/Professional Development (CPE/PD)

seminars attended by staff, and other training costs. In the second stage, costs are allocated from the activity pools to a cost object, such as a good or service (e.g., an audit project). The allocation bases are cost drivers, the activities that "drive" the costs. While ABC is not a continuous improvement program, it can help to control departmental overhead on a continual basis and keep it current. Appropriate application of ABC for service entities can be effective if the entity focuses on core activities and reducing non-core activities. For IA, the core activity would be audits.

d. Total Quality Management
Total Quality Management (TQM) is another strategic approach to business improvement. Its unique feature is the emphasis of quality from the customer's viewpoint, rather than the producer's. Quality is, therefore, defined by customers, that is, the product or service must meet or exceed the requirements or expectations of customers for that product or service. These expectations may involve attributes such as performance, reliability, durability, aesthetics, timeliness of delivery, after-sale service, flexibility, responsiveness, and product or service features. Entities that use TQM need to commit to [6]:
• Even better, less-variable quality of the product or service
• Even quicker, less-variable response — from design and development through supplier and sales channels, offices, and plants all the way to the final user
• Even greater flexibility in adjusting to customers' shifting volume and mix requirement
• Even lower cost through quality improvement, rework reduction, and non-value adding waste elimination
TQM may use a variety of tools and techniques to seek continuous improvement of quality. Total Quality Management (TQM) is an applicable continuous improvement approach, which, applied appropriately, should be effective in achieving and maintaining high quality, productivity, and customer responsiveness.

e. ISO 9000 Family [7]
The International Organization for Standardization (ISO) is another continuous improvement system. ISO has been developing voluntary technical standards over almost all sectors of business, industry and technology since 1947. However, before ISO 9000 and ISO 14000, ISO standards were principally of concern to engineers and other technical specialists concerned by the precise scope addressed in the standard. Then, in 1987, came ISO 9000, followed nearly 10 years later by ISO 14000, which have brought ISO to the attention of a much wider business community. Both families consist of standards and guidelines relating to management systems, and supporting standards on terminology and specific tools, such as auditing (the process of checking that the management system conforms to the standard). Both ISO 9000 and ISO 14000 are known as generic management system standards. Generic means that the same standards can be applied to any organization, large or small, whatever its product — even if the "product" is actually a service — in any sector of activity, and whether it is a business enterprise, a public administration, or a government department. Management system refers to what the organization does to manage its processes, or activities. In a very small organization, there is probably no "system," as such, just "our way of doing things," and "our way" is probably not written down, but all in the manager's or owner's head. The larger the organization, and the more people involved, the more the likelihood that there are some written procedures, instructions, forms or records. These help ensure that everyone is not just "doing his or her thing," and that there is a minimum of order in the way the organization goes about its business. This ensures that nothing important is left out and that everyone is clear about who is responsible for doing what, when, how, why and where. To be really efficient and effective, the organization can manage its way of doing things by systemizing it, so that time, money and other resources are utilized efficiently. Management system standards provide the organization with a model to follow in setting up and operating the management system. This model incorporates the features that experts in the field have agreed upon as representing the state of the art. A management system that follows the model — or "conforms to the

The award is named for Malcolm Baldrige. or some other continuous improvement system. Human resource focus 6. energy and money to meet the ISO criteria. Leadership 2. Customer and market focus 4.5 REV NO: DATE: TITLE: Marketing the Audit Function PAGES: Chapter 9: Managing the Effectiveness of the Audit Department 14 . The Baldrige National Quality Program (BNQP) is supervised by the National Institute of Standards and Technology. f. Principal support for the program comes from the Foundation for the Malcolm Baldrige National Quality Award. Both families consist of standards and guidelines relating to management systems. The award program.. Information and analysis 5. the principles could be followed without officially applying for the Baldrige Award with successful results. who served as secretary of commerce from 1981 until his tragic death in a rodeo accident in 1987. It is recommended that IA and the Director of Audit in conjunction with corporate management consider using one of these programs. Such companies use the Baldrige criteria to assess their management systems and improve performance in their most vital areas. such as auditing (the process of checking that the management system conforms to the standard). While the IA department will probably not seek the certificate unless the entire organization does. His managerial excellence contributed to long-term improvement in efficiency and effectiveness of government. established in 1988. it obtains an ISO 9000 certificate. "Quality management" means what the organization does to ensure that its products conform to the customer's requirements. and supporting standards on terminology and specific tools. continually improved since 1988. 1987. The Award criteria.14 Chapter 9: Managing the Effectiveness of the Audit Department standard"—is built on a firm foundation of state-of-the-art practices. responsive to the purposes of Public Law 100–107. 
in addition to the quality assurance program in order to establish and maintain a world-class audit function. led to the creation of a new public-private partnership. If a business or organization has invested time. the principles of ISO 9000 can guide IA into becoming a world-class IA function. ISO 9000 is primarily concerned with "quality management. Conclusions An overlap in criteria between these programs is clearly evident (e. signed into law on August 20. Applicants must meet stringent self-assessment criteria before being selected for the Baldrige Award. Although BNQP applies only to organizations as a whole. Strategic planning 3. Both ISO 9000 and ISO 14000 are actually families of standards. g. and it makes awards each year. SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 9. customer focus). Business results The criteria are built on a set of core values and concepts that are embedded behaviors in well-managed companies. include seven categories: 1. Process management 7.g." The standardized definition of "quality" in ISO 9000 refers to all those features of a product (or service) that are required by the customer. Baldrige National Quality Program/Baldrige Award [8] The Malcolm Baldrige National Quality Award was created by Public Law 100–107.

9.5 Marketing the Audit Function

A series of books was published in the 1980s that examined what made successful companies so. Strengths included an obsession with quality, sound long-range planning, building a family or families out of employee groups, and closeness to the customer. The need to be close to the customer and driven to satisfying the customer are basic principles learned in business school — but sometimes businesses or operations, such as audit functions, lose this focus. Should an audit department get close to customers? Should IA have marketing functions? Do auditors produce products? Within the limits of independence and objective review of operations and financial position, the answers are yes. The objective of this section is to remind auditors to think about who their customers are, and to attempt to improve the delivery of the products by using some basic marketing concepts.

a. What Is Marketing?

A conventional definition of marketing includes all the steps to place a product in the hands of a consumer. Marketing involves studying the customers' wants and satisfaction with the product, what products are produced, and the price value of products and services. Audit departments need to be addressing all of these areas of their operations. Marketing should be involved when the product is being developed to consider whom the different customers are and how the product should be delivered to each. Who are your customers as the IA department? There are many types, and they may want different products.

For instance, the audit department produces audit reports. Who reads the audit reports? The answer may include divisional financial managers and controllers, divisional operations managers, corporate financial managers and the CFO, corporate managers and the CEO, the audit committee, and the independent auditors. These are all customers, and they may not all want the same products. Does the corporate CEO want the same level of detail as the divisional controller? There is a very good chance the CEO does not.

The audit report is discussed in Section 8.1 and includes a two-level reporting process that allows for some product differentiation and divides the product logically to allow for different combinations for different customers. The audit report product has been designed, as discussed in Section 8.1, to allow for a summary audit report and a detailed audit report. To respect the time commitments of the CEO-type customer, the summary report is limited to two pages. The reader of the summary report is always offered the full detailed report on request. To help differentiate this important report from others arriving on the customer's desk, a color banner is suggested to highlight the product.

b. Understanding the Customers

Marketing requires understanding the needs of customers and assessing their understanding of the product and their satisfaction with the product. Marketing and successful acceptance of products can be enhanced by studying and understanding customers' profiles, including age, background, time commitments, priorities, and need for information. For example, most financial managers have a financial background that enables them to understand more fully financial audit reports. Operations managers may not understand as fully the implications of the audit findings. Therefore, these are different customers with different information needs, which should be considered as the product (report) is developed. Consider adding a separate background report or glossary when applicable.

For example, corporate financial managers may not have the same time available for every division and may only want summary information on non-problem audit reports. To respect the time availability of customers and the need to commit the audit department to clear reporting of results, an opinion paragraph is included in the summary audit report. Some audit departments include a quantified score or grade for each audit. The preparation of all reports should include the study and evaluation of the intended customer and how the product could be developed and delivered in a better, more comprehensive, and more highly productive way. As discussed above, by considering the customer, the audit department adds value to its product by constructing products that customers (users) want and with which they will be satisfied.

c. Getting the Audit Message Out

In addition to audit reports, the Audit Department produces many products including written reports such as: reports to the Audit Committee, reports to management, and budget reports. Audit Department brochures are marketing tools that can help the department improve the understanding of the IA function and improve its image. The department brochure could include a message from the CEO and the Chief Auditor, and sections on Audit Department objectives and services, staff qualifications and organization, the role of the Audit Committee, management's requests, who to contact, what to do if a fraud is suspected, and other important information. This brochure is a form of advertising, the objective of which is to show the product or service in a positive way while still respecting the professional image. The brochure becomes a recruitment tool as well as an orientation tool for new Audit Committee members and corporate and other senior management.

Issuing control-related brochures to improve the organization's system of internal control can add value and reduce the negative reporting image of internal audit. For example, a brochure on basic personal computer controls (backups, password security, etc.) can improve individual employees' control awareness and improve the overall system of internal control. (See Chapter 3 for more details on internal controls that might be useful in developing such a brochure.) This approach markets the Audit Department in a positive way.

Audit staff should be encouraged to be professionally active to develop professionally, to gain solid knowledge of emerging developments and solutions, and to promote the audit department. High visibility in the audit profession will also enhance the Audit Department image. Reports on professional activities should be included in reports to management and reports to the Audit Committee.

d. Human Resources

As discussed in more detail in Chapter 5, audit departments are developers of people. The department can be used as a training ground for financial and operational managers. If this approach is taken, human resource development becomes a significant Audit Department product. To manage this program, a summary should be kept of all audit personnel hired each year with information on promotions, transfers, and separations. From this summary (see Exhibit 9.6), statistics can be developed on number of personnel transferred and promoted.

Using the Audit Department as a training ground also helps address the issues of career-path opportunities for the Audit Department. Planned turnover will result. It produces a tangible additional and positive audit product for the organization. Of course, it requires more work on the part of audit management, and staff scheduling becomes more complex. If the Audit Department is going to be used as a training ground, a formal Management Development Training Program should be developed outlining the plan's objectives and guidelines.

e. Summary

Marketing considerations are important elements in every business operation, including the audit function. Constantly be on the look-out for opportunities to market the audit function and produce positive deliverables and new products and services.

Endnotes

1. Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a position paper presented to U.S. Congress, April 8, 2002. It is available online at www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.
2. 21st Century Governance and Financial Reporting Principles for U.S. Public Companies, Corporate Governance Center, Kennesaw State University, 2002.
3. The University of Delaware also sponsors a Center for Corporate Governance at www.udel.edu/ccg/staff.htm.
4. McKinsey, Global Investor Opinion Survey: Key Findings, 2002. Available online at www.mckinsey.com/practices/corporategovernance/PDF/GloballnvestorOpinionSurvey2002.pdf.
5. For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P. Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.
6. According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important Aspects by C. Carl Pegels, from Boyd & Fraser Publishing Co., 1995.
7. Much of this section was taken from the ISO web site at www.iso.org.
8. For more information on Baldrige, see www.quality.nist.gov/.
