Table of Contents
Managing the Audit FunctionA Corporate Audit Department Procedures Guide, Third Edition........1 Foreword..............................................................................................................................................................1 Preface..................................................................................................................................................................1 Standing at the Rubicon! .........................................................................................................................1 Part I: Fundamentals of the Internal Auditing Function ................................................................................1 Chapter List.............................................................................................................................................1 . ..........................................................................................................................................................1 Chapter 1: Background......................................................................................................................................1 1.1 Introduction.......................................................................................................................................1 1.2 History of Auditing [1]......................................................................................................................1 1.3 History of Internal Auditing ...............................................................................................................4 1.4 Auditing Government Agencies........................................................................................................8 1.5 History of Information Systems Auditing.........................................................................................8 a. 
Birth of Information Systems Auditing........................................................................................9 b. Commercialization of Computers................................................................................................9 c. AUDITAPE: Breakthrough for Information Systems Auditors.................................................10 d. Equity Funding Scandal: Abuse of Information Technology....................................................11 e. Systems, Auditability, and Control Research StudyInstitute of Internal Auditors .................12 f. Electronic Data Processing Auditors Association......................................................................13 g. Emerging Technologies ..............................................................................................................14 1.6 History of Federal Regulations Related to Auditing ........................................................................19 a. Income Tax Law (Sixteenth Amendment): 1913.......................................................................19 b. Securities and Exchange Commission Acts: 1933, 1934...........................................................20 c. Foreign Corrupt Practices Act: 1977..........................................................................................20 d. Copyright Laws: 1976 et al........................................................................................................21 e. Sarbanes-Oxley Act: 2002..........................................................................................................21 1.7 Professional Organizations Related to Internal Auditing................................................................21 a. Institute of Internal Auditors......................................................................................................22 b. 
Information Systems Audit and Control Association .................................................................22 c. American Institute of Certified Public Accountants ...................................................................23 d. American Accounting Association .............................................................................................24 e. Financial Executives International.............................................................................................24 f. Association of Government Accountants...................................................................................25 g. Association of Certified Fraud Examiners.................................................................................25 Endnotes .................................................................................................................................................26 Chapter 2: Auditing Standards and Responsibilities......................................................................................1 Overview.................................................................................................................................................1 2.1 Introduction........................................................................................................................................1 2.2 Ethics.................................................................................................................................................1 a. Institute of Internal Auditors (IIA) [2].........................................................................................2 b. Information Systems Audit and Control Association (ISACA) [3].............................................3 2.3 Professional Auditing Standards........................................................................................................4 a. 
Institute of Internal Auditors........................................................................................................4 b. Information Systems Audit and Control Association [5].............................................................6 c. American Institute of Certified Public Accountants .....................................................................8 2.4 Systems Development Life Cycle Standards.....................................................................................9 2.5 Professional Development...............................................................................................................12 i

toc

Table of Contents
Chapter 2: Auditing Standards and Responsibilities 2.6 Responsibilities of a Corporate Auditor..........................................................................................12 a. Nature.........................................................................................................................................13 b. Objective and Scope...................................................................................................................13 c. Responsibility and Authority......................................................................................................13 d. Independence..............................................................................................................................13 e. Regulatory Issues ........................................................................................................................14 Endnotes .................................................................................................................................................15 Chapter 3: Internal Control System.................................................................................................................1 Overview.................................................................................................................................................1 3.1 Definition...........................................................................................................................................1 3.2 Fundamental Assumptions in Establishing an Internal Control System ............................................2 a. Business Reasons for a Strong Internal Control System..............................................................3 b. Legal Reasons for a Strong Internal Control System...................................................................3 c. Basic Assumptions for the Internal Control System....................................................................4 d. 
Evolution of Attacks and Intruders' Technical Knowledge.........................................................4 e. Cost-Benefit Analysis of Controls ................................................................................................5 3.3 Effective Internal Control Models.....................................................................................................5 a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA)..............................................................5 b. The CobiT Model (ISACA).........................................................................................................7 c. The SAC and eSAC Reports (IIA)...............................................................................................8 d. SysTrust (AICPA and CICA).......................................................................................................9 e. Conclusion: Comparing and Contrasting the Models .................................................................13 3.4 Regulations......................................................................................................................................15 a. Securities and Exchange Commission (1933, 1934)..................................................................15 b. Foreign Corrupt Practices Act (1977)........................................................................................16 c. Copyright Laws (1976 et al.)......................................................................................................16 d. Environmental Laws (Various)..................................................................................................16 e. Sarbanes-Oxley Act (2002)........................................................................................................17 3.5 Policies [7].......................................................................................................................................17 a. 
Systems Development Life Cycle Policy...................................................................................18 b. Systems Usage Policy (End Users)............................................................................................19 c. Security Policy ............................................................................................................................19 d. Password Policy.........................................................................................................................19 e. E-Mail Policy ..............................................................................................................................20 f. Business Recovery Policy...........................................................................................................20 g. Privacy Policy .............................................................................................................................21 3.6 Risk Assessment..............................................................................................................................22 a. Risk Assessment: Internal Perspective.......................................................................................23 b. Risk Assessment: External Perspective ......................................................................................24 3.7 Control Strategies............................................................................................................................28 a. Fourfold Perspective of Controls Model....................................................................................28 b. Information Systems and Controls Model.................................................................................30 . c. An Internal Audit Function .........................................................................................................34 d. 
Corporate Governance ................................................................................................................34 e. Logs and Auditability.................................................................................................................38 f. Segregation of Duties..................................................................................................................38 g. Investigation Procedures............................................................................................................38 3.8 Malicious Activities.........................................................................................................................39 a. Crime and Misappropriation of Assets.......................................................................................39 b. Unauthorized Access and Authentication..................................................................................41 ii

toc

Table of Contents
Chapter 3: Internal Control System 3.9 Specific Controls/Caatts..................................................................................................................43 a. Monitoring Systems ....................................................................................................................43 b. Firewalls.....................................................................................................................................43 c. Generalized Audit Software.......................................................................................................43 d. Other Potential Controls/CAATTs.............................................................................................44 References..............................................................................................................................................45 Endnotes .................................................................................................................................................45 Part II: Management and Administration.......................................................................................................1 Chapter List.............................................................................................................................................1 . ..........................................................................................................................................................1 Chapter 4: Department Organization...............................................................................................................1 Overview.................................................................................................................................................1 4.1 Introduction........................................................................................................................................1 a. 
Strategic Objectives......................................................................................................................1 b. Essence of Internal Auditing........................................................................................................2 c. Quality Assurance Reviews of Internal Audit..............................................................................3 d. Outsourcing Internal Audits.........................................................................................................3 e. Control Self-Assessment..............................................................................................................5 f. Integrating the Auditing Process...................................................................................................6 4.2 Corporate Audit Charter....................................................................................................................6 4.3 Company Organization......................................................................................................................8 a. Audit Department Organization...................................................................................................9 b. Job Classifications and Descriptions..........................................................................................10 4.4 Audit Department Policies...............................................................................................................24 a. Confidentiality............................................................................................................................24 b. Orientation (Training)................................................................................................................25 c. Days Off for Extensive Travel Policy........................................................................................26 d. 
Professional Certification Policy................................................................................................26 Endnote..................................................................................................................................................26 Chapter 5: Personnel, Administration, and Recruiting..................................................................................1 Overview.................................................................................................................................................1 5.1 Introduction........................................................................................................................................1 a. Sources of Personnel....................................................................................................................1 b. Recruitment Aids ..........................................................................................................................3 c. Management Development Programs..........................................................................................5 d. Certifications................................................................................................................................6 5.2 Personal Development.......................................................................................................................6 a. Introduction..................................................................................................................................6 b. Objectives.....................................................................................................................................7 c. Coordinator of Education.............................................................................................................7 d. 
Corporate Audit Training Model .................................................................................................7 . e. Core Program ................................................................................................................................8 f. Advanced Program ........................................................................................................................9 g. Record-Keeping ............................................................................................................................9 5.3 Personnel Files.................................................................................................................................11 a. Corporate Audit Department Background Information Form....................................................13 b. Corporate Audit Department Interest Questionnaire ..................................................................13 5.4 Periodic Performance Evaluation Review.......................................................................................13 iii

toc

Table of Contents
Chapter 5: Personnel, Administration, and Recruiting a. Performance Evaluation Review Guidelines for Preparation of Report....................................16 . 5.5 Annual Staff Meeting/Conference...................................................................................................19 a. Group Discussions......................................................................................................................19 5.6 New Staff Orientation......................................................................................................................21 Endnotes .................................................................................................................................................24 Part III: Technical Procedures..........................................................................................................................1 Chapter List.............................................................................................................................................1 . ..........................................................................................................................................................1 Chapter 6: Audit Planning.................................................................................................................................1 Overview.................................................................................................................................................1 6.1 Corporate Audit Planning, Scheduling, and Staffing .........................................................................1 a. Three-Year Operating Plan ...........................................................................................................2 b. Risk Analysis ................................................................................................................................3 c. 
Annual Budget and Plan...............................................................................................................4 d. Six-Month Audit Plan..................................................................................................................5 e. Three-Month Audit Schedule.......................................................................................................5 f. Two-Month Staff Schedule...........................................................................................................5 6.2 Internal Controls................................................................................................................................5 6.3 Materiality..........................................................................................................................................6 6.4 Types of Audits..................................................................................................................................8 a. High-Level Review of Procedures...............................................................................................8 b. Financial Audit.............................................................................................................................8 c. Operational/Managerial Audit......................................................................................................9 d. Compliance Audit......................................................................................................................10 . e. Contract Audit............................................................................................................................10 f. Desk Review...............................................................................................................................11 (g) Follow-Up Audits.....................................................................................................................11 h. 
Information Systems Audits [3].................................................................................................11 i. E-Commerce Audits....................................................................................................................15 j. International Audits.....................................................................................................................15 6.5 Time Reporting................................................................................................................................16 a. Form: Corporate Audit Time Report..........................................................................................16 b. Report for the Period Ending ......................................................................................................16 c. Auditor's Name/Employee Number...........................................................................................16 d. Job Number................................................................................................................................17 e. Audit Codes................................................................................................................................17 f. Task Codes..................................................................................................................................18 g. Hours..........................................................................................................................................18 h. Productive Time.........................................................................................................................18 i. Nonproductive Time...................................................................................................................18 j. 
Summarizing Time......................................................................................................................19 6.6 Expense Reporting...........................................................................................................................19 a. Travel Expenses ..........................................................................................................................20 Endnotes .................................................................................................................................................20 Chapter 7: Audit Performance..........................................................................................................................1 Overview.................................................................................................................................................1 7.1 Corporate Audit Performance Process Matrix...................................................................................1 a. Assignment Log and Checklist.....................................................................................................2 iv

toc

Table of Contents
Chapter 7: Audit Performance b. Description of Notice to Auditee ..................................................................................................3 c. Preliminary Survey.......................................................................................................................4 d. Planning Memo............................................................................................................................7 e. Audit Status Report....................................................................................................................11 f. Developing Audit Recommendations.........................................................................................11 7.2 Workpapers......................................................................................................................................17 a. Control........................................................................................................................................17 b. Retention....................................................................................................................................18 c. Headings.....................................................................................................................................18 d. Permanent Files: Contents and Format......................................................................................19 e. Current Files: Contents and Format...........................................................................................20 . f. General Organization..................................................................................................................20 g. Detailed Workpaper Section Organization .................................................................................20 h. Indexing and Cross Referencing................................................................................................21 i. 
    Referencing .... 23
    j. Standard Tick Marks .... 23
  7.3 Audit Objectives .... 24
    Cash .... 24
  Endnote .... 26
Chapter 8: Audit Reporting .... 1
  Overview .... 1
  8.1 Corporate Audit Report Process .... 1
    a. Draft Reports .... 2
    b. Draft to Auditee .... 3
    c. Inclusion of Auditee Comments .... 4
    d. Issue Final Report to Management .... 7
    e. Open Audit Results and Comments .... 14
  8.2 Report to Management .... 15
  8.3 Report to Audit Committee .... 18
Part IV: Long-Term Effectiveness .... 1
  Chapter List .... 1
Chapter 9: Managing the Effectiveness of the Audit Department .... 1
  Overview .... 1
  9.1 Introduction .... 1
  9.2 Corporate Governance [1] .... 1
  9.3 Quality Assurance .... 4
    a. Objective .... 5
    b. Responsibility .... 5
    c. Method .... 5
    d. Reports .... 9
    e. Summary of Review .... 9
    f. Quality Assurance Checklist .... 10
  9.4 Continuous Improvement Systems for Internal Auditors .... 10
    a. Balanced Scorecard [5] .... 10
    b. Value-Based Metrics .... 12
    c. Activity-Based Costing .... 12
    d. Total Quality Management .... 13

    e. ISO 9000 Family [7] .... 13
    f. Baldrige National Quality Program/Baldrige Award [8] .... 14
    g. Conclusions .... 14
  9.5 Marketing the Audit Function .... 15
    a. What Is Marketing? .... 15
    b. Understanding the Customers .... 16
    c. Getting the Audit Message Out .... 16
    d. Human Resources .... 16
    e. Summary .... 17
  Endnotes .... 17
Index .... 1
  A .... 1
  C .... 1
  E .... 1
  F .... 1
  G .... 1
  I .... 1
  S .... 1
List of Tables .... 1
  Chapter 6: Audit Planning .... 1
  Chapter 7: Audit Performance .... 1
List of Exhibits .... 1
  Chapter 2: Auditing Standards and Responsibilities .... 1
  Chapter 3: Internal Control System .... 1
  Chapter 4: Department Organization .... 1
  Chapter 5: Personnel, Administration, and Recruiting .... 1
  Chapter 6: Audit Planning .... 1
  Chapter 7: Audit Performance .... 2
  Chapter 8: Audit Reporting .... 2


Managing the Audit Function: A Corporate Audit Department Procedures Guide, Third Edition

Michael P. Cangemi and Tommie Singleton

John Wiley & Sons, Inc.

This text is printed on acid-free paper.

Copyright © 2003 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: <permcoordinator@wiley.com>.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Cataloging-in-Publication Data:
Cangemi, Michael P., 1948-
  Managing the audit function : a corporate audit department procedures guide / by Michael P. Cangemi, Tommie Singleton.
  ISBN 0-471-28119-0 (pbk. : alk. paper)
  1. Auditing, Internal -- Handbooks, manuals, etc. 2. Corporations -- Auditing -- Handbooks, manuals, etc. I. Sin
HF5668.25 .C37 2003
657'.458--dc21   2002153133

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

Dedicated to our mutual friend Belden Menkus for always providing encouragement and confidence in us.

ABOUT THE AUTHORS

Michael P. Cangemi is President and Chief Executive Officer and Director of Etienne Aigner Group Inc., a leading designer o

Mr. Cangemi has served as Director of the New York Region Computer Audit Program at Ernst & Young. He is currently servi

Mr. Cangemi is a Certified Public Accountant and a Certified Information Systems Auditor. He is a member of the Financial Ex

Mr. Cangemi has published many articles that have appeared in publications including Internal Auditing, Datamation, New Acc

Mr. Cangemi received his Bachelor of Business Administration in Accountancy Practice degree from Pace University. In 2000,

Mr. Cangemi and his wife, Maria, and two children, Michael Jason and Marc Ignatius, have residences in both Edison, New Jer

Tommie Singleton is professor of Accounting and Computer Information Systems (CIS) at the University of North Alabama (

Since becoming an academic in 1994 at UNA, Dr. Singleton has been eminent scholar (1996-1997), Chair, Department of CIS

Dr. Singleton has earned several accounting certifications: Certified Public Accountant (CPA), Certified Information Systems A

Dr. Singleton has published numerous articles related to auditing and systems in publications such as EDP Auditor Journal, Inf

Over the last few years, Dr. Singleton has led several seminar sessions on systems and auditing subjects, many for CPE credit. H

Dr. Singleton received his Bachelor of Science in Accounting (1977) and MBA (1979) from the University of North Alabama. Tommie and his wife Rebecca reside in Muscle Shoals, AL. They have three grown children: Shayne, Krissie, and AJ.


Foreword
At the turn of the century, copper mining companies such as Phelps Dodge Corporation were the darlings of Wall Street. They were growth plays at the dawn of the new age of electricity and communications. The demand for wiring throughout the country seemed endless. By the early 1900s, Phelps Dodge Corporation had already achieved a proud heritage. Formed in the early 1800s as a trading company, it wisely invested its profits in the copper mining business. By the late 1970s when I joined Phelps Dodge Corporation as Chief Financial Officer, much had changed. I was asked by my good friend, then Chairman and CEO, George B. Munroe, to assist him and the Company in meeting the challenges ahead. The Management Information Systems (MIS) operating areas and the Internal Audit function were to receive special attention. George and I found that the audit resource should be more consistently applied across company operations, and that the reputation of the audit function and the results of its efforts could be improved. Michael Cangemi joined Phelps Dodge as Director of Internal Audit. My background as a Public Accountant and Chairman of BDO Seidman CPAs helped me to recognize the need for a strong internal audit function. Internal auditing is a difficult function to develop in a company. To allow it to contribute to the company, the internal audit management must be empowered with wide-ranging authority. The director of audit must possess integrity, initiative, and excellent communication skills. Michael Cangemi had the personal traits we were looking for. In addition, he had a program to ensure that all audit personnel would be trained in the areas of information technology and the application of the technology to the audit function. Based on his work as Director, Computer Audit at the New York Office of Arthur Young & Company (now Ernst & Young LLP), Michael decided to integrate EDP audit and financial audit. 
His audit personnel team was designed to be capable of advancing with the Company into the information age. Over the next two years, Michael proceeded, with the help of his audit team, to produce an audit methodology that resulted in a most successful audit function at Phelps Dodge Corporation. This book outlines the methodology that was implemented, and much more. After those two years, Michael was promoted to General Auditor of Phelps Dodge Corporation. This was a high honor in a company that had a very lean corporate management structure. At the age of 33, he was one of the youngest officers in the history of the company. More importantly, he had gained the respect of the senior management team and the board of directors. Procedures properly implemented produce the guideposts necessary to ensure that a function such as audit stays on course. Developing budgets for each audit assignment, preparing status reports, and planning documents are essential to efficient audit performance. Audit reports containing a summary report limited to two pages that give the scope of the report, key background information, and a conclusion and summary of findings in a concise bulleted format were created for directors. Detailed reports were prepared for use by those responsible for implementation. Michael was fond of saying that "good people using good procedures will produce an audit product with a reliable, high-quality level." This was the result at Phelps Dodge Corporation. Personnel development was a very high priority of the new audit program. Audit conferences were serious training and key team-building events. The audit group was also assigned to activities such as contract, acquisition, and disposition audits. Contract audits alone have saved the company millions of dollars a year in contracting fees.


Once Michael had the audit function organized and had built a team that was capable of proper succession, he moved on to become a successful corporate vice president with responsibility for all of the company's information systems and benefit plans as well as internal audit. You can take the methodology outlined in this book and improve your own company's audit program or use it as a basis for forming a new, modern audit program. Any chapter in this book provides ideas that are worth the price of the entire publication.

L. WILLIAM SEIDMAN, CPA
November 1995
Washington, DC


Preface
Standing at the Rubicon!
The Emperor Julius Caesar had to cross a river to launch a civil war against General Pompey in the year 49 B.C. The description of that act has become a metaphor meaning standing at a point at which there is no turning back or new beginnings. The world of internal auditing is now at the Rubicon! The first edition of this book was published in 1991. At that point, internal auditing outsourcing was on the rise. Could this trend have been a symptom of the decline in corporate governance and the rise of aggressive accounting to boost earnings? Enron Corp., at times, outsourced their internal audit functions. WorldCom, Inc.'s accounting issues were discovered by an internal auditor. The theme of this book is very simple. Quality internal auditors utilizing tested and proven procedures in a proactive way will produce beneficial tangible results. Auditing is as exciting as the world in which we audit. In fact, anticipating and preparing for the changes that constantly take place in the business world makes auditing even more challenging. Coexisting with other management and partnering in the company's mission, while maintaining a healthy dose of skepticism, provides a significant interpersonal and intellectual challenge. However, many auditors have attempted to live in a slow-paced, reactive world. As a profession, internal auditing has been evolving for less than one hundred years. The profession continued to grow steadily through the 1950s and into the 1960s. The business community was changing dramatically, with technological leaps and global expansion leading the way. Internal control, as it was known, was destined to change to address the issues and complexities of the modern day. The first wake-up call came in 1977 with the passage of the Foreign Corrupt Practices Act. Passed to address the practices of paying bribes in foreign countries, the law had requirements that adequate systems of internal control be maintained. 
Internal audit's role in management rose to new heights. The internal auditing professionals reacted swiftly and implemented new programs to strengthen internal controls and checks and balances. Those internal audit departments that were capable and proactive produced solid returns on investments for their organizations. Many branched out into operational audit areas that were heretofore only discussed. All audit functions addressed information technology in one way or another. Auditors met at conferences and shared information and best practices in a way that should be the envy of all professional groups. In the 1990s, internal control was redefined. The Committee of Sponsoring Organizations (COSO) issued its landmark definitional study of internal control. The product amounted to a five-volume publication which has, for the first time ever, attempted to define all of the intricacies and the subtleties of internal control and achieve agreement among leading professional organizations. The 1990s also saw the profession of internal auditing as a candidate function for outsourcing. Is internal auditing a core capability? Can professionals from outside the organization perform studies of internal control without a thorough understanding of the personality of the organization? The debate on outsourcing is an interesting challenge for the profession of internal auditing. During these decades, internal auditing groups that were proactive and worked hard to create excellent internal audit programs have continued to satisfy their management. They searched for new requirements, responsibilities, and ways to contribute to their organization. The first thing that all successful audit organizations have done is to organize themselves. It has always been my hope that this book would help audit departments improve their organization and operations so that they can improve their overall performance.


As noted above, internal auditing is a very challenging profession, and once the fundamentals of an audit organization are established through the development of a policies and procedures manual, the audit department can focus more of its energies on the delivery of internal audit services. This third edition of Managing the Audit Function greatly expands on the prior edition. In addition to a general update, a new chapter on internal controls has been added. This chapter defines internal control, risk assessment, control strategies, and malicious activities. The subject should be studied and understood not just by internal auditors but by all managers and board members as well. The recent developments with accounting irregularities demonstrate a clear need for an education on the complex subject of internal control! In addition, a section on the history of audit was greatly expanded and integrated into the background materials. As the finishing touches were being made to this edition of Managing the Audit Function, the U.S. Congress passed the Sarbanes-Oxley Act of 2002. This act makes reporting on internal control a requirement for public companies registered with the Securities and Exchange Commission (SEC). The law requires annual reports to contain an assessment of the effectiveness of internal control over financial reporting. In addition, it requires the adoption of standards for independent auditors to attest to management's report on internal control. Separately, the act requires a company's CEO and CFO to certify quarterly and annual reports. These developments will focus senior management's attention on ensuring the adequacy and effectiveness of their internal audit department to assist management with these requirements. Senior management can use this book as a primer on the elements of a modern internal audit function.
As the original author, there is little doubt that I am fascinated with auditing in general, and specifically the internal auditing profession! I first observed internal and external auditing as a member of the operations staff of a brokerage house in my college years. I then spent a number of years in public practice at Ernst & Young before joining a large corporation as Director, Internal Audit. After rising to General Auditor, I moved out of internal auditing and into a financial officer position. Internal auditing continued to report to me during this period, and I attended all audit committee meetings. I then rejoined the public practice at BDO Seidman as National Director of EDP Auditing and Internal Audit Services. I joined Aigner Group, Inc. in a senior management position and after eight years as CFO, I am currently the President and Chief Executive Officer of the company.

I have seen internal control and auditing from a number of interesting vantage points. My current position affords me one of the best views from the standpoint of how internal auditing should fit into and contribute to an organization. All corporate managers have a desire to run a well-controlled operation. We need to be able to rely on the integrity of the data and results of our operations. However, I am now further convinced of the need for the audit department to be proactive and seek out ways to contribute positively to the corporate mission. As pointed out in this book, the audit function does not have the same performance measurements available to it as do other line functions within the organization. I am also now more aware than ever of the need for cost justification for every dollar spent, especially dollars that are not spent in the direct pursuit of revenue. Internal audit departments must have the disciplines and measurements proposed in this book. These issues have come more clearly into view, and as a result of my current position, I am certain that the methodologies suggested in this book are essential principles of internal audit management. To add new dimensions and perspective to this methodology, I asked Tommie Singleton to join with me on this third edition. After a career in industry, Tommie Singleton went back to school and devoted himself to accounting and auditing all the way to the PhD level. We met while working on publishing segments of his dissertation on the history of IS auditing in the IS Control Journal, where I am to this day the Editor-in-Chief. Dr. Singleton is Professor of Accounting and Computer Information Systems at the University of North Alabama. He added tremendously to this book as co-author, giving his insights and knowledge on the complex subject of internal control and sharing his vast acumen on our profession's history.


We are both very active with professional associations, which keeps us at the forefront of developments affecting internal auditing. We owe a debt of gratitude to our colleagues at the IIA and ISACA who keep us connected to this interesting world of auditing. We are also very busy with our "real" jobs and rely heavily on our co-workers. We would especially like to thank Deb Urquhart, my Executive Assistant, for her untiring efforts and dedication to this book project. I would also like to thank my associates at ISACA, Susan Caldwell, Jennifer Blader and Jane Seago, who care so much about the profession's response to technological developments and who work to make IS Control Journal a significant contributor to the expansion of the professional literature. Finally, last but certainly not least, I'd like to thank Sheck Cho, our editor, who guided me through editions one, two, and now three and is always there for support and encouragement.

MICHAEL P. CANGEMI
November 2002
Edison, New Jersey


Part I: Fundamentals of the Internal Auditing Function


Chapter List
Chapter 1: Background
Chapter 2: Auditing Standards and Responsibilities
Chapter 3: Internal Control System


Chapter 1: Background
1.1 Introduction
The goal of this manual is to provide a broad range of information to assist you in developing your auditing function into a world-class audit department and a well-respected contributor to the company's mission. This manual will serve to document approved departmental procedures. It will be the basis for establishing methods to ensure the highest level of performance and quality in the department. These procedures should be evaluated and updated on an ongoing basis to keep pace with changing conditions. This book has been set up in the format of a procedures manual. Beginning with Chapter 2, each page has a heading consisting of the company name, the title of the manual (Corporate Audit Department Procedures Manual, if appropriate), the section number, the revision number (if you choose to keep track of the number of changes made in a particular section), and the date of the revision. Much of the text has been written so that it can be considered boilerplate and be used, with your modifications, to easily create your own manual. The manual is based on a methodology employed very successfully at Phelps Dodge Corporation. Subsequently, the methodology was used as a basis for audit management workshops and consulting projects. Through these processes, the material contained in the methodology was analyzed and improved over a 10-year period. The methodology is broken down into four main components: Part One: Fundamentals of the Internal Auditing Function (Chapter 1, "Background"; Chapter 2, "Auditing Standards and Responsibilities"; Chapter 3, "Internal Control System"); Part Two: Management and Administration (Chapter 4, "Department Organization"; Chapter 5, "Personnel Administration and Recruiting"); Part Three: Technical Procedures (Chapter 6, "Audit Planning"; Chapter 7, "Audit Performance"; Chapter 8, "Audit Reporting"); and Part Four: Long-Term Effectiveness (Chapter 9, "Managing the Effectiveness of the Audit Department").
Other programs can be added to your manual. The technical chapters all begin with a matrix that outlines the various tasks or functions addressed in that chapter. In order to achieve the above goals, a brief overview of historical events affecting the audit is beneficial. Thus this chapter is written to familiarize auditors with historical events that directly relate to audits, audit planning, and in particular the management of a world-class audit function. This section will review the history of auditing before information systems (IS), the history of IS auditing, the history of federal regulations related to auditing, and professional organizations related to auditing. An understanding of these events and organizations should provide substantial benefits in managing your auditing function.

1.2 History of Auditing [1]


The ancient history of accounting and auditing left sparse documentation, but it may well have predated the invention of writing, circa 8,500 B.C. The earliest surviving records in double-entry form are those of the Medici family of Florence, Italy, from 1397. The "modern" era of accounting dates from the year 1494, when a monk named Luca Pacioli published the first book on accounting. He became known as the "Father of Accounting" because of the widespread dissemination of his book and its information. However, Pacioli was a typical monk of the fifteenth century, educated in a wide variety of disciplines, who served as tutor and mentor to the wealthy. In fact, the book itself contains more than accounting, including arithmetic. All Pacioli really did was to explain existing accounting principles.
Auditing, too, is one of the oldest professions. Writing was invented in part to satisfy the need for audits. The Zenon papyri record the application of audits on the Egyptian estate of the Greek ruler Ptolemy Philadelphus II as early as 2,500 years ago. Early Greek and Roman writers such as Aristophanes, Caesar, and Cicero make mention of accountants, auditors, the auditing of accounts, and audit rooms. As early as the Middle Ages, a form of internal auditing existed among the manor houses of England, where the lord served as manager of the audit function. The earliest external audit by an independent public accountant was in 1720 by Charles Snell, as a result of the South Sea Bubble scandal in England. The total market value of the South Sea Company, chartered in 1710, eventually exceeded the value of all money in England. Thus when the company crashed, it was an extremely significant public event in the English economy. Fictitious entries were discovered in the books. This event set a precedent in the history of auditing. In fact, many, if not most, major auditing events, improvements, and standards tend to follow public exposure of scandals and/or fraud. Later, the industrial revolution in England resulted in factory systems that were financed by stockholders. This situation created a need for auditors, both internal and external. To protect the public, the British Companies Act of 1844 provided for mandatory audits. Soon afterward, in 1853, organizations of chartered accountants were formed in Scotland. Then in 1880, five organizations were melded into the unified Institute of Chartered Accountants in England and Wales. By 1881, it had more than 1,000 members. The same industrial revolution was occurring across the Atlantic in the United States. By the late nineteenth century, British auditors were being sent to audit American companies. For example, the British firm Price Waterhouse was sending over auditors as early as 1873. Soon, New York offices existed for the British firms Price Waterhouse, Peat Marwick & Company, and Arthur Young & Company. Thus it was the British who built the infrastructure for professional auditing in the United States.

One of the first key events in the history of the U.S. audit profession was the establishment of what was the forerunner of the American Institute of Certified Public Accountants (AICPA) in 1887. In 1896, New York law provided for the issuance of CPA certificates to those who could pass a qualifying examination. Initially, experienced practitioners were "grandfathered" in by being granted CPA certificates without having to take the examination. Eventually, all states passed CPA laws. At first, each state prepared its own CPA examination, but in 1917 the American Institute of Accountants began preparing a uniform CPA examination that could be used by all states. Another early event of note is the 1913 passage of the Sixteenth Amendment legalizing income taxes. [2] One provision of the law required all companies to maintain adequate accounting records. Thus, even small firms that did not need accounting for management control purposes suddenly had to have accounting records. The audits of the late 1800s and early 1900s were largely devoted to the accuracy of bookkeeping detail. In most cases, all vouchers were examined and all footings verified. Hence, items omitted from the records were overlooked by the auditors, and the result was an auditing profession that was viewed by outsiders as more clerical than professional. This view was to change between 1900 and 1917, because bankers became more important as sources of financing and because practice began to catch up with the auditing literature. The change in philosophy mirrored the recommendations in the leading auditing book of the time, which was written by Robert Montgomery. Bankers were less concerned with clerical accuracy than with balance-sheet quality. Thus, as bankers became major users of audited financial statements, the objective of the audit became more concerned with the valuation of assets on the balance sheet. 
This new direction culminated in the 1917 issuance of Uniform Accounting, a joint publication of the American Institute and the Federal Trade Commission, which also had the endorsement of the Federal Reserve Board. This publication was reissued, with minor changes, in 1918 under the title Approved Methods for the Preparation of Balance-Sheet Statements. This document was the first formal declaration of generally accepted accounting principles and auditing standards. It outlined a complete audit program, instructions for auditing specific account balances, and a standardized audit report. In 1929, another revision included more emphasis on the income statement and internal controls. Still another revision in 1936 placed equal emphasis on the balance sheet and income statement. The 1917 document and its revisions became the bible of the auditing profession for more than two decades.

The recent history of external auditing is more events-oriented. In other words, little has occurred in recent years that was not brought about by some catastrophic event such as a lawsuit, financial disaster, or a major fraud case. One of the earliest important auditing cases was that of Ultramares Corporation v. Touche, Niven & Company (1931). Ultramares had loaned money to Fred Stern and Company in 1924 on the basis of financial statements prepared by Touche. On those statements, accounts receivable had been overstated. Subsequently, in 1925, Fred Stern and Company filed for bankruptcy. A lower court found Touche guilty of negligence, but the firm was declared not liable to Ultramares because there was no privity of contract between the auditor and Ultramares. The New York Court of Appeals agreed that third parties could not hold an auditor liable for ordinary negligence, only for fraud. However, gross negligence could be construed as fraud, which opened up the auditor to lawsuits even though there was no way of knowing who was going to rely on the misleading financial statements. Thus, the auditor became subject to almost infinite third-party liability.
This liability was further expanded at the federal level in the securities acts of 1933 and 1934.

By the time of the 1929 stock market crash, external auditing had become a somewhat standardized profession, but not a particularly large profession. Since bankers were the primary users of financial statements, the only companies needing audits were those that depended on banks for capital. Companies that depended on stockholder financing were not required to have audits. Consequently, even companies listed on the New York Stock Exchange often did not issue audited financial statements. That was to change because of Ivar Kreuger, one of the greatest swindlers the world has ever seen. The most widely held securities in the United States, and the world, during the 1920s were the stocks and bonds of Kreuger & Toll, Inc., a Swedish match conglomerate. The company was founded and headed by Ivar Kreuger, supposedly the richest man in the world. Kreuger's securities were popular because they sold in small denominations and paid high dividends and interest (often 20% annually). Financial reporting as we know it today was in its infancy; stockholders based their investment decisions solely on dividend payments. Kreuger's dividends were paid, however, out of capital, not profits. Kreuger was essentially operating a giant pyramid scheme, which was hidden from the investing public by Kreuger's insistence that financial statements not be audited. He advocated that financial secrecy was paramount to corporate success. In Kreuger's defense, some amount of secrecy was needed because he was often dealing with foreign kings and dictators about government monopolies and taxes on wooden matches. Subsequently, it was discovered that many of his companies' assets were in the form of intangible monopolies. The stock market crash of 1929 made it more difficult for Kreuger to sell new securities to fuel his pyramid scheme. Thus, he committed suicide in March 1932.
Within three weeks, his companies were in bankruptcy as it became apparent that there were few assets to support the unaudited financial statements that had been issued over the years. The bankruptcy was the largest on record up to that time and resulted in numerous changes in financial reporting. Newspaper articles kept U.S. citizens aware of the extent of Kreuger's fraud at the same time that Congress was considering passage of the federal securities laws. Thus, the timing of the bankruptcy and the corresponding media coverage made it politically expedient to pass laws that would make similar schemes difficult in the future. A single event, the corruption of Ivar Kreuger, had shaken investors' confidence and provided the media event of the decade.

As a result, the Securities Act of 1933 was passed, and the New York Stock Exchange issued rules mandating audits of listed companies. Even a movement toward uniformity in accounting principles can be laid at the feet of Kreuger. Auditors thus owe much of their livelihood to the fraud perpetrated by Ivar Kreuger. In fact, some might say that because of the resulting improvements to financial reporting, Kreuger did more good than harm for the financial community. A person of his ilk was needed to show the world that auditors are necessary and can make a contribution to a regulated securities market. The 1936 version of the American Institute's 1917 joint pronouncement with the Federal Trade Commission on auditing standards suggested that auditors might want to observe inventories and confirm receivables, but there was no requirement for these procedures. Many auditors had long opposed observing inventories under the theory that CPAs were not skilled appraisers and that a statement that they had physically inspected inventories might be construed as a guarantee of the inventory valuation. This lack of a requirement for inventory observations and receivable confirmations proved to be an embarrassment to the profession when the McKesson & Robbins scandal surfaced in 1938. The senior management of McKesson & Robbins had used a facade of false documents to conceal the fact that $19 million in inventory and receivables were nonexistent. A Securities and Exchange Commission (SEC) investigation concluded that Price Waterhouse & Company had adhered to generally accepted auditing procedures as recommended in the 1936 Institute pronouncement. The auditors had obtained management assurances as to the value of the inventories and had test-checked the inventories to purchase orders (which were fabricated to conceal the fraud). But the SEC concluded that although generally accepted procedures had been followed, those procedures were inadequate.
As a result, in 1939 the American Institute issued Statement on Auditing Procedure (SAP) No. 1 that required auditors to observe inventories and confirm receivables. The McKesson & Robbins case was a turning point in auditing history. No longer was the auditor responsible for auditing the accounts of management; responsibility was extended to an audit of the business itself. And the profession began to issue promulgated statements and standards related to the specific procedures and standards of audits. Other cases have influenced auditors in recent years, but none to the extent of the frauds associated with Ultramares, Kreuger, and McKesson & Robbins. Continental Vending Machine Corporation (1968) was unusual in that it marked the first instance of an external auditor being criminally convicted for fraud. The overriding conclusion of all of this activity is that the (external) auditing profession has long been reactive rather than proactive. On the whole, the recent history of auditing has been centered on reacting to adverse events affecting the profession.
[1] Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38-47. Most of this section came from this article.
[2] Interestingly enough, a similar law was passed during the Civil War but was later ruled to be unconstitutional by the U.S. Supreme Court.

1.3 History of Internal Auditing


Some types of internal audits date back thousands of years. As mentioned earlier, the Greeks, Romans, and Egyptians were conducting audits before the birth of Christ. Interestingly, the scope of these early audits was in many ways akin to that of modern internal audits; both included an examination of the correctness of accounting records and an evaluation of the propriety of activities reflected in the accounts. Emphasis was on improving management control over the activities of the organization. Such broad emphasis was not to reappear on a wide scale until after World War II. [3]

In the United States, there was little need for internal auditing in the colonial period because there was little in the way of large industry. In fact, accounting textbooks of the period never referred to the subjects of internal auditing or internal control. In government, however, the need for an audit function was recognized. The first U.S. Congress in 1789 approved an act that included a provision for the appointment of a secretary of the treasury, a comptroller, and an auditor. The auditor's job, basically a clerical function, was to receive all public accounts, examine them, and certify the balances. Despite the aforementioned early references, railroad companies are usually credited with being the first modern employers of internal auditors. It was during the latter part of the nineteenth century that these first real internal auditors became commonplace. The title applied to these employees was traveling auditors, and their duty was to visit the railroads' ticket agents and determine that all the accounting for all monies was properly handled. Other early industries to use internal auditors included the large Krupp Company in Germany. Krupp apparently employed some type of internal audit staff at least as early as 1875 since there is a company audit manual dated January 17, 1875, which includes the following provisions: The auditors are to determine whether laws, contracts, policies and procedures have been properly observed and if all business transactions were conducted in accordance with established policies and with success. In this connection, the auditors are to make suggestions for the improvement of existing facilities and procedures, criticisms of contracts with suggestions for improvement, etc. Although the roots of internal auditing do date back into the nineteenth century, real expansion did not occur until the early part of the twentieth century with the growth of the large corporate form of business. 
The major factor in the emergence of internal auditing was the extended span of control faced by management in businesses employing thousands of people and conducting operations in many locations. Defalcations and improperly maintained accounting records were major problems, and the growth in the volume of transactions resulted in a substantial bill for public accounting services for the organization that tried to maintain control by continuing the traditional form of audit by the public accountant. The objectives of early internal auditors were primarily built around the protection of assets. The National Industrial Conference Board's study of internal auditing explained the early motives as follows: Protection of company assets and detection of fraud were the principal objectives. Consequently, the auditors concentrated most of their attention on examinations of financial records and on the verification of assets that were most easily misappropriated. A popular idea among management people a generation ago was that the main purpose of an auditing program was to serve as a psychological deterrent against wrongdoing by other employees. That same study recognized that the internal auditor of yesteryear did not perform the same duties as the modern-day internal auditor. In addition, there was no need for the pioneer internal auditor to perform all of the functions that are handled by today's internal auditors. In less complicated times, of course, management frequently maintained control over company operations by personal supervision. There were not so many levels of authority separating policy makers from production workers, and demands on senior executives' time were neither so numerous nor so urgent. Prior to 1941, internal auditing (IA) was essentially a clerical function with no organization and no standards of conduct.
Because of the nature of accounting record keeping at the time (i.e., manual), auditors were needed to check the records after they were created for accuracy, that is, for errors in postings or footings. Auditors were also concerned with the possibility of fraud. Thus, the internal auditor was a verifier, or a "cop," to protect organizational assets.

The old concept of internal auditing can be compared to a form of insurance: The major objective was to discover fraud more quickly than it could be discovered by a public accountant during an annual audit. That is, the internal auditor was performing a function similar to a police officer or detective. The modern concept of internal auditing is that of an arm of management. Today, internal auditors are an integral link in the management process and are just as concerned with waste and inefficiency as with fraud. Part of the development probably can be attributed to the change in technology. As accounting became mechanized and computerized, records became subject to automatic checking procedures. Thus, the need to check every transaction declined, giving internal auditors time to reach beyond the historical clerical limits. The year 1941 marked a turning point in the development of internal auditing as two significant events occurred. One of those events was the publication of the first major book on the subject, Victor Z. Brink's Internal Auditing. Also in 1941, 24 individuals joined together to form The Institute of Internal Auditors (IIA). During the 1940s, internal auditors began to expand their audits to encompass more than the traditional financial audit. The shift to a war economy in the early 1940s was the primary cause for the expansion of internal audit scope. Management became more concerned with production scheduling, shortages of materials and laborers, and compliance with regulations. Also, cost reporting became more important than external reporting. As a result, internal auditors began directing their efforts toward assisting management in whatever way possible. Following the war, the benefit of the auditor's assistance was so obvious to management that there was no consideration of reducing the auditor's scope to prewar levels. The term operations or operational auditing was adopted to describe the expanded activity. In March 1948, Arthur H.
Kent's work, "Audits of Operations," published in The Internal Auditor, was the first article to describe the expanded-scope audit. In that piece, Kent made frequent mention of an operations audit. Other authors had discussed the subject, but had referred to non-accounting matters, instead of operational subjects. The first technical paper to use the phrase operational auditing in the title was published in The Internal Auditor in June 1954 and written by Frederic E. Mints. By the mid-1950s, others were using the term in speeches, articles, and technical publications. At about the same time, accounting became more mechanized and computerized, and records became subject to automatic checking procedures once performed by internal auditors. That trend was reflected in the 1957 Statement of Responsibilities of Internal Auditing, published by the IIA. The growth in the internal auditor's scope of responsibility can be observed through a comparison of the 1947 Statement of Responsibilities of the Internal Auditor and the 1957 revision of the same document. The 1947 version stated that internal auditing dealt primarily with accounting and financial matters but may also properly deal with matters of an operational nature. That emphasis was to change in just one decade. The IIA described the broad role of internal auditing with its 1957 Statement of Responsibilities of the Internal Auditor. Whereas the 1947 Statement said that an auditor might also deal with operating matters, the 1957 Statement stated that the auditor should be concerned with any phase of business activity. 
The 1957 Statement included these internal auditor (IA) duties:
- Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and operating controls
- Ascertaining the extent of compliance with established policies, plans, and procedures
- Ascertaining the extent to which organizational assets are accounted for, and safeguarded from, losses of all kinds
- Ascertaining the reliability of accounting and other data developed within the organization
- Appraising the quality of performance in carrying out assigned responsibilities

As previously mentioned, there were two significant events in 1941: the publication of the first major book on internal auditing and the founding of the IIA. Interestingly, the latter event was related to the former. Victor Z. Brink's doctoral dissertation was published in January 1941 by Ronald Press. At the same time, John B. Thurston, internal auditor for the North American Company in New York, had been contemplating establishing an organization for internal auditors. Thurston and Robert B. Milne had served together on an internal auditing subcommittee formed jointly by the Edison Electric Institute and the American Gas Association. These two had decided that further progress in bringing internal auditing to its proper level of recognition would be difficult in the two organizations. Instead, what was needed was an independent organization for internal auditors. When Brink's book came to the attention of Thurston, the two men got together and found they had a mutual interest in furthering the role of internal auditing.

Only 11 members were present at the first annual meeting of the IIA. Thurston was elected as its first president. Membership grew quickly. The original 24 increased to 104 by the end of the first year, to 1,018 at the end of five years, and to 3,700 by 1957, with 20% of the latter figure located outside the United States. The new group was quick to begin its activities to further the development of its members. In January 1942, a director of research approved the first book published under the IIA auspices; it was issued in March 1943. A journal, The Internal Auditor, was begun in September 1944. Membership was divided into local chapters beginning in December 1942, when the New York chapter was formed. The Detroit, Chicago, Los Angeles, and Philadelphia chapters followed in 1943. Additional chapters were formed the following year in Dayton, Cleveland, and Toronto, the first outside the United States. By the end of 1947, 19 chapters operated throughout North America. The first chapters outside North America were formed in London and Manila in 1948 to begin the trend toward true internationalization. Other developments would further focus IA on operational audits. In 1963, the National Industrial Conference Board studied 177 organizations' objectives for their internal auditing programs. The Board concluded with five primary objectives:
1. Determine the adequacy of the system of internal control
2. Investigate compliance with organizational policies and procedures
3. Verify the existence of assets, ensure that proper safeguards for assets are maintained, and prevent or discover fraud
4. Check on the reliability of the accounting and reporting system
5. Report findings to management and recommend corrective action where necessary

In 1975, the IIA found that 95% of all respondents to a survey conducted operational audits for purposes of judging efficiency, effectiveness, and economy.
The same study found that 51% of the total audit time was spent on operational auditing activities. Thus the shift from financial to operational had become profound and permanent. The modern work of the internal auditor had become auditing for efficiency and effectiveness more than financial propriety. The internal auditor had also become an integral part of the management team. Another dramatic change in the IA function in the United States occurred in 1987 with the Treadway Commission report. The Commission was organized by five accounting organizations (IIA, AICPA, American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial Executives International (FEI)), known collectively as the Committee of Sponsoring Organizations (COSO). The commission was formed to study the cause of fraudulent financial reporting. The committee concluded: (1) an internal audit function should exist in every public corporation, and (2) there should be a corporate audit committee composed of non-management directors of the corporation. These conclusions not only enhanced the IA profession but also brought fraud to the forefront of IA functions, as it had been before 1941. In the 1990s, one trend caused a change in the way the IA function was carried out. Outsourcing became a popular way for organizations to employ the IA function, with the role of the IA function served by public accounting and other providers. The IIA Standards and Statement have evolved further and now have risk assessment as their cornerstone.

The internal auditing function has undergone significant changes in the last century. The main objective of the IA function has moved from that of fraud detection to assisting management in making decisions beginning with a risk assessment. The IA staff of today is considered a good training ground for management-level personnel, but many organizations have out-sourced the entire IA function.
[3] Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.

1.4 Auditing Government Agencies


Various governmental audit agencies throughout the world have played a role in the movement toward the modernization of internal audit procedures. In the United States, the General Accounting Office (GAO) has played a major part in broadening the role of the auditor. The GAO's publication, Standards for Audit of Governmental Organizations, Programs, Activities and Functions (commonly called the "Yellow Book" because of the color of its cover) explains the metamorphosis in the following manner: This demand for information has widened the scope of governmental auditing so that such auditing no longer is a function concerned primarily with financial operations. Instead, governmental auditing now is also concerned with whether governmental organizations are achieving the purposes for which programs are authorized and funds are made available, are doing so economically and efficiently, and are complying with applicable laws and regulations. Basically, the recommended standards encompass those standards that have been adopted by the AICPA for use in audits to express an opinion on the fairness of financial statements. Governmental audits, however, go a step beyond those standards that are applicable to audits of financial statements. The scope of a governmental audit (e.g., an audit of or for a government agency) is composed of three elements:
1. Financial compliance,
2. Economy and efficiency, and
3. Program results.

The typical definition of a financial audit would not include elements 2 and 3. These are operational auditing techniques.

1.5 History of Information Systems Auditing


The technology revolution in accounting and auditing began in the summer of 1954 with the first operational business computer. Information technology (IT) changed the way accounting data was stored, retrieved, and handled. These new systems led to radically different audit trails, if one at all. The revolution became a dynamic evolution as the computer industry sustained continuous, rapid technical innovations. In addition to the introduction of computers to the business world, other IT-related events have also had a profound effect on the auditing profession and the way audits are conducted. These events included: (1) the commercialization of computers; (2) the introduction of AUDITAPE; (3) the Equity Funding scandal; (4) the emergence of Information Systems Audit and Control Association (ISACA); (5) the Systems, Auditability, and Control (SAC) studies by the Institute of Internal Auditors (IIA); and (6) constant emerging technologies. Information technology affected, and continues to affect, auditing. It became necessary to add new standards, affecting the body of auditing standards. The audit process itself has become different from traditional audits prior to 1954 (e.g., audit tools and techniques). It was possible for an auditor to retire in the 1950s having used similar audit programs throughout one's career. That will never happen again! The effects of IT on auditing have culminated in a set of knowledge, skills, and standards necessary to conduct the contemporary audit that were nonexistent in 1954.

a. Birth of Information Systems Auditing


The introduction of computer technology into accounting systems disrupted the routine auditors had been able to establish to properly audit accounting systems. General Electric is credited with the first operational electronic accounting system, a UNIVAC computer, in the summer of 1954. Because of the new knowledge necessary to understand computers and electronic data processing (EDP), the auditing profession struggled to develop a new set of tools, techniques, and systems knowledge, and the training and standards to accompany them. A seminal event occurred very early in the history of business computers. This notable example of early innovation was an article, "Using a Computer to Reconcile Inventory Counts to Books," published in N.A.C.A. Bulletin (National Association of Cost Accountants) in June 1956. In the article, the author, Frank Howell, member of the Auditor General's staff for the United States Air Force (USAF) in Washington, D.C., described how an organization used the computer to reconcile inventory counts to books. The computer was programmed to print out major differences between counts and inventory records while automatically adjusting the books to the count for minor differences. The program even evaluated the effectiveness of inventory operations in various departments and determined which supervisors were doing the best job of counting inventory. Taking into account the length of publication cycles, this technique was being used as early as 1955, that is, at the beginning of IT history. Some nascent articles and discussions deliberated the possibility of using information technology (i.e., the computer) as an audit tool, but Howell at the USAF was actually using technology as an audit tool. At the time, this idea was radical and innovative. Thus, one early effect of information technology was to provide the very tools auditors would need to adequately audit accounting data.
This effect became perpetual as future technologies would also be used as tools in audits of EDP systems. Not all creative tools and techniques were delivered using emerging technologies. As early as 1961, the U.S. Air Force adapted traditional separation of duties between programmers, systems designers, and keypunch operators. Other traditional auditing principles would be similarly altered to accommodate the effects of IT on auditing. In the beginning, IT itself provided an inherent protection. From 1955 to the mid-1960s, the computer world included only mainframes. During this time, few people had the knowledge and expertise to program a computer. This situation prevented most accountants from preparing programs to audit through the system. It also provided its own form of security, because few people knew enough to violate the systems.
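The reconciliation logic Howell's 1956 article describes (post minor count differences to the books automatically, report major ones for follow-up, and score each department's counting accuracy) is easy to show in a few lines. The Python below is an added illustration written for this edition of the page, not Howell's program or anything from the book; the tolerance rule, the field names, and the sample inventory lines are constructed.

```python
"""Reconcile physical inventory counts to book quantities.

Added example in the spirit of Frank Howell's USAF program: minor differences
are booked to the count, major differences become exceptions for the auditor,
and each department is scored on how many lines it counted exactly.
The tolerance rule and all data here are constructed, not from the article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    sku: str
    department: str
    book_qty: int    # quantity carried in the inventory records
    count_qty: int   # quantity found in the physical count


@dataclass
class Reconciliation:
    adjusted: dict        # sku -> quantity now carried after automatic adjustment
    exceptions: list      # (sku, department, book_qty, count_qty, variance)
    dept_accuracy: dict   # department -> share of lines counted exactly


def is_minor(book_qty, variance, tolerance, min_abs):
    # A difference is minor when it lies within `tolerance` of the book quantity,
    # or within `min_abs` units for low-quantity lines where a percentage is meaningless.
    return abs(variance) <= max(min_abs, tolerance * book_qty)


def reconcile(items, tolerance=0.02, min_abs=1):
    """Compare count to book for each line and split the differences.

    Minor differences are adjusted silently (books brought to the count);
    anything larger is left unadjusted and reported, because an unexplained
    large shortage is exactly what an auditor should look at, not paper over.
    """
    adjusted, exceptions = {}, []
    lines, exact = defaultdict(int), defaultdict(int)
    for it in items:
        variance = it.count_qty - it.book_qty
        lines[it.department] += 1
        if variance == 0:
            exact[it.department] += 1
        elif is_minor(it.book_qty, variance, tolerance, min_abs):
            adjusted[it.sku] = it.count_qty
        else:
            exceptions.append((it.sku, it.department, it.book_qty, it.count_qty, variance))
    accuracy = {d: exact[d] / lines[d] for d in lines}
    return Reconciliation(adjusted, exceptions, accuracy)


def rank_departments(result):
    """Departments ordered from best to worst counting accuracy (ties alphabetical)."""
    return sorted(result.dept_accuracy, key=lambda d: (-result.dept_accuracy[d], d))


# Constructed sample: two departments count well, one does not, one line has no book balance.
SAMPLE = [
    Item("A1", "Parts", 1000, 995),   # -5 on 1000: within 2%, adjusted
    Item("A2", "Parts", 40, 40),      # exact
    Item("B1", "Tools", 200, 150),    # -50 on 200: major shortage, exception
    Item("B2", "Tools", 10, 11),      # +1 unit on a small line, adjusted
    Item("B3", "Tools", 500, 500),    # exact
    Item("C1", "Fuel", 0, 3),         # stock found with no book record, exception
]

if __name__ == "__main__":
    result = reconcile(SAMPLE)
    for exc in result.exceptions:
        print("EXCEPTION sku=%s dept=%s book=%d count=%d variance=%+d" % exc)
    print("adjusted:", result.adjusted)
    print("ranking:", rank_departments(result))
```

Running the block prints two exceptions (B1 and C1), two automatic adjustments (A1 and B2), and ranks Parts ahead of Tools and Fuel. The point for a reviewer is that the threshold defines what the program will quietly change: set it too wide and a pattern of small, repeated shortages in one department never reaches the exception report.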

b. Commercialization of Computers
Beginning in 1963, the escalation of computer usage in accounting systems caused auditors to think about how they were going to deal with this new technology. Several organizations had begun to manufacture computers to be used in business during the late 1950s and early 1960s. Some manufacturers, such as Singer and General Electric, soon exited the computer market. Others, such as Burroughs and IBM, became major suppliers of business computers. Up until then, all of the computers were mainframes. The cost of these machines made it prohibitive for most companies to purchase one.


The use of computers in accounting began to escalate in 1963 with the introduction of a new, lower-cost computer by IBM, the IBM 360. The plan at IBM was to introduce smaller machines at more affordable costs to businesses. The IBM 360 accomplished this objective, and a rapid increase in sales of commercial-use computers ensued. This increase in computer sales was instrumental in creating a greater need for EDP auditing concepts in businesses and a need for auditors skilled and knowledgeable about EDP. And the spiral of better IT, cheaper IT, and smaller-size IT was off and running.

c. AUDITAPE: Breakthrough for Information Systems Auditors


From the beginning, external auditors had a difficult time in auditing through the computer. First, the majority of auditors audited around the computer, ignoring, for the most part, the effect of EDP on the audit. In the 1960s, those auditors who audited through the system had to rely on expensive, time-consuming, and continuously changing custom audit programs. For example, Keagle Davis undertook a study at Touche Ross that showed that their programmers had written 150 to 250 customized audit programs in 1967 alone. While 75% of these were effective, 80% required major programming changes the next year because of changes in the computer system or changes in audit needs. Meanwhile, the number and variety of financial accounting systems and clients with computers greatly increased in the last half of the 1960s. The need for skills required to handle the audit of computerized data significantly increased beyond those of an EDP technician. Together, these needs drove the development of generalized audit software (GAS). A series of events and projects at Haskins & Sells (H&S) led to the initial GAS package. In the late 1950s, Kenneth Stringer began to develop a statistical sampling plan. In 1962, H&S formally adopted the plan, Probability Proportional to Size Sampling (PPS). PPS was a precursor to AUDITAPE, but it was not the only motivation, or even the primary motivation, in developing AUDITAPE. Stringer and the management at H&S were also motivated by the fact that the more clients computerized their accounting, the more dependent auditors would become on computer expertise. The growth of computerized accounting systems would create an environment in which auditors would be unable to perform the audit steps once done manually. That is, access to data was gradually slipping away from auditors.
The introduction of AUDITAPE in October 1967 by Haskins & Sells at the American Accounting Association (AAA) annual meeting in Portland, Oregon, was a key event for external auditors in particular (at that time), and internal auditors (later). Practitioners were excited when they saw the potential of AUDITAPE because external auditors who were not highly technical could now run the computer and use it as an audit tool. Very few auditors had yet acquired a high level of technical skills in 1967. As a direct response to the introduction of AUDITAPE, several GAS packages were developed from 1968 to the early 1970s. Every Big Eight public accounting firm developed its own proprietary GAS package during this time. Independent organizations, such as Computer Audit Systems, Inc. (Joseph Wasserman, CARS software) and, in the late 1970s, P.J. Corum (later Pansophic, Panaudit software), also developed GAS packages. The development and use of GAS was a breakthrough in audit tools. In 1967, very few audit tools existed, and there was a meager use of the tools that did exist. AUDITAPE was the impetus that led to the development and use of audit tools, specifically GAS, in EDP audits. AUDITAPE also affected other aspects of auditing. Although statistical sampling preceded AUDITAPE by several years, AUDITAPE affected the use of statistical sampling as much as it affected anything. Thus, AUDITAPE was born from a need to audit through the computers (information technology) in a simple, efficient, and effective manner. Information technology's effect on access to data by external auditors (i.e., difficult to examine) drove the need for better audit tools. To this day, GAS is perhaps the most valuable tool an auditor has to audit data embedded in IT. The AICPA added its contribution to EDP audits, even though it was without official standards or guidance. In 1968, Robert Trueblood of Touche Ross, president of the AICPA, pursued the theme of computers in accounting during his term. Trueblood used his influence to have the AICPA hire Gordon Davis to both assist CPAs in the use of computers and codify EDP auditing. Dr. Davis, a professor at the University of Minnesota, accepted the responsibility and took a leave of absence to be de facto chairman of the committee appointed by the AICPA. Each of the Big Eight firms was invited by the AICPA to participate on the committee in the development of this project, and seven firms provided representatives. The major result of the project was a book entitled Auditing & EDP. This popular book went through many printings and a revision in 1983. It included examples of how to document an EDP audit and a sample questionnaire for processing internal control review. The Auditing & EDP project led to several changes in the auditing profession. Although the book itself did not present the official position of the AICPA (i.e., it was not promulgated standards), it did present a number of audit and control concepts and procedures as an unofficial document. Perhaps the most important chapter was one dedicated to explaining when and how to audit around the computer. In the 1960s, auditors could officially audit input and output and still be in compliance with AICPA standards. If auditors did choose to audit around the computer, the chapter recommended that an evaluation of internal control be made to both review and test the system. Auditors could not simply ignore the presence of EDP in the accounting system. This recommendation was essentially the context of Statement on Auditing Standards (SAS) No. 3: The Effects of EDP on the Auditor's Study and Evaluation of Internal Control, promulgated six years later in December 1974. Another result of the Auditing and EDP Task Force was the establishment of a permanent EDP auditing committee within the AICPA. The committee's efforts eventually led to the issuance of several audit guides and SAS No. 3.

d. Equity Funding Scandal: Abuse of Information Technology


Oddly enough, the abuse of information technology (to falsify accounting data and hide a fraud) was one of information technology's most significant influences on auditing. The Equity Funding financial fraud scandal jolted both the accounting profession and management, including audit management, from a stodgy, traditional audit ideology. Managers who believed that the computer was a black box and it did not really matter what went on inside began to change their minds. Audit managers who believed the computer was a fad or a fancy calculator began to take more seriously the implications of using EDP in accounting. The atmosphere, in general, was ripe for change. Managers at Equity Funding Corporation of America used a series of frauds beginning in 1964 to show false profits, thus increasing the company's stock price. The primary fraud was the use of phony insurance policies. Equity Funding used several tactics to perpetrate the fraud. One was to use different external auditors in order to confound the audit process and prevent detection of the fraud. The company used another deceptive tactic during confirmation of receivables. When the external auditing firm tried to confirm receivables (policies) by phone, the Equity Funding switchboard operator simply patched them through to Equity Funding employees in the building. That is, EF employees were in on the fraud and actually provided external auditors with false information. The most amazing fact of the case is that it went undetected for so long. Many people inside the company knew about the fraud, and yet the fraud was a better-kept secret than some of our military secrets of the time. The fraud was exposed when a disgruntled ex-employee blew the whistle. In March 1973, the SEC suspended trading of Equity Funding stock. The subsequent audit by Touche Ross was definitely not traditional. First, the auditors were trying to prove that the insurance policies did not exist. Second, it was a fraud audit, not a financial audit.
Touche Ross auditors used the opportunity to apply a variety of new techniques to satisfy audit requirements in terms of information and how the system reports and files data. The audit took two years to complete. Touche Ross found about $2 billion of phony insurance policies, two-thirds of the policies Equity Funding claimed to have in force.

For the most part, the external auditors before Touche Ross failed to follow up on numerous clues that indicated something was wrong. The use of audit software could have detected the fact that the policy file was fraudulent. For example, all bogus policies were coded to department "99." The auditors also did not review system flowcharts or program code but treated the computer as a black box. Not only did the external auditors overlook the clues, but the SEC could be accused of the same thing. An SEC staff member wrote memos 15 months prior to Equity Funding's collapse reporting rumors of irregularities. The SEC, however, dropped the investigation shortly after receiving the memos. The popular press treated the fraud as a computer fraud, but it really was not; it was a management fraud. Still, the fact is that Equity Funding management probably could not have perpetrated the fraud without the use of computers. The public's perception of the part that the computer played in the fraud caused a new wave of interest in audit procedures where computers were a component of the accounting system. The prevailing belief at this time was that traditional audits (those that audited around the computer) were sufficient to detect the existence of material and significant frauds, such as the Equity Funding fraud. Others, primarily EDP auditors, had espoused the need for auditing through the computer. These people were now receiving attention from accountants, auditors, and management. This financial fraud affected a wide range of constituencies. These included insurance regulators, bank regulators, postal inspectors, the FBI, and the U.S. Attorney's office. At least 12 different federal and state agencies were involved in the aftermath of exposure of the scandal. Equity Funding did more for the rise of EDP auditing (i.e., more EDP auditor jobs) than any other single event.
For example, Harold Weiss was credited with providing the only major EDP auditing training during the late 1960s and early 1970s. He said that his activity increased so significantly after Equity Funding that he had trouble filling all of the requests. He also said most of the managers that had previously told him "no" to his requests for EDP audits or the use of EDP audit techniques were now calling and asking for his help to institute computer controls and EDP audit techniques. The Equity Funding scandal had a domino effect in the auditing community. The attitude of isolating the computer system from the EDP auditors, held by some corporate management, changed after Equity Funding. In addition, auditing procedures were being challenged; some of the customary policies and procedures that had been acceptable began to be questioned. Equity Funding highlighted the need for audit standards that apply directly to EDP auditing (these were non-existent at the time). Security became an increasingly significant issue for all auditors; up until Equity Funding, auditors were absorbed with accounting-related issues in EDP. Auditing literature was also affected. An analysis of citations prior to 1973 shows an insignificant amount of research and publications on EDP auditing issues by such organizations as the AICPA, Big Eight firms, and IIA. From 1955 through 1970 (16 years), the AICPA published only 21 articles, two chapters in a book, and Auditing & EDP, according to Accountants' Index published by the American Institute of Accountants. The IIA published 10 articles and no books in the same period. State societies published 25 articles. None of these institutions averaged two articles per year. The more active Big Eight published about 40 articles (some overlap with the AICPA publications in The Journal of Accountancy and state society publications). Between 1973 and 1977, however, numerous activities followed Equity Funding: publications, standards, research, and seminars.
Even IBM changed; management at IBM decided to make a substantive effort to change the image of the computer from a villain to a hero. A comparison of the EDP auditing profession prior to 1973 and immediately thereafter leads to the conclusion that the Equity Funding scandal was the single most important event in EDP audit history.
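The two audit-software techniques this section names, stratifying a data file by a code field (the pattern that would have surfaced the department "99" policies) and the probability-proportional-to-size selection that H&S adopted before AUDITAPE, as an added Python example. This is not code from the book, from AUDITAPE, or from any GAS vendor; the policy numbers, department codes and face values are constructed for the illustration, and the functions and their names are assumptions of this example.

```python
"""GAS-style checks over a constructed policy master file.

Added example, not code from the book, from AUDITAPE or from any GAS vendor.
It shows two techniques the chapter names: stratifying a file by a code field
(the pattern that would have exposed the department "99" policies) and
probability-proportional-to-size (PPS) sample selection.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Policy:
    policy_no: str
    department: str   # department code as recorded in the file
    face_value: int   # policy face value in whole dollars


# Constructed sample records (policy numbers, codes and amounts are made up).
# Five ordinary policies spread over three departments, plus a block of
# equal-value policies all booked to department "99".
SAMPLE_POLICIES = [
    Policy("P-1001", "12", 10_000),
    Policy("P-1002", "12", 15_000),
    Policy("P-1003", "34", 20_000),
    Policy("P-1004", "34", 5_000),
    Policy("P-1005", "56", 25_000),
    Policy("P-1006", "99", 30_000),
    Policy("P-1007", "99", 30_000),
    Policy("P-1008", "99", 30_000),
    Policy("P-1009", "99", 30_000),
    Policy("P-1010", "99", 30_000),
]


def department_profile(policies):
    """Stratify the file by department: {code: (policy count, total face value)}."""
    counts = Counter()
    totals = defaultdict(int)
    for p in policies:
        counts[p.department] += 1
        totals[p.department] += p.face_value
    return {code: (counts[code], totals[code]) for code in counts}


def flag_concentrations(policies, share_threshold=0.25):
    """Return department codes carrying more than share_threshold of total face
    value, sorted. One code holding most of the file is the kind of anomaly an
    auditor follows up with source documents or independent confirmations."""
    total = sum(p.face_value for p in policies)
    if total == 0:
        return []
    profile = department_profile(policies)
    return sorted(code for code, (_, amount) in profile.items()
                  if amount / total > share_threshold)


def pps_sample(policies, sample_size, start=None, seed=1):
    """Systematic PPS (monetary-unit) selection.

    The file's total face value is divided into sample_size equal intervals;
    a random start point in [0, interval) and every interval after it are the
    selection points, and a policy is selected when a point falls inside its
    cumulative dollar range [before, after). Larger policies are therefore more
    likely to be picked, and any policy at least one interval long is certain
    to be picked. A policy hit by two points is listed once.
    """
    total = sum(p.face_value for p in policies)
    if sample_size <= 0 or total <= 0:
        return []
    interval = total / sample_size
    if start is None:
        start = random.Random(seed).random() * interval
    selected = []
    cumulative = 0
    next_point = start
    for p in policies:
        cumulative += p.face_value
        while next_point < cumulative:
            if not selected or selected[-1] is not p:
                selected.append(p)
            next_point += interval
    return selected


if __name__ == "__main__":
    for code, (n, amount) in sorted(department_profile(SAMPLE_POLICIES).items()):
        print(f"dept {code}: {n} policies, ${amount:,}")
    print("concentrated in:", flag_concentrations(SAMPLE_POLICIES))
    print("PPS sample:", [p.policy_no for p in pps_sample(SAMPLE_POLICIES, 5)])
```

Run against the constructed file, the stratification shows department "99" holding two-thirds of the face value in the file, which is the follow-up item an auditor would take to confirmations; passing a fixed `start` to `pps_sample` makes the selection reproducible for the working papers.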

e. Systems, Auditability, and Control Research Study: Institute of Internal Auditors


By 1973, IBM had established a close working relationship with the public accounting community. In 1965, IBM helped establish a users group, Accountant Computer Users Technical Exchange (ACUTE), in New York City. After Equity Funding, IBM established a liaison position to cooperate with the public accounting community. As a result of these relationships, IBM instituted auditability and security programs for its computers and for auditors, a two-way communication line intended to benefit both parties. For example, every IBM computer had a technical guide on the security and auditability features of that particular computer. Auditors benefited from these guides when conducting their audits. Also, IBM invited accountants to training, even if they did not own an IBM computer (IBM normally required training attendees to be owners of IBM equipment). While other computer manufacturers were offering only technically oriented training, IBM offered training that was less technical, and thus more useful to accountants. In return, feedback from auditors led to improvements in the security and auditability features of IBM computers, and the referrals from accountants led to sales. Auditors were assisting IBM, to some degree, in becoming the leading manufacturer of computers. Members of the IIA staff had been planning a large-scale research project into information systems and auditing called Systems, Auditability, and Control (SAC). In 1973, the IIA formally approached the IBM liaison, Sam Albert, about the possibility of IBM's financial support for the SAC research. Albert eagerly agreed to pursue possible financial support from IBM and was able to convince IBM management to invest in the project. Albert unilaterally decided it was in the best interests of IBM to be the sole sponsor of the project, and he secured a financial commitment of $500,000 from IBM. In 1975, no entity had been able to define EDP auditing precisely and communicate that definition nationally. State-of-the-art tools, techniques, and procedures also suffered from a lack of exposure and codification. The SAC study had the ambitious goal of making a definitive evaluation of EDP auditing.
In 1977, SAC was published. Due to this effort, SAC managed to define EDP auditing because SAC provided some prescription of how to approach EDP auditing. In addition, SAC codified tools and techniques into a benchmark or standard. That is, SAC established what effective EDP audit shops were doing, especially best practices. Others believed SAC legitimized the need for an EDP auditing staff and function. SAC's contributions made an impact, moving EDP auditing forward significantly. SAC was a landmark study in changing the audit profession and controlling computer systems. The IIA and IBM gave away hundreds and thousands of copies for free. The prestige of IBM, the notoriety of the individual members of the Advisory Committee, and the IIA lent credibility to SAC. At least up until the mid-1980s, SAC was probably the most widely publicized, read, accepted, and applied publication that encapsulated a comprehensive set of principles for EDP auditing. SAC has been updated several times since its initial publication (in 1991, 1994, and eSAC 2001). It is currently referred to as eSAC (Electronic Systems Assurance and Control), and available online from the IIA.

f. Electronic Data Processing Auditors Association


By the late 1960s, many EDP auditors were ready for an organization dedicated to EDP auditing. At that time, there was no authoritative source for EDP audits that would provide information, standards, tools, and techniques. From the efforts of a handful of interested auditors in Southern California, the Electronic Data Processing Auditors Association (EDPAA) was organized in 1969. Its first conference was held in January 1973, just before the exposure of the Equity Funding scandal, and its first regular publication, The EDP Auditor, began in May of the same year.

In 1977, the EDPAA's Foundation (EDPAF) published its first edition of Control Objectives, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits. It was intended to provide a normative model for EDP auditors in performing their duties. The publication was revised and updated frequently in the subsequent years (1980, 1983, 1990, and 1992). Between 1992 and 1996, Control Objectives underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for Information and Related Technology). CobiT was revised in 1998 and 2000 (third edition), and is available on CD-ROM and online. CobiT has become an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers, users of IT, and IS auditors. In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program, Certified Information Systems Auditor (CISA). Because of information technology, some internal and external auditors wanted a separate certification for auditors of Information Technology; the CISA provided the vehicle. The first CISA exam was given in 1981 and offered in two languages. In 2002, more than 10,000 candidates around the world took the CISA exam in their choice of nine languages: English, Dutch, French, German, Italian, Japanese, Spanish, Chinese, or Korean. The introduction of the CISA certification program brought a standard for IS auditors that came to be respected throughout the auditing profession. Today, more than 27,000 professionals in dozens of countries have become certified through the CISA program. By 1984, the international growth of the EDPAA began to accelerate. Many international chapters were chartered beginning about this time. For example, in 1985, Region 10 (encompassing Japan, Hong Kong, Singapore, Malaysia, India, and the Philippines) was activated. The EDPAA began to translate key documents into foreign languages. When Control Objectives was translated into Japanese in 1986, it soon became a best seller, selling more than 10,000 copies. By 1988, the CISA exam and other documents were also translated into foreign languages. In 1989, the EDPAF issued its 10 worldwide General Standards for IS Auditing, and its first two worldwide Statements on IS Auditing Standards. In 1991, the EDPAA elected its first international president living outside North America, Deepak Sarup. The Information System, Audit and Control Association (ISACA) has become the only true international professional auditing organization, with international members, international chapters, and international standards (applicable on an international scale), all within a single entity.
In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association (ISACA). Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and assumed sponsorship of Computer Audit, Control and Security conferences (CACS) begun by Harold Weiss in the 1960s. The activities of EDPAA/ISACA have contributed to the emergence of the large number of IS auditing experts today. ISACA is known today for its CobiT project, its services, CISA certification, training, information on topics such as corporate governance and the Global Knowledge Network (Global Information Repository), and it continues to publish its technical journal, Information Systems Control Journal. ISACA has more than 26,000 members internationally in more than 100 countries.

g. Emerging Technologies
Technology continued to change at a rapid pace until the introduction of the microcomputer in the late 1970s. At that time, information technology became portable and distributed, carrying with it new control problems. While the pioneers did blaze a trail for others to follow (in the mainframe area), all the trails seemed to change by 1979, and the walls around the data center were no longer secure. In addition, EDP auditing had even evolved into a separate function in many organizations, or at least a separate position in IA: audit manager/IS audit. The breadth of IT also began to compound the knowledge and expertise needed to perform audits and audit projects. The 1980s saw many new technologies incorporated into accounting systems. Some had been in the process of developing, but the proliferation of IT in the 1980s and 1990s drove the need for better IS products as well as new technology. The emerging technologies included microcomputers or personal computers (PCs), database management systems, electronic data interchange (EDI), bar coding, artificial neural systems (ANS) or neural networks, expert systems (ES), decision support systems (DSS) and group decision support systems (GDSS), executive information systems (EIS), online analytical processing (OLAP), enterprise resource planning (ERP), and, most important of all, the Internet and World Wide Web (WWW). In addition, changes in telecommunication technologies affected nearly all accounting information systems.

i. Microcomputers and Networks

Microcomputers date back to 1975 with a group of young experts (e.g., Bill Gates) who built the first microcomputer called the Altair. Several attempts to mass market microcomputers followed from then-maverick companies such as Apple and Commodore, and traditional companies like Radio Shack. In 1977, Apple introduced its Apple II, followed in 1979 with Radio Shack's TRS-80. Also in 1977, Xerox developed a microcomputer with a mouse, graphical display, and other "windows"-like features. It was not until 1979 when VisiCalc (an electronic spreadsheet) hit the market, however, that micros really began to sell. In the fall of 1981, IBM began to sell its version of the microcomputer, the personal computer (PC). Early in the 1980s, IS auditors were becoming concerned about the controls in microcomputer systems (e.g., spreadsheets used in accounting and financial accounting packages). Microcomputer software advances (financial accounting) had led to many installations on PCs. The widespread use of PCs dispersed the IS function within organizations. One result of micros was a loss of control of the security of computing activities. That is, computer processing, which had once at least been centralized at the mainframe computer in a single room, was now distributed throughout much of the organization. Information system auditors quickly determined the need for new tools to audit the data that were resident on microcomputer systems. Yet the micro also provided IS auditors with the opportunity to develop new tools to take advantage of the power of micros for audit purposes. This potential led to the birth of the need for micro-based computer-assisted audit tools (CAATs), a major turning point because these tools enabled IS auditors to start doing their own micro work, instead of needing an IS expert as a go-between. Thus, the growth of PC-based CAATs was, in fact, driven by IS auditors. The PC was a greater tool for auditors than for just spreadsheets and word processing.
The automation of work papers and micro-driven analytical tools were major innovations. The 1980s also saw the growth of networked PCs. With networks, several applications and numerous users have access to the same data and resources. During transmission along network lines, data often were exposed to loss or theft (e.g., sniffers, hackers). Maintaining the security of the users connected to the network and their physical location (nodes) was also difficult because users could be frequently added or moved on a network. That is, the network a manager brings up in the morning may not be the same one brought up yesterday. This volatility creates havoc for the network manager and can be a nightmare for IS auditors; it is virtually impossible to audit an environment when the environment keeps changing, and doing it so often. These two developments (PCs and networks) have resulted in information systems that have become more difficult to audit. Technology continues to change and expand rapidly. Meanwhile, the structure of the organizational system has drastically changed (exactly where are the data and controls?), and the locus of control for data processing continues to expand. However, microcomputers (and CAATs developed for them) have also provided a powerful tool that IS auditors can use to improve or facilitate the audit process.

ii. Database Management Systems

Use of relational databases grew in the early 1980s. The expanding base of PCs created a new market for application software, such as databases. Data integrity problems existed because several different applications (and users) had access to the same information. Databases (and PCs) eliminated much of the traditional separation of duties that had been established for mainframe systems. Information System auditing had to address these issues.
The introduction of products such as the series of DBASE products, ACCESS, FoxBase, and so on, gave end users the ability to perform tasks previously restricted to the IS group: that is, they could develop their own applications. With much of IS programming suffering from large backlogs, end users saw a way to achieve their goals much quicker. Because of this situation, databases were popular with users. This phenomenon drove end-user computing (EUC). EUC, too, expanded the scope and exposures of information systems, again leading to changes in IS auditing.

The proliferation of databases as the foundation of Accounting Information Systems (AIS) caused both problems and a simplification. Systems such as DB2 (from IBM) and Oracle began to dominate the market in the 1990s. The good news is that if an IS auditor understands database management systems concepts and technical issues, there is a good chance the organizational data resides within one. The basic concepts among database systems are fairly common. Also, the two most popular packages dominate IS in the larger businesses.

iii. Electronic Data Interchange and Electronic Commerce

EDI technology provided users with many benefits in the delivery and production of products and services. The use of EDI, however, exposes data during telecommunications between the two systems. Because of incompatible EDI systems, some organizations use a third party to provide EDI services and introduce another source of exposure. Therefore, EDI (computerized) audit trails have become even more difficult to follow. Universal product code (UPC) bar coding was first used in 1973 in grocery stores. Bar coding increased input accuracy and permitted fast data capture. Bar coding and scanning had advantages to management beyond inventory control. For example, Toys 'R Us uses bar coding and scanning for sales analysis: to know the hot toy first and order the entire supply! Quick response systems integrate EDI, bar coding, and just-in-time (JIT) inventory management. The basic element of the JIT philosophy is to carry only enough inventory to meet customers' orders for a short time frame (ideally one day). Wal-Mart has fine-tuned its quick response system so well that its system has become one of its major competitive advantages. For example, the elimination of local warehouse storage at branch locations reduced costs enough to pay for the quick response system in about six months.

The security of data has not only escaped the confines of the IS central location within an organization, but it is now virtually open to exposure to anyone in the external environment who has enough knowledge and criminal intent to disrupt the information traveling over phone lines and networks. The increase in users of EDI has expanded the risks to transmission of data. Encryption and virtual private networks (VPN) became some of the controls used for these risks and exposures.

iv. Artificial Intelligence and Decision Support Systems

Other major innovations in information technology provide additional opportunities for its use, sometimes as a competitive edge, by management in the area of artificial intelligence (AI), decision support systems (DSS), and group decision support systems (GDSS). Artificial neural systems (ANS) are a special type of AI systems. ANS emulate the functioning of the human brain in model building and decision-making. Neural nets appear to be well suited to problems of pattern recognition, classification, nonlinear feature detection, and nonlinear forecasting. One good example of an emerging technology and how it affects IS auditing is executive information systems (EIS). EIS are computerized systems that support top management in their strategic decision-making. An EIS must be easy to use by relatively unskilled users. Because internal auditing is supposed to review the reliability and integrity of financial and operating information, the emergence of new EIS has had an impact on internal auditors. Information system auditors should define the control risks and internal controls of EIS, as well as all other information technologies. Internal controls should be "seamless" to ensure the flexibility necessary. Thus, IS auditors can contribute to the development of EIS in a variety of ways, but especially in defining controls, auditability, and security for the systems.
All of these emerging technologies led to constantly changing systems, with new information technologies being implemented frequently. Many times, systems are changed with input from IS auditors regarding audit, control, and security. Management and staff are often so enthralled with the features of the new IT that it can be easy to overlook important control and auditing attributes. But if IS auditors do participate in the systems development, the controls, auditability, and security probably will be adequate. CISA guidelines suggest that a CISA be involved in every systems development life cycle (SDLC) project.

v. Telecommunications

In the mid-1960s, modems and acoustical couplers began to appear. Again, it was the growth of the PC that propelled the use of this technology. The 1980s saw global competition begin to affect many more organizations, driving a need for telecommunications. With this expansion of telecommunications came risks and exposures. One problem that arose with telecommunications was computer crime. For example, vandals (hackers and crackers) began to steal or corrupt data from long distance. With the legal system not ready to handle these types of crimes, many organizations could do nothing even if they caught the criminal. The nature of telecommunications and information technology makes it difficult, if not impossible, to identify computer criminals. Using viruses, hackers also vandalized information systems. During the last decade, the impact of viruses has grown and is now considered dramatic. [4] Viruses entered the public limelight in the fall of 1987. But the military had been aware of viruses since 1978 (according to the head of information security at SRI International, Donn Parker). Modern accounting systems, especially due to the expansion of telecommunications, are vulnerable to the detrimental effects of viruses. Most auditors are convinced viruses present a real threat to IS security and control that must be addressed by IS auditors. It is estimated that viruses cost companies $12.3 billion in 2001.

vi. Expanded Interfacing/Scope of Accounting Systems

Other advances caused significant changes in existing accounting information systems (AIS). One major change was enterprise resource planning (ERP), in which AIS was interfaced with all, or most, of the other systems in the organization.
For example, in common ERP systems, human resource systems are interfaced with the payroll system, and sales systems are interfaced with the accounts receivable system. In recent years, ERP is being expanded to include customer relationship management (CRM), supply chain management (SCM), and other functions. In addition, data needs resulted in software such as online analytical processing (OLAP), data warehousing, data mining, and a host of extraction software to create value and draw benefits from AIS and operational data captured over time in systems.

vii. The Internet and the World Wide Web

The most dramatic of advances has been the proliferation of the Internet and the World Wide Web (WWW). With it have come new security problems, new risks, and new challenges for auditing. Suddenly, data is exposed to the entire world! Organizations want to use the 24/7 access to increase sales, improve customer relations, and achieve other business objectives. The increased risk of fraud and damage is considerable. The growth of commerce over the Internet has been phenomenal. It has been estimated that between 2002 and 2005, the number of consumers using online account management will more than double, reaching 45% of the U.S. adult population. On the retail sales side, business-to-consumer (B2C) electronic commerce, or e-commerce, sales grew 92% from 1999 to 2000, with a total of $29 billion. On the wholesale side, business-to-business (B2B) e-commerce transactions increased 17% from 1999 to 2000, with a total of $213 billion. In the service sector, sales increased 48% from 1999 to 2000, with a total of $37 billion. Retail sales for 4Q 2001 were up 13% over 2000 at $10 billion. It is estimated that sales for the year of 2001 were $32.6 billion, an increase of 19% from 2001. The Internet and WWW have changed commerce worldwide in both the nature of transactions and AIS.
Electronic commerce makes it possible to better compete on a global scale and find the best suppliers without regard to geographic location. It also facilitates more efficient and flexible internal operations, better (closer) relationships with suppliers, and improved customer service, with better response to customer needs and expectations. Indeed, e-commerce has become a critical success factor for modern business, strategic needs, and economical development. Firms are changing their organizational and commercial processes to take full advantage of the opportunities that e-commerce offers.

Yet the electronic systems and infrastructure commensurate with effective e-commerce present significant exposures and risks related to abuse, misuse, and failure. Risks extend to all connected parties: merchants, customers, finance entities, and service providers. Risks from attacks range from hackers who are on a cyberspace joy ride to crackers who are out to kill, steal, and destroy. The risks also include viruses and intelligent agents (e.g., distributed denial of service (dDoS) agents). To a lesser extent, it includes those objects whose intent is to clog bandwidth: urban legends, hoax viruses, and chain letters. Those responsible for information security (InfoSec), operational audits, and internal controls have a very difficult task managing the risks associated with the Internet. In general, the most common adverse consequences include the following types of exposures:

- Financial loss as a result of a fraud
- Destruction of important financial records
- Compromise of valuable confidential information to an unauthorized party
- Loss of business opportunities through a disruption of service
- Unauthorized use of resources
- Loss of confidentiality or customer relationship

Some of these consequences can be minimized through appropriate practices of internal control within the organization. For example, in order to minimize possible losses because of disruption of service, contingency planning and physical security measures could be taken. However, the risks may not always be minimized through the traditional security and/or preventative methods. In addition, security threats have become a ubiquitous problem and an ever-evolving challenge for those responsible for information systems. There is a seemingly endless barrage of attacks from computer criminals with the intent to destroy systems, data, and information assets.
Mailing lists such as those from BugTraq, CERT, and SANS Institute put out a continuous stream of warnings about emerging risks, from new viruses to vulnerabilities in operating systems and browsers. The costs of these security problems appear to outweigh even those of Internet fraud. The Computer Security Institute and FBI conducted a study of organizations that experienced security breaches. Respondents who could put a dollar amount on the cost of a security breach averaged more than $2 million in financial losses.

The rate of the growth of the Internet and e-commerce may have slowed, but the scope of this exposure is approaching 100% because it affects both suppliers (hosts/servers) and users (clients). Whether it is web servers (hosts), e-commerce systems, extranets, or just access to the Internet (clients/browsers), firms are exposed to a plethora of possible attacks if they are connected in any way to the Internet. Obviously, those firms with servers (hosts) have a much greater risk. Theoretically, data can be accessed by anyone. In order to respond to these and other critical factors within the implementation strategy of electronic commerce, the role and responsibility of the IA is crucial in establishing auditing procedures and IS specifications that will, at least, minimize risks.

viii. Paradoxical Evolution of Information Technology

The effects of emerging technologies have been paradoxical. On one hand, emerging technologies have created a more difficult system to audit effectively. On the other hand, auditors have managed to use emerging technologies as audit tools and thus become more effective and efficient. The microcomputer innovation in the early 1980s epitomizes this phenomenon. An example of hindrances caused by emerging technologies is distributed data. Emerging technologies, especially the Internet, decentralized the control points.
No longer could an auditor go to a single location and audit the major control points of an EDP system, usually a mainframe in a single, glass-enclosed room. This distribution and multiplication of control points further complicated the audit process. Coupled with the scope change was new technology. Not only did the control points move away from a central location and expand in numbers, but they became different because the technology changed. Thus general controls and application controls were significantly different.

One current, actual example of using emerging technologies is the use of laptops and customized generalized audit software to audit credit unions long distance using telecommunications, never interrupting daily operations (Weber, 1994).

One developing example is embedded audit modules. For example, an artificial neural system (ANS) could be developed to "sit" in the IS and warn auditors of transactions or events that are "outliers", that is, where fraud or irregularity is suspected. This type of warning system is possible because an ANS can "learn" to recognize errors and possible fraud by exposing the system to actual errors and frauds. This tool would amount to 100%, real-time, on-line verification.

Today several computer-assisted audit tools (CAATs) already exist that perform a 100% verification. Despite the existence of IDEA, ACL, Panaudit Plus, and other micro-based CAATs, these tools are apparently greatly underutilized at present. This situation is attributed to serious cost constraints within audits and the expertise needed to use them effectively, combined with a misconception that CAATs are cost effective only for large audits.

One thing the future holds for certain is more rapid change in information technology. One source says:

The task will require ingenuity, special training, and, of course, experience to be efficiently accomplished. Unlike the auditors of the early 1900s, today's auditor is faced with a dynamic situation in which time is of the essence. The increased volume of data being handled, the speed with which these data are processed and the centralization of accounting functions have by no means reached their zenith, nor will the pace in technology diminish. The modern-day auditor must not only meet the challenge quickly, but parallel its future growth. To do otherwise will render the role he plays ineffective, if not futile.

Sound familiar? This statement was written decades ago (USAF, 1966)!
The challenge is to use the lessons of the past to solve problems of the present and future.
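To make the embedded audit module idea above concrete, here is an added illustration (not from the book or any of the CAAT products it names) of a module that examines every posted transaction, checking it against a management authorization table and against a robust statistical outlier test relative to the same vendor's history. The median absolute deviation test, the thresholds, the field names and the sample transactions are all constructed assumptions standing in for the "learned" artificial neural system the text describes.

```python
"""Embedded audit module: 100% on-line verification of a transaction stream.

Added illustration, not from the book. A robust statistical test (median
absolute deviation, MAD) stands in for the artificial neural system the text
describes; thresholds, field names and sample transactions are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    vendor: str        # counterparty the payment goes to
    amount: float      # payment amount in dollars
    approver: str      # user who authorized the payment


# Constructed authorization table: highest amount each approver may release
# (management's "general authorization" for transactions).
AUTH_LIMITS: Dict[str, float] = {"clerk": 5_000.0, "manager": 50_000.0}

MIN_HISTORY = 5      # the outlier test needs some history per vendor first
MAD_THRESHOLD = 3.5  # flag amounts more than 3.5 scaled MADs from the median


class EmbeddedAuditModule:
    """Sits inside the transaction flow and examines every record as it is
    posted (100% verification), returning exceptions for auditor follow-up."""

    def __init__(self) -> None:
        # Per-vendor history of amounts seen so far (the module "learns"
        # what normal looks like for each vendor from the live stream).
        self.history: Dict[str, List[float]] = {}

    def _is_outlier(self, vendor: str, amount: float) -> bool:
        past = self.history.get(vendor, [])
        if len(past) < MIN_HISTORY:
            return False  # not enough history to judge yet
        med = median(past)
        mad = median(abs(x - med) for x in past)
        if mad == 0:
            # Identical history: any different amount is unusual.
            return amount != med
        # 0.6745 scales the MAD to a standard-deviation equivalent.
        score = 0.6745 * abs(amount - med) / mad
        return score > MAD_THRESHOLD

    def verify(self, txn: Transaction) -> List[str]:
        """Check one transaction and return the reasons it is flagged
        (an empty list means it passed). The record joins history either way
        so the auditor, not the module, decides whether it was legitimate."""
        reasons: List[str] = []
        limit = AUTH_LIMITS.get(txn.approver)
        if limit is None:
            reasons.append("approver not in authorization table")
        elif txn.amount > limit:
            reasons.append(f"amount exceeds {txn.approver} limit of {limit:,.0f}")
        if self._is_outlier(txn.vendor, txn.amount):
            reasons.append("amount is an outlier for this vendor")
        self.history.setdefault(txn.vendor, []).append(txn.amount)
        return reasons


def run_monitor(stream) -> Dict[str, List[str]]:
    """Run the module over a stream and collect flagged txn_id -> reasons."""
    module = EmbeddedAuditModule()
    flagged: Dict[str, List[str]] = {}
    for txn in stream:
        reasons = module.verify(txn)
        if reasons:
            flagged[txn.txn_id] = reasons
    return flagged


# Constructed sample stream: five routine ACME payments, then one that both
# exceeds the clerk's limit and is far outside ACME's history, a large but
# properly authorized first payment to a new vendor, and a payment released
# by an approver who is not in the authorization table at all.
SAMPLE_STREAM = [
    Transaction("T001", "ACME", 980.0, "clerk"),
    Transaction("T002", "ACME", 1010.0, "clerk"),
    Transaction("T003", "ACME", 1000.0, "clerk"),
    Transaction("T004", "ACME", 1020.0, "clerk"),
    Transaction("T005", "ACME", 990.0, "clerk"),
    Transaction("T006", "ACME", 9000.0, "clerk"),
    Transaction("T007", "NEWCO", 40000.0, "manager"),
    Transaction("T008", "ACME", 1005.0, "temp"),
]

if __name__ == "__main__":
    for txn_id, reasons in run_monitor(SAMPLE_STREAM).items():
        print(txn_id, "->", "; ".join(reasons))
```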
[4] See "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton, Journal of Corporate Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29-39, for more on viruses.

1.6 History of Federal Regulations Related to Auditing


A review of relevant federal regulations follows to provide the IA department and its members a general understanding of these laws. Each regulation has had an impact on audits.

a. Income Tax Law (Sixteenth Amendment): 1913


One of the first major regulations that was passed by the U.S. Congress was the Sixteenth Amendment in 1913. This law legalized income taxes and had a direct impact on internal auditing. One provision of the law required all companies to maintain adequate accounting records. Thus, even small firms that did not need accounting for management or financing purposes suddenly had to maintain accounting records for income tax purposes. This change meant a need for more accountants and internal auditors, who had to review travel and business expenses for income tax returns and who would respond if the Internal Revenue Service solicited audit reports during their examinations.


b. Securities and Exchange Commission Acts: 1933, 1934


The main impact of the Securities Act of 1933 and the Securities Exchange Act of 1934 was on public accounting. In fact, some have referred to this legislation as the "full employment acts for external auditors." The purpose of the acts was to make accountants liable for purchases of securities containing material misstatements in the portions of the registration statement for which the CPA is responsible. The registration had to include audited financial statements. Essentially, plaintiffs must only establish that they suffered investment losses and that the relevant financial statements contain material errors or omissions. If a plaintiff establishes those elements of proof, the defendant auditor assumes the burden of proving that its employees used "due diligence" in performing the audit. This purpose was a result of the Ivar Kreuger scandal mentioned previously. The Supreme Court has made it clear that the plaintiff must prove more than mere negligence to impose liability on the CPA. Plaintiffs must prove scienter [5] ("a mental state embracing intent to deceive, manipulate, or defraud"), per Section 10(b), Rule 10(b)-5 of the 1934 SEC Act. Most criminal cases brought against CPAs involve this section.

Perhaps the most significant fact about the SEC acts is the legal authority they give the SEC for setting accounting standards. The SEC has in effect delegated that authority to the Financial Accounting Standards Board (FASB). Because of its membership makeup and the influence the AICPA tends to have in the rule-making process, the SEC has basically delegated rule making to the accounting profession, allowing it to monitor and police itself generally. The SEC does issue Staff Accounting Bulletins that are authoritative for publicly traded companies.

For IA, the SEC acts provide impetus for financial accounting responsibilities for publicly traded companies. The acts also require all corporations that report to the SEC to maintain a system of internal control that is evaluated as part of the annual external audit. The responsibility for this system of internal control generally falls on the IA function.

c. Foreign Corrupt Practices Act: 1977


Although the primary purpose of the Foreign Corrupt Practices Act (FCPA) in 1977 was supposedly to eliminate payments by U.S. corporations to foreign officials, the secondary purpose of enhanced internal controls is more important to internal auditors. Organizations were required to have sufficient internal controls so that any illegal payments would be uncovered by the accounting system or internal controls. Thus, if a corporation was guilty of making an illegal payment, management could not (supposedly) escape conviction by claiming a lack of knowledge. If a corporation tried that approach, then it would be guilty of having a system of internal controls that could not uncover illegal payments; that is, the organization would be out of compliance with a federal law. FCPA required two things that affect auditing and IA:

1. SEC registrants must establish and maintain adequate books, records, and accounts.
2. SEC registrants must maintain an internal control system that provides reasonable assurance the organization's objectives are being met:
   a. Transactions are executed in accordance with management's general or specific authorization.
   b. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
   c. Access to assets is permitted only in accordance with management authorization.
   d. Recorded assets are compared with existing assets at reasonable intervals.
   e. Internal controls are capable of detecting illegal foreign payments.


Penalties for violations include fines (up to $2 million), imprisonment (up to five years), and, in some cases, both. [6]

d. Copyright Laws: 1976 et al.


Also affecting internal auditing is the series of copyright laws beginning in 1976, relating to intellectual property. The acts have the following implications for IA:

- U.S. intellectual property is protected.
- The acts have been amended numerous times.
- Management is legally responsible for violations of the organization, even if executives did not know of any illegal activities.
- The U.S. government has continually sought international agreement on terms for protection of intellectual property globally, but without complete success (especially in areas of the Far East and Middle East).

e. Sarbanes-Oxley Act: 2002


The Sarbanes-Oxley Act passed by the U.S. Congress in the summer of 2002 will have a dramatic effect on both external and internal auditing. Section 301 (Public Company Audit Committee) requires an audit committee for listed companies and describes the functions and oversight the audit committee should have over the audit processes. The new law requires the committee to have a great deal of interaction with major facets of audit, including IA auditors. It also requires members of the committee to be independent. Section 302 (Corporate Responsibility for Financial Reports) calls for the certification of financial reports submitted to the SEC by the principal executive officer and principal financial officer. Section 406 (Code of Ethics for Senior Financial Officers) requires a code of ethics for certain executive officers and requires disclosures when a code does not exist. Section 407 (Disclosure of Audit Committee Financial Expert) adds further requirements of the audit committee, specifically that at least one member should have financial accounting expertise. But it is Section 404 (Management Assessment of Internal Controls) that will have the greatest impact on internal auditing. This section requires an annual report to management of the internal controls and their effectiveness. Internal audit is clearly in the optimum position to deliver this required service, and the law is therefore good news for the IA profession. Fulfilling this regulation is an excellent motivation to have an IA department in house. The scope of this section was amplified by the NYSE when it actually required, for the first time, an internal audit function for all NYSE-listed companies (Section 303A.7(c)). (See also Sections 3.4(e) and 9.2 for more on the Sarbanes-Oxley Act.)
[5] Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago), 1976.

[6] See full text of FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.

1.7 Professional Organizations Related to Internal Auditing


Several organizations furnish professional services, certification, and continuing education that relate to IA. The following list summarizes some of these major organizations. A summary of each organization, mostly derived from information at their web site, follows.

Organization                                                   Certification           Web Site
Institute of Internal Auditors (IIA)                           CIA, CGAP, CFSA, CCSA   www.theiia.org
Information Systems Audit and Control Association (ISACA)      CISA                    www.isaca.org
American Institute of Certified Public Accountants (AICPA)     CPA, CITP               www.aicpa.org
American Accounting Association (AAA)                          n.a.                    www.aaa-edu.org
Financial Executives International (FEI)                       n.a.                    www.fei.org
Association of Government Accountants (AGA)                    CGFM                    www.agacgfm.org
Association of Certified Fraud Examiners (ACFE)                CFE                     www.cfenet.com

a. Institute of Internal Auditors


The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701-4201
Phone: (407) 830-7600
Fax: (407) 831-5171
E-mail: <iia@theiia.org>
Web: www.theiia.org

The IIA focuses on the internal audit function. Its certification is the Certified Internal Auditor (CIA). Established in 1941, the IIA serves more than 75,000 members in internal auditing, governance and internal control, IT audit, education, and security from more than 100 countries. The world's leader in certification, education, research, and technological guidance for the profession, the IIA serves as the profession's watchdog and resource on significant internal auditing issues around the globe. Presenting important conferences and seminars for professional development, producing leading-edge educational products, certifying qualified auditing professionals, providing quality assurance reviews and benchmarking, and conducting valuable research projects through the IIA Research Foundation are just a few of the Institute's many activities. The IIA also provides internal audit practitioners, executive management, boards of directors and audit committees with standards, guidance, and information on best practices in internal auditing. It is a dynamic international organization that meets the needs of a worldwide body of internal auditors. The history of internal auditing has been synonymous with that of the IIA and its motto, "Progress Through Sharing." In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards, in the first major revision to the "Red Book" since it was introduced a quarter century ago (i.e., Standards for the Professional Practice of Internal Auditing (SPPIA)).

b. Information Systems Audit and Control Association


Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
Phone: (847) 253-1545
Fax: (847) 253-1443
Web: www.isaca.org

The Electronic Data Processing Auditing Association (EDPAA) was formed in 1969 and later changed its name to Information Systems Audit and Control Association (ISACA). It is dedicated to the profession of IS auditing. Its certification is CISA (Certified Information Systems Auditor).

With more than 26,000 members in over 100 countries, ISACA is a recognized global leader in IT governance, control and assurance. The organization sponsors international conferences, administers the globally respected CISA designation earned by more than 27,000 professionals worldwide, and develops globally applicable information systems auditing and control standards. An affiliated foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, offers symposia, original research, presentations at both ISACA and non-ISACA conferences, and electronic resources to assist enterprise leaders in their responsibility to make IT successful in supporting the enterprise's mission and goals. ISACA's vision is to be the recognized global leader in IT governance, control, and assurance. ISACA's mission is to support enterprise objectives through the development, provision, and promotion of research, standards, competencies, and practices for the effective governance, control, and assurance of information, systems, and technology.

ISACA members residing in more than 160 chapters throughout more than 100 countries around the world unite through:

- One set of standards used as guidance for IS audit and control activities worldwide
- A respected certification program that is recognized internationally in the IS audit, control, and security fields
- A professional development program on critical managerial and technical topics
- Award-winning technical publications providing the latest research, case studies, and how-to information, and
- A code of professional ethics to guide members' professional activities and conduct

c. American Institute of Certified Public Accountants


American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
Phone: (212) 596-6200
Fax: (212) 596-6213
Web: www.aicpa.org

The AICPA is the professional organization that represents external auditors. The AICPA oversees the Certified Public Accountant (CPA) designation that is actually administered and awarded by individual states (the examination is common to all states). It has a strict code of ethics that it enforces. Internal auditors must be familiar with their duties, Generally Accepted Accounting Principles (GAAP), and other financial reporting criteria in order to perform their duties effectively.

The AICPA and its predecessors have a history dating back to 1887, when the American Association of Public Accountants was formed. In 1916, the American Association was succeeded by the Institute of Public Accountants, whose membership numbered 1,150. The name was changed to the American Institute of Accountants in 1917 and remained so until 1957, when the name was again changed to the American Institute of Certified Public Accountants. Separately, the American Society of Certified Public Accountants was formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936 and, at that time, the Institute agreed to restrict its future members to CPAs.

d. American Accounting Association


American Accounting Association
5717 Bessie Drive
Sarasota, FL 34233-2399
Phone: (941) 921-7747
Fax: (941) 923-4093
E-mail: <office@aaahq.org>
Web: www.aaa-edu.org

The American Accounting Association is dedicated to accounting education with most of its membership comprised of accounting academics; in fact, it has fewer practitioners as a percentage over time. There is no separate certification associated with the AAA. The AAA promotes worldwide excellence in accounting education, research, and practice. Founded in 1916 as the American Association of University Instructors in Accounting, its present name was adopted in 1936. The AAA provides a wealth of resources for IA in doing research and in communicating education needs back to the classrooms. Interaction between IA and AAA should lead to a synergistic relationship.

e. Financial Executives International


Financial Executives International
10 Madison Avenue
P.O. Box 1938
Morristown, NJ 07962-1938
Phone: (973) 898-4600
Fax: (973) 898-4649
Web: www.fei.org

FEI represents the financial profession and community. It has no separate certification. FEI was founded in 1931. Over time the role of the financial executive expanded and it adopted its broader present name in 1962. On November 6, 2000, the Financial Executives Institute became what is now Financial Executives International. FEI is the preeminent professional association for senior financial executives representing 15,000 individuals. Membership driven, FEI provides peer networking opportunities, emerging issues alerts, personal and professional development, and advocacy services to chief financial officers, controllers, treasurers, tax executives, finance and accounting professors in academia. FEI does this principally through its strong Internet community, its 85 chapters and its 9 technical committees.

Membership is limited to individuals holding senior management positions, but the organization allows many other finance professionals to join if they meet certain criteria. Other typical titles held by FEI members include assistant controller, subsidiary CFO or controller, assistant treasurer, and director of tax. FEI also has a special rate and status for academics. As the global economy developed, FEI was the driving force in forming the International Association of Financial Executives Institutes in 1969. FEI proactively helped design the CFO Act and has a history of supporting legislation that enhances the business climate. Its largest chapters are in Boston, Santa Clara Valley, New York, and Chicago. In total, FEI has 85 chapters across the United States and Canada. FEI Canada was established in 1973 to serve the needs of its Canadian members and consists of 11 chapters.

Vision: FEI will continue to be the association for the corporate finance profession.

f. Association of Government Accountants


Association of Government Accountants
2208 Mount Vernon Avenue
Alexandria, VA 22301
Phone: (703) 684-6931, (800) AGA-7211
Fax: (703) 548-9367
Web: www.agacgfm.org

The Association of Government Accountants specializes in public financial management. AGA sponsors the CGFM (Certified Government Financial Manager) certification. Since 1950, AGA has been instrumental in developing accounting and auditing standards and in generating new concepts for the effective organization and administration of financial management functions, including the passage of the Inspector General Act of 1978 and the Chief Financial Officer's Act of 1990. AGA conducts independent research and analysis of all aspects of government financial management. These studies have led AGA to be recognized as a leading advocate for improving the quality and effectiveness of government fiscal administration. Since its inception in 1994, the CGFM has become the standard by which government financial management professionals are measured. Its education, experience and ethics requirements have served to elevate the most seasoned financial professionals. More than 13,000 individuals have received the designation so far.

g. Association of Certified Fraud Examiners


Association of Certified Fraud Examiners
The Gregor Building
716 West Avenue
Austin, Texas 78701
Phone: (512) 478-9070, (800) 245-3321 (USA & Canada only)
Fax: (512) 478-9297
Web: www.cfenet.com

The Association of Certified Fraud Examiners (ACFE) specializes in anti-fraud activities and white-collar crime detection, and sponsors the CFE (Certified Fraud Examiner) certification. ACFE, established in 1988, is based in Austin, Texas. The 26,000-member professional organization is dedicated to educating qualified individuals (Certified Fraud Examiners), who are trained in the highly specialized aspects of detecting, investigating, and deterring fraud and white-collar crime. Each member of the association designated a Certified Fraud Examiner has earned certification after an extensive application process and upon passing the uniform CFE examination. Certified Fraud Examiners come from various professions, including auditors, accountants, fraud investigators, loss prevention specialists, attorneys, educators, and criminologists. CFEs gather evidence, take statements, write reports, and assist in investigating fraud in its varied forms. CFEs are employed by most major corporations and government agencies, and others provide consulting and investigative services. The association sponsors approximately 100 local chapters worldwide. CFEs in more than 100 countries on four continents have investigated more than 1 million suspected cases of civil and criminal fraud.

Endnotes

1. Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38-47. Most of this section came from this article.
2. Interestingly enough, a similar law was passed during the Civil War but was later ruled to be unconstitutional by the U.S. Supreme Court.
3. Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.
4. See "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton, Journal of Corporate Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29-39, for more on viruses.
5. Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago), 1976.
6. See full text of FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.


Chapter 2: Auditing Standards and Responsibilities


Overview
SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.1    REV NO:    DATE:    PAGES:
TITLE: Introduction

2.1 Introduction
The internal audit function is guided by auditing standards, guidelines, principles, and the responsibilities for auditors both individually and professionally. Individually, internal auditors have an ethical responsibility to perform their duties with integrity. Professionally, there are standards that must be considered.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 2.2    REV NO:    DATE:    PAGES:
TITLE: Ethics

2.2 Ethics
Every company should have its own ethics officer, who answers to the chief executive officer (CEO) or, better yet, chairman of the board. Companies should consider ethics training and an ethics system for reporting suspicious activities or events (e.g., a toll-free phone line that goes to a special group responsible for corporate ethics). Companies may even hire ethics consultants when necessary (e.g., for developing international ethics). Managers and business professionals alike should use ethical principles to evaluate their activities, behaviors, and decisions.

One area of concern for organizations today is the potential harm or risks from the use of information technologies. Because the work of auditors is inexorably melded with technology, ethics related to information technology (IT) should at least be considered while conducting reviews and audits. Ethical principles for responsible use of IT include:

- Proportionality. The good achieved by technology must outweigh any harm or risk in its use.
- Informed Consent. Those affected by the technology should understand and accept the risks associated with that use.
- Justice. The benefits and burdens of the technology should be distributed fairly.
- Minimized Risk. To the extent that any risk is judged acceptable by the preceding three guidelines, technology should be implemented to eliminate all unnecessary risk.

The Association of Information Technology Professionals (AITP) provides the following guidelines for becoming a responsible end user [1]:

- Act with integrity, avoid conflicts of interest, and ensure your employer is aware of any potential conflicts.
- Protect the privacy and confidentiality of any information you are entrusted with.
- Do not misrepresent or withhold information that is germane to a situation.
- Do not attempt to use the resources of an employer for personal gain or for any purpose without proper approval.
- Do not exploit the weakness of a computer system for personal gain or personal satisfaction.
- Set high standards for your work. Accept responsibility for your work.
- Advance the health, privacy, and general welfare of the public.

The above ethics principles can be used to govern ethical conduct by managers and users. However, more specific standards of conduct are needed to govern ethical use of information technology. One of the hallmarks of any profession is having and following a basic set of ethical standards. For auditors, it matters how "doing what is right" is defined and by whom. Exactly what constitutes the ethical standards for internal auditing as a profession? A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed on its objective assurance about risk management, control, and governance.

a. Institute of Internal Auditors (IIA) [2]


The Institute of Internal Auditors has a Code of Ethics that applies to its members and Certified Internal Auditors (CIA). It extends beyond the definition of internal auditing to include two essential components:

1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors.

i. Purpose

The purpose of this Code is to promote an ethical culture in the profession of internal auditing.

ii. Applicability

This Code of Ethics applies to both individuals and entities that provide internal auditing services. For the IIA, "internal auditors" refer to IIA members, recipients of IIA professional certification (CIA, CGAP, CCSA, and CFSA), and candidates for those certifications. For internal auditors, breaches of the Code will be evaluated, and enforcement administered according to the IIA's bylaws and administrative guidelines.

iii. Principles of the IIA Code of Ethics

Internal auditors are expected to apply and uphold these principles:

Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority, unless there is a legal or professional obligation to do so.

Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

iv. Rules of Conduct

The rules of conduct include:

Integrity. Internal auditors (a) shall perform their work with honesty, diligence, and responsibility, (b) shall observe the law and make disclosures expected by the law and the profession, (c) shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or the organization, and (d) shall respect and contribute to the legitimate and ethical objectives of the organization.

Objectivity. Internal auditors (a) shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment; this participation includes those activities or relationships that may be in conflict with the interests of the organization, (b) shall not accept anything that may impair or be presumed to impair their professional judgment, and (c) shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Confidentiality. Internal auditors (a) shall be prudent in the use and protection of information acquired in the course of their duties, and (b) shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

Competency. Internal auditors (a) shall engage only in those services for which they have the necessary knowledge, skills, and experience, (b) shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing, and (c) shall continually improve their proficiency and the effectiveness and quality of their services.

b. Information Systems Audit and Control Association (ISACA) [3]


The Information Systems Audit and Control Association (ISACA) also has a Code of Professional Ethics.

i. Purpose

The purpose of the ISACA Code is to guide the professional and personal conduct of members of the association and/or holders of the professional certifications from ISACA.

ii. Applicability

The Code applies to members of ISACA and/or holders of the Certified Information Systems Auditor (CISA) and/or Certified Information Security Manager (CISM) certifications. Failure to comply with the Code can result in an investigation into one's conduct and, ultimately, in disciplinary measures.

iii. Rules of Conduct

This Code says members and CISAs [4] shall:

Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
Serve in the interest of relevant parties in a diligent, loyal, and honest manner, and not knowingly be a party to any illegal or improper activities.
Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.
Maintain competency in their respective fields of auditing and information systems control, and agree to undertake only those activities that they can reasonably expect to complete with professional competence.
Perform their duties with due professional care.
Inform the appropriate parties of the results of information systems audits and/or control work performed, revealing all material facts known to them which, if not revealed, could either distort reports of operations or conceal unlawful practices.
Support the education of clients, colleagues, the general public, management, and boards of directors in enhancing their understanding of information systems auditing and control.
Maintain high standards of conduct and character and not engage in acts discreditable to the profession.

[1] According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.

[2] The majority of this section comes from the IIA's Code of Ethics web page at www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on June 17, 2000.

[3] The majority of this section comes from the ISACA's Code of Professional Ethics web page at www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any changes. The document used in this manual was adopted by ISACA on July 1, 2001. It also was under review, at the time this chapter was written, for changes related to the CISM certification.

[4] At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new certification, CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes effective since this writing.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 2.3 REV NO: DATE: TITLE: Professional Auditing Standards PAGES:

2.3 Professional Auditing Standards


Like ethics, standards exist from authoritative sources that impose certain requirements and/or structures on the tasks and duties of the internal auditor. These standards come from professional accounting organizations and from proven systems theory. There is a great deal of overlap among the accounting organizations' auditing standards; independence, planning, and competence, for example, appear in all of them.

a. Institute of Internal Auditors


The IIA's authoritative standards document applicable to IA is known as the Standards for the Professional Practice of Internal Auditing (SPPIA). The purpose of the SPPIA is to:

Delineate basic principles that represent the practice of internal auditing as it should be
Provide a framework for performing and promoting a broad range of value-added internal audit activities
Establish the basis for the measurement of internal audit performance
Foster improved organizational processes and operations

In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards, the first major revision of the so-called "Red Book" since it was introduced a quarter century earlier. The mandatory implementation date for these Standards was January 1, 2002. The Standards consist of Attribute Standards (the 1000 series), Performance Standards (the 2000 series), and Implementation Standards (numbered nnnn.Xn). There is a single set of Attribute Standards and a single set of Performance Standards, but there may be several sets of Implementation Standards, one for each major type of internal audit activity. Implementation Standards related to assurance carry an "A" in the number (e.g., 1130.A1), and those related to consulting carry a "C" (e.g., 1130.C1). The following is a brief summary of the main categories of the Attribute Standards and Performance Standards from the most recent version of the SPPIA:

Attribute Standards

1000 Purpose, Authority, and Responsibility. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

1100 Independence and Objectivity. The internal audit activity should be independent, and internal auditors should be objective in performing their work.

1200 Proficiency and Due Professional Care. Engagements should be performed with proficiency and due professional care.

1300 Quality Assurance and Improvement Program. The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

Performance Standards

2000 Managing the Internal Audit Activity. The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

2100 Nature of Work. The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.

2200 Engagement Planning. Internal auditors should develop and record a plan for each engagement.

2300 Performing the Engagement. Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

2400 Communicating Results. Internal auditors should communicate the engagement results promptly.

2500 Monitoring Progress. The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2600 Management's Acceptance of Risks. When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

b. Information Systems Audit and Control Association [5]


The concept of a professional association of computer auditors originated in Los Angeles, California, in the late 1960s with a small group of auditors who were working in the area of computerized systems. The entity was named the Electronic Data Processing Auditors Association, and the name later changed to Information Systems Audit and Control Association (see Section 1.5(f) for a detailed history of EDPAA/ISACA).

Computer-based systems are pervasive tools used by management in almost all organizations. Such systems affect control over many of the assets (including the very valuable corporate data) and operations of an organization. Development and support of such systems may require a significant portion of an organization's total resources. When these conditions exist, the auditor's mission may include auditing the development, maintenance, and operation of the systems.

The work of auditors, both internal and external, is governed by standards developed by a number of professional organizations, each of which seeks to assure the quality of auditing work being performed. The Information Systems Audit and Control Foundation (ISACF) has determined that the specialized nature of information systems (IS) auditing work, and the skills necessary to perform such audits, require the development and promulgation of auditing standards that apply specifically to IS auditing. For the purposes of these standards, IS auditing is defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them. IS auditors review and evaluate the development, maintenance, and operation of components of automated systems (or such systems as a whole) and their interfaces with the non-automated areas of the organization's operations. The objectives of such auditing generally are to assess the extent to which such systems or components produce reliable and accurate information and to determine whether such information conforms to management's requirements and any applicable statutory provisions.

ISACF has developed its Standards in order to inform (1) IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics, and (2) management and other interested parties of the profession's expectations concerning the work of practitioners. The framework for the IS Standards, Guidelines, and Procedures for IS Auditing (the Standards) provides multiple levels of guidance. First, Standards define mandatory requirements for IS auditing and reporting. Second, Guidelines provide guidance in applying the IS Auditing Standards; the IS auditor should consider them in determining how to achieve implementation of the Standards, use professional judgment in their application, and be prepared to justify any departure. Last, Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of all proper procedures and tests, or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures, or test, IS auditors should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the Standards when performing IS auditing work, but do not set requirements.

The Standards, and their associated numbers, are divided into three areas: Standard Category, Standard, and Guideline (see Exhibit 2.1). There are eight Standard Categories and 12 IS Auditing Standards in all. IS Auditing Standards are brief mandatory requirements for CISA holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those Standards in most situations. There will be times, however, when the auditor will not follow that guidance; in such a case, it is the auditor's responsibility to justify the way in which the work is done. The Procedure examples show the steps performed by an IS auditor and are more detailed than the IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for the procedures to be followed. For ISACA, these Standards are effective for all information systems audits with periods of coverage beginning July 25, 1997.

Exhibit 2.1: ISACA Auditing Standards and Guidelines [6]

Standard Category                      Standard                                   Guideline
010 Audit Charter                      .010 Responsibility, Authority, and        .010 Audit Charter
                                            Accountability                        .020 Outsourcing
020 Independence                       .010 Professional Independence             .010 Nonaudit Role Impact
                                       .020 Organizational Relationship
030 Professional Ethics and Standards  .010 Code of Professional Ethics           .010 Audit Considerations for Irregularities
                                       .020 Due Professional Care                 .020 Due Professional Care
                                                                                  .010 Irregularities and Illegal Acts
040 Competence                         .010 Skills and Knowledge
                                       .020 Continuing Professional Education
050 Planning                           .010 Audit Planning                        .010 Materiality
                                                                                  .020 Planning
                                                                                  .030 Risk Assessment
                                                                                  .040 Effect of Third Parties
060 Performance of Audit Work          .010 Supervision                           .010 Audit Documentation
                                       .020 Evidence                              .020 Application Systems Review
                                                                                  .030 Audit Evidence
                                                                                  .040 Audit Sampling
                                                                                  .050 IT Governance
                                                                                  .060 Pervasive IS Controls
                                                                                  .070 Use of CAATs
                                                                                  .080 Use of Experts
                                                                                  .NNN etc.
070 Reporting                          .010 Report Content and Form               .010 Reporting
080 Follow-Up Activities               .010 Follow-Up

Source: ISACA, from web site www.isaca.org/stand1.htm. Reprinted with permission.


The eight categories and a brief summary description of each follow:

010 Audit Charter. The responsibility, authority, and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.

020 Independence. In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance. The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.

030 Professional Ethics and Standards. The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.

040 Competence. The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work. The information systems auditor is to maintain technical competence through appropriate continuing professional education.

050 Planning. The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.

060 Performance of Audit Work. Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met. During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant, and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

070 Reporting. The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients, and any restrictions on circulation. Audit findings, conclusions, and recommendations, and any reservations or qualifications that the auditor has with respect to the audit, are to be stated in the report.

080 Follow-Up Activities. The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions, and recommendations to determine whether appropriate actions have been implemented in a timely manner.

The first three digits in a document number represent one of the eight standard categories. IS Auditing Standards begin with "0" and Standards for IS Control Professionals begin with "5." The second three digits are the number of the standard within that category (12 standards to date). The third set of three digits is the number of the guideline. For example, document 050.010.030 is a guideline (see Exhibit 2.1): it provides guidance in the fifth standard category (050), Planning; it applies to the first standard in that category (010), Audit Planning; and it is the third guideline listed under Audit Planning (030). Procedures are listed separately and numbered consecutively by issue date, beginning with "1." Refer to the latest index of IS auditing standards, guidelines, and procedures for a complete listing of those documents, available online from ISACA's web site.

c. American Institute of Certified Public Accountants


The AICPA's long-established Generally Accepted Auditing Standards (GAAS) are related to internal auditing at least tangentially, because external auditors apply them when they come to the IA's organization to conduct the financial statement audit. The basic standards fall into three categories: General Standards, Standards of Field Work, and Reporting Standards. The first two groups are similar to many of the standards from the IIA and ISACA. The AICPA also issues Statements on Auditing Standards (SASs) from time to time that interpret and expand on GAAS.

General Standards

1. The auditor must have adequate technical training and proficiency.
2. The auditor must maintain independence in mental attitude in all matters relating to the audit.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work

1. Audit work must be adequately planned, and assistants, if any, properly supervised.
2. The auditor must obtain a sufficient understanding of the internal control structure to plan the audit and to determine the nature, timing, and extent of tests to be performed.
3. The auditor must obtain sufficient, competent evidence to afford a reasonable basis for an opinion.

Reporting Standards

1. The report must state whether the financial statements are presented in accordance with generally accepted accounting principles (GAAP).
2. The report must identify those circumstances in which GAAP have not been consistently observed in the current period in relation to the preceding period.
3. Informative disclosures in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.
4. The report must contain an expression of the auditor's opinion on the financial statements taken as a whole, or an assertion that an opinion cannot be expressed, with the reasons stated.

[5] Much of this section was taken from ISACA's web page on Standards located at www.isaca.org/stand1.htm.

[6] The list illustrates the Standards for Information Systems Auditing issued by ISACA and is not comprehensive. For the complete list, see www.isaca.org/stand1.htm.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 2.4 REV NO: DATE: TITLE: Systems Development Life Cycle Standards PAGES:

2.4 Systems Development Life Cycle Standards


While the standards from the IIA, ISACA, and AICPA are obviously relevant to the IA function, proven systems development life cycle (SDLC) standards are relevant as well. For instance, ISACA guideline 060.020.020 (IS Auditing Guideline: Application Systems Review) states in section 2.1.1, "Planning Considerations," in part: The IS auditor should gain an understanding of ... the risks and exposures associated with the organization's objectives and its information systems. Further, section 2.1.3 states in part: Application level risks at the system and data level include such things as: system integrity risks relating to the incomplete, inaccurate, untimely, or unauthorized processing of data, and system maintainability risks relating to the inability to update the system when required in a manner that continues to provide for system availability, security, and integrity.

All of the above portions of the Standards relate directly to the proper use of SDLC techniques. For example, if system changes are applied directly to the live system (over the LAN or the Internet) rather than the system being taken offline, updated, tested, and then returned to live access, the risks are greater according to SDLC standards. Many a system has been updated in place only to incur extra costs or other losses from the avoidable problems this shortcut created. The same holds for the phrase from section 2.1.3, "integrity risks relating to incomplete . . . ." Failing to follow SDLC procedures in system changes or purchases produces exactly these risks.

The SDLC procedures for new systems include these steps: identify the process, understand what needs to be done, consider alternative solutions, select the best solution, test the solution, activate or implement the solution, and maintain the solution.

Another key SDLC standard is the use of a cross-functional team in developing any major system, whether new or a major change. The team should include systems professionals (analysts, programmers, etc.), end users, management, and auditors or accountants (limited to design functions, focusing on application controls). Another effective technique is to include different levels of the organization within each function: for example, a manager from IS, a mid-level person from IS, and someone from the operational level of IS, and likewise for users/operations and for audit/accounting (see Exhibit 2.2 for a matrix view of this technique). Part of the responsibility of this team or steering committee is to ensure an appropriate linkage between the project and the strategic objectives of the firm.

Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix (one representative from each level of each department)

Department   Executive Management   Middle Management   Operations Personnel
IA           1                      1                   1
IS           1                      1                   1
Dept. 1      1                      1                   1
Dept. 2      1                      1                   1

The SDLC has two prerequisite documents and steps: a preliminary feasibility study and project authorization. The specific phases of the SDLC are described in the following and pictured in Exhibit 2.3, which includes a list of the documents or reports involved with each phase.

Phase 1: Systems Planning. Systems planning has proven to be cost effective, although it is tempting for IS technicians to skip it, usually due to time pressures. It includes both strategic systems planning (long-term planning) and project planning (short-term planning). A dynamic strategic systems plan is certainly better than no plan at all. Project planning includes identifying users' needs, preparing proposals, evaluating proposals, prioritizing individual projects, and scheduling work. It produces a project proposal and a project schedule document. One proven effective approach to systems planning is to use a steering committee to manage the process. The members of this group follow a makeup similar to the "matrix" view of cross-functional teams depicted in Exhibit 2.2.

Phase 2: Systems Analysis. This phase includes surveys, if necessary, and other fact-gathering steps. The step is documented by the systems analysis report.

Phase 3: Conceptual Design. In this phase, the team develops alternative systems that satisfy the system requirements identified during systems analysis. This phase includes a data flow diagram (DFD) in general terms.

Phase 4: Systems Evaluation and Selection. This process seeks to identify the optimal solution from among the alternatives. It includes a feasibility study, a cost-benefit analysis, and the system selection report (documentation).

Phase 5: Detailed Design. This phase produces a detailed description of the proposed system that satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design. It includes some form of testing, such as a simulation or walkthrough. It involves numerous reports and some of the most important documentation of the processes and the system. Examples include the detailed design report, the detailed DFD, the entity-relationship (ER) diagram, the relational model, normalized data, the data dictionary, and other documentation.

Phase 6: Systems Implementation. At this point, the database structures are created and populated with data, applications are coded and tested (prior to going live), equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed. Once the final tests have been conducted, the system is placed in active use. This phase also provides a post-implementation review, program flowcharts, program documentation, and the user acceptance report, and it should include a budget variance analysis. The post-implementation review and budget analysis are critical follow-up processes that will be valuable to management decisions and future projects.

Phase 7: Maintenance. The maintenance phase is the longest in time, and therefore the efficiency and effectiveness of this phase depend heavily on the documentation of the previous steps. Because about 80% of the total cost of the system will occur during this phase, there is plenty of opportunity for cost savings based on artifacts such as the data dictionary [7] developed in the detailed design phase. During this phase, the system is changed to accommodate changes in user needs. A minimum of four controls are needed in maintenance: formal authorization for changes, technical specifications (documentation), retesting (offline first, before the change reaches the live system), and updating of the documentation (especially the data dictionary).

Exhibit 2.3: SDLC Guidelines

A materially flawed financial application will eventually misstate the financial data, which will then be incorrectly, and materially, reported in the financial statements. Therefore, the accuracy and integrity of these information systems directly affect the accuracy of the client's financial data. Some of the questions internal auditors should ask include:

How can audit verify that SDLC activities are being applied consistently?
How can audit verify that systems are free from material errors and fraud using SDLC principles?
How can audit verify that the purchase or development of a system is justified?
How can audit verify that system documentation is adequate and complete?
How can audit verify that library control is effective for original source code (or original copies and licenses of commercial software) and data (backups)? That is, what controls exist to protect original software and backup data? (See page 109 for a description of library control.)
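The following Python script is an added illustration, not part of the manual, of how two of the maintenance-phase controls above (formal authorization for changes and retesting before promotion) and the library-control question can be turned into a repeatable audit test. It reconciles a production deployment log against an approved-change register and against a manifest of SHA-256 hashes taken from the release library's original copies. Everything in it is constructed for the example: the system names, ticket numbers, log line format, field names and artifact contents are hypothetical, and a real test would read the organization's change-management records and its production inventory instead.

```python
"""Added example (not from the manual): an audit test over constructed data for
the maintenance controls of formal change authorization and retesting before
promotion, plus the library-control question: does the code running in
production match the approved original held in the release library?"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed release library: the audit-controlled original copies, keyed by
# (system, version). Short byte strings stand in for real build artifacts.
RELEASE_LIBRARY: Dict[Tuple[str, str], bytes] = {
    ("payroll", "4.2.1"): b"payroll-4.2.1-approved-build",
    ("ledger", "9.0.0"): b"ledger-9.0.0-approved-build",
    ("ledger", "9.0.1"): b"ledger-9.0.1-approved-build",
}

# Constructed approved-change register (the formal authorization control).
# The ticket format and field names are hypothetical.
APPROVED_CHANGES: Dict[str, Dict[str, object]] = {
    "CHG-1001": {"system": "payroll", "version": "4.2.1", "retested": True},
    "CHG-1002": {"system": "ledger", "version": "9.0.0", "retested": False},
}

# Hypothetical deployment-log format; a real source would be the change
# tool's export or a configuration-management inventory of production.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) deploy system=(?P<system>\S+) version=(?P<version>\S+) "
    r"change=(?P<change>\S+) sha256=(?P<sha>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def library_manifest() -> Dict[Tuple[str, str], str]:
    """Approved hash per (system, version): what production should match."""
    return {key: sha256_hex(blob) for key, blob in RELEASE_LIBRARY.items()}


def parse_deploy_line(line: str) -> Optional[Dict[str, str]]:
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def audit_deployments(log_lines: List[str],
                      register: Dict[str, Dict[str, object]],
                      manifest: Dict[Tuple[str, str], str]) -> List[Tuple[object, str]]:
    """Return (record, finding) pairs; an empty list means every control held."""
    findings: List[Tuple[object, str]] = []
    for line in log_lines:
        rec = parse_deploy_line(line)
        if rec is None:
            findings.append((line, "unparseable deployment record"))
            continue
        key = (rec["system"], rec["version"])
        change = register.get(rec["change"])
        # Control 1: every production change traces to a formal authorization
        # that names this system and version.
        if change is None:
            findings.append((rec, "no formal change authorization"))
        elif (change["system"], change["version"]) != key:
            findings.append((rec, "deployed artifact does not match authorized change"))
        # Control 2: the authorized change was retested before promotion.
        elif not change["retested"]:
            findings.append((rec, "change promoted without retest"))
        # Control 3 (library control): production equals the approved copy.
        approved = manifest.get(key)
        if approved is None:
            findings.append((rec, "no approved copy in release library"))
        elif approved != rec["sha"]:
            findings.append((rec, "production hash differs from library copy"))
    return findings


def constructed_deploy_log() -> List[str]:
    """Three constructed log lines: one clean, one untested, one edited in place."""
    clean = sha256_hex(RELEASE_LIBRARY[("payroll", "4.2.1")])
    untested = sha256_hex(RELEASE_LIBRARY[("ledger", "9.0.0")])
    edited = sha256_hex(b"ledger-9.0.1-hotfix-edited-on-prod")  # not the library copy
    return [
        f"2003-06-01T02:10:00Z deploy system=payroll version=4.2.1 change=CHG-1001 sha256={clean}",
        f"2003-06-02T03:00:00Z deploy system=ledger version=9.0.0 change=CHG-1002 sha256={untested}",
        f"2003-06-03T23:45:00Z deploy system=ledger version=9.0.1 change=CHG-9999 sha256={edited}",
    ]


if __name__ == "__main__":
    for rec, finding in audit_deployments(constructed_deploy_log(),
                                          APPROVED_CHANGES, library_manifest()):
        print(f"{finding}: {rec}")
```

On the constructed log the test reports three exceptions: the ledger 9.0.0 change that was authorized but never retested, and the ledger 9.0.1 deployment that both lacks a change ticket and differs from the library copy, which is exactly the pattern left by a system "updated online" rather than taken through the change process. The hash comparison only proves that production matches the library; it says nothing about whether the library copy itself is protected, which is why the library-control question above has to be answered separately.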

[7] A data dictionary will include all of the fields in all of the files used by the system, with details on the characteristics of each field and the places it is used in the applications.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 2.5 REV NO: DATE: TITLE: Professional Development PAGES:

2.5 Professional Development


One of the critical success factors in internal audit (IA) is professional development. Not only do accounting and auditing rules change, but other relevant matters change as well. For instance, technology and systems are constantly evolving at a rapid pace; they not only house the accounting information but are also excellent tools to use in audits. Management issues, such as conflict resolution and leadership, are vital to IA. Life-long learning, that is, professional development, is a necessity. (See Section 5.2 on personal development for details on professional development.) Certification is an important element in a successful, effective internal audit department. Its major benefits are that certification is a sign of professionalism, of an adequate level of knowledge (for the area under certification), and of a willingness to submit to a professional code of ethics. Another benefit of certification is the mandatory Continuing Professional Education (CPE) credits that must be earned each year in order to maintain one's certification. (See Section 5.1(c) i for more on certification.) This manual also recommends an annual staff meeting or conference for training and education of the staff auditors, in addition to other educational options. (See Section 5.5 for details.) Most of all, the ISACF Standards state that IS auditors are to be technically competent, having the skills and knowledge necessary to perform the auditor's work (040.010, Competence/Skills and Knowledge), and also specify that IS auditors are to maintain their technical competence through appropriate CPE (040.020, Continuing Professional Education). The IIA Code of Ethics states the same requirement for competence in its "Principles" and "Rules of Conduct" sections. Therefore, professional development is a key to quality audits and an effective IA function.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 2.6 REV NO: DATE: TITLE: Responsibilities of a Corporate Auditor PAGES:

2.6 Responsibilities of a Corporate Auditor


In addition to the various standards to be followed, the corporate auditor and the IA function have responsibilities that must be fulfilled for IA to have successful results.


a. Nature
Internal auditing is an independent appraisal activity within an organization for the review of operations as a service to management. It improves managerial control by measuring and evaluating the effectiveness of other controls, and by maintaining a vigilant watch over risks.

b. Objective and Scope


The objective of internal auditing is to assist all members of the organization in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, and pertinent comments concerning the activities reviewed. The internal auditor is concerned with any phase of business activity where he/she may provide service to the organization. This scope involves going beyond the accounting and financial records to obtain a full understanding of the operations under review. The attainment of this overall objective involves such activities as:

Reviewing and appraising the correctness, adequacy, and application of accounting, financial, and other operating controls, and promoting effective control at reasonable cost
Ascertaining the extent of compliance with established policies, plans, and procedures
Ascertaining the extent to which company assets are accounted for and safeguarded from losses of all kinds
Ascertaining the reliability of management data developed within the organization
Ascertaining the quality of performance in carrying out assigned responsibilities
Recommending operational improvements

c. Responsibility and Authority


The responsibilities of corporate auditing within Sam Pole Company are clearly established by management policy. The related authority provides the corporate auditor full access to all of the organization's records, properties, and personnel relevant to the subject under review. The corporate auditor should be free to review and appraise policies, plans, procedures, and records. The internal auditor's responsibilities should be:

To inform and advise management, and to discharge this responsibility in a manner that is consistent with the codes of ethics of the IIA and, for IS audits, the ISACA
To coordinate his/her activities with others so as to best achieve audit objectives and the objectives of the organization

Corporate auditors have neither direct responsibility for, nor authority over, any of the activities that they review. Therefore, the corporate audit review and appraisal do not in any way relieve other persons in the organization of the responsibilities assigned to them.

d. Independence
Independence is essential to the effectiveness of corporate auditing. This independence is obtained primarily through organizational status and objectivity:

- The organizational status of the corporate auditing function and the support accorded to it by management are major determinants of its range and value. The head of the corporate auditing function should be responsible to an officer whose authority is sufficient to assure both a broad range of audit coverage and the adequate consideration of and effective action on the audit findings and recommendations.
- Objectivity is essential to the audit function. Therefore, corporate auditors should not develop and install procedures, prepare records, or engage in any other activity that would normally be the subject of a review and could reasonably be construed to compromise their independence. Auditors' objectivity need not be adversely affected by their determination and recommendation of standards or controls to be applied in the development of the systems and procedures under review.

It is common to read in the financial section of a newspaper or other publication that a public accounting firm has been sued or censured. Why? Usually because the firm allegedly did not follow Generally Accepted Auditing Standards (GAAS), did not issue an accurate audit report on the financial statements, or did not ensure adequate disclosures (e.g., information required by the Securities and Exchange Commission (SEC) or another regulatory body that could influence shareholders and/or the general public in financial planning decisions).

Although similar situations specifically addressed to the internal audit profession are rare, the possibility does exist. The SEC and other regulatory entities are looking in that direction because of the improved image of the profession and the greater reliance placed on internal auditors' work by management and the public accountants. Don't be alarmed! Unlike the public accountants, internal auditors do not have the same contractual or fiduciary obligations. We do, however, have similar responsibilities. Therefore, we must perform our audits with the same extreme care as the external auditors, and in accordance with GAAS. The Director of Auditing reports directly to the Audit Committee of the Board of Directors of Sam Pole Company for purposes of audit scope. The Director's responsibility to the Committee, the entire Board of Directors, and management is to inform them promptly of significant situations disclosed by audits so that they can meet their obligations to the shareholders, regulatory bodies, and the general public.

e. Regulatory Issues
Due care is required in reporting comments related to regulatory bodies and federal laws. Relevant laws include the income tax law, the SEC acts, the copyright laws, and the Foreign Corrupt Practices Act. The federal income tax law of 1913 (enabled by the Sixteenth Amendment) affects internal auditors: the Internal Revenue Service can and does request copies of internal audit reports during its examinations of tax returns. Reporting on expense matters should therefore be objective and factual, so that the report does not invite further extensive testing of expense reports by the examiner. If improved controls for the reporting of travel and other business expenses are recommended, it is essential that the situations are clearly described, that the number of instances noted is reflected in the detailed section of the audit report, and that any corrective action taken is indicated; otherwise, the auditee will normally do so in the response to the audit report. The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the SEC (which was created by these acts) to maintain a system of internal control that is evaluated as part of the annual external audit. The Foreign Corrupt Practices Act of 1977 requires, under penalty of law, that management ensure a good system of internal control in the company. The copyright laws (1976 et al.) protect intellectual property, which usually affects audit programs: audit steps need to be included to test for unlicensed software and other potential violations of this law. (See Section 1.6 for a history of federal regulations related to auditing.) The company's legal responsibilities can be met if due care is used, GAAS are followed, situations are promptly and carefully reported, and confidentiality is maintained.
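The unlicensed-software audit step mentioned above, as an added worked example (this is not code from the manual or from Sam Pole Company): an installed-software inventory, as an asset discovery tool might export it, is reconciled against the license register, and every product that is either not licensed at all or deployed on more hosts than there are seats becomes a finding. The inventory rows, the license register, and the product names are constructed sample data; the only technique assumed beyond the text is normalizing product names and counting distinct hosts so that duplicate scan rows do not inflate the count.

```python
"""Added example (not from the manual): reconcile an installed-software
inventory against the license register to flag unlicensed or over-deployed
products. All inventory rows and license entries below are constructed."""
from collections import defaultdict

# Constructed inventory: one row per (host, installed product). Product names
# deliberately vary in case and spacing, as real discovery exports do.
INVENTORY = [
    {"host": "ws-001", "product": "Acme Office Suite"},
    {"host": "ws-002", "product": "acme office suite"},
    {"host": "ws-003", "product": "Acme Office Suite "},
    {"host": "ws-001", "product": "DataViz Pro"},
    {"host": "ws-004", "product": "DataViz Pro"},
    {"host": "ws-004", "product": "DataViz Pro"},   # duplicate scan row, same host
    {"host": "ws-005", "product": "ShadowEdit"},    # no license on record
    {"host": "ws-002", "product": "Secure Zip"},
]

# Constructed license register: product -> seats purchased.
LICENSES = {
    "Acme Office Suite": 5,
    "DataViz Pro": 1,
    "Secure Zip": 1,
}


def normalize(name: str) -> str:
    """Canonical key so 'acme office suite ' and 'Acme Office Suite' match."""
    return " ".join(name.split()).casefold()


def count_installs(inventory):
    """Distinct hosts per normalized product. Duplicate scan rows for the
    same host are not double-counted."""
    hosts = defaultdict(set)
    for row in inventory:
        hosts[normalize(row["product"])].add(row["host"])
    return {product: len(h) for product, h in hosts.items()}


def reconcile(inventory, licenses):
    """Return audit findings sorted by product. Each finding records the
    installed host count, the licensed seat count (0 if no license exists)
    and a status of 'unlicensed' or 'over-deployed'. Products within their
    entitlement produce no finding."""
    seats = {normalize(p): n for p, n in licenses.items()}
    findings = []
    for product, installed in sorted(count_installs(inventory).items()):
        licensed = seats.get(product, 0)
        if product not in seats:
            status = "unlicensed"
        elif installed > licensed:
            status = "over-deployed"
        else:
            continue
        findings.append({"product": product, "installed": installed,
                         "licensed": licensed, "status": status})
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, LICENSES):
        print(f"{f['status']:13} {f['product']}: "
              f"{f['installed']} installed, {f['licensed']} licensed")
```

Run against the constructed data this reports DataViz Pro as over-deployed (two hosts, one seat) and ShadowEdit as unlicensed; the Acme suite, installed three times under three spellings, is correctly found to be within its five seats. In a real audit step the inventory would come from the discovery tool's export and the register from procurement, and each finding would be carried into the detailed section of the report with the number of instances, as the text above requires.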

Chapter 2: Auditing Standards and Responsibilities

Endnotes
1. According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.
2. The majority of this section comes from the IIA's Code of Ethics web page at www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on June 17, 2000.
3. The majority of this section comes from ISACA's Code of Professional Ethics web page at www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any changes. The document used in this manual was adopted by ISACA on July 1, 2001. It was also under review, at the time this chapter was written, for changes related to the CISM certification.
4. At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new certification, CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes effective since this writing.
5. Much of this section was taken from ISACA's web page on Standards located at www.isaca.org/stand1.htm.
6. A data dictionary includes all of the fields in all of the files used by the system, with details on the characteristics of each field and the places it is used in the applications.


Chapter 3: Internal Control System


Overview

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.1 REV NO: DATE: PAGES:
TITLE: Definition

3.1 Definition
Executives and auditors alike understand the importance of a strong internal control system in relation to financial audits and reliable financial reports. But a sound internal control system also has the potential to enhance corporate strategies, and thus gives internal auditors the opportunity to demonstrate their value as business partners. Corporate objectives generally include the provision of reliable, timely information for effective decision-making. There is a need to protect assets, to communicate internally, and to analyze events and transactions. A strong internal control system can enhance all of these strategic objectives and assist in operational control.

Exactly what is an internal control system? The Information Systems Audit and Control Association (ISACA) defines it as:

The policies, procedures, practices and organizational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.

This definition demonstrates the link between the internal control system and business objectives. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is:

A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.

The Institute of Internal Auditors (IIA), in turn, defines the control environment as:

The attitude and actions of management and the board regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical values, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.

The bottom line is that an effective internal control system is a critical success factor for any organization in the long term, and that internal auditors should ensure that controls are woven into corporate strategies. Internal controls have become more than accounting guidelines. They are indispensable tools against the ever-increasing risks, exposures, and threats to accounting systems, data, and assets. Therefore, this manual will use the following definition of an internal control system, which provides the basis for the discussion in this chapter:

An internal control system is the policies, practices, procedures, and tools designed to: (1) safeguard corporate assets, (2) ensure the accuracy and reliability of data captured and information products, (3) promote efficiency, (4) measure compliance with corporate policies, (5) measure compliance with regulations, and (6) manage the negative events and effects from fraud, crime, and other deleterious activities.

It goes without saying that corporate data, and the files that contain them, are an asset and do have value. The same is true for systems, and their value is proportionate to the degree to which the organization depends on information systems (IS) or information technologies (IT) to deliver products or services. Thus the safeguarding of corporate assets includes the data and systems of the organization, even system availability. This chapter will attempt to provide information to strengthen the internal control system. There is a discussion of related management policies, related regulations, risk assessment, some control activities, the employment of proven resources (i.e., computer-assisted audit tools and techniques), related fraud and crime, various applicable models, and some specific examples of tools and documents for internal auditors.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.2 REV NO: DATE: PAGES:
TITLE: Assumptions in Establishing an Internal Control System

3.2 Fundamental Assumptions in Establishing an Internal Control System


Federal law and business wisdom require management to exert a conscientious effort to maintain an effective system of internal controls and to build a strong internal control system. Management, with the aid of the internal audit (IA) function, should identify what needs protecting (i.e., assets), what risks exist that could compromise those assets, and the extent of those risks (probability and impact cost). With those factors in mind, management, again with the assistance of the IA function, should see that appropriate policies and strategies are developed concerning organizational structure (i.e., segregation of duties); physical, general, and application controls; and transaction processes.

One key to safeguarding assets is personal accountability, whether it is enforcing policy against violations by employees or tracking down and prosecuting crackers and hackers. Accountability also extends to management, which must make sure controls are operating effectively as designed; that means management must make sure error logs, monitoring reports, and so on are being read and responded to in a timely manner.

Management should employ the skills and abilities of professionals in designing internal controls and in auditing their effectiveness. That includes technicians in the IS function and audit professionals in the IA function. If the company is conducting business over the Internet, that would include IS professionals such as a Certified Information Systems Security Professional (CISSP), Certified Information Technology Professional (CITP), or Certified Information Systems Auditor (CISA) who understand both computer technologies and security. For the IA function it would include a Certified Internal Auditor (CIA) or CISA. Internal control professionals (CIA, CISA, or CITP) should also be involved in all new systems development. The specific tools and techniques used to develop specific controls should be used in conjunction with the expertise of IA personnel.

Management should also encourage the use of proven resources, such as the internal control models identified herein. Most of all, management should pursue an effective audit committee in which members are qualified and independent (i.e., effective corporate governance).


An important step in building an effective internal control system is to make sure the organization has adequate relevant policies, accompanied by an effective monitoring and reporting system to make sure management's objectives are being met. Another step, sometimes chronologically preceding policy development, is for the organization to identify the risks to which it is subject and the corresponding loss if that risk came to pass; that is, a thorough risk assessment. Also, the organization should use proven resources to determine and implement the actual controls necessary to manage the risks. Exhibit 3.1 depicts a model of an effective internal control system to illustrate these elements, and most of the detail processes described in this chapter. Some basic assumptions constrain the implementation and effectiveness of any internal control system, no matter how well it may be designed. It is also important to think about the evolution of intruders in order to design effective controls. Controls are affected by laws and regulations.

Exhibit 3.1: Internal Control Environment Model

But first, reasons will be given for a strong internal control system. There are business reasons, legal reasons, and audit reasons.

a. Business Reasons for a Strong Internal Control System


The business reasons have to do with management objectives. Sound internal controls enhance corporate strategies by maximizing the reliability and timeliness of information in making effective decisions. Management, in general, desires to safeguard assets thoroughly, to communicate efficiently and effectively internally, to analyze events and transactions timely, and to promote operational efficiencies universally. Strong internal controls have the potential to help meet these objectives. For example, the Committee on Sponsoring Organizations (COSO) says this about internal controls: ... a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations.

b. Legal Reasons for a Strong Internal Control System


The last statement brings up the second point: compliance with applicable laws and regulations. Controls help to assure such compliance, especially for laws concerning information systems and intellectual property. (See "Regulations" in this chapter for more details.)


c. Basic Assumptions for the Internal Control System


The first basic assumption is that of management responsibility. The responsibility for an effective internal control system is not that of internal auditors, external auditors, management accountants, or any other group except management.

The second assumption is that of reasonable assurance. There is no such thing as a perfect internal control system. Controls can generally be compromised under the right conditions, and no computer system is impervious to attack or malicious activity. In addition, controls have a cost, and the cost-benefit concept used in accounting must be applied to controls as well. After all, if it costs $1 million to implement a control and the risk assessment shows a risk of loss of $200,000, then the control does not pass the cost-benefit test. The result is an exposure, a weakness in the control system. Internal control does not guarantee that an entity will meet management's objectives, or even that the firm will survive. Rather, internal controls are designed to provide management with reasonable assurance regarding the achievement of those objectives.

The third assumption is independence from the method of data processing. That is, the control objectives should be designed without regard for the specific type of data processing. Certain control objectives may be peculiar to information systems or information technologies, but generally a sound control objective should be just as applicable to a paper-based system as to a computer-based system. The specific controls will vary with different technologies, but the objectives should be process independent.

The fourth assumption deals with limitations, of which there are several. First, there will always be a possibility of error in any accounting system. There will always be the possibility of circumvention of controls by a determined and talented attacker. There is certainly always the possibility of management override of controls. Last, there is the simple passing of time: conditions change. With changing conditions, effective controls may become obsolete or ineffective and thus need constant re-evaluation (the raison d'être for the internal audit function!).

d. Evolution of Attacks and Intruders' Technical Knowledge


Attacks have grown from simplistic to complicated, while at the same time the technical knowledge needed by intruders has gone from a high level to a very low level. For example, in the 1980s, attacks were mostly password guessing, war dialing (dialing through blocks of telephone numbers to find modems), password cracking, some self-replicating code, and exploiting known vulnerabilities, all of which required a high level of technical skill at the time. Then, there was not the widespread communication of vulnerabilities and hacker tools that we have in the twenty-first century, which makes it much easier today to carry out these kinds of attacks. Next, attacks became somewhat more sophisticated: hijacking sessions, back doors, sweepers, sniffers, and stealth diagnostics. The technical knowledge required became moderate instead of the high level of skill needed earlier. In fact, the term "hacker" evolved from a complimentary term applied to those who had a great deal of technical knowledge, knowing the administrative functions, commands, and intricacies of operating systems. By 1995, attacks became even more sophisticated. They included packet spoofing, use of intelligent agents, denial of service, and a combination of the two, distributed denial of service. Yet the level of knowledge required diminished further. In fact, malicious code had become so abundant and so easy to obtain that by the end of the twentieth century many intruders were called "script kiddies," so named because young teenagers were downloading script files and conducting attacks without any prerequisite high level of technical knowledge. Therefore, the level of risk today is much higher than 20 years ago. It is necessary for the IA function and other security personnel to understand the profiles of intruders and the types of popular tools being employed, in order to be best prepared to defend the corporate assets. (See Section 3.8 for more details.)


e. Cost-Benefit Analysis of Controls


An important constraint in developing internal controls is the use of cost-benefit analysis on controls. Control activities are subject to the same cost-benefit analysis as other management activities. But a 2 × 2 model of risk probability and cost provides additional guidance in decision-making related to security and controls (see Exhibit 3.2). For example, those risks that have a low probability and low cost can simply be accepted without further control (subject to re-evaluation as conditions change). But for those with high probability and high cost, control activities need to be implemented to prevent the risk from occurring. A disaster, for example, may have a low probability but a high cost (see Exhibit 3.2); therefore management should employ insurance and/or a backup plan as the appropriate control activity. This model requires management to identify what needs protecting, what the risks to those assets are, and the cost impact and probability of each risk. Input from internal auditors and IS professionals will most likely be necessary to perform these steps appropriately.

Exhibit 3.2: Controls Decision Making Overview
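The 2 × 2 model and the cost-benefit test described in this section and in the "reasonable assurance" assumption above, as an added worked example (this is not code from the manual): each risk is placed in a quadrant by its annual probability and its cost per occurrence, a treatment is recommended per quadrant, and a proposed control is accepted only if its annual cost is below the expected annual loss it removes. The manual gives no numeric cut-offs and discusses only two of the four quadrants, so the thresholds, the treatment text for the other two quadrants, the expected-annual-loss arithmetic and the sample risks and controls are all assumptions constructed for illustration; the $1 million control against a $200,000 loss is the manual's own illustration.

```python
"""Added example (not from the manual): classify risks on the 2 x 2
probability/cost grid and apply a cost-benefit test to proposed controls.
Thresholds, treatment wording, and the sample risks are assumptions."""
from dataclasses import dataclass

# Assumed cut-offs (the manual gives none): at or above these a risk is "high".
HIGH_PROBABILITY = 0.10      # annual likelihood of occurrence
HIGH_COST = 100_000.0        # loss per occurrence, in dollars


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: float       # annual likelihood, 0.0 .. 1.0
    cost: float              # loss per occurrence, dollars

    def expected_annual_loss(self) -> float:
        """Probability times cost: what the risk is expected to cost per
        year if nothing is done."""
        return self.probability * self.cost


def quadrant(risk: Risk) -> str:
    """Which cell of the 2 x 2 grid the risk falls in."""
    p = "high" if risk.probability >= HIGH_PROBABILITY else "low"
    c = "high" if risk.cost >= HIGH_COST else "low"
    return f"{p}-probability/{c}-cost"


# Treatment per cell. The low/low and low/high entries follow the manual;
# the other two are assumed defaults.
TREATMENT = {
    "low-probability/low-cost":   "accept; re-evaluate when conditions change",
    "low-probability/high-cost":  "transfer or plan for it: insurance and/or backup plan",
    "high-probability/low-cost":  "routine low-cost controls, then accept the remainder",
    "high-probability/high-cost": "implement controls to prevent the occurrence",
}


def recommended_treatment(risk: Risk) -> str:
    return TREATMENT[quadrant(risk)]


def passes_cost_benefit(risk: Risk, control_annual_cost: float,
                        residual_probability: float) -> bool:
    """A control is worth buying only if its annual cost is less than the
    expected annual loss it removes. residual_probability is the annual
    likelihood that remains once the control is in place."""
    if not 0.0 <= residual_probability <= risk.probability:
        raise ValueError("residual probability must lie between 0 and the original probability")
    loss_removed = risk.expected_annual_loss() - residual_probability * risk.cost
    return control_annual_cost < loss_removed


def assess(risks, proposed_controls):
    """proposed_controls maps (asset, threat) to (annual control cost,
    residual probability). Returns one record per risk with its quadrant,
    treatment, expected annual loss and, where a control is proposed,
    whether that control passes the cost-benefit test (else None)."""
    report = []
    for r in risks:
        record = {"asset": r.asset, "threat": r.threat,
                  "quadrant": quadrant(r),
                  "treatment": recommended_treatment(r),
                  "expected_annual_loss": r.expected_annual_loss(),
                  "control_justified": None}
        proposal = proposed_controls.get((r.asset, r.threat))
        if proposal is not None:
            record["control_justified"] = passes_cost_benefit(r, *proposal)
        report.append(record)
    return report


# Constructed sample risks and proposed controls.
SAMPLE_RISKS = [
    Risk("data center", "fire or flood", 0.02, 10_000_000.0),
    Risk("accounts payable system", "unauthorized change to vendor bank details", 0.30, 400_000.0),
    Risk("field laptops", "loss or theft", 0.50, 3_000.0),
    Risk("lobby signage", "vandalism", 0.01, 500.0),
]
SAMPLE_CONTROLS = {
    # The manual's illustration: a $1M control against a $200K expected loss fails.
    ("data center", "fire or flood"): (1_000_000.0, 0.0),
    # Dual authorization on vendor master changes: cheap relative to the loss it removes.
    ("accounts payable system", "unauthorized change to vendor bank details"): (25_000.0, 0.05),
}

if __name__ == "__main__":
    for rec in assess(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{rec['asset']}: {rec['quadrant']} -> {rec['treatment']} "
              f"(expected annual loss ${rec['expected_annual_loss']:,.0f}, "
              f"control justified: {rec['control_justified']})")
```

On the constructed data the data center risk lands in the low-probability/high-cost cell with a $200,000 expected annual loss, so the $1 million control fails the test and the recommended treatment is insurance and/or a backup plan; the accounts payable risk is high/high, and a $25,000 control that cuts the probability from 0.30 to 0.05 removes $100,000 of expected loss and is justified. The residual-probability check matters in practice: a control that claims to leave more risk than existed before it is a data-entry error, not a finding.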

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.3 REV NO: DATE: PAGES:
TITLE: Effective Internal Control Models

3.3 Effective Internal Control Models


There are numerous proven internal controls models that internal auditors can rely on in developing and maintaining an effective internal control system. These come from reliable professional organizations such as COSO, ISACA, IIA, AICPA, and the Canadian Institute of Chartered Accountants (CICA).

a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA)


The COSO Model was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), [1] which was formed to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). Organizations in COSO include the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). The final promulgated model on internal controls was published in 1992. The model contains five elements: the control environment, risk assessment, control activities, monitoring, and information and communication (see Exhibit 3.3). This particular model has been widely accepted and used by internal auditors and financial executives with equal success, and provides an effective model for designing, implementing, evaluating, and managing an effective internal control system.

Exhibit 3.3: COSO Model


The COSO report defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations." The report emphasizes that the internal control system is a tool of, but not a substitute for, management and that controls should be built into, rather than built onto, operating activities. Although the report defines internal control as a process, it recommends evaluating the effectiveness of internal control as of a point in time. COSO recognizes that people are involved with internal control as members of the board of directors (especially the audit committee), management, and other entity personnel such as internal auditors. Objectives are categorized by COSO as operational, financial reporting, and compliance (see Exhibit 3.3). COSO's "Internal Control Environment" covers factors such as integrity and ethical values of management, competence of personnel, management philosophy and operating style, how authority and responsibilities are assigned, and the guidance provided by the board of directors. Under "Risk Assessment," COSO addresses the risk of failing to meet financial reporting objectives, failing to meet compliance, and failing to meet operational objectives. COSO suggests the identification of external and internal risks to the entity and to individual activities. The cost-benefit consideration is a part of the COSO Model, as well as the dynamic nature of risk assessment. The COSO Model considers management's analysis of risk and their ability to override and adjust the internal control system.

Information systems are covered in the "Information and Communication" segment of the COSO Model. This area covers the need to capture pertinent internal and external information, the potential of strategic and integrated systems, and the need for data quality. The Communication subsection discusses conveying internal control matters, and gathering competitive, economic, and legislative information. COSO discusses the "Monitoring" aspect by recognizing the need for management to monitor the entire internal control system, both through the internal control system itself and through special evaluations directed at specific areas or activities. It uses an internal perspective for monitoring, and covers these matters in broad terms. "Control Activities" and procedures are discussed throughout the entity in the COSO Model. This model uses only one classification scheme for IS control procedures (by contrast, SAC uses five different schemes). COSO emphasizes the desirability of integrating control activities with risk assessment.

The AICPA has adopted the COSO Model officially by incorporating it into Statement on Auditing Standards (SAS) No. 78. SAS 78 revised SAS No. 55: Consideration of Internal Control in a Financial Statement Audit, and makes the COSO model part of external audit standards.

b. The CobiT Model (ISACA)


The CobiT Model [2] is the culmination of the evolution of ISACA's Control Objectives. In 1977, the Electronic Data Processing Auditors Foundation (forerunner of the ISACA Foundation, ISACF) published the first Control Objectives. It was a compilation of techniques and procedures for conducting IS audits covering various information technologies. This book provided a normative model for IS auditors in performing their duties. Control Objectives included not only objectives related to controls, but also audit procedures. The publication matched a particular IT with certain controls that ought to be addressed when conducting IS audits in that area or technology. Thus, Control Objectives provided IS auditors a benchmark to measure audit effectiveness and emphasized best practices. The guidelines underwent revisions in 1980 and 1983 (second edition). The 1983 version was intended to be a complete overhaul delineating the discharge of IS auditors' responsibilities. Other revisions occurred in 1990 and 1992 (the fifth version of the document). Then, in 1996, ISACF reworked the tools in Control Objectives into a new guidance publication known as Control Objectives for Information and related Technology (CobiT). CobiT helps bridge the gaps between business risks, control needs, and technical issues. It is a control model, or framework, built from international input to meet the needs of IT governance and ensure the integrity of information and information systems on an international basis. Research for the first (1996) and second (1998) editions included the collection and analysis of identified international sources and was carried out by teams in Europe (Free University of Amsterdam), the United States (California Polytechnic University), and Australia (University of New South Wales).

The researchers were charged with the compilation, review, assessment, and appropriate incorporation of international technical standards, codes of conduct, quality standards, professional standards in auditing, and industry practices and requirements, as they relate to the Framework and to individual control objectives. After collection and analysis, the researchers were challenged to examine each domain and process in depth and suggest new or modified control objectives applicable to that particular IT process. Consolidation of the results was performed by the CobiT Steering Committee and the Director of Research of ISACF. [3] The current edition is the third (2000) and is available on CD-ROM and online from ISACA. [4]

CobiT provides an Executive Summary, a Framework for control of IT, a list of Control Objectives, and a set of Audit Guidelines. The latter two are reference works for the Framework. CobiT adapted its definition of control from COSO: the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. CobiT adapts its definition of an IT control objective from SAC: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. The role and impact of IT controls as they relate to business processes are emphasized in CobiT. The document outlines platform- and application-independent IT control objectives that can be applied internationally. CobiT combines the principles embedded in existing reference models in three broad categories: quality, fiduciary responsibility, and security. From these broad requirements, the report extracts seven overlapping categories of criteria for evaluating how well IT resources are meeting business requirements for information. These criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. CobiT also classifies IT processes into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. These domains follow a life cycle applicable to IT processes in any IT environment. CobiT includes definitions of both internal control and IT control objectives, four domains of processes and 32 high-level control statements for those processes, 271 control objectives referenced to those 32 processes, and audit guidelines linked to the control objectives.

c. The SAC and eSAC Reports (IIA)


The SAC report also has a long history of development and evolution. In 1977, the International EDP Audit Committee (later known as the Advanced Technology Committee) codified and published best practices among IT shops related to EDP audits in a document entitled Systems Auditability and Control (SAC). Based on empirical evidence from around the world and from a committee of experts, SAC was published in three separate documents: Control Practices, Audit Practices, and Executive Report. SAC enjoyed a high degree of dissemination, mostly because of the number of copies distributed by the IIA to members, and by IBM, the financial sponsor of the project. After 11 printings of the original document, SAC was revised in 1991, and again in 1994 by the IIA Research Foundation. In order to emphasize both e-business impact and electronic delivery of the new material, in 2001 the IIA Research Foundation issued a completely revised set of guidance, Electronic Systems Assurance and Control (eSAC). It brings executive management, corporate governance entities, and auditors new information to understand, monitor, assess, and mitigate technology risks. These guidelines examine and assess risks that accompany each organizational component, including customers, competitors, regulators, communities, and owners (see Exhibit 3.4).

Exhibit 3.4: eSAC Model

The eSAC report defines the system of internal control, describes its components, provides several classifications of controls, describes control objectives and risks, and defines the internal auditor's role. The report provides guidance on using, managing, and protecting IT resources and discusses the effects of end-user computing, telecommunications, and emerging technologies. The eSAC report defines a system of internal control as: "a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals." The report emphasizes the role and impact of computer-based information systems on the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build controls into systems rather than add them after implementation. The system of internal controls consists of three components: the control environment, manual and automated systems, and control procedures. The control environment includes organization structure, control framework, policies and procedures, and external influences. Automated systems consist of systems and application software. The eSAC report discusses the control risks associated with end-user and departmental systems, but neither describes nor defines manual systems. Control procedures consist of general, application, and compensating controls.

The eSAC report provides five classification schemes for internal controls in information systems: (1) preventive, detective, and corrective, (2) discretionary and non-discretionary, (3) voluntary and mandated, (4) manual and automated, and (5) application and general controls. These schemes focus on when the control is applied, whether the control can be bypassed, who imposes the need for the control, how the control is implemented, and where in the software the control is implemented. Risks in eSAC are defined as fraud, errors, business interruptions, and inefficient and ineffective use of resources. Control objectives reduce these risks and assure information integrity, security, and compliance. Information integrity is guarded by input, processing, output, and software quality controls. Security measures include data, physical, and program security controls. Compliance controls ensure conformance with laws and regulations, accounting and auditing standards, and internal policies and procedures. The role of internal auditors is also defined in eSAC. Their responsibilities include ensuring the adequacy of the internal control system, the reliability of data, and the efficient use of the organization's resources. Internal auditors are also to be concerned with preventing and detecting fraud, and coordinating activities with external auditors. The integration of audit and IS skills and an understanding of the impact of IT on the audit process are necessary for internal auditors. Internal audit professionals now perform financial, operational, and IS audits.

d. SysTrust (AICPA and CICA)


In response to the increased dependence on IS, the AICPA and the Canadian Institute of Chartered Accountants (CICA) developed SysTrust and introduced it in December 1999. SysTrust focuses on providing assurance of the reliability of the controls of a system. To evaluate the reliability of a system objectively, the CPA evaluates each of SysTrust's four essential principles [5] (availability, security, integrity, and maintainability) individually against four categories of criteria: policies, communication, procedures, and monitoring. In a SysTrust engagement, the CPA reports on the availability, security, integrity, and maintainability of a system. The system must meet all four principles and all 58 criteria to earn an unqualified SysTrust report (see Exhibit 3.5 for a list of the criteria). The SysTrust model is another potential model to use in designing, implementing, and especially evaluating an internal control system, in particular where there is a high reliance on IS and IT for business operations.

Exhibit 3.5: SysTrust Model [6]

SysTrust Principles and Criteria

Availability. The system is available for operation and use at times set forth in service-level statements or agreements.

A1   The entity has defined and communicated performance objectives, policies, and standards for system availability.
A1.1 The system availability requirements of authorized users, and system availability objectives, policies, and standards, are identified and documented.
A1.2 The documented system availability objectives, policies, and standards have been communicated to authorized users.
A1.3 The documented system availability objectives, policies, and standards are consistent with the system availability requirements specified in contractual, legal, and other service-level agreements and applicable laws and regulations.
A1.4 Responsibility and accountability for system availability have been assigned.
A1.5 Documented system availability objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
A2   The entity utilizes procedures, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards.
A2.1 Acquisition, implementation, configuration, and management of system components related to system availability are consistent with documented system availability objectives, policies, and standards.
A2.2 There are procedures to protect the system against potential risks that might disrupt system operations and impair system availability.
A2.3 Continuity provisions address minor processing errors, minor destruction of records, and major disruptions of system processing that might impair system availability.
A2.4 There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of system availability features are qualified to fulfill their responsibilities.
A3   The entity monitors the system and takes action to achieve compliance with system availability objectives, policies, and standards.
A3.1 System availability is periodically reviewed and compared with documented system availability objectives, policies, and standards.
A3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented system availability objectives, policies, and standards and to take appropriate action.
A3.3 Environmental and technological changes are monitored and their impact on system availability is assessed on a timely basis.

Security. The system is protected against unauthorized physical and logical access.

S1   The entity has defined and communicated performance objectives, policies, and standards for system security.
S1.1 The system security requirements of authorized users and the system security objectives, policies, and standards are identified and documented.
S1.2 The documented system security objectives, policies, and standards have been communicated to authorized users.
S1.3 Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.
S1.4 Responsibility and accountability for system security have been assigned.
S1.5 Documented system security objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
S2   The entity utilizes procedures, people, software, data, and infrastructure to achieve system security objectives in accordance with established policies and standards.
S2.1 Acquisition, implementation, configuration, and management of system components related to system security are consistent with documented system security objectives, policies, and standards.
S2.2 There are procedures to identify and authenticate users authorized to access the system.
S2.3 There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.
S2.4 There are procedures to restrict access to computer processing output to authorized users.
S2.5 There are procedures to restrict access to files on off-line storage media to authorized users.
S2.6 There are procedures to protect external access points against unauthorized logical access.
S2.7 There are procedures to protect the system against infection by computer viruses, malicious code, and unauthorized software.
S2.8 Threats of sabotage, terrorism, vandalism, and other physical attacks have been considered when locating the system.
S2.9 There are procedures to segregate incompatible functions within the system through security authorizations.
S2.10 There are procedures to protect the system against unauthorized physical access.
S2.11 There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of system security are qualified to fulfill their responsibilities.
S3   The entity monitors the system and takes action to achieve compliance with system security objectives, policies, and standards.
S3.1 System security performance is periodically reviewed and compared with documented system security requirements of authorized users and contractual, legal, and other service-level agreements.
S3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented security objectives, policies, and standards and to take appropriate action.
S3.3 Environmental and technological changes are monitored and their impact on system security is periodically assessed on a timely basis.

Integrity. System processing is complete, accurate, timely, and authorized.

I1   The entity has defined and communicated performance objectives, policies, and standards for system processing integrity.
I1.1 The system processing integrity requirements of authorized users and the system processing integrity objectives, policies, and standards are identified and documented.
I1.2 Documented system processing integrity objectives, policies, and standards have been communicated to authorized users.
I1.3 Documented system processing integrity objectives, policies, and standards are consistent with system processing integrity requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.
I1.4 Responsibility and accountability for system processing integrity have been assigned.
I1.5 Documented system processing integrity objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
I2   The entity utilizes procedures, people, software, data, and infrastructure to achieve system processing integrity objectives in accordance with established policies and standards.
I2.1 Acquisition, implementation, configuration, and management of system components related to system processing integrity are consistent with documented system processing integrity objectives, policies, and standards.
I2.2 The information processing integrity procedures related to information inputs are consistent with the documented system processing integrity requirements.
I2.3 There are procedures to ensure that system processing is complete, accurate, timely, and authorized.
I2.4 The information processing integrity procedures related to information outputs are consistent with the documented system processing integrity requirements.
I2.5 There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of the system are qualified to fulfill their responsibilities.
I2.6 There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.
I3   The entity monitors the system and takes action to achieve compliance with system processing integrity objectives, policies, and standards.
I3.1 System processing integrity performance is periodically reviewed and compared to the documented system processing integrity requirements of authorized users and contractual, legal, and other service-level agreements.
I3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented processing integrity objectives, policies, and standards and to take appropriate action.
I3.3 Environmental and technological changes are monitored and their impact on system processing integrity is periodically assessed on a timely basis.

Maintainability. The system can be updated when required in a manner that continues to provide for system availability, security, and integrity.

M1   The entity has defined and communicated performance objectives, policies, and standards for system maintainability.
M1.1 Documented system maintainability objectives, policies, and standards address all areas affected by system changes.
M1.2 Documented system maintainability objectives, policies, and standards are communicated to authorized users.
M1.3 Documented system maintainability objectives, policies, and standards are consistent with the requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.
M1.4 Responsibility and accountability for system maintainability have been assigned.
M1.5 Documented system maintainability performance objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
M2   The entity utilizes procedures, people, software, data, and infrastructure to achieve system maintainability objectives in accordance with established policies and standards.
M2.1 Resources available to maintain the system are consistent with the documented requirements of authorized users and documented objectives, policies, and standards.
M2.2 Procedures to manage, schedule, and document all planned changes to the system are applied to modifications of system components to maintain documented system availability, security, and integrity consistent with documented objectives, policies, and standards.
M2.3 There are procedures to ensure that only authorized, tested, and documented changes are made to the system and related data.
M2.4 There are procedures to communicate planned and completed system changes to information systems management and to authorized users.
M2.5 There are procedures to allow for and to control emergency changes.
M3   The entity monitors the system and takes action to achieve compliance with maintainability objectives, policies, and standards.
M3.1 System maintainability performance is periodically reviewed and compared with the documented system maintainability requirements of authorized users and contractual, legal, and other service-level agreements.
M3.2 There is a process to identify potential impairments to the system's ongoing ability to address the documented system maintainability objectives, policies, and standards and to take appropriate action.
M3.3 Environmental and technological changes are monitored and their impact on system maintainability is periodically assessed on a timely basis.

The evaluation of a system's reliability begins by understanding the basic components of the system. A system is defined as a set of procedures used to accomplish specific results, and an information system consists of five basic components organized to transform data inputs (raw facts) into information outputs: (1) infrastructure, (2) software, (3) personnel, (4) procedures, and (5) data. A reliable system is capable of operating without material error, fault, or failure during a specified period in a specified environment. Availability means the system is available for operation and use. Security is the protection of the system against unauthorized physical or logical access, covering both the physical components and the data. Integrity refers to system processing being complete, accurate, timely, and authorized. Maintainability refers to the required updates of the system, and whether such updates continue to provide for the other three aspects above.

For each of these principles, the CPA practitioner uses four categories of criteria: policies, communication, procedures, and monitoring. For policies, the CPA evaluates whether the entity has defined and documented its policies relevant to the particular principle. Communication refers to the entity having communicated its performance objectives, policies, and standards for the principle being evaluated (availability, security, integrity, or maintainability). Procedures refers to the entity using procedures that are in accordance with its established policies and standards. Monitoring is the monitoring of the entity's activities and the surrounding environment of the system to identify potential impairments to the system's reliability and to achieve compliance with objectives, policies, and standards for the principle being evaluated. To further assist the practitioner in the evaluation of these criteria, the Systems Reliability Task Force developed a list of illustrative controls. This list is not intended to be comprehensive, so the practitioner must tailor it to the circumstances of the particular engagement. See Exhibit 3.5 for a list of the illustrative controls.

e. Conclusion: Comparing and Contrasting the Models


Although the different control definitions contain similar concepts, the emphases are somewhat different (see Exhibit 3.6 for a comparison table). The CobiT Model views internal control as a process that includes policies, procedures, practices, and organizational structures that support business processes and objectives. The eSAC report emphasizes that internal control is a system: a set of functions, subsystems, people, and their interrelationships. The COSO Model accentuates internal control as a process, an integrated part of ongoing business activities. SysTrust emphasizes the reliability of IS in financial reporting and business activities.

Exhibit 3.6: Comparison of Internal Control Models

Primary audience
    CobiT: Management, users, process owners, auditors
    eSAC: Internal auditors
    SysTrust: External auditors
    COSO: Management

IC viewed as a ...
    CobiT: Set of processes including policies, procedures, practices, and organizational structures
    eSAC: Set of processes, subsystems, and people
    SysTrust: Not explicitly defined; viewed similar to an assertion to which a CPA does an attestation
    COSO: Process

IC objectives
    CobiT: Effective and efficient operations; confidentiality, integrity, and availability of information; reliable financial reporting; compliance with laws and regulations
    eSAC: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
    SysTrust: Effectiveness of business/organizational purposes and management's objectives; reliable financial reporting
    COSO: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations

Components or domains
    CobiT: Planning and organization; acquisition and implementation; delivery and support; monitoring
    eSAC: Control environment; manual and automated systems; control procedures
    SysTrust: Availability; security; integrity; maintainability
    COSO: Control environment; risk management; control activities; information and communication; monitoring

Focus
    CobiT: Information technology
    eSAC: Information technology
    SysTrust: Information systems and overall entity
    COSO: Overall entity

IC effectiveness evaluated
    CobiT: For a period of time
    eSAC: For a period of time
    SysTrust: At a point in time
    COSO: At a point in time

Responsibility for IC system
    CobiT: Management
    eSAC: Management
    SysTrust: Management
    COSO: Management

Size
    CobiT: 664 pages in five volumes
    eSAC: 1,193 pages in 12 modules
    SysTrust: A few online pages
    COSO: 353 pages in four volumes

Source: ISACA, from web site www.isaca.org/bkr_cbt3.htm. Reprinted with permission.

The use of the COSO Model components is one way to compare and contrast the four models. The following analysis, therefore, is based on these five components.

1. Control Environment. The eSAC report describes three components of internal control. COSO discusses five components. CobiT incorporates the five components of the COSO report and focuses them within the IT internal control system. CobiT further bridges the gap between the broader business control models such as COSO and highly technical IS control models worldwide. SysTrust describes four principles measured by four categories.

2. Information and Communication Systems. CobiT's focus is the establishment of a reference framework for security and control in IT. It defines a clear linkage between IS controls and business objectives. In addition, it provides globally validated control objectives for each IT process that give pragmatic control guidance to all interested parties. CobiT also provides a vehicle to facilitate communications among management, users, and auditors regarding IS controls. The eSAC report, however, focuses on automated IS. The document examines the interrelationships among internal control and systems software, application systems, and end-user and department systems. The volumes of eSAC provide guidance on internal controls in these areas. COSO discusses both information and communication, emphasizing the need to capture internal and external information, the potential of strategic and integrated systems, and the need for data quality. Communication focuses on conveying matters related to the internal control system.

3. Control Objectives. CobiT, eSAC, and SysTrust examine control procedures relative to an entity's automated IS. COSO discusses the control procedures and activities used throughout the entity. CobiT classifies controls into 32 processes naturally grouped into four domains. eSAC uses five different classification schemes for IS control procedures. COSO has only one classification scheme, and emphasizes the desirability of integrating control activities with risk assessment. SysTrust classifies 58 controls into four classifications.

4. Risk Assessment. COSO identifies risk assessment as an important component of internal control. CobiT identifies a process within the IT environment as assessing risks, falling in the planning and organization domain and with six specific control objectives associated with it. CobiT addresses, in depth, several components of risk assessment in an IT environment. These include business risk assessment, the risk assessment approach, risk identification, risk measurement, risk action plan, and risk acceptance. It also deals directly with IT types of risk such as technology, security, continuity, and regulatory risks. Lastly, CobiT addresses risk from both a global and a systems-specific perspective. Risk assessment is an explicit component of eSAC's system of internal control, and the document contains extensive discussions of the importance of risk assessment as foundational to internal controls. COSO and eSAC address risk concepts in a similar fashion. For example, both address the risks of failing to meet compliance and operational objectives. SysTrust stresses that the entire attestation is to identify weak controls or other risks in the internal control system. Only one of the controls, however, specifically addresses risk.

5. Monitoring. In contrast to COSO, CobiT, and SysTrust, eSAC does not explicitly include monitoring as a component of the internal control system. SysTrust uses monitoring as one of the four categories that must be addressed in each of the four principal areas of investigation. COSO discusses monitoring activities in broad terms, and eSAC discusses specific monitoring activities that should be performed. CobiT, in an in-depth manner, defines specific monitoring requirements and responsibilities within the IT function.

All the documents assign management the responsibility of ensuring the adequacy of the internal control system and its continued effectiveness. All of the models provide tools, usually explicit tools or controls, as guidance in managing the internal control system. There are some differences, but altogether there are more similarities between the models than differences. The more technology an entity uses, or the more reliance an entity has on technology, the more it needs CobiT, eSAC, or SysTrust. If the entity conducts e-commerce and is publicly traded, SysTrust makes a good choice. If an entity has only a modicum of technology and a low-to-medium reliance upon IT, COSO is probably the best choice. The final choice is up to the IA function, in matching the entity with the strengths of these individual models, or it may choose to develop its own unique model.

[1] See www.coso.org.
[2] See www.isaca.org/cobit.htm.
[3] This paragraph is from the ISACA web page on CobiT at www.isaca.org.
[4] See www.isaca.org.
[5] An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.
[6] An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality. These new principles will cause this chart to change accordingly.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
TITLE: Regulations    NO: 3.4    REV NO:    DATE:    PAGES:

3.4 Regulations
Internal auditors know the importance of adhering to federal and state regulations. Some of them apply to internal controls. (See Section 1.6, "History of Federal Regulations Related to Auditing.")

a. Securities and Exchange Commission (1933, 1934)


The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part of the annual external audit. The acts give the SEC authority to oversee the setting of Generally Accepted Accounting Principles (GAAP) for publicly traded companies. They also convey the authority to investigate cases of suspected financial fraud and to suspend a company's stock from trading (i.e., prevent the stock from being traded publicly). The SEC laws have a direct impact on companies that have publicly traded stock, especially regarding the need for a system of internal control and its evaluation.

b. Foreign Corrupt Practices Act (1977)


The Foreign Corrupt Practices Act of 1977 also requires SEC companies to maintain an internal control system that provides reasonable assurance that the organization's objectives are being met, and it provides penalties for violations.

c. Copyright Laws (1976 et al.)


The Copyright Laws of 1976 (and other years) protect intellectual property. One aspect of intellectual property crucial to internal controls is software. Illegal copies of software on organizational computers can lead to severe penalties and bad publicity. In addition, management will be held responsible by federal officials even if software piracy went on contrary to policy and without management's awareness. Other intellectual property includes books, music, and copyrighted graphical images (e.g., logos). Therefore, management must first develop a policy against violations of copyright laws, such as software piracy, and make sure the internal audit function ensures compliance with the policy. A study of 121 Certified Information Systems Auditors (CISAs) showed that software piracy is a problem in relatively large firms, those with about 3,000 microcomputers. Although almost all (91%) indicated an organizational policy governing unauthorized duplication of software, they estimated that more than 20% of their firms' employees had illegally copied software in the previous 12 months. Sixty percent of the auditors reported that their typical audit program included a specific procedure designed to detect pirated software. In spite of this, the auditors indicated that less than one-fourth of the audits conducted in the previous 12 months actually included such a test. Surprisingly, over one-third of the sample indicated that none of their audits included a test for unauthorized software. Unauthorized software poses a legal and financial risk to firms. Risks (or exposures, as the case may be), such as civil and criminal penalties, exist for those who use unauthorized or pirated computer software. These risks also include significant monetary fines. Information systems auditors in general, and CISAs in particular, should be especially concerned with these risks.

However, it has been reported that many managers and auditors are unaware of the potential legal liability from software piracy. According to ISACA, IS auditors have a responsibility regarding the risks of software piracy to: (1) be aware of such risks, (2) communicate these risks to management, (3) review software implementation, (4) develop adequate control procedures, and (5) incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software. The ISACA Standards (Section 030.010.010, Irregularities and Illegal Acts, paragraph 2.1.1) define irregularities and illegal acts to include "Other acts that involve noncompliance with laws and regulations, including the failure of IT systems to meet applicable laws and regulations." The Standard further clarifies that ISACA believes it is management's responsibility to prevent and detect irregularities and illegal acts, and not the IS auditor's, unless evidence exists that would indicate an irregularity or illegal act has occurred. The ISACA Standards assert that IS auditors should be familiar with irregularities and illegal acts that are common to a particular industry or have occurred in similar organizations (paragraph 4.1.5).
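As an added illustration (not part of the original chapter and not ISACA's own tooling), the following Python script shows the kind of detection step an audit program can include for item (5) above: it reconciles an installed-software inventory against the titles and versions management has approved and against the seats purchased, flagging installs that are not approved and titles deployed on more hosts than licensed. The inventory, approved list and entitlements are constructed sample data, and the product names are invented.

```python
"""Reconcile an installed-software inventory against approved titles and
license entitlements, as an auditor's detection step for unauthorized or
over-deployed software.  All data below is constructed sample data."""
from collections import defaultdict

# Constructed: rows an inventory agent reported, as (hostname, title, version).
INVENTORY = [
    ("ws-001", "OfficeSuite", "2019"),
    ("ws-001", "DiagramTool", "8.0"),
    ("ws-002", "OfficeSuite", "2019"),
    ("ws-002", "PhotoEditor", "CS6"),     # title not on the approved list
    ("ws-003", "OfficeSuite", "2019"),
    ("ws-003", "DiagramTool", "8.0"),
    ("ws-004", "DiagramTool", "8.0"),     # third seat, only two licensed
    ("ws-004", "KeygenHelper", "1.2"),    # title not on the approved list
    ("ws-005", "OfficeSuite", "2016"),    # approved title, unapproved version
]

# Constructed: titles management has approved, with the allowed versions.
APPROVED = {
    "OfficeSuite": {"2019"},
    "DiagramTool": {"8.0"},
}

# Constructed: seats purchased per title, from procurement records.
ENTITLEMENTS = {
    "OfficeSuite": 10,
    "DiagramTool": 2,
}


def find_unapproved(inventory, approved):
    """Return (host, title, version) rows whose title is not on the approved
    list, or whose version is not an approved version of that title."""
    return [
        (host, title, ver)
        for host, title, ver in inventory
        if title not in approved or ver not in approved[title]
    ]


def find_over_deployed(inventory, entitlements):
    """Return {title: (installed_hosts, licensed_seats)} for every title found
    on more distinct hosts than seats purchased.  Distinct hosts are counted,
    so a host that was scanned twice does not inflate the seat count."""
    hosts_by_title = defaultdict(set)
    for host, title, _ver in inventory:
        hosts_by_title[title].add(host)
    over = {}
    for title, seats in entitlements.items():
        installed = len(hosts_by_title.get(title, set()))
        if installed > seats:
            over[title] = (installed, seats)
    return over


def audit_report(inventory, approved, entitlements):
    """Combine both checks into one set of audit findings."""
    return {
        "unapproved": find_unapproved(inventory, approved),
        "over_deployed": find_over_deployed(inventory, entitlements),
    }


if __name__ == "__main__":
    report = audit_report(INVENTORY, APPROVED, ENTITLEMENTS)
    for host, title, ver in report["unapproved"]:
        print(f"UNAPPROVED     {host}: {title} {ver}")
    for title, (installed, seats) in report["over_deployed"].items():
        print(f"OVER-DEPLOYED  {title}: on {installed} hosts, {seats} seats licensed")
```

In practice the inventory rows would come from an endpoint agent or a package-manager listing and the entitlements from procurement records; the reconciliation logic stays the same. The two findings map to the two exposures the text describes: unapproved titles are candidate pirated or unlicensed software, and over-deployment is a license breach even when every copy of the title is a legitimate one.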

d. Environmental Laws (Various)


In addition, there are federal laws regarding environmental issues that affect many organizations. Due to stiff penalties and negative public image that result from violations, internal auditors must be cognizant of any applicable environmental laws.


e. Sarbanes-Oxley Act (2002)


Several public frauds carried out in the years prior to 2002 focused attention on all aspects of financial reporting. Enron collapsed after what amounted to financial fraud by some of its executive managers. WorldCom also filed for bankruptcy when an internal auditor, Cynthia Cooper, Vice President of Internal Audit, uncovered $3.8 billion in fraud, the largest accounting fraud at the time. She boldly identified the fraud and the fraudsters to the board of WorldCom in June 2002; as much as $9 billion of fraud has since been uncovered. She was later recognized as Person of the Year by Time magazine, along with Sherron Watkins of Enron and Coleen Rowley of the FBI. Sherron Watkins, a former accountant, tried to blow the whistle at Enron, but the principal executive officers dismissed her claims of fraud. Other frauds were uncovered at Adelphia and Tyco, to mention just a few from this time. As a result of these frauds and related pressures brought on the U.S. Congress, the Sarbanes-Oxley Act was passed in the summer of 2002. The subsequent rules and regulations by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) will have a dramatic effect on internal controls for publicly traded companies. According to Section 404 (Management Assessment of Internal Controls), affected companies are required to: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. For the first time, the NYSE now requires an IA function in all listed companies.
Because the law requires CEOs and CFOs to report on their internal control systems and sign off onand therefore certifytheir financial statements filed with the SEC, this law will force top executives to assure the adequacy of their internal control systems. The role of internal controls and the system of internal controls has become more critical. Therefore, the material in this chapter is an important resource for IA in performing this critical and required function. (See also Sections 1.6(e) and 9.2 for more on the Sarbanes-Oxley Act.)

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
TITLE: Policies    NO: 3.5    REV NO:    DATE:    PAGES:

3.5 Policies [7]


Internal controls should have objectives related to assets, security, and auditability, ideally objectives shared with executive management. These objectives should be methodically developed into cogent policies that protect the assets identified as important (see Exhibit 3.7). Internal auditors will need to consider the following areas (and maybe others) related to internal controls, with the goal of providing valuable input into management's development of policies: computer system development, computer system usage, security, passwords, e-mail, business recovery (also disaster recovery), and privacy of both employee and customer data. For all policies, management should provide oversight for enforcement and hold employees accountable to them, in order to increase the effectiveness of the policies. While policies in and of themselves are not preventive measures, they are the foundation for building appropriate preventive techniques or tools, they set the tone for the internal control environment, and they provide the benchmark for evaluating controls (i.e., measuring compliance with the specifics of the policies). Where applicable, employees should sign a copy of policies to indicate their commitment (e.g., e-mail, computer usage).

Exhibit 3.7: Internal Control System Model

Chapter 3: Internal Control System

17

18

Chapter 3: Internal Control System

Management Policy System Development System Usage Security (especially passwords) Privacy E-Mail Business Recovery Plans Regulations SEC FCPA Environmental Copyright (e.g., software piracy) Risk Assessment Internal Threats: External Threats: Malicious Activities Remote Access Accidents Intruders: Disgruntled Employees Hackers/Crackers/Script Kiddies Ineffective Accountability Viruses Financial Fraud/Theft of Assets Computer Crime Control Strategies Prediction (e.g., monitoring systems) Prevention (e.g., multi-layered firewall) Detection (e.g., intrusion detection system) Correction (e.g., DRP/IRP) ComputerGeneral Controls ComputerApplication Controls Physical Controls (e.g., locked doors) Human Resource Procedures (e.g., background checks) IA Function Computer Logs/Electronic Audit Trail Segregation of Duties (IS, et al.) Corporate Governance: Audit Committee and IT Governance Specific Controls CAATTs Authorization: LAN, Applications, Data (password systems) Fraud and Crime-Related Activities (e.g., encryption) Business Recovery Plans: Disaster Recovery Plan (DRP), Incident Data Integrity (e.g., validation procedures Response Plan (IRP), Backups in applications) System Development Life Cycle Concepts Firewalls (multi-layered) Intrusion Detection Systems/Monitoring Policies may be developed before a risk assessment is formally conducted, but if so, they are definitely affected by an appropriate risk assessment. Therefore policies, to some degree, will need to be flexible and dynamic in order to accommodate evolving issues. A well-written policy, however, should state in broad terms the organization's objectives regarding areas such as those discussed and allow the details and specifics to evolve based on the expertise and knowledge of the internal auditors and maybe IS personnel.

a. Systems Development Life Cycle Policy


A key policy consideration is information systems, especially systems development and implementation. There should be a written policy that segregates the processes of systems development, usage (operations), and maintenance (see "Segmentation of Duties" in this chapter for more information). There are many stories of programmers and systems people who operated without proper segregation and were able to build fraudulent code into programs unnoticed. At least one case involved millions of dollars stolen from ATM machines, and many others involved large sums stolen using techniques such as salami slicing. A review of the organizational chart should indicate proper segregation of duties in the IS group. One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of taking systems off-line for upgrades, updates, and so on, and bringing them back online only after testing the new system thoroughly. It is recommended that this concept be included as corporate policy.

b. Systems Usage Policy (End Users)


A second related area is computer usage. In order to effectively manage distributed computer resources, a thorough written computer usage policy must be developed and communicated. The computer system usage policy should focus on identifying the authorized uses of company computer resources. One recent survey showed that a majority of employees use company computers for personal business while at work. A good method of developing this policy is to specifically identify all of the approved uses of systems and to state that all other uses are prohibited unless permission is secured in writing from management. The policy should also stipulate repercussions for violations.

c. Security Policy
Another critical policy is the security (or information security, InfoSec) policy. Internal auditors need to assist management in establishing fundamental security objectives tied to business objectives and assets that need protection from identified risks. One goal of the security policy is to emphasize to all stakeholders, employees in particular, that information and data are not just computer files; they are assets that have a value. A security policy will remind employees of the importance and value of the information they handle, and the risks or exposures that exist. Such a policy will help create a corporate culture that is security conscious. For a good overview of why to have an InfoSec policy, and how to develop it, view the Computer Emergency Response Team's (CERT's) presentation. [8]

d. Password Policy
A significant part of the security policy is a password policy. An effective password policy is a strategic advantage in maintaining strong internal controls and helps to minimize adverse events such as computer crime, fraud, and other unauthorized activities. It has been shown that an effective password system in operation prevents the majority of potential unauthorized activities. In one recent study, a researcher stated that 80% of the fraud and malicious activities he found could have been prevented with an adequate password system. For example, a former AT&T employee stole thousands of dollars of materials after being terminated. He used his password to get into the system, then cracked the purchasing agent's password, then ordered materials and had them shipped to him at a remote location. In a similar case, a former network administrator for a medium-size firm was terminated. He later logged onto the system with his regular password and proceeded to destroy live data and online backup data. The company almost went bankrupt. Obviously, in both circumstances, the passwords for the terminated employees should have been disabled immediately upon dismissal. That simple procedure would have prevented both tragedies. Therefore, the password policy needs to include a strong statement about authentication and authorization via access to systems using appropriate password schemes and structures, including the immediate removal of passwords when an employee is dismissed. (See Section 3.8(b) for more details on passwords; see Exhibit 3.8 for additional guidance in developing an effective password policy.)

Exhibit 3.8: Password Policy

Communication: Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization.
Multi-faceted: For example, use multiple levels of access requiring multiple passwords; use a password matrix of data to grant read-only, read/write, or no access per data field per user; use biometrics (such as fingerprints, voice prints), smart cards, or beeper personal identification numbers (PINs) in conjunction with remote logins; and user-defined procedures.
>= 6 characters: The more characters, the more difficult to guess or crack. Eight characters provide an effective length to prevent guessing, if combined with the items below.
Mix numbers and special characters with letters: The more non-alphabetic characters, the harder to guess or crack. Make them case-sensitive, and mix upper and lower case.
Regular forced changes: At regular intervals, make employees change their passwords.
Protection of individual passwords: Prohibit the sharing of passwords or "post-its" with passwords located near one's computer.
Limited trials: Limit the number of attempts to access the system with invalid data to about three. Lock the account after 1-3 false attempts to prevent hacking.
Notification of significant employee changes: Make sure the IS department is notified immediately when an employee is terminated or reassigned where responsibilities require a change in system access. This process prevents a disgruntled employee from perpetrating malicious activities.
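The Exhibit 3.8 rules can be expressed as checks that an application, or an auditor's test script, can run. The following is an added example and not code from the manual; it assumes a minimum length of eight characters, a lockout after three failed attempts, and a 90-day change interval, since the exhibit gives ranges rather than fixed values.

```python
"""Password policy checks modelled on Exhibit 3.8. Added example, not the
manual's own code. Assumed parameters: minimum length 8, lockout after 3
failed attempts, forced change every 90 days."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8                          # exhibit: eight characters is an effective length
MAX_FAILED_ATTEMPTS = 3                 # exhibit: lock after 1-3 false attempts
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed "regular interval" for forced changes


def password_violations(password: str) -> list[str]:
    """Return the Exhibit 3.8 rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    return problems


@dataclass
class Account:
    user: str
    last_changed: datetime
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False   # set when HR reports a termination or reassignment


def make_account(user: str, last_changed_iso: str) -> Account:
    """Create an account record; the date is when the password was last changed."""
    return Account(user, datetime.fromisoformat(last_changed_iso))


def password_expired(acct: Account, now_iso: str) -> bool:
    """'Regular forced changes': True once the password is older than MAX_PASSWORD_AGE."""
    return datetime.fromisoformat(now_iso) - acct.last_changed > MAX_PASSWORD_AGE


def record_login_attempt(acct: Account, success: bool) -> str:
    """'Limited trials': count invalid attempts and lock the account at the limit.
    Returns the resulting state: ok, failed, locked or disabled."""
    if acct.disabled:
        return "disabled"
    if acct.locked:
        return "locked"
    if success:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "failed"


def terminate_employee(acct: Account) -> None:
    """'Notification of significant employee changes': revoke access immediately,
    so that a correct password no longer opens the account."""
    acct.disabled = True
    acct.locked = True


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password1!", "Ab1!"):
        print(pw, "->", password_violations(pw) or "acceptable")
    acct = make_account("jdoe", "2002-01-01")
    print("expired on 2002-06-01:", password_expired(acct, "2002-06-01"))
    for attempt in (False, False, False, True):
        print("login", "ok" if attempt else "bad", "->", record_login_attempt(acct, attempt))
```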

e. E-Mail Policy
Internal auditors should also assist management in developing an e-mail policy that describes appropriate use of corporate e-mail resources. In order to enforce the policy, management will likely need to audit e-mail messages from time to time. If there is ever a need to access an employee's e-mail messages, management should make sure that such access is stated in the e-mail policy and that all employees are aware that their e-mail could be read by management or staff. Otherwise employees rightfully could complain, and maybe even sue successfully, for violation of privacy. The policy should address the unethical activities discussed later in this chapter and procedures for opening attachments, because they could be viruses or other malicious code. It should also be signed by every employee using corporate e-mail resources. See Exhibit 3.9 for a checklist or questionnaire about e-mail controls. Also see Section 3.6(b) for discussion of a variety of e-mail issues that are unethical or detrimental, all of which need to be considered in the e-mail policy.

Exhibit 3.9: E-Mail Questionnaire

1. Are there effective procedures and controls in place to prevent viruses from penetrating the IS of the enterprise via e-mail attachments (a thorough anti-virus system; see Exhibit 3.11)?
2. Are there effective procedures and controls in place to prevent employees from broadcasting hoax virus warnings to the employees of the enterprise?
3. Are there effective procedures and controls in place to prevent flaming by employees?
4. Are there effective procedures and controls in place to prevent spamming? Has the enterprise determined which states have laws regarding spamming, and have the details of applicable laws been incorporated into policy and controls?
5. Are there effective procedures and controls in place to prevent spoofing?
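For the attachment procedures the e-mail policy calls for (Exhibit 3.9, item 1), the following added example, which is not the manual's own code, screens a message's attachments against a blocked-extension list and also inspects the member names of zip archives; the extension list and the sample message are constructed for the example.

```python
"""Attachment screening for inbound corporate e-mail (Exhibit 3.9, item 1).
Added example, not the manual's code; the blocked-extension list and the
sample message are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: file types that execute when opened are never delivered.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "wsf"}


def _extension(name: str) -> str:
    """Lower-cased final suffix of a file name, or '' when there is none."""
    name = name.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def attachment_findings(raw_message: str) -> list[tuple[str, str]]:
    """Return (attachment name, reason) for each attachment that violates policy."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            findings.append(("(unnamed)", "attachment without a filename"))
            continue
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension .{ext}"))
        elif ext == "zip":
            # Worms commonly travel inside archives, so look at the member names too.
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or disguised archive"))
                continue
            for member in members:
                if _extension(member) in BLOCKED_EXTENSIONS:
                    findings.append((name, f"archive contains blocked file {member}"))
    return findings


def build_sample_message() -> str:
    """Constructed message: a harmless text file, a disguised screensaver and a zip
    that contains an executable (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment("plain report", filename="report.txt")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="photo.jpg.scr")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ...")
        zf.writestr("readme.txt", b"hello")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_string()


if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```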

f. Business Recovery Policy


An indispensable policy is business recovery plans (a.k.a. enterprise availability, business continuity). Those plans include adequate planning for business recovery of systems (e.g., after systems become unavailable, minor disruptions), disaster recovery (natural or man-made cataclysmic events that wipe out systems), incident response plans (to deal with the effects of a deleterious event such as theft of credit cards, including bad press), and even ordinary backups of data. Because disastrous events are so rare, many organizations (most organizations, according to statistics) do not plan adequately for any of the recovery procedures. However, the simple truth is that every organization will deal with business recovery in some form or other, to some extent or scope. Not only can natural or man-made disasters disrupt the commercial affairs of an organization, but system errors, system failures, hacking, or other computer attacks can also cause disruption. For disaster recovery, the policy should include some basics of the disaster recovery plan. For example, the ability to recover critical operations with minimal downtime should be the objective of the plan and the foundation of the policy. The plan itself should cover backup measures for a site, hardware, system software, application software, data, supplies, and documentation (see Exhibit 3.10). In addition, the plan should include a means to develop a ranking of critical applications and to test for effectiveness.

Exhibit 3.10: Disaster Recovery Plan

Site: A backup site facility, including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps availability when needed.
Hardware: Some vendors provide computers with their site, known as a "hot site" or recovery operations center. Some do not provide hardware, known as a "cold site." When hardware is not provided, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
System Software: Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
Application Software: Make sure copies of critical applications are available at the backup site.
Data Backups: One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
Critical Applications: Rank critical applications so an orderly and effective restoration of computer systems is possible.
Team: The specific team members and their roles should be written, understood, and rehearsed. The team leader is a critical success factor of the plan.
Supplies: A modest inventory of supplies should be at the backup site or be able to be delivered quickly.
Documentation: An adequate set of copies of user and system documentation. Also, the steps and elements of the plan itself should be documented with adequate detailed information.
TEST!: The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

Results from one survey show data losses were due to hardware or system malfunctions (44%), human error (32%), software malfunctions (14%), viruses (7%), and natural disasters (3%). To survive such events with minimal losses, a business needs to formalize recovery procedures into a business recovery plan. Such a plan serves this purpose, provides protection against other undesirable events, and usually goes beyond such ordinary business decisions as insurance. Obviously, it is critical when disasters actually occur (e.g., hurricanes, floods, or the attacks on the World Trade Center on September 11, 2001). A cost-benefit analysis will also highlight the necessity of having an appropriate set of business recovery plans. Therefore, internal auditors should encourage management to have written policies about restoring or recovering systems and/or data before a detrimental event occurs.
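To show what the "test the restore function of data backups before a crisis" step in Exhibit 3.10 looks like as a repeatable drill, the following added example (not the manual's code) backs up a constructed data set to a tar archive with a SHA-256 manifest, restores it into a scratch directory, and verifies every file; the file names and the simulated bad restore are constructed for the example.

```python
"""Backup restore drill for the Exhibit 3.10 'test the restore function' step.
Added example, not the manual's code; the data set and the failure simulation
are constructed."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under source; return a manifest of relative path -> SHA-256.
    The manifest travels with the off-site copy so a restore can be checked independently."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(source).as_posix()] = _sha256(p)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore(archive: Path, scratch: Path) -> None:
    """Extract into an empty scratch directory, never over the live system."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(scratch, filter="data")   # rejects members that escape scratch
        except TypeError:                            # older Python without the filter argument
            tar.extractall(scratch)


def verify(scratch: Path, manifest: dict[str, str]) -> dict:
    """Compare the restored tree with the manifest: missing, changed and unexpected files."""
    report = {"ok": [], "missing": [], "changed": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = scratch / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif _sha256(p) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    for p in scratch.rglob("*"):
        rel = p.relative_to(scratch).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    report["passed"] = not (report["missing"] or report["changed"])
    return report


def run_drill(simulate_bad_restore: bool = False) -> dict:
    """Full drill on a constructed data set. With simulate_bad_restore the restored copy
    is damaged (one file truncated, one lost) to show what a failed drill reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, scratch, archive = root / "live", root / "restore_test", root / "nightly.tar.gz"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "gl-2002.csv").write_text("acct,amount\n1000,42.00\n")
        (live / "customers.db").write_bytes(os.urandom(4096))
        manifest = make_backup(live, archive)
        scratch.mkdir()
        restore(archive, scratch)
        if simulate_bad_restore:
            (scratch / "ledger" / "gl-2002.csv").write_text("acct,amount\n")
            (scratch / "customers.db").unlink()
        return verify(scratch, manifest)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("bad restore:", run_drill(simulate_bad_restore=True))
```

A real drill would point make_backup at the production data and restore onto the backup-site hardware, keeping the manifest with the off-site copy.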

g. Privacy Policy
Information about individuals, either personal data or data about actions, is generally considered private information. If an entity observes an employee covertly, it can be taken as intrusive; in some cases, the legal system considers it an invasion of privacy. To protect the company from either of these injurious events, the company should protect the private information of employees wherever possible. When data is captured to ensure compliance with policies, employees should be asked to sign the pertinent policy to ensure their knowledge of this type of observation, the type of data about the employee being captured, and the ramifications for violations. For entities that have interactions with customers or clients over the Internet, a privacy policy should be developed for them regarding information collected by the entity (e.g., cookies). Then, this policy should be easily found on the web site home page and accessible to all customers or prospects. It is important for customers or potential customers to know how the entity will use their information, what the cookies will contain, and how they will function, in order to make them comfortable in conducting business online.

[7] See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.
[8] www.cert.org/present/cert-overview-trends/module-6.pdf.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.6 REV NO: DATE: PAGES:
TITLE: Risk Assessment

3.6 Risk Assessment


Risk assessment is a critical step in building an effective internal control system that has the ability to manage undesirable events, primarily because it strategically focuses attention on the most likely trouble spots with the highest costs rather than on general protection. The IIA focuses on risk assessment in IA activities and standards. Under the Performance Standards of the IIA's Standards for the Professional Practice of Internal Auditing, the first topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals." Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have long begun their process of financial audits with the audit formula: assessing inherent risk, control risk, detection risk, audit risk, and business risk. In SAS No. 78: Consideration of Internal Control in a Financial Statement Audit, [9] the AICPA institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control. The five major areas of internal control include (1) Control Environment, (2) Risk Assessment, (3) Information and Communication, (4) Monitoring, and (5) Control Activities. Lately, internal auditing has also put more focus on risk assessment. The current definition of internal auditing by the IIA states: Internal auditing is an independent, objective assurance and consulting activity to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. In 2000, the IIA basically adopted risk assessment as the cornerstone of audits in its Standards. In the Nature of Work section (SPPIA 2100), the first standard relates to Risk Management (SPPIA 2110).
It states: "The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems." In order to develop effective audit planning, some type of risk analysis is necessary because it provides strategic direction for limited resources. One model for investigating risks is to view them as internal risks and external risks. This manual uses this simple model for discussing some of the more common risks that exist in the average organization. See Section 6.1(b) of this manual for more about risk assessment, especially as it relates to audit planning.

a. Risk Assessment: Internal Perspective


An effective risk assessment must emphasize a good understanding of the internal risks (i.e., risks from within the organization). Despite the high-profile stories of hackers in the public press, research shows that about 75 to 80% of frauds and malicious activities actually originate from within the organization. An appropriate risk assessment would not only identify the specific risks associated with malicious activities, accidents, and other activities for the specific organization but perhaps put more emphasis on them than on external threats, depending on the specific system, risks, and threats. There are several groups to think about in assessing risk from internal sources. Disgruntled employees as a group probably present the highest risk, even more than hackers external to the firm. These people can be motivated to cause extensive harm to the organization and, depending on their knowledge and access to systems, data, and assets, may cause very costly damage. Second, management itself is a risky group. Because of their unique position to override controls, they can more easily commit fraud, especially financial fraud. If management is subjected to monetary pressures (e.g., they have stock options, but declining profits are driving stock prices down, or their bonuses are based on profits, etc.), they may be tempted to "cook the books." Even the normal aggressive nature of driven managers can become a risk if not mitigated by strong personal and corporate ethics and an effective internal control system (e.g., audit committee). One management accountant reported his dilemma when his boss wanted him to reverse a correct accounting transaction because it caused a department to miss its profit goals (budget variances) for the first time in months. Such actions are indicative of ethical soft spots that can lead to fraud, theft, or material misstatements.
Because of the nature of internal audit, it is difficult to assess this risk, but it should be analyzed thoroughly by external auditors during financial audits. Another dangerous group is that of employees with personal problems. These conditions can motivate fraud, theft, or misuse of assets. For example, a person who has a severe cash flow deficit, for whatever reason (e.g., gambling, excessive lifestyle, etc.), coupled with weak controls or opportunity, may be tempted to steal assets to cover personal losses, often with the intent to "pay back" the organization shortly. Numerous reported frauds give credence to this particular set of risky circumstances internally. It is also possible someone in the firm will become an industrial spy.

Malicious activities include destructive activities directed at the data or information system, communications to outsiders that would be detrimental to the organization, theft or fraudulent activities related to assets, and other similar activities. A sample of accidents using the internal view would include the following: inadvertent data destruction (e.g., erasing a hard drive), unintentional IS interruptions (e.g., infecting it with a virus or worm), errors in systems development, and errors in accounting data. Another area of concern is ineffective accountability. It is possible to create a strong set of appropriate internal controls only to have them fail to operate effectively. For example, well-designed systems provide error reports or logs where errors have been detected but not corrected. Failure to review such reports on a timely basis and provide corrective action quickly not only fails to correct an existing error but may well lead to further errors. First, if the error is systematic, then obviously it will occur again when the circumstances are duplicated. Second, if the error report has actually identified a fraudulent event, this oversight can inadvertently allow the fraud to be perpetrated without discovery. A similar result can happen if management fails to enforce policies when violations occur. Such neglect could encourage further violations or even extend the scope of violations, since employees would know that repercussions are not forthcoming.


One other observation must be made concerning internal controls, fraud, and management. COSO made a study of 200 randomly selected cases of alleged financial fraud investigated by the Securities and Exchange Commission, about two-thirds of the 300 SEC probes into fraud between 1987 and 1997. In that decade, most of the financial frauds among public companies were committed by small corporations, well below $100 million in assets. Top senior executives were involved in most of the cases (CEO and/or CFO in 83% of the cases). The average misstatement or misappropriation of assets was $25 million, with a median of $4.1 million. The size of the fraud relative to the size of the company is quite large. Some companies committing fraud were experiencing net losses or were at close to break-even positions in periods before the fraud. Pressures of financial strain or distress may have provided incentives for fraud for some companies. For internal auditors of firms of this size, these findings provide valuable input to a risk assessment.

b. Risk Assessment: External Perspective


An effective risk assessment must also emphasize a good understanding of the external risks (i.e., risks from outside the organization), especially if the firm has a web server connected to its internal systems or has remote access to networks. If the company has remote access to its computer systems, it should be concerned about unauthorized access by users external to the organization. Unauthorized access would most likely eventually lead to some detrimental activities.

If the company has employed electronic commerce, there are a number of risks to consider. These risks, being unique, require some special expertise regarding internal controls. It begins with security of data. While online, there is a risk that the data used in an e-commerce transaction might be stolen. However, secure sockets layer (SSL) and secure electronic transaction (SET) have proven to be nearly invincible, using encryption combined with public keys to protect data while exposed online. Both serve as effective tools in preventing theft of data while online. It is after the online transaction is consummated, not during it, that credit card data has been stolen. For example, one online storefront selling compact discs (CDs) took down its firewall to upgrade the system. Once the upgrade was completed, the connection was restored but IS employees forgot to reactivate the firewall. Crackers broke through the system and stole files containing thousands of credit cards, and then held the firm hostage, threatening to post the credit card data on the Internet unless the firm paid the ransom. The episode was devastating to the CD company, causing its financial collapse. This also demonstrates the combination of risks: an accident (firewall not restarted) and crackers (stolen credit card data). There are other reports of "crackers" (see "Types of Criminals" in this chapter for a definition and description of cracker) stealing credit card data, but always from files on the back office computers or web servers after the transactions were completed online. Some adverse activities have the objective of disrupting service (availability). For instance, denial of service (DoS) and/or distributed denial of service (DDoS) attacks are examples of crimes other than theft, in which crackers bring down an e-commerce server with technically devised computer attacks. One series of attacks brought down eBay and Yahoo, among others, in early 2000.
Yet even here, there were early warnings from certain groups that a DDoS attack was pending. The likelihood of these kinds of attacks depends on whether they occur for personal reasons (e.g., vengeance from a disgruntled former employee or a computer whiz out to get your business) or because the organization is high-profile (e.g., government entity, eBay, Yahoo, amazon.com, etc.). For internal auditors, that means the level of risk is lower if the company has a low profile, is not a government entity, or has a low level of online transactions. Nevertheless, there is a serious threat to anyone connected to the Internet today, including the desktop computers of a firm. The highest risk associated with the Internet is neither hackers nor crackers but viruses or worms. It is relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g., automatically opening attachments) and the address book on each computer. One relatively easy and cheap way to stop the spreading from a single infected computer is to add a bogus e-mail address to each address book, chosen so that it sorts to the top. The costs of damages created by viruses and worms in 2001 ran to $12 billion, with each of the several successful ones costing millions. Therefore, it is very important for internal auditors and the internal control system to address this risk specifically and conscientiously. Anti-virus software alone is insufficient as a control. For instance, new viruses would not be included in the database/definitions of an anti-virus system. Thus, some sort of dynamic, daily warning system is necessary. Several mailing lists offer this service, including CERT, [10] SANS, [11] and Zdnet, [12] and IA should ensure the responsible party is subscribed to this kind of mailing list. Exhibit 3.11 provides a model for an effective anti-virus system.

Exhibit 3.11: Anti-Virus System/Model

1. Anti-virus software installed on all PCs (with online updates available).
2. Require regular desktop and laptop updates of virus definitions and databases (use e-mail reminders and/or policy).
3. Responsible person or group subscribes to a credible virus alert mailing list (Cnet, Zdnet, Norton Anti-Virus Center, CERT, and others) to identify emerging viruses that cannot be detected using existing anti-virus databases, and to be able to get the newest anti-virus definitions when a new virus is released on the Internet.
4. Regular virus scans of desktop and laptop hard drives (part of regular anti-virus maintenance).
5. Filter e-mail servers (using routers, firewalls, or software) for potential viruses.
6. Other measures as appropriate in the particular enterprise (e.g., removal of floppy drives).
7. Training of all employees (e.g., during orientation).
8. Measures to prohibit propagation of hoax viruses (e.g., policy to not forward virus warnings except by executive designate).

There are several other problem areas or risks associated with e-mail. One is the fact that some virus warnings via e-mail are simply hoaxes. They are a problem, but much less costly than real viruses. Yet it only takes a minute to access one of the several hoax centers (e.g., Computer Incident Advisory Capability (CIAC), [13] Norton Anti-Virus Center [14]) to authenticate the message before forwarding it to everyone you know, which is the hidden purpose of the perpetrator. One suggestion regarding policy is to forbid broadcasting virus warnings from anyone other than a designated person or group. If a person receives a message and he/she thinks it is legitimate, that person would be required to forward the message to the enterprise anti-virus person or group. This person or group can then authenticate any virus warnings and broadcast appropriate messages.
By centralizing broadcast warnings, the enterprise can eliminate the waste of resources associated with hoax viruses (time to delete, clogging bandwidth with numerous bogus messages, etc.). Another e-mail risk to consider is flaming (electronic smash mouth, trash talking, derogatory messages, and even biased remarks). Such use of corporate e-mail should be prohibited, whether the target is another employee or the company. It can be a serious problem, even leading to litigation, if it involves sexual harassment or racial slurs. Spamming (junk e-mail) is a risk because it can clog bandwidth much like hoax viruses. Many states have laws against spamming. But as long as the message has some mechanism to disable future messages, it is not considered spamming, although often such mechanisms do not work. Internal auditors should investigate spamming legislation in the states where the enterprise has servers and promote an appropriate policy regarding the handling of spamming, received or sent. America Online (AOL) has a strict policy regarding spam and enforces it; as such, AOL serves as a good model to follow. Anti-spam software packages are available, but some have problems making a consistent distinction between spam and legitimate e-mail. Spoofing (impersonating) can also be a risk. Spoofing refers to e-mail messages that pretend to be sent (authorized) by someone who has no knowledge of the message. For example, an e-mail message could be broadcast to the enterprise's employees informing them of a day off, or some other message, and give the appearance of being authentic (such as the signature of an executive), yet be a bogus message. Exhibit 3.9 provides a questionnaire for internal auditors that could be used to audit the e-mail services of an entity. There are objects or code agents that pose threats similar to viruses or worms, be they applets, scripts, ActiveX elements, or other objects. Be sure the IS department has taken the necessary precautions to prevent these objects from carrying out destructive code. Crackers and script kiddies also take advantage of security holes in systems. These holes allow outsiders to gain unauthorized access to systems, after which they can carry out a wide variety of malicious activities, all unnoticed. Controls and procedures need to be developed to effectively protect against such attacks and risks. See Exhibit 3.12 for a set of basic vulnerability controls, Exhibit 3.13 for a questionnaire related to vulnerabilities, and Exhibit 3.14 for a list of the Top 20 vulnerabilities. The latter, developed by SysAdmin, Audit, Network, Security (SANS) and the FBI, documents the vulnerabilities most often used by attackers and intruders.

Exhibit 3.12: A Basic Vulnerability Plan

1. List of probable vulnerabilities (broad scope of input).
2. Use the list as a checklist to plug applicable vulnerabilities.
3. Subscribe to a security-related mailing list (security alerts).
4. Regularly use the alerts to plug emerging leaks.
5. ALWAYS test all changes, fixes, and plugs OFFLINE before putting the system back online.

Exhibit 3.13: Sample Questionnaire/Inquiry

- There is a reputable source or list of applicable vulnerabilities to our information systems.
- The list is reviewed on a regular basis to see that all applicable vulnerabilities have been corrected.
- There is a credible source to update the list for emerging vulnerabilities.
- The updates are reviewed daily (weekly) for applicable ones, and corrections made.
- Both processes are reported or checked off by a responsible party in InfoSec.
- The system is tested on a regular basis for known vulnerabilities or potential exposures.
- Fixes and changes are first thoroughly tested on systems OFFLINE before being allowed online.

Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502) [15]

G1 Default installs of operating systems and applications
G2 Accounts with no passwords or weak passwords
G3 Non-existent or incomplete backups
G4 Large number of open ports
G5 Not filtering packets for correct incoming and outgoing addresses
G6 Non-existent or incomplete logging
G7 Vulnerable CGI programs
W1 Unicode vulnerability (web server folder traversal)
W2 ISAPI extension buffer overflows
W3 IIS RDS exploit (Microsoft Remote Data Services)
W4 NETBIOS: unprotected Windows networking shares
W5 Information leakage via null session connections
W6 Weak hashing in SAM (LM hash)
U1 Buffer overflows in RPC services
U2 Sendmail vulnerabilities
U3 BIND weaknesses
U4 R commands
U5 LPD (remote print protocol daemon)
U6 sadmind and mountd
U7 Default SNMP strings

[9] SAS No. 78 revised SAS No. 55, the same topic.
[10] See www.cert.org.
[11] See www.sans.org.
[12] See www.securityresponse.symantec.com/avcenter or www.norton.com.
[13] See www.ciac.org/ciac by U.S. Department of Energy.
[14] See www.securityresponse.symantec.com/avcenter/ or www.norton.com.
[15] G = General Vulnerabilities, W = Windows Vulnerabilities, U = UNIX Vulnerabilities. See www.sans.org/top20.htm.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.7    REV NO:    DATE:
TITLE: Control Strategies    PAGES:


3.7 Control Strategies


Effective control activities can help to mitigate the risks identified in the risk assessment. Control activities are developed at least in part from proven control strategies. Specific controls, such as CAATTs, are identified in "Specific Controls/CAATTS" in this chapter. Control activities are presented here in two models, along with some other general areas of control activities, with specific illustrations. The two models are discussed to provide a way for internal auditors to think about developing general control activities and objectives.

a. Fourfold Perspective of Controls Model


Before developing management policies, management needs to have a general understanding of how to design effective internal controls. The management of undesirable events is one aspect, which is divided into four perspectives. The first is prediction. The second is preventive controls that will minimize the possibility of a risk occurring. The third and fourth are detective and corrective, where controls are able to detect undesirable events after they have occurred and, in some cases, automatically correct them; in other cases they provide the means to correct them. Obviously, predictive and preventive measures are more efficient and less harmful and therefore should be premier in building the internal control system.

i. Prediction

The first area, prediction, is the most difficult. Profiling and background checks are specific activities that serve to predict malicious behavior or actions. Others include systems that are capable of generating accurate warnings regarding malicious activities. Two examples are certain mailing lists and Internet warning systems. One good example is the early warning system of a mailing list for malicious activities such as viruses and security vulnerabilities. When a new virus is released on the Internet, several organizations watch for it and publish early warnings via a mailing list. These organizations include non-profit or government ones such as CERT, some of the anti-virus manufacturers such as Norton, and technical publications such as ZDnet. Since anti-virus software is vulnerable to a new virus, such a system is both "predictive" and preventive, and as such is critical to protecting assets (see Exhibit 3.11 to illustrate the inclusion of a predictive step in an anti-virus set of controls). Another type of predictive control is an Internet-wide monitoring system such as those employed by CERT, [16] BUGTRAQ, [17] and the Internet Storm Center (ISC). [18] The latter uses an approach similar to the virus warning systems: it monitors the Internet in a broad manner to determine whether any malicious activity is emerging. The infamous Berkeley Internet Name Domain (BIND) attack is an example of how access to the ISC serves as a predictive control.

On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53, the port that supports the domain name service. Attacks on port 53 are significant only because the software program called BIND [19] uses that port, and versions of BIND that had not been recently updated had a vulnerability that attackers could use to take over the systems. [20] Thousands of organizations that had not updated their version of BIND were being infected with a worm called Lion. Lion stole password files from infected machines and sent them to a site in China, and it installed a distributed denial of service (DDoS) tool so that the infected machines could be used in denial of service attacks. But hundreds of intrusion detection sensors that were logging attacks had become part of regional and industry-specific security monitoring networks. They sent their logs to analysis sites. There the data was aggregated and charted automatically, and posted for analysis at SANS. Analysts immediately saw a spike in the number of attacks on DNS port 53. Some kind of man-made "electronic storm" (actually an electronic packet storm) was sweeping through the Internet. The analysts determined what damage the worm did and how it was able to do it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just 14 hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack in progress, telling them where to get the program to check their machines, and advising what to do to avoid the worm.

This episode demonstrates the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious, which allowed the expeditious response that slowed and then stopped the attacks, and served as a predictive control for many organizations. The technology, people, and networks that found the Lion worm were all part of the SANS Institute's Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November 2000. CID's contribution the night of March 22 was sufficient to earn it a new title: Internet Storm Center. Today Internet Storm Center gathers more than 3 million intrusion detection log entries every day. It is rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. Internet Storm Center is a free service to the Internet community. The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. [21]

Another source that can serve as a predictive control is CERT. The CERT Coordination Center (CERT/CC) is located at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10% of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents.
Since then, the CERT/CC has helped to establish other response teams, and its incident handling practices have been adapted by more than 200 response teams around the world. CERT focuses on protecting systems against potential problems, reacting to current problems, and predicting future problems. The organization's work involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help entities improve security at their sites. The security alerts and mailing lists are excellent sources for predictive controls.

It could be argued that the internal auditor's experience and professional judgment have predictive powers of sorts. If the company is experiencing a high degree of pressure in the stock market (e.g., declining stock prices, earnings per share below street predictions), and there is weakening or soft profitability (e.g., declining profits, declining revenues, economic woes of some sort), and personal weaknesses in executives (e.g., a lifestyle that is high or beyond their means, weak personal ethics), then there is a high risk of financial fraud; that is, it could be predicted. Most major financial frauds of the past have these factors in common. For employees, it is opportunity (exposure) combined with personal weaknesses, and the possible result is theft. Many past employee thefts have these traits in common. Therefore, the professional judgment of auditors should be viewed as and used as a predictive control. For financial fraud, this "control" is effective if, and only if, the internal auditors report directly to the audit committee.

Some emerging technologies are being used to build predictive models with a relatively high degree of accuracy. Technologies such as artificial neural networks (ANN) have been shown to be more accurate than other modeling tools at making predictions where the data is extensive or complicated.
Studies have shown the ability of ANN to predict with a relatively high degree of accuracy such events as financial distress of a firm (e.g., bankruptcy). Therefore it is not beyond the realm of possibility to use an ANN to build a predictive model for control breaches, "training" it by using actual past data. However, it does take special skills to properly build such a system.

ii. Prevention

Secondly, activities should be implemented where the objective is to prevent malicious activities. For InfoSec and Internet resources, a multi-layered firewall is a good control. That is, a single firewall control, such as a router with filters, is a weak control (i.e., becomes an exposure). A better control is a firewall that has multiple layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software applications to prevent errors in data. System access likewise needs preventive controls to prohibit unauthorized access to systems and data.

iii. Detection

It is much easier to develop controls for detection, the third perspective. For InfoSec, there are some developing, effective means of detecting general Internet attacks. For example, the Internet Storm Watcher [22] gathers information in real time from logs all over the Internet. When a general attack is made, the Storm Watcher is able to spot it much as a weather system predicts a physical storm. Monitoring systems that measure traffic on specific ports of the Internet and then graph it can produce an outcome that can detect an intruder hacking into a system. There are more sophisticated intrusion detection systems, but any enterprise with risks associated with the Internet needs a detection system commensurate with its level of risk.

Artificial neural networks, mentioned above, also have been shown to be able to detect fraudulent events or transactions. Studies have shown that a detective model can be built to recognize potentially fraudulent transactions after having been trained by using actual past data (i.e., actual valid transactions and actual fraud transactions). Such a system could potentially then "sit" on top of the processing systems and filter transactions looking for potentially fraudulent ones. Once a suspicious transaction is detected, the ANN would warn someone in IA directly, giving IA and the firm a chance to detect a fraudulent or irregular transaction as it is being conducted, rather than detecting it weeks or months later in an audit. There is a need to make sure such a system does not seriously impede the processing of transactions in the corporate system (i.e., IS performance). Again, it does take special skills and knowledge, as well as a set of transactions to do the training.

iv. Correction

The last perspective, correction, is another fruitful source of controls.
For instance, logs that generate a list of detected errors and the procedures to correct them are a critical component of applications and systems. Other types of correction controls include disaster recovery plans, business recovery plans, and incident response plans, all intended to correct the damage from major catastrophes.
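The aggregation the Lion worm account credits with exposing the attack (a port 53 spike that was obvious only in the pooled sensor logs) and the port-traffic monitoring described under Detection reduce to a small piece of detection logic. The following is an added example, not code from the book, SANS or the ISC; the log line format, the thresholds and every sample line are constructed assumptions.

```python
"""Pool intrusion-detection sensor logs, count probes per destination port per
hour, and flag an hour whose count far exceeds that port's earlier baseline.
Added example (not from the book, SANS or the ISC); the log format, thresholds
and all sample lines below are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log, assumed format: "<ISO timestamp> <sensor> <src ip> <dst ip>:<dst port>".
# 20:00 and 21:00 are quiet; at 22:00 four sensors each log a few extra port-53 probes.
SAMPLE_LOG = """\
2001-03-22T20:03:10 sensor-us-east 198.51.100.7 192.0.2.10:80
2001-03-22T20:15:42 sensor-us-east 198.51.100.8 192.0.2.10:53
2001-03-22T20:21:05 sensor-eu 203.0.113.4 192.0.2.20:80
2001-03-22T20:44:31 sensor-eu 203.0.113.9 192.0.2.20:53
2001-03-22T20:50:00 sensor-asia 198.51.100.20 192.0.2.30:80
2001-03-22T21:02:19 sensor-us-east 198.51.100.7 192.0.2.10:80
2001-03-22T21:10:55 sensor-us-east 198.51.100.9 192.0.2.10:53
2001-03-22T21:33:47 sensor-eu 203.0.113.4 192.0.2.20:80
2001-03-22T21:40:12 sensor-eu 203.0.113.11 192.0.2.20:53
2001-03-22T21:58:30 sensor-asia 198.51.100.21 192.0.2.30:80
2001-03-22T22:00:03 sensor-us-east 198.51.100.30 192.0.2.10:53
2001-03-22T22:00:09 sensor-us-east 198.51.100.31 192.0.2.10:53
2001-03-22T22:00:14 sensor-us-east 198.51.100.32 192.0.2.10:53
2001-03-22T22:01:20 sensor-eu 203.0.113.40 192.0.2.20:53
2001-03-22T22:01:44 sensor-eu 203.0.113.41 192.0.2.20:53
2001-03-22T22:02:01 sensor-eu 203.0.113.42 192.0.2.20:53
2001-03-22T22:02:37 sensor-asia 198.51.100.50 192.0.2.30:53
2001-03-22T22:03:08 sensor-asia 198.51.100.51 192.0.2.30:53
2001-03-22T22:03:41 sensor-asia 198.51.100.52 192.0.2.30:53
2001-03-22T22:04:15 sensor-us-west 198.51.100.60 192.0.2.40:53
2001-03-22T22:04:50 sensor-us-west 198.51.100.61 192.0.2.40:53
2001-03-22T22:05:22 sensor-us-west 198.51.100.62 192.0.2.40:53
2001-03-22T22:06:00 sensor-us-east 198.51.100.7 192.0.2.10:80
2001-03-22T22:30:15 sensor-eu 203.0.113.4 192.0.2.20:80
"""


def parse_line(line):
    """Return (hour bucket, sensor name, destination port) for one log line."""
    timestamp, sensor, _src, dst = line.split()
    _host, port = dst.rsplit(":", 1)
    hour = datetime.fromisoformat(timestamp).replace(minute=0, second=0, microsecond=0)
    return hour, sensor, int(port)


def hourly_counts(lines, sensor=None):
    """Map each port to a Counter of probes per hour, optionally for one sensor only."""
    counts = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        hour, name, port = parse_line(line)
        if sensor is None or name == sensor:
            counts[port][hour] += 1
    return counts


def detect_spikes(lines, sensor=None, factor=3.0, min_events=5):
    """Return (hour, port, count, baseline) for every hour in which a port's
    probe count is at least min_events and more than factor times the mean of
    all earlier hours in the log (the baseline)."""
    counts = hourly_counts(lines, sensor)
    hours = sorted({h for per_hour in counts.values() for h in per_hour})
    spikes = []
    for port, per_hour in counts.items():
        for i, hour in enumerate(hours):
            prior = [per_hour.get(h, 0) for h in hours[:i]]
            if not prior:
                continue  # no history yet, nothing to compare against
            baseline = mean(prior)
            count = per_hour.get(hour, 0)
            if count >= min_events and count > factor * baseline:
                spikes.append((hour, port, count, baseline))
    return sorted(spikes)


def main():
    lines = SAMPLE_LOG.splitlines()
    # A single sensor sees only three extra probes and stays under the threshold;
    # the pooled view shows twelve against a baseline of two.
    print("single sensor (sensor-us-east):", detect_spikes(lines, sensor="sensor-us-east"))
    print("all sensors pooled:", detect_spikes(lines))


if __name__ == "__main__":
    main()
```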

b. Information Systems and Controls Model


A second model applies to controls in general: physical and computer. Computer control is subdivided into general and application controls (see Exhibit 3.15).

Exhibit 3.15: IS Model of Controls

Computer Controls
  General Controls: Passwords; Locked Doors
  Application Controls: Input Controls; Processing Controls; Output Controls; Batch Controls
Physical Controls
  Transaction Authorization; Segregation of Duties; Supervision; Accounting Records; Access Control; Independent Verification

i. Physical Controls

Physical controls involve controls of a manual nature (see Exhibit 3.16). Some examples follow for illustrative purposes and are not exhaustive.

Exhibit 3.16: Physical Controls

1. Transaction authorization (manual procedures)
2. Segregation of duties (IS processes, accounting processes, etc.) (authorization versus processing, custody versus recordkeeping, and such that fraud requires collusion)
3. Supervision (compensating control when unable to use segregation of duties)
4. Accounting records
5. Access controls (direct, indirect)
6. Independent verification (performance, system integrity, data integrity)

Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are processed by the accounting system with integrity and in compliance with management policies and objectives. Using management decision rules, certain recurring transactions become a programmed procedure, or operate under general authority. Other decisions of a non-routine nature need specific authority.

Segregation of duties is another important type of physical control. Three good rules of thumb for developing controls using segregation of duties are: (1) separate authorization of transactions from processing them, (2) separate custody of assets from record keeping, and (3) create controls such that a successful fraud can only be perpetrated using collusion. The latter generally can be accomplished by separating steps of the process between different individuals. Also, make sure segregation of duties extends beyond the typical area of basic accounting functions. For example, segregation of duties has many applications in IS processes and database management. Some of the controls that illustrate proper segregation of duties in IS are:

- Separate systems development from computer operations. This control should both deter fraud and increase the quality of documentation.
- Separate new systems development from maintenance, which also should increase the quality of documentation. If this separation is not possible, systems analysis can be separated from programming. This alternate organizational structure could lead to weaker documentation and creates an exposure for programming, leaving it open to possible malicious code (e.g., back doors, salami slicing).
- Separate the database administrator (DBA) from other database and systems functions, computer operations, development, and maintenance.
- Separate the data library function from computer operations, development, and maintenance. If the enterprise stores data tapes, backups, or other centralized storage, then a data librarian serves as custodian of the data asset. Some enterprises include original software and their licenses in the "library" as well. Documentation of in-house software, including original source code, should also be housed in the library. Software and data assets should be treated much like inventory assets when it comes to controls. That is, they need to have a custodian, strict procedures for checking assets in and out, and an adequate audit trail of transactions (where the assets go, why, and in this case, their safe return). If a permanent librarian is not feasible, the rotation of a person on an ad hoc basis should suffice as an adequate control.
- Use of a data control group. This group (or person) serves as a control between operations and end users, including management. They perform tasks such as: review and test computer procedures, monitor data processing, review and distribute computer output, serve as liaison with end users, and review control logs from data processing. Therefore, this group, if employed, should be separated from operations and systems development.

Other segregations may be necessary depending on the circumstances, size, and other issues pertinent to the enterprise. (See Section 3.7(f) for more on segregation of duties.)

Supervision is a vital part of physical controls. When segregation of duties becomes impractical, supervision is the default compensating control. This control includes formal reporting and procedures as well as physically supervising a person or process.

Accounting records should be kept in such a way as to prevent unauthorized physical access. That is, safeguard documents (e.g., checks) and physical accounting records (ledger cards).

Access controls (direct and indirect) are addressed in Section 3.8(b), and are a part of physical controls. Direct controls involve physical access to assets such as inventory or cash. Indirect controls relate to documents and processes that control such assets (e.g., credit memos, purchase orders, etc.).

Management also will assess the integrity of the computer system and data on an ongoing basis as a part of independent verification. Internal controls should also be implemented for independent verification of data. A classic control in this category is the comparison of physical assets with accounting records, but it also includes controls such as reviewing management reports.

ii. Computer Controls: General

Computer controls are subdivided into general and application. This section addresses general computer controls. They would include controls such as locked doors for sensitive areas (e.g., data storage, mainframe room). They should also include controls regarding the development of new systems. These controls might include:

- Requiring a written request with justification from user(s)
- Requiring a written evaluation and authorization of this request by IS staff
- Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to ensure the inclusion of adequate controls during development)
- Requiring adequate documentation procedures
- Requiring a written report on the testing (probably re-introduce the CISA or CIA to the process at this point)
- Requiring full off-line testing for new applications, hardware, or systems before activation online, and
- Requiring training on new applications before implementation

Major changes to existing software systems should generally follow the same set of controls. There should also be controls regarding computer operations. For example, the system should build a log of activities including the application used, the data used, the manipulations made, how long the user used the data or application, and the identification of users. Some operating systems have the ability to build this kind of log (see "Logs and Auditability" in this chapter for more information). There should be some kind of controls for the receipt of data for keying (if feasible) and for the distribution of output (e.g., data control group). Data backups (tapes or disks) should have controls for labeling (either internal or external labels). Other library-related controls may be needed for data backups. Access to programs and data is critical and needs controls, and has already been discussed. Segregation of duties should be used to build independence (cannot alter programs or data), and to limit opportunities for concealment of fraud.
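The segregation-of-duties rules given under physical controls (authorization versus processing, custody versus record keeping, and the IS separations between development, operations, maintenance, the DBA, the data library and the data control group), together with supervision as the compensating control and the collusion test, can be checked mechanically against a duty roster. This is an added example, not the book's code; the duty names, the roster and the supervision records are constructed.

```python
"""Check a duty roster against the chapter's segregation-of-duties rules,
report each conflict as an exposure unless a documented supervisory review
compensates for it, and find anyone who could run a process end to end with
no accomplice.  Added example, not code from the book; the duty names, the
roster and the supervision records are constructed."""
from itertools import combinations

# Duty pairs one person should not hold, following the chapter's rules for
# accounting functions and for IS (development, operations, maintenance,
# DBA, data library, data control group).  Duty names are this example's own.
CONFLICTING_PAIRS = {
    frozenset({"transaction_authorization", "transaction_processing"}): "authorization vs processing",
    frozenset({"asset_custody", "record_keeping"}): "custody of assets vs record keeping",
    frozenset({"systems_development", "computer_operations"}): "development vs operations",
    frozenset({"systems_development", "maintenance"}): "new development vs maintenance",
    frozenset({"database_administration", "computer_operations"}): "DBA vs operations",
    frozenset({"database_administration", "systems_development"}): "DBA vs development",
    frozenset({"database_administration", "maintenance"}): "DBA vs maintenance",
    frozenset({"data_library", "computer_operations"}): "data library vs operations",
    frozenset({"data_library", "systems_development"}): "data library vs development",
    frozenset({"data_library", "maintenance"}): "data library vs maintenance",
    frozenset({"data_control_group", "computer_operations"}): "data control group vs operations",
    frozenset({"data_control_group", "systems_development"}): "data control group vs development",
}

# Steps of one accounting process; a person holding all of them needs no accomplice.
PURCHASING_STEPS = ["transaction_authorization", "transaction_processing",
                    "asset_custody", "record_keeping"]

# Constructed roster: user -> duties held.
SAMPLE_ASSIGNMENTS = {
    "alice": {"transaction_authorization", "record_keeping"},
    "bob": {"transaction_processing", "asset_custody"},
    "carol": {"transaction_authorization", "transaction_processing",
              "asset_custody", "record_keeping"},  # small shop: one person does it all
    "dave": {"systems_development", "computer_operations"},
    "erin": {"database_administration", "maintenance"},
    "frank": {"data_library"},
}

# Constructed supervision records: user -> duty pairs a supervisor formally reviews.
SAMPLE_SUPERVISION = {
    "carol": {frozenset({"transaction_authorization", "transaction_processing"})},
}


def find_sod_conflicts(assignments, supervised_pairs=None):
    """One finding per conflicting duty pair held by a single user.  A pair under
    a documented supervisory review is reported as compensated (the chapter's
    default compensating control); every other conflict is an exposure."""
    supervised_pairs = supervised_pairs or {}
    findings = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            rule = CONFLICTING_PAIRS.get(pair)
            if rule is None:
                continue
            compensated = pair in supervised_pairs.get(user, set())
            findings.append({
                "user": user,
                "duties": tuple(sorted(pair)),
                "rule": rule,
                "status": "compensated by supervision" if compensated else "exposure",
            })
    return findings


def users_holding_every_step(process_steps, assignments):
    """Users who hold every step of a process, so a fraud would need no collusion."""
    steps = set(process_steps)
    return sorted(user for user, duties in assignments.items() if steps <= set(duties))


def main():
    for finding in find_sod_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_SUPERVISION):
        print(f"{finding['user']:6} {finding['status']:26} {finding['rule']}")
    print("can complete purchasing alone:",
          users_holding_every_step(PURCHASING_STEPS, SAMPLE_ASSIGNMENTS))


if __name__ == "__main__":
    main()
```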

iii. Computer Controls: Application

The next aspect of the IS controls model is application controls, which are more specific. They include input controls, processing controls, and output controls. Examples of input controls include:

(A) Authorization. Proper authorization procedures and controls are essential to an effective internal control system. The fact that the accounting system is a computer-based one does have some effect on these controls. Two basic control guidelines for authorization are:

- Controls should make sure transactions are properly authorized in accordance with management objectives and policies
- Embed controls where the computer performs the authorization

An example of the latter would be credit limits. The software should have built-in controls that verify a customer has sufficient credit to issue an invoice without going over the credit limit, and that require special authorization (preferably from the credit department) to allow the invoice to be processed when the amount would put the customer over the credit limit.

(B) Converting data into computer files. Controls should be developed to ensure the validity of data entry from the point of data capture and/or input.

- Use of batch control methodology, where applicable
- Record counts, batch totals, hash totals, computer editing controls, verification programs and controls

(C) Subsequent accountability. Subsequent to data entry, application controls should be employed to make sure data has not changed and data maintenance is validated, where applicable. Examples include:

- Transmittal controls
- Routing slips
- Control totals (hash, amount totals, etc.)

Examples of processing controls include the following:

- Batch control where applicable (not likely to apply in real-time systems): control totals, batch totals, hash totals, record counts
- Validity check test (e.g., valid data for the particular field, complementary master record(s) exist, etc.)
- Limit test (data is within the range of valid entries for the particular field, data is reasonable)
- Self-checking digit, where applicable (telecommunications)

Examples of output controls include the following:

- Controls to ensure reliability of computer output (e.g., error reports, printed reports, printed checks, etc.)
- Controls to ensure outputs are distributed with appropriate custody to authorized personnel only
- If batch methodology is employed, reconcile output control totals with processing and input control totals
- Develop controls using error reports for data that does not meet certain validity checks, including control procedures for follow-up of error reports for corrections
- Develop effective controls such as the data control group, the computer itself, and users to perform these control tasks (from most effective to least)
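The input, processing and output controls listed above can be exercised together on a single invoice batch: control totals on the transmittal slip, edit checks per record, the credit-limit authorization control, and the reconciliation of output totals back to input totals. The following is an added example, not code from the book; the chart of accounts, the customer master, the amount ceiling and the use of a mod-10 (Luhn) self-checking digit on customer ids are constructed assumptions.

```python
"""Run one constructed invoice batch through the chapter's application controls:
batch control totals (record count, amount total, hash total of account numbers),
validity, limit and self-checking digit tests, credit-limit authorization, and
reconciliation of output totals to input totals.  Added example, not code from
the book; master data, limits and the mod-10 check digit scheme are assumptions."""
from decimal import Decimal

VALID_ACCOUNTS = {"4010", "4020"}      # constructed chart-of-accounts subset
AMOUNT_LIMIT = Decimal("10000")        # assumed reasonableness ceiling per invoice
CUSTOMER_MASTER = {                    # constructed: id (with Luhn check digit) -> credit data
    "123455": {"credit_limit": Decimal("5000"), "balance": Decimal("1200")},
    "200014": {"credit_limit": Decimal("5000"), "balance": Decimal("1000")},
    "300020": {"credit_limit": Decimal("2000"), "balance": Decimal("0")},
}

# Constructed batch as keyed by data entry, plus the control totals on its transmittal slip.
SAMPLE_BATCH = [
    {"account": "4010", "customer": "123455", "amount": "1500.00"},  # clean
    {"account": "4010", "customer": "200014", "amount": "4500.00"},  # would exceed credit limit
    {"account": "4020", "customer": "300020", "amount": "250.00"},   # clean
    {"account": "4999", "customer": "123455", "amount": "100.00"},   # account not on file
    {"account": "4010", "customer": "123456", "amount": "75.00"},    # check digit wrong
    {"account": "4020", "customer": "300020", "amount": "-20.00"},   # fails limit test
]
SAMPLE_HEADER = {"record_count": 6, "amount_total": Decimal("6405.00"), "hash_total": 25069}


def luhn_valid(number):
    """Mod-10 self-checking digit test (Luhn); an assumed scheme for customer ids."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def control_totals(records):
    """Input controls: record count, amount (batch) total, hash total of account numbers."""
    return {
        "record_count": len(records),
        "amount_total": sum(Decimal(r["amount"]) for r in records),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def edit_checks(record):
    """Processing controls: validity, self-checking digit and limit tests."""
    errors = []
    if record["account"] not in VALID_ACCOUNTS:
        errors.append("INVALID_ACCOUNT")
    if not luhn_valid(record["customer"]) or record["customer"] not in CUSTOMER_MASTER:
        errors.append("INVALID_CUSTOMER")
    if not Decimal("0") < Decimal(record["amount"]) <= AMOUNT_LIMIT:
        errors.append("AMOUNT_OUT_OF_RANGE")
    return errors


def process_batch(records, header, authorized=frozenset()):
    """Bounce the batch if its totals disagree with the transmittal slip; otherwise
    accept, hold for credit-department authorization, or reject each record.
    `authorized` holds indexes the credit department has specially approved."""
    result = {"batch_accepted": False, "accepted": [], "pending_authorization": [], "rejected": []}
    if control_totals(records) != header:
        return result  # input control failed: whole batch goes back to the data control group
    result["batch_accepted"] = True
    for idx, record in enumerate(records):
        errors = edit_checks(record)
        if errors:
            result["rejected"].append((idx, errors))
            continue
        customer = CUSTOMER_MASTER[record["customer"]]
        over_limit = customer["balance"] + Decimal(record["amount"]) > customer["credit_limit"]
        if over_limit and idx not in authorized:
            result["pending_authorization"].append(idx)
            continue
        result["accepted"].append(idx)
    return result


def output_reconciles(records, header, result):
    """Output control: each input record has exactly one disposition and the
    amounts across dispositions add back to the input amount total."""
    indexes = result["accepted"] + result["pending_authorization"] + [i for i, _ in result["rejected"]]
    amount = sum(Decimal(records[i]["amount"]) for i in indexes)
    return sorted(indexes) == list(range(header["record_count"])) and amount == header["amount_total"]


def main():
    result = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print(result)
    print("output reconciles to input:", output_reconciles(SAMPLE_BATCH, SAMPLE_HEADER, result))


if __name__ == "__main__":
    main()
```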


c. An Internal Audit Function


The most important general control activity is an internal audit function. Each enterprise must have an independent source for developing and verifying controls, above and beyond what the external auditors might do in a financial audit. Internal audit is much broader and more flexible in the tasks it performs. A qualified group of people, and an adequate staff, are indispensable in effective control activities, and a successful internal control system. Major bankruptcies such as Enron have brought criticism to the possible lack of independence when the internal audit function has been outsourced to the external auditors responsible for the financial audit. Therefore, if it is outsourced, management should be careful to maintain a maximum degree of independence. The best situation is to have an IA department within the firm. In fact, the New York Stock Exchange and the IIA have asked the SEC to require an IA function for all companies with publicly traded stock. [23] This manual stresses the activities, qualifications, and duties that make the IA shop successful and productive. The IIA argues that an internal IA shop is a critical success factor in effective corporate governance, especially regarding security, auditability, and controls.

d. Corporate Governance
A key control strategy is an effective corporate governance structure. This strategy begins with the IA function and includes an effective audit committee and IT governance.

i. Audit Committee

Another key major control activity is an adequate audit committee. But having an audit committee is not the same as having an effective audit committee. For publicly traded companies, the SEC issued a ruling that took effect January 31, 2000, related to audit committees. The ruling [24] says in part:

    The Securities and Exchange Commission is adopting new rules and amendments to its current rules to require that companies include in their proxy statements certain disclosures about their audit committees and reports from their audit committees containing certain disclosures. The rules are designed to improve disclosure related to the functioning of corporate audit committees and to enhance the reliability and credibility of financial statements of public companies.

The SEC basically requires publicly traded companies not only to have an audit committee but to include information on its activities in SEC reports. Companies that are not publicly traded but have a large number of stockholders probably need an audit committee because of their fiduciary responsibility. A significant responsibility of the audit committee is to deal with the risks of the entity. Therefore, businesses that have a relatively large risk of fraud, theft, security breaches, or illegal activities should also have an audit committee. For example, financial institutions and other businesses that handle large volumes of cash daily are prime candidates for an audit committee because cash misappropriation is the highest of risks.

Companies need an audit committee for several reasons. The main reason is the fiduciary responsibility the company has to the shareholders. Management should also expect the audit committee to assist them in ensuring the integrity of financial reports and in deterring fraud. The public expects no surprises in the financial health of the company, and it expects to be able to trust the financial reports. Audit committees should be able to serve as guardians of the public interest. The audit committee serves as an independent "check and balance" with the internal audit function, serving as a watchdog over financial statements, risks, and management assertions, and as liaison with external auditors. They interact with both these groups with the objective of ensuring data integrity in financial statements and the avoidance of fraud or illegal activities. They also look for ways to identify adverse events. For instance, they might serve as a sounding board for employees who observe suspicious behaviors or outright fraudulent activities. The audit committee should have a willingness to challenge the internal audit function as well as management when necessary. For those entities that employ outside auditors, the audit committee should be best positioned to determine whether or not the provision of any particular service by the audit firm is inappropriate. In fact, they should be responsible for deciding which external auditor to hire. In general, they become an independent source of protection of the entity's assets from a variety of risks, in whatever fashion is appropriate. See Exhibit 3.17 for a list of audit committee oversight areas, based on a study by Financial Executives International (FEI).

Exhibit 3.17: Audit Committee Oversight Areas, In Order of Importance

1. Key areas of business and financial risk
2. Tone at the top/code of ethics
3. Internal controls and systems
4. External audit activity and relationships
5. Periodic financial reporting, including financial and accounting policies
6. Internal audit activity
7. Key personnel selection for critical financial/control positions

Certain historical events remind managers, board members, auditors, and other stakeholders of the risks that exist even for those businesses that seem to be immune to fraud. These events also show the need for effective audit committees. Enron proved that large companies with billions of dollars in assets can go bankrupt under the noses of well-intended board members. Enron had $10 billion book value, $60 billion market value, and $1 billion in profits in its latest financial reports that were "not materially misstated," according to its external auditor, Arthur Andersen. Enron had an audit committee made up of distinguished members with financial accounting pedigrees. Yet this large firm went bankrupt once it booked a $600 million entry to revise its earnings in late 2001.

In 1998, COSO issued a report, "Landmark Study on Fraud in Financial Reporting," covering 10 years and 200 randomly selected cases of alleged financial fraud investigated by the SEC from 1987 to 1997. The 200 randomly selected cases make up about two-thirds of all the SEC probes into fraud during the time period. The results of the study provide valuable information for any organization in protecting against fraud, but it is especially valuable in developing audit committees because of its applicability. The study develops several common factors about the companies (see Exhibit 3.18).

Exhibit 3.18: Commonalities of Fraud Entities from COSO Study

- Smaller firms
- Lack of experience in board members
- Lack of independence of audit committee/board members
- Absence of audit committee or infrequent audit committee meetings
- Likelihood of involvement of executive managers in financial fraud
- Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
- Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you cannot depend on your external auditors to detect fraud based on their size)
- Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies involved; the average misstatement or misappropriation was $25 million

A model of attributes is presented based on the existing standards, SEC rules, and the COSO fraud report (see Exhibit 3.19). The model attributes include independence, competence, organizational structure, leadership, and a proactive approach.

Exhibit 3.19: Model of Attributes for Effective Audit Committee

- Independence (outside directors)
- Competence (knowledge and understanding of accounting, auditing, and internal controls; critical thinkers)
- Organizational Structure (reporting channels direct from internal audit function, external auditors, whistle blowers)
- Leadership (active, strong, decisive chair)
- Proactive Approach

Audit committees need to be independent of management and even other board members in order to effectively assess events, accusations, and risks. The main ingredient for effective independence is skepticism. Outside directors make it easier to provide both an appropriate degree of skepticism and independence. Members should also be competent. The entity should consider looking for outside directors, and locate people who are well qualified in the areas of financial accounting, auditing, internal controls, and risk assessment/management. But competence should also include critical thinking skills. Audit committee members need to be able to sort through facts, exhibits, and circumstances to ascertain possible questionable areas. They also need to ask tough questions and foresee situations that contain high risk. Lastly, competence also includes experience; that is, experience being a board member for other organizations. Preferably experience also means experience as either a member of an audit committee or similar experience in auditing, security, risk, or internal controls.
Thus a member of the audit committee should probably be the most seasoned of the members of the board. However, one recent study [25] revealed just the opposite:

Unlike their counterparts, audit committee directors, for the most part, had served on significantly fewer other committees and for a shorter period of time on the corporate board, which implied they were mere "babes in the woods."

The organizational structure of the committee is also important. Some firms allow any employee to contact the audit committee anonymously to report suspicious behaviors, fraud, or illegal financial activities. Such a committee therefore serves as an ethics committee for financial reporting, fraud, and security (see item 2 in Exhibit 3.17). Whatever management can do to encourage reporting of these events and behaviors should be done. The audit committee will then have the opportunity to possibly identify fraudulent activities before they adversely affect the firm.

Leadership refers to the chair of the audit committee. As in most committees, the chair sets the tone for the activities, approach (proactive vs. reactive), and behaviors of the group. The chair needs to be active (proactive), strong (a capable leader and competent audit committee member), and decisive. These attributes identify any good leader, but are essential for the audit committee to be effective.

Lastly, the audit committee needs to be proactive. The recent study by the FEI mentioned earlier shows that more than half of the respondents polled (chief financial officers and corporate controllers) felt that the audit committee needed to be more proactive. The same report suggests that audit committees need to challenge management assumptions and ask tough questions. Coca-Cola Company has a good set of such questions [26] that illustrate a proactive approach, questions the company's board asks the IA function each year:
- Are there any significant accounting judgments made by management in preparing the financial statements that would have been made differently had the auditors themselves prepared and been responsible for the financial statements?
- Based on the auditors' experience, and their knowledge of the Company, do the Company's financial statements fairly present to investors, with clarity and completeness, the Company's financial position and performance for the reporting period in accordance with GAAP and SEC disclosure requirements?
- Based on the auditors' experience, and their knowledge of the Company, has the Company implemented internal controls and internal audit procedures that are appropriate for the Company?

The model of attributes should empower the audit committee to serve its entity effectively in protecting the assets, inspecting suspicious behaviors or activities, ensuring the integrity of financial reports, and generally managing risks. There is also a list of attributes or situations to avoid: those that were common to the cases of financial fraud in the COSO study. The study mentioned that one consistent factor with the fraud cases was the absence of an effective audit committee. Often board members were neither independent (e.g., related to executives or owners) nor capable of dealing with audits and internal controls. Together, these two lists (Exhibits 3.18 and 3.19) will hopefully assist internal auditors in providing input into the board's decision about its audit committee, and in providing information on how to effectively interact with the audit committee. One of the most effective techniques against fraud or crime is an internal audit function with a direct connection to an audit committee on the board, where such committee members are able to understand and respond to audit evidence, reports, or internal control weaknesses. (See Section 9.2 for additional information on audit committees.)

ii. Information Technology Governance

Information technology governance is similar to corporate governance in its objectives and is a prime service of ISACA. That organization defines IT governance as:

the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

The more an organization relies on IT, the more IT governance is necessary; or put another way, IT governance becomes an integral part of corporate governance. The objectives of IT governance are to (1) understand the issues and the strategic importance of IT, (2) ensure that the enterprise can sustain its operations, and (3) ascertain it can implement the strategies required to extend its activities into the future. The primary goal is to ensure that expectations for IT are met and IT risks are mitigated. IT governance should address the following:

- Appropriate and adequate business and IT performance measures
- Appropriate and adequate business and IT outcome drivers
- IT strategic and alignment issues
- Best practices in IT governance
- Questions boards and management should ask

Questions such as "Is IT doing the right things?" "Are they doing them the right way?" "Are they being done well?" and "Is the enterprise actualizing benefits from IT activities?" should be answered by IT governance processes. IT governance should also lead to a structure through which the entity's overall objectives are set, the method of attaining those objectives is outlined, and the manner in which performance will be monitored is described. One performance measurement system being used is Balanced Scorecard (see Chapter 9). Evidence of the need for IT governance is the number of chief executives who have criticized the benefits of IT. [27] To promote IT governance, ISACA sponsors the IT Governance Institute and provides various support documents and services. [28] This organization also promotes CobiT as another tool that assists management in IT governance.

e. Logs and Auditability


The last control activities area is that of logs. The more an enterprise is dependent on systems, automation, and computers, the more invisible audit trails tend to become. Therefore, it is imperative that the internal control system has an adequate degree of controls related to electronic audit trails. One effective control is the implementation of computer logs. Detailed computer logs should be evaluated (i.e., are they necessary, and how detailed should the data be) for access and log-in to the system, access and use of applications, access and use of data, changes to data, changes to applications, and changes to the operating system. When electronic logs cannot be generated, paper ones should be considered (e.g., changes in an application). If the entity is connected to the Internet, logs become even more important. Logs should be used to track data such as sites visited, files downloaded or uploaded, time spent on the Internet, etc. Sites visited could reveal access to illegal sites, and have in the past (e.g., child pornography). Files downloaded could reveal viruses, hacking tools, illegal software, or other types of files that are contrary to organizational policy or federal regulations. Hacking tools might be an indication of an employee preparing to hack into the organization's system. Logs should be developed and implemented that will assist in safeguarding assets and ensuring compliance with policy (e.g., computer usage). Logs are the enforcement control for policy, but the entity needs to make sure employees are told such actions are being recorded, and even have employees sign policies that have this form of enforcement (e.g., e-mail policy).
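The paragraph above says Internet usage logs are the enforcement control for the computer-usage policy, but it does not show what a review of such a log looks like. The following is an added example, written for this edition of the text and not taken from the procedures manual or any product: it parses a few constructed proxy-style log lines (timestamp, user, method, URL, bytes) and flags the three things the text calls out, files downloaded, files uploaded, and time of use, against policy rules that are assumptions for the example.

```python
"""Added example (not part of the procedures manual): reviewing Internet
usage logs against a computer-usage policy.  The log format, field names,
policy thresholds and sample lines below are all assumptions/constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <user> <method> <url> <bytes>".
SAMPLE_LOG = """\
2023-03-01T09:12:04 jdoe GET http://intranet.example/reports/q1.pdf 120433
2023-03-01T09:40:11 jdoe GET http://example.org/tools/netscan.exe 2048111
2023-03-01T02:15:30 asmith POST http://share.example/upload/customers.csv 9830000
2023-03-01T10:03:51 asmith GET http://news.example/story.html 5120
2023-03-01T10:05:22 bjones GET http://example.org/tools/netscan.exe 2048111
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

# Policy rules (assumed for the example; a real entity takes them from its
# signed computer-usage policy, as the text recommends).
BLOCKED_EXTENSIONS = (".exe", ".msi", ".scr")   # executable downloads
UPLOAD_LIMIT_BYTES = 5_000_000                    # large outbound uploads
BUSINESS_HOURS = range(7, 20)                     # 07:00 to 19:59


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, method, url, nbytes = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "method": method, "url": url, "bytes": int(nbytes)}


def review_log(text):
    """Walk the log once and return (finding_kind, user, detail) tuples.

    Malformed lines are reported too: a log that cannot be read is itself a
    control weakness, so the reviewer must see them rather than skip them."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(("UNPARSED", None, raw))
            continue
        path = rec["url"].lower()
        if rec["method"] == "GET" and path.endswith(BLOCKED_EXTENSIONS):
            findings.append(("EXECUTABLE_DOWNLOAD", rec["user"], rec["url"]))
        if rec["method"] == "POST" and rec["bytes"] > UPLOAD_LIMIT_BYTES:
            findings.append(("LARGE_UPLOAD", rec["user"], rec["url"]))
        if rec["time"].hour not in BUSINESS_HOURS:
            findings.append(("OFF_HOURS", rec["user"], rec["url"]))
    return findings


def findings_by_user(findings):
    """Group finding kinds per user, the view a supervisor would review."""
    out = defaultdict(list)
    for kind, user, _detail in findings:
        if user:
            out[user].append(kind)
    return dict(out)


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f)
```

The review is deliberately rule-based and explainable: each finding names the policy rule it came from, which is what an auditor needs when the log is used as evidence that an employee breached a policy they signed.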

f. Segregation of Duties
Another primary objective of internal controls is the effective use of segregation of incompatible duties. This proven technique for designing internal controls, policies, and especially organizational structures was developed by accountants and auditors. Three rules to observe are to separate transaction authorization from transaction processing, record-keeping from asset custody, and any series of transaction processing steps such that a collusion of individuals would be necessary to commit fraud. Where segregation of duties is not feasible, management should compensate by adding adequate supervision. For example, one large tire reseller did not segregate duties. Because the firm had several locations, it made use of a central tire warehouse. There was no security at the warehouse, and all salespersons had a key to it. One salesman stole tires, drove to a nearby city, sold them to an acquaintance, and covered his tracks with credit memos and phony invoices. No one suspected him, even though 75% of all credit memos came from one individual (proof that management must review reports). The custody of the tires should have been segregated from record-keeping of tire transactions (i.e., the sales force), and authorization of the credit memos should have been separated from the processing. (See "Physical Controls" in this chapter for more information.)
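The three rules above (authorization vs. processing, record-keeping vs. custody, and no single person holding a whole chain of processing steps) can be checked mechanically against a list of who holds which duty. The block below is an added example written for this edition, not the manual's own procedure: the duty names, the rule table and the sample assignments (which mirror the tire reseller case) are assumptions, and the "compensating control" step models the text's advice that where segregation is not feasible, supervision must be added.

```python
"""Added example, not from the procedures manual: checking role
assignments against the three segregation-of-duties rules in the text.
Duty names, chains, and the sample assignments are assumptions."""
from itertools import combinations

# Each duty is classified into one of the four categories the text separates.
DUTY_CLASS = {
    "authorize_credit_memo": "authorization",
    "issue_credit_memo": "processing",
    "record_tire_sales": "record_keeping",
    "warehouse_key": "custody",
    "approve_vendor": "authorization",
    "pay_vendor": "processing",
}

# Rule 1: authorization vs. processing.  Rule 2: record-keeping vs. custody.
INCOMPATIBLE_CLASSES = {
    frozenset({"authorization", "processing"}): "authorization combined with processing",
    frozenset({"record_keeping", "custody"}): "record-keeping combined with asset custody",
}

# Rule 3: a series of processing steps that one person must not hold end to end.
PROCESS_CHAINS = {
    "credit_memo": ("authorize_credit_memo", "issue_credit_memo", "record_tire_sales"),
    "vendor_payment": ("approve_vendor", "pay_vendor"),
}

# Constructed assignments; "salesman" is the tire-warehouse case from the text.
ASSIGNMENTS = {
    "salesman": {"warehouse_key", "record_tire_sales",
                 "authorize_credit_memo", "issue_credit_memo"},
    "clerk": {"record_tire_sales"},
    "buyer": {"approve_vendor"},
    "ap_clerk": {"pay_vendor"},
}


def find_conflicts(assignments):
    """Rules 1 and 2: return {user: [reason, ...]} for every incompatible pair."""
    conflicts = {}
    for user, duties in assignments.items():
        reasons = []
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({DUTY_CLASS[a], DUTY_CLASS[b]})
            if pair in INCOMPATIBLE_CLASSES:
                reasons.append(f"{a} + {b}: {INCOMPATIBLE_CLASSES[pair]}")
        if reasons:
            conflicts[user] = reasons
    return conflicts


def single_person_chains(assignments):
    """Rule 3: chains where one person holds every step, so no collusion is needed."""
    out = {}
    for name, steps in PROCESS_CHAINS.items():
        holders = sorted(u for u, d in assignments.items() if set(steps) <= set(d))
        if holders:
            out[name] = holders
    return out


def unmitigated(conflicts, supervised):
    """Conflicts are tolerable only where a named supervisor reviews that user's work;
    anything left here needs either re-assignment or a supervision control."""
    return {u: r for u, r in conflicts.items() if u not in supervised}


if __name__ == "__main__":
    c = find_conflicts(ASSIGNMENTS)
    print("rule 1/2 conflicts:", c)
    print("rule 3 chains held by one person:", single_person_chains(ASSIGNMENTS))
    print("still unmitigated:", unmitigated(c, supervised=set()))
```

Run against the tire reseller's assignments the checker produces both findings the text draws from the case: the salesman combines custody (warehouse key) with record-keeping, and authorization of credit memos with their processing; he also holds the whole credit-memo chain alone.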

g. Investigation Procedures
Management must also consider what specific procedures should be employed to protect against internal threats. Key positions, including executives, may require a background search.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.8   REV NO:   DATE:   PAGES:
TITLE: Malicious Activities

[16] See www.cert.org.
[17] See www.securityfocus.com.
[18] See www.incidents.org.
[19] BIND is one of the name services on the Internet, typically on Unix, Linux, etc.-based systems, though Windows XP does support BIND now.
[20] See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).
[21] The information for this paragraph came from a web page at The Internet Storm Center's web site. The page is located at www.incidents.org/isw/iswp.php.
[22] See www.incidents.org.
[23] Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC site www.sec.gov for clarification.
[24] SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.
[25] Nikos Vafaes, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20, No. 1 (March 2001).
[26] Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the AAA, August 13, 2001.
[27] For example, Jack Welsh, former chairman of General Electric, said, "IT has been the longest running disappointment in business in the last 30 years." World Economic Forum, 1997.
[28] See www.itgi.org.

3.8 Malicious Activities


A brief description of aspects of malicious activities will assist in the development of effective specific controls. Areas to consider are computer crime, theft/financial fraud, and unauthorized access.

a. Crime and Misappropriation of Assets


Computer crime is becoming popular among those with a criminal mind. The average dollar value of a computer crime is far greater than the average dollar taken in a bank robbery. But just as important, internal auditors need to understand the subtle differences between various attackers and thieves as well as typical profiles of these perpetrators. Almost all of these crimes are driven by (1) opportunity (control weakness), (2) pressure (e.g., cash flow problems), and (3) rationalization.

i. Types of Crimes

Crimes associated with the theft of assets typically are carried out by employees. These frauds are conducted by employees who have some pressure to steal (personal cash flow problems), accompanied with weak personal ethics. If a weakness exists in the controls, the temptation can become too great for the employee to resist stealing from the organization. The rationalization is often that either the employee works hard and deserves the extra money, or he/she is "borrowing" the money and plans to repay it. One typical area for fraud and theft is performance bonuses. Such tactics can become the impetus (pressure) mentioned earlier, and the rationalization; and if accompanied by weak personal ethics and an exposure, the result can be fraud and theft.

Another crime is financial fraud. By its very nature, it is virtually limited to executive management. Management can come under pressure by such circumstances as economic problems in the firm (poor performance of stock on the open market). Because of management's position, they are always in the position to have opportunity; that is, they can override controls. The pressure to perform can be rationalized as "perform at any cost" and lead to financial fraud.

Lastly, there are those who break in from the outside (see below). Some of these attackers come to steal, kill, and destroy. Others come to play, possibly bringing a system down and making it unavailable. But all cause damages and bring about costs. As such they are considered computer crimes (e.g., the laws against spamming).

ii. Types of Criminals

Criminals can be broken down into different groups with specific profiles. The description of crimes includes a profile of the employee or manager who might commit a crime. The following describes the outside criminals. According to President Bush's Commission on Critical Infrastructure Protection, an estimated 19 million people worldwide have the skills to engage in malicious hacking. [29] The profile of the authors of the typical DDoS (and other Internet security incidents) is a male, 13 to 15 years old, with a lot of computer intelligence (neon hair and body piercing optional!). They usually begin malicious activities early. For example, Mixter (a self-proclaimed "white hat") started learning computers at six and malicious activity at 14.

One way to think of the group of people who break into Internet systems is to subdivide it by the objectives of the person: the groups are technically known as hackers, crackers, and script kiddies. The true "hacker" (sometimes referred to as a "white hat" [30]) actually tries to do service to the Internet community. Hackers look for vulnerabilities and weaknesses, and then communicate the "hole" to the entity. These people enjoy the intellectual challenge of their activities, and are technically defined as "hackers." [31] Even then, there are rogues in this group. A contract employee at Intel went beyond the scope of his work, for which Intel dismissed the white hat employee and had him arrested. Traditionally, "hacker" was a term that carried a positive connotation, a badge of honor regarding one's technical expertise. Then why is the popular press always referring to the "bad guys" as hackers? Because of the media's ignorance of the technical definitions. These people are actually "crackers" [32] (sometimes referred to as "black hats") whose intent is to steal or destroy. So although hacker and cracker are often used interchangeably, they are in fact technically different sub-groups. It is the cracker who writes malicious code such as DDoS. The term "script kiddie" refers to young computer enthusiasts who usually download the malicious code (e.g., viruses, DDoS) generated by crackers, rather than author it, and conduct mischievous exploits on unsuspecting entities, resulting in systems havoc. Most are not necessarily malicious, just bored. They are similar to street gangs, having created a way to tag the Internet (viral code), having invented their own form of graffiti (web site defacements), and having fought gang wars online (using thousands of remote PCs controlled by Internet Relay Chat (IRC) bots). [33]
One example is a female (rare among script kiddies) from Belgium who authored Sharpei, one of the first .Net viruses. She says writing these viruses and DDoS programs is "a form of art, just like other hobbies. Also, it's a fun way to practice programming." This statement reflects the attitude, and demonstrates the problem, with DDoS attackers. They do not see any real harm to their victims and are in it for the personal pleasure it brings.

b. Unauthorized Access and Authentication


Access control systems are used to authenticate and verify, usually by using one of three basic approaches to security: (1) something you have, (2) something you know, and (3) something you are. [34] Specific controls range from access cards/readers (something you have), to passwords or PINs (something you know), to biometrics (something you are). The more risk that exists, the greater the need to consider a multi-faceted access control system in order to maintain adequate security.

The most general authentication, authorization, and verification controls are password systems, firewalls, and occasionally access cards or biometrics. The weakness of the former two security methods is that they have been compromised, and intruders have caused great harm and significant financial losses. The latter approach, biometrics, has the potential to provide the greatest level of security because it involves something you are, and because it can be more reliable than passwords or firewalls, especially stand-alone password or firewall systems.

There is a difference between verification and identification. Verification is the process of confirming that the person carrying the token (badge, card, password, etc., which is the claim of identity) is the rightful owner of the token. Identification, on the other hand, is the recognition of a specific individual from among all the individuals enrolled on the system. Ideally, access control systems would do both.

Passwords are the first line of defense in authenticating access to systems and data, and serve as a reasonably effective preventive system. One strategy is to create multi-faceted passwords, especially where remote access is frequent or e-commerce is employed. One current sophisticated approach is to generate password PINs over very short time frames, sometimes less than a minute. When remote users log in, they check a beeper for the most recent PIN and can only log in with both their password and the dynamic PIN.

Another strategy is to combine passwords with network administration such that a matrix is developed for access. The columns are fields, files, or other data elements. The rows are users. The cells are accessibility: read-only (RO), read/write (RW), or none. This matrix approach minimizes the exposure of data to internal users, narrowing authorization and access. (See Exhibit 3.8 for a password model to assist in developing the access control system.)

Although they appear to be much less expensive than biometric systems, password systems can still cost an organization. This cost usually happens in two ways: passwords that are forgotten and passwords that are stolen. The former requires time and resources to reset passwords. The latter is a security breach and can be much more costly if the system is compromised. Since the human brain is not a perfect storage system when it comes to complicated and long letter-number combinations, the more sophisticated passwords might be forgotten. In such situations, the password needs to be reset and a new password must be created. According to Mandylion Research Labs, resetting a password security system of a company with 100 workers would cost $3,850 per year. If the company has 1,000 authorized personnel, the same process would cost up to $38,500 per year!

For remote access, one control might be the use of call-back systems. If remote access is stationary (i.e., the same person always accesses the system from the same phone), then this technique works well. Once a user logs in from a remote location, the system hangs up the line and calls back on a pre-determined phone number. Where call-back systems are impractical, multi-faceted password systems should be employed, perhaps including biometrics.

The most common biometric devices used for access control are fingerprint scanners, although facial and iris scanners and voice recognition systems are increasing in use. [35] Fingerprint scanners come in a variety of formats, from stand-alone devices to readers built into keyboards and mice. They are unobtrusive, inexpensive, and, essentially, they work. For example, the public benefits administrators in Texas and New York claim fingerprint identification has virtually eliminated fraud in their programs. [36] But of all types of biometrics available, the most practical (the best solution) for access control appears to be fingerprint recognition or keystroke recognition biometric systems. Keystroke recognition systems are trained to recognize the unique features of a person entering his/her password. Because it is only software, it is less expensive and easier to operate than fingerprinting and other biometrics. The fingerprint option should be considered as part of a smart card plus fingerprint plus password method (versus a stand-alone fingerprint system) if the risks warrant such a sophisticated access system. This system would provide a high level of reliability with a high level of user acceptance, and a relatively low level of cost. They are also readily available in the market.

Of special importance is the emerging trend toward integration of biometrics into networks and systems. More time is being spent on integrating biometrics into existing processes and applications, where feasible and applicable, and into network access control systems. Biometric systems are being relegated as a commodity item, and this progression leads to a potentially enhanced level of interoperability, something the biometric industry needs. In recent months, an increasing number of devices, such as notebook computers and computer keyboards, now come equipped with integral biometric fingerprint readers, and some with smartcard readers as well, plus several variants of biometric mice. [37] This area provides a lot of promise for all concerned with InfoSec.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 3.9   REV NO:   DATE:   PAGES:
TITLE: Specific Controls/CAATTs

[29] According to Computer Emergency Response Team. See "Combating Cyberthreats: Partnership Between Public and Private Entities," E. Lee, Information Systems Control Journal, Vol. 3, 2002.
[30] They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific domain, specific time frame), and (d) they have an engagement letter to conduct the pen test.
[31] See technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.
[32] See technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to safe crackers.
[33] According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.
[34] Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.
[35] "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.
[36] Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.
[37] Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58-63.

3.9 Specific Controls/CAATTs

One resource for internal auditors in developing an effective internal control system is proven controls and CAATTs, which includes people, techniques, and models. People would include the use of experts and professionals in the IA function, whether the corporation has a separate internal audit department, outsources the function, or relies on external auditors for the function. Regardless, management should make sure someone or some group is responsible for the internal audit tasks, primarily the design, development, implementation, and examination of the corporate internal control system. Management should require an appropriate certification of those to whom it entrusts its internal controls system. Some applicable certifications include: Certified Internal Auditor (CIA from IIA), Certified Information Systems Auditor (CISA from ISACA), Certified Information Technology Professional (CITP from AICPA), Certified Information Systems Security Professional (CISSP from International Information Systems Security Certification Consortium, ISC2), and Global Information Assurance Certification (GIAC by SANS Institute). Proven techniques include some already mentioned, such as an audit committee made up of qualified people who are independent of owners and executive management.

a. Monitoring Systems
One of the best detective tools is a good monitoring system. Examples are intrusion detection systems, passive logs, and traffic monitors. Intrusion detection systems are designed to detect crackers or hackers as they try to gain unauthorized access to the company's system. Steve Gibson reported 500,000 attempts a day detected at his site when a 15-year-old hacker got mad at him. [38] His intrusion detection system worked better than most because he is an elite expert, but he wrote an open letter to hackers and admitted that his system could not withstand a direct ongoing assault by hackers. Traffic monitors provide information to technical staff that will indicate adverse activity such as a denial of service attack. They simply graph certain technical aspects of Internet activities and traffic, and visually indicate potential problem areas. The Internet storm watcher is one example of a broader monitoring system, monitoring activity of the Internet as a whole. Passive logs can provide data that could help detect or correct adverse attacks after the fact.

b. Firewalls
Any server connected to the Internet should also have a firewall as a preventive scheme. A firewall is one or more elements such as software, hardware, or techniques that inhibit unauthorized activities from external users. A variety of firewall defenses can be assimilated, and should be done so with the level of risk in mind. The higher the risk probability and cost, the more complex and expensive the firewall needs to be.

c. Generalized Audit Software


Using generalized audit software (GAS), such as ACL, IDEA, PanAudit Plus, and others, has proven to be of immense value for internal auditors in detecting irregularities and fraud in computer systems. Audit software is also valuable in auditing operations. Using GAS and CAATTs is more than extracting data, dumping the data into a spreadsheet, sorting the data, producing a report (information), and manually reviewing the paper copy. CAATTs use these steps as the precursor to the real work: the critical analysis of data. Using GAS can bring both effectiveness (quality of the audit) and efficiency (significant productivity increases) to the IA function, and indeed has for many IA shops. One of the major benefits is the fact that auditors are able to examine all of the records, not just a sample. To use CAATTs or GAS, the internal auditor should follow these steps:

1. Set the audit objectives.
2. Meet with the owner of the data and a programmer.
3. Formally request the data.
4. Create or build the input file definition of the GAS.
5. Verify data integrity for the data imported.
6. Gain an understanding of the data.
7. Analyze the data.

In the fifth step, verify data integrity, it is helpful to ask for a printout of the first 100 records along with the data. Once the data is fully imported and ready, a review of these 100 records can establish some reasonable reliability of the data set. The use of batch controls is very useful for this purpose, especially if the auditor can establish those controls from the live data. In the sixth step, this understanding can generally be gained by running some standard overview commands such as COUNT, STATISTICS, CLASSIFY, STRATIFY, and so on, on the data set. An internal auditor might run these types of tests:

- Reasonableness
- Completeness
- Gap
- Duplication
- Period-to-period (trends)
- Regression analysis
- Statistical analysis
- Transaction matching
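To make steps 5 through 7 concrete, here is an added example written for this edition rather than taken from the manual or from any GAS product: the batch-control check of step 5, the COUNT/STATISTICS and CLASSIFY overview of step 6, and the gap and duplication tests of step 7, run in plain Python over a constructed credit-memo extract. The record layout is an assumption; the data is built so that, as in the tire reseller case earlier in the chapter, one salesperson accounts for 75% of all credit memos.

```python
"""Added example (not from the procedures manual): GAS-style overview
commands and tests over a constructed credit-memo extract.
Field layout, thresholds and records are assumptions."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed extract: (memo_no, salesperson, amount).  Memo 1002 is entered
# twice and 1004 and 1007 are missing, so the gap and duplicate tests fire.
CREDIT_MEMOS = [
    (1001, "salesman_a", 450.00),
    (1002, "salesman_a", 300.00),
    (1002, "salesman_a", 300.00),
    (1003, "salesman_b", 120.00),
    (1005, "salesman_a", 800.00),
    (1006, "salesman_a", 275.00),
    (1008, "salesman_c", 90.00),
    (1009, "salesman_a", 650.00),
]


def overview(records):
    """COUNT / STATISTICS: the first look at an imported data set."""
    amounts = [amt for _, _, amt in records]
    return {"count": len(records), "total": sum(amounts), "min": min(amounts),
            "max": max(amounts), "mean": mean(amounts)}


def verify_batch_control(records, expected_count, expected_total, tolerance=0.005):
    """Step 5: agree the imported file to control totals taken from the live system."""
    stats = overview(records)
    return (stats["count"] == expected_count
            and abs(stats["total"] - expected_total) <= tolerance)


def classify(records):
    """CLASSIFY: count, total and share of memos per salesperson."""
    counts, totals = Counter(), defaultdict(float)
    for _, person, amt in records:
        counts[person] += 1
        totals[person] += amt
    n = len(records)
    return {p: {"count": c, "total": totals[p], "share": c / n}
            for p, c in counts.items()}


def concentration_flags(records, threshold=0.5):
    """Reasonableness: anyone issuing more than `threshold` of all memos.
    The threshold is an assumption; in the tire case one person had 75%."""
    return [p for p, s in classify(records).items() if s["share"] > threshold]


def find_gaps(records):
    """Gap test: memo numbers missing from the sequence (completeness)."""
    present = {no for no, _, _ in records}
    lo, hi = min(present), max(present)
    return [n for n in range(lo, hi + 1) if n not in present]


def find_duplicates(records):
    """Duplication test: memo numbers that appear more than once."""
    c = Counter(no for no, _, _ in records)
    return sorted(n for n, k in c.items() if k > 1)


if __name__ == "__main__":
    print(overview(CREDIT_MEMOS))
    print("batch control agrees:", verify_batch_control(CREDIT_MEMOS, 8, 2985.00))
    print("by salesperson:", classify(CREDIT_MEMOS))
    print("concentration:", concentration_flags(CREDIT_MEMOS))
    print("gaps:", find_gaps(CREDIT_MEMOS), "duplicates:", find_duplicates(CREDIT_MEMOS))
```

Note that the batch-control check is a comparison against totals the auditor obtained independently from the live system; a total computed from the extract alone proves nothing about whether the extract is complete.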

d. Other Potential Controls/CAATTs


Other CAATTs include the following, which is not an exhaustive list, and some of which have been discussed previously in this chapter:

- Embedded audit modules
- Artificial neural networks
- System development life cycle
- Librarian
- Passwords
- Biometrics
- Intrusion detection system
- Firewalls
- Anti-virus software
- Digital certificates
- Digital signatures
- Encryption
- Proposed XBRL system
- Disaster recovery plan/business recovery plan (see Exhibit 3.10)
- Incident response plan
[38] Steve Gibson is the founder of Gibson Research Corporation, frequent writer and speaker on high-tech topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker and his report of the incident at his corporate web site: www.grc.com.
References
Colbert, Janet L. and Paul L. Bowen. "A Comparison of Internal Controls: CobiT, SAC, COSO, and SAS 55/78," ISACA at www.isaca.org/bkr_cbt3.htm.
Committee on Sponsoring Organizations, www.coso.org.
Schneider, Gary P. and James T. Perry. Electronic Commerce, 2000, Course Technology: Stamford, Conn. (2 2 security overview, Exhibit 3.1).
Information Systems Audit and Control Association, www.isaca.org.
Institute of Internal Auditors, www.theiia.org.
Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing (SPPIA), www.theiia.org/ecm/guide-stand.cfm?doc_id=124.
Hall, James. Information Systems Auditing and Assurance, 2000, South-Western College Publishing.
Singleton, T. "An Empirical Investigation of IS Audits and Software Piracy," Information System Audit & Control Journal, Vol. VI, 1997, pp. 32-41.
Singleton, T. "Stop Fraud Cold With Powerful Internal Controls" (Building an Internal Control Environment to Enhance Corporate Strategies), Journal of Corporate Accounting and Finance (Wiley), Vol. 13, Issue 4 (May/June 2002), pp. 29-39.
Singleton, T. "Effective Audit Committees for Cooperatives: Part I, What, Why and How," The Cooperative Accountant, Summer 2002, pp. 22-30.
Singleton, T. "Managing the Most Critical Internet Security Vulnerabilities: One Effective Approach," EDPACS, Vol. XXX, No. 2 (August 2002), pp. 1-11.
Singleton, T. "Managing Distributed Denial of Service Attacks," EDPACS, Vol. XXX, No. 5 (November 2002), pp. 7, 9-20.
Singleton, T. "Biometric Security Systems: The Best InfoSec Solution?," EDPACS, forthcoming (January or February 2003).

Endnotes
1. See www.coso.org.
2. See www.isaca.org/cobit.htm.
3. This paragraph is from the ISACA web page on CobiT at www.isaca.org.
4. See www.isaca.org.
5. An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.
6. See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.
7. See www.cert.org/present/cert-overview-trends/module-6.pdf.
8. SAS No. 78 revised SAS No. 55 on the same topic.
9. See www.cert.org.
10. See www.sans.org.
11. See www.securityresponse.symantec.com/avcenter or www.norton.com.
12. See www.ciac.org/ciac (U.S. Department of Energy).
13. See www.securityresponse.symantec.com/avcenter/ or www.norton.com.
14. See www.cert.org.
15. See www.securityfocus.com.
16. See www.incidents.org.
17. BIND is one of the name services on the Internet, typically run on Unix, Linux, and similar systems, though Windows XP does support BIND now.
18. See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).
19. The information for this paragraph came from a web page at the Internet Storm Center's web site, located at www.incidents.org/isw/iswp.php.
20. See www.incidents.org.
21. Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC site www.sec.gov for clarification.
22. SEC Release No. 34-42266, File No. S7-22-99. See www.sec.gov/rules/final/34-42266.htm.
23. Nikos Vafeas, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20, No. 1 (March 2001).
24. Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the AAA, August 13, 2001.
25. For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running disappointment in business in the last 30 years." World Economic Forum, 1997.
26. See www.itgi.org.
27. According to the Computer Emergency Response Team. See E. Lee, "Combating Cyberthreats: Partnership Between Public and Private Entities," Information Systems Control Journal, Vol. 3, 2002.
28. They are called "white hats" because (a) they have obtained prior permission to "hack"; (b) hacking is part of their job description and they are an employee; (c) they have a contract to conduct a pen test (specific domain, specific time frame); and/or (d) they have an engagement letter to conduct the pen test.
29. See the technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.
30. See the technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to safe crackers.
31. According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.
32. Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.
33. "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.
34. Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.
35. Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58-63.
36. Steve Gibson is the founder of Gibson Research Corporation, a frequent writer and speaker on high-tech topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker and his report of the incident at his corporate web site: www.grc.com.


Part II: Management and Administration


Chapter List
Chapter 4: Department Organization
Chapter 5: Personnel, Administration, and Recruiting

Chapter 4: Department Organization


Overview
SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 4.1    REV NO:    DATE:    PAGES:
TITLE: Introduction

4.1 Introduction
In order to achieve the goal of a world-class internal audit (IA) organization, standardized procedures must be developed and followed by the staff. Setting high standards will ensure that your department's work will be of sufficient quality to satisfy your mission and enable reliance by your independent auditors. Development of each auditor's individual professionalism can be greatly enhanced by understanding the company's expectations and being evaluated on compliance with approved departmental procedures.

a. Strategic Objectives
Internal audit consists of people and procedures. In order to maximize the productivity of a group, the group needs a mission and consistent procedures to attain departmental goals. This procedures manual, and this chapter in particular, provides a place to state the department mission and document departmental procedures to attain that mission. All organizations need a mission. They also need goals, short-term and long-term, that can be linked directly to the mission of the organization. Other elements of management include feedback and mentoring, resources and training, and rewards. These elements can all be documented in a procedures manual.

i. Mission Statement

While each organization will need to personalize its own mission statement, the following is a general statement that might apply or could be modified to apply:

The internal audit department will enhance corporate viability and/or profitability by providing management with expertise in developing and maintaining an effective control environment, conducting efficient and effective audits, and building a quality IA department that will contribute to the corporate mission.

From the mission statement, the IA department (in conjunction with management) should establish strategic objectives to reach the mission. One example is:

The department will strive to achieve world-class procedures and quality of services by adhering to professional standards, best practices, and proven quality improvement techniques.

Another example is the actual mission statement of JPMorganChase, from the merger on December 31, 2002:

The General Auditor and his global team are the Corporation's independent control assessment function, accountable for providing the Audit Committee, the Chairman, senior management, and regulators with reasonable assurance that the system of internal control achieves its objectives. Auditing's mission is to foster a continuous self-checking control environment in partnership with senior management to identify opportunities to ensure the adequacy of the risk management and internal control processes. Auditing's primary objective is to identify emerging issues, detect control deviations, and track management's corrective actions.

Long-term and short-term goals should be linked to the mission statement. Mission statements are critical components of most quality improvement programs (see Section 9.4). Therefore, it is obvious that the first step in establishing the internal audit department is to develop an appropriate mission statement.

ii. Why a Procedures Manual

The mission statement, objectives, goals, and procedures of the internal audit department need to be documented in such a way that the resulting document can be used as a reference manual. Auditor and manager turnover is unavoidable. An appropriate manual will allow for smooth transitions. It will also document answers to questions about issues such as travel and other policies. But it is also a dynamic entity, and should be updated with a conscientious approach to being current, correct, and consistent (e.g., with professional standards, with itself, and with corporate policies and goals).

iii. Major Challenges of the Department

We have said that internal auditing involves people and procedures. In most cases, the procedures involve reviewing and evaluating controls, efficiency, effectiveness, and other aspects of the business. Efficiency generally relates to measures of operations or delivery of services, especially as a ratio of inputs to outputs. Effectiveness is a measure of how well the organization meets its goals. Effectiveness usually focuses on strategy and improvements to decision making. The review process creates at least two factors for audit management to consider. The first is the difficulty in measuring internal audit productivity, and the second relates to the potentially negative nature of the auditing business. Both of these factors must be addressed in a progressive internal audit department. Auditor productivity requires the development of a proactive spirit, a high degree of professionalism, and measurement techniques, including budgets and time reporting. The methodology contained in this manual includes a conscientious attempt to address all of these areas. Budgets are important. Time reporting, although a laborious task, is necessary to properly analyze productivity. A proactive spirit and professionalism must be instilled in all staff members through the department's professional development program.

Auditors can reach beyond the negative aspects of the auditing business. A modern audit department proactively seeks positive deliverables from within the work of the organization. This effort may involve the development of preventive control procedures, and the recommendation of these to auditees before audits. The overarching goal of the audit program should be to improve the control environment within the company (refer to the mission statement). It should not be to catch company units or individuals in violation of control procedures. It is critical that the audit department develop a "work with" attitude within the organization.

b. Essence of Internal Auditing


One of the major challenges of audit management is contributing to the organization's mission. It is often noted that internal auditors do not create, make, find, or deliver the organization's products or services. How does internal audit fit into the organization's mission? If audit programs were suspended, what would be the short-term and long-term effects? Company management will periodically examine the contribution of the internal audit program. Will your function pass this test? Unlike functions that produce products or services, audit results may be more difficult to measure. How is productivity of the internal audit function measured? Does your audit function have the internal system to measure and improve internal audit productivity? Other areas of organizations, and businesses in general, are monitored and pushed to greater limits and improvements in quality; why not internal audit? All too frequently, audit management becomes lax. Decisions to spread out and space out audits are all too easy. These types of issues do not exist in other functions: shipping is measured monthly, sales sometimes daily, accounting reports are issued monthly. With audit management comes the responsibility to push for greater volume, efficiency, and effectiveness (see the definitions of each above). Audit management needs to employ any and all tools and procedures to measure and improve productivity. All of these procedures and methodologies should be carefully developed, documented in your procedures manual, and built into your audit culture. What happens if you become lax? Management does not look at internal audit every day, month, or quarter. Over time, an impression is recorded on the effectiveness and efficiency of the internal audit function. In many cases, change is made in dramatic fashion by changing audit management, or by eliminating, reducing, or outsourcing the function. The fact that all appears quiet may be only a warning of an impending storm.

Measuring efficiency in internal audit is generally a simple and feasible process. Measuring the inputs, labor hours or some other quantitative measure, is relatively simple. But outputs need to take on relevance to the organization rather than being a simple count of audits conducted, or being ignored altogether in favor of quantifying inputs. Effectiveness is quite different. Based on the definition of effectiveness, management of internal audit should first establish a reasonable, achievable, and relevant mission statement, with appropriate accompanying goals and strategies (both must be measurable). This mission should be compatible with the organization, its culture, management's goals and objectives, and professional responsibilities. Then effectiveness becomes a measure of how well internal audit accomplishes the mission, as measured by how well it is reaching the goals associated with the mission statement. This is the measure with which corporate management will be most concerned. To function effectively, internal auditors and the customers of audit services should possess a similar understanding of what makes internal auditing a value-added activity. Failure to reach this understanding could result in the perception that internal audit is simply an obstacle to achieving production objectives. This perception can result in underutilized audit services and ignored audit recommendations. [1] It is imperative that IA staff members articulate the mission of the IA function to its stakeholders effectively to avoid this unproductive environment.

c. Quality Assurance Reviews of Internal Audit


Recently, quality assurance reviews of internal audit functions have been on the rise. This internal or external review is a very positive development for internal auditing as a profession. To some extent, this trend is encouraged by the very nature of internal audit and the concern on the part of management about internal audit effectiveness and efficiency. Every dollar spent on internal audit is a dollar not earned on the bottom line. Why not challenge the spending, as is the case in other areas of the company? (Chapter 9 proposes a full quality assurance program administered by audit management.)

d. Outsourcing Internal Audits


In the 1990s, a manifestation of the concern of management about the effective use of corporate resources for internal auditing was the ever-expanding trend toward outsourcing the internal audit function. As noted earlier, internal auditing management requires a proactive approach, good personnel, personal development programs, structured procedures, a mission, short-term and long-term objectives, quality assurance reviews, productivity measures, and so on. However, there is no simple measurement tool such as units booked, units shipped, financial statements produced on time with accuracy each month, comparable-store sales versus last year, capacity utilization, and so forth. Audit contribution is very difficult to measure! Therefore, when management is offered a simple, perhaps less expensive approach, it will be seriously considered. Is internal audit an organization's core competency? Can it be more efficiently and effectively implemented by an organization dedicated to internal audit as its core competency? These are questions currently being explored by many organizations. Clearly, there are many factors involved in the decision to outsource all or part of an internal audit function. A major element is size and the ability to maintain various specialized skill sets, such as information systems (IS) audit. In smaller organizations, outsourcing of general IS audit may be effective and efficient. In larger organizations, with IS audit staffs, outsourcing certain very technical audits may be the advisable course of action. Outsourcing should be considered during the departmental planning process. That is, if there is a need for technical competencies not immediately available in the staff (e.g., Internet, encryption, intrusion detection), audit management should consider whether to outsource or develop the skill internally. The Institute of Internal Auditors (IIA) issued a report entitled "Perspective on Outsourcing Internal Auditing." In it, the IIA takes the following view:

The IIA's perspective is that internal auditing is best performed by an independent entity that is an integral part of the management structure of an organization. The IIA states unequivocally that a competent internal auditing department that is properly organized with trained staff can perform the internal auditing function more efficiently and effectively than a contracted audit service. Internal auditing by definition should be internal and integral to the organization, and the internal auditing department should be staffed with professional internal auditors who adhere to the Standards for the Professional Practice of Internal Auditing and the related Code of Ethics. One of the best evidences of internal auditing competence is the Certified Internal Auditor (CIA) designation. Most internal auditors are degreed professionals. In fact, many hold advanced degrees and have acquired specialized skills related to the organization for which they work. These professionals are aware of their responsibilities with regard to the organization and the Standards. The key proficiency of internal auditors is internal control in its broadest sense. Internal auditors provide management and the board of directors with competent evaluations of an organization's system of internal control and the quality of performance of assigned responsibilities regarding the reliability and integrity of information, compliance with laws and regulations, the safeguarding of assets, the economical and efficient use of resources, and accomplishment of goals and objectives. Several common themes recur in control models, such as the Committee on Sponsoring Organizations (COSO) of the Treadway Commission, Criteria of Control Committee of the Canadian Institute of Chartered Accountants (CICA), and Cadbury Committee: "Internal control is management's responsibility; tone from the top is important; controls must be built in not on; and internal communication and people development are critical elements of the control framework." Internal auditors' value and effectiveness are linked not only to their attunement to management's philosophy and direction, but to their understanding of internal control and their direct knowledge of operating systems that are often in flux. Internal auditors are in touch with governance issues and are intimately acquainted with their organization's policies, procedures, operating practices, and personnel. They are able to devote their full attention and loyalty to the organization and to identify subtle changes and ambiguities that may signal trouble. Internal auditors can respond immediately to the concerns of senior management because they are familiar with their organizations' culture and processes, and their status as employees ensures confidentiality and loyalty. As long as internal auditing staffs are highly skilled, efficient, and responsive to management, organizations are best served by keeping the internal auditing function internal.

The Enron fraud and disaster (bankruptcy) of 2001 also lends credence to the IIA's stance. Enron was questioned for its outsourcing of the internal audit function, and the possible loss of independence when its external auditor firm, Arthur Andersen, was awarded the outsourcing of the internal audit function.

ISACA Standards provide guidance on issues related to outsourcing. Standard #010.010.020 says in section 2.1.1: "Where any aspect of the IS function has been outsourced to a service provider, these services should be included in the scope of the audit charter." Section 2.1.2 further states: "The Audit Charter should explicitly include the right of the IS Auditor to (1) review the agreement between the service user and the service provider (pre-effect or post-effect), (2) carry out such audit work as is considered necessary regarding the outsourced function, and (3) report findings, conclusions, and recommendations to service user management." Thus outsourcing is something to be considered during the development of the audit charter (see "Corporate Audit Charter" in this chapter).

e. Control Self-Assessment
In the 1990s, in reaction to the ever-expanding requirements for internal audit services and the need to control overhead costs, internal audit groups have been turning to control self-assessment (CSA) reviews, also known as self-audits. CSA reviews are performed by line managers under the direction of the internal audit program. Most line managers are concerned about controls over their operations and have a basic knowledge of control issues related to their function of operation. Of course, CSA is not performed by individuals independent of the operations under review and, therefore, will only supplement, not replace, internal audit activities.

In the current marketplace, all organizations are affected by global competition, as well as demands for greater accountability. Customer-focused organizations are attempting to reengineer systems and eliminate activities that do not add value to customers. These programs are changing business processes very rapidly, and in some cases, reducing the internal control systems. At the same time, the profession of internal auditing, through the IIA and other professional organizations including the American Institute of Certified Public Accountants (AICPA) and Financial Executives International (FEI), has redefined internal control with a broader, more detailed definition, adding to the work of internal audit. In this period of rapid change, CSA has arisen as a means of raising control awareness and coverage. This innovative approach provides the internal audit department with an opportunity to meet its audit customers' (management's) needs while controlling auditing costs. CSA, or self-auditing programs, are usually built around self-audit questionnaires or audit programs. CSA programs are initiated by sending a letter about the program to line or operating managers explaining how the program will work, what their responsibilities will be (completion of the self-audit appraisal questionnaire), and how the information will be used by the internal audit department. The letter should point out that the information will not only be reviewed, but will also be verified during subsequent audits. A member of the audit department at the supervisor or manager level will review the CSA response and follow up on noted significant control weaknesses immediately if deemed necessary. All less significant issues will be followed up at the point of the next audit. The CSA reports will also be integrated into the audit planning process. It is advisable to assign a supervisor or manager who is acquainted with the subject operations and/or who will be assigned to subsequent audits.

Over time, locations or operations subject to CSA reviews can be considered for extended audit intervals or lower risk assessments in the three-year plan. This process will have the effect of reducing audit time and travel expenses. Of course, the quality of the CSA document and the seriousness with which local management implements the CSA program will be important factors. CSA programs are relatively new methods of delivering the internal audit service. Each organization will develop a program that fits its own circumstances. Another major benefit of this approach is that it allows the internal audit function to continue to evolve from the policing role to the role of facilitator of controls and policies. Through CSA, line or operations managers assume more ownership and accountability for controls and participate in the process of reviewing and improving control effectiveness.

f. Integrating the Auditing Process


The core process in an internal auditing function is the auditing process. This core process is supplemented by tangent processes such as personal development and quality assurance. The auditing process is defined in this manual as consisting of three major aspects:
1. The Planning Process (see Chapter 6)
2. The Auditing Process (Performance) (see Chapter 7)
3. The Reporting Process (see Chapter 8)
We have learned that these processes can be linked so that work performed in one process is leveraged to benefit the auditors in a subsequent process, reducing their work and thereby increasing their productivity. In addition, the methodology involves paying a great amount of attention to planning so that proper objectives are set and work is directed to the higher-risk areas within the organization. An example of the leverage is the use of information from the planning process, including the scope and auditee profile, in the resulting audit report. Good planning leads to improved effectiveness and better quality results. This methodology has been successfully implemented in a number of audit departments, and although at first it may appear overly structured, the implementation has resulted in a consistently high-level, quality audit product. There are no government or professional requirements for internal audit management to be so structured; however, it has been our experience that operating in an unstructured environment causes an erosion of management support and credibility over time. Audit departments do not need to implement all of these strategies; however, they support the practice and provide management with a clear understanding of the process. Without this process, management may sometimes question the value of internal auditing's contribution.

[1] Dale L. Flesher and Jeffrey Zanzig, "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," SOBIE conference proceedings, April 15, 2002.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 4.2    REV NO:    DATE:    PAGES:
TITLE: Corporate Audit Charter

4.2 Corporate Audit Charter


Audit departments should operate pursuant to a written charter indicating the purpose, authority, duties, and responsibilities of the function. The audit department charter should be formally approved by the audit committee and the board of directors, updated periodically, and distributed to all company management. (See Section 9.5, "Marketing the Audit Function.") The IIA Standards suggest the charter should (1) establish the department's position in the organization; (2) authorize access to records, locations, and personnel; and (3) define the scope of internal audit activities. (See Exhibit 4.1.)

Exhibit 4.1: Sample Corporate Audit Charter[2]

(a) Policy Statement
It is the policy of Sam Pole Company (the Corporation) to maintain an audit department as a means of providing the Board of Directors and all levels of management with information to assist in the control of operations and to assist senior management in reaching a conclusion concerning the overall control over assets and the effectiveness of the system of internal controls in achieving its broad objectives. Additionally, the Audit Department will review the effectiveness and efficiency of operations and organizational structures. Complementary objectives of the corporate audit department are to develop personnel (see Chapter 5, "Personnel, Administration, and Recruiting," and Section 9.5, "Marketing the Audit Function").

(b) Responsibility of the Director of Auditing
The Director of Auditing is responsible for properly managing the department so that (1) audit work fulfills the purposes and responsibilities established herein; (2) resources are efficiently and effectively employed; and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

(c) Reporting and Relationship to the Audit Committee
The Director of Auditing will report to the Audit Committee for approval of audit scope, policy, and administration. The Director will report in writing on all internal reviews conducted in the Corporation and will attend the Committee meetings to report on significant recommendations and the operations of the internal audit function.

(d) Independence
Independence is essential for effective operation of the internal audit function. It is the policy of the Corporation, therefore, that all audit activities shall remain free of influence by any organizational elements. This objective shall include such matters as scope of audit programs, frequency and timing of examinations, and the content of audit reports.

(e) Scope of Audit Activities
Audit coverage will encompass, as deemed appropriate by the Director of Auditing, independent reviews and evaluations of any and all management operations and activities to appraise:
Measures taken to safeguard assets, including tests of existence and ownership as appropriate
The reliability, consistency, and integrity of financial and operating information
Compliance with policies, plans, standards, laws, and regulations that could have significant impact on operations
Economy and efficiency in the use of resources
Effectiveness in the accomplishment of the mission, objectives, and goals established for the Corporation's operations and projects
Audit activities will be coordinated, to the extent possible, with the public accountants so as to enhance audit efficiency.

(f) Access and Confidentiality
In accomplishing their activities, the Directors of Auditing and their staffs are authorized to have full, free, and unrestricted access to all Corporation functions, activities, operations, records, data files, computer programs, property, and personnel. Under appropriate circumstances, the Director of Auditing is specifically authorized to communicate directly to the Chairman, President, and/or the Board of Directors. It is expected that Directors of Auditing and their staffs will exercise discretion in the review of records to ensure the confidentiality of all matters that come to their attention.

(g) Responsibility for Corrective Action
The manager or head of the division, department, unit, or site audited is responsible for either planning or taking corrective action on recommendations made or deficient conditions reported by the auditor. If the proper corrective action is not taken, the Director of Auditing is responsible for presenting a report on significant matters to a senior financial officer and/or the Audit Committee.

(h) Limitation of Authority and Responsibility In performing their functions, the Director of Auditing and corporate audit staff members have neither direct authority over, nor responsibility for, any of the activities reviewed. Internal auditors will not develop and install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. However, in connection with the complementary objectives of this audit function, Internal Audit will recommend accounting and information systems policies and procedures for approval and implementation by appropriate management. Therefore, internal audit review and appraisal do not in any way substitute for other activities or relieve other persons in the organization of the responsibilities assigned to them.

The Information Systems Audit & Control Association (ISACA) Standards also address audit charters. Standard #010.010.010 states in section 2.1.1: "The IS Auditor should have a clear mandate to perform the IS audit function. This mandate is ordinarily documented in an audit charter that should be formally accepted. Where an audit charter exists for the audit function as a whole, wherever possible the IS audit mandate should be incorporated." In section 2.2.1 it further states: "The audit charter should clearly address the three aspects of responsibility, authority and accountability." Under responsibility, the first subtopic is the mission statement. Other ISACA Standards affect the development of the audit charter, such as the outsourcing standard mentioned previously. Thus the ISACA Standards and Guidelines provide considerable general guidance in developing the audit charter, mission statement, and other organizational documents.

Corporate Audit Department Procedures Manual
NO: 4.3
REV NO:
DATE:
TITLE: Company Organization
PAGES:

[2] Note: Adapted from Guide to Accounting Controls, Price Waterhouse, 1981, Warren Gorham Lamont.

SAM POLE COMPANY

4.3 Company Organization


Auditors should be aware of their company structure and management organization. In order to provide this background, a section of the audit manual should be devoted to a description of the company's activities. This section can include a copy of the company's divisional or subsidiary organization structure. In addition to this structure, it is common to produce management organization charts. The senior management organization chart should be included in the internal audit manual. Exhibit 4.2, "Sam Pole Company Organization Chart," is an example of a high-level organization chart depicting the financial organization and the auditing organization.

Exhibit 4.2: Sam Pole Company Organization Chart

The positioning of internal audit within a company can vary. There is a great debate in the profession that addresses the independence of internal auditing. The Sam Pole Company organization chart depicts the Director of Auditing reporting directly to the Board of Directors, with a dotted-line responsibility to the Chief Financial Officer (CFO) and Audit Committee. In some companies, the internal auditing function reports directly to the CFO. This organization may be appropriate if the circumstances warrant this reporting relationship. Whenever possible, the reporting relationship should be independent of the financial organization.

a. Audit Department Organization


The audit department organization chart should be included in the manual. If practical, it is beneficial to include the names of all the auditors in the department. This approach provides a level of personalization for the manual. However, this approach will require more frequent revisions. Exhibit 4.3 is the "Sam Pole Company Audit Department Organization Chart." The chart depicts an integrated audit department approach in which staff are available to managers of each audit discipline. This approach is unusual and was included in this version of the manual to provide a thought-provoking example. Most departments have organization charts which can be easily included in this section of the manual. The job classifications/descriptions that follow have been developed in a format consistent with this organization chart.

Exhibit 4.3: Sam Pole Company Audit Department Organization Chart

Another method for improving commitment and team spirit is to include the names of all the department members on a departmental routing slip. This routing slip can augment the organization chart.

b. Job Classifications and Descriptions


Job descriptions formally define the functions, duties, and responsibilities of a position. They also indicate the knowledge and skills required for successful performance. As such, they provide a vehicle for defining different levels on the audit staff and also provide criteria for performance evaluation. The Corporate Audit Department currently has three levels of professional job classifications, in addition to the Director of Auditing. They are: Manager/Director, Senior Auditor, and Auditor. In addition, there is one administrative position: executive secretary. Job descriptions for the current professional positions can be found on the following pages. These job descriptions reference responsibilities for the major procedures contained in the processes in other sections of the manual. Therefore, they document the responsibilities of each staff member related to these methodologies.

POSITION NAME: DIRECTOR OF AUDITING
REPORTS TO: Senior Officer for Administration and the Board of Directors (usually through the Audit Committee) for audit scope and policy
FUNCTION: The position is responsible for properly managing the department so that (1) audit work fulfills the purposes and responsibilities established in the department charter, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

DUTIES AND RESPONSIBILITIES:

To direct independent reviews and evaluations of any and all management operations and activities to appraise:
- The reliability and integrity of financial and operational information
- Compliance with policies, plans, standards, laws, and regulations that could have significant impact upon operations
- Measures taken to safeguard assets, including tests of existence and ownership as appropriate
- Economy and efficiency in the use of resources
- Effectiveness in the accomplishment of objectives and goals established for corporation operations and projects

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality.

To present to a senior officer and/or the Audit Committee a report on significant recommendations or deficiencies on which audited management has not taken proper corrective action.

To ensure that the department does not develop or install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise its independence.

The Director must have an in-depth knowledge of the audit profession as well as the audit function at Sam Pole Company, from both conceptual and technical viewpoints. Therefore, the Director should maintain an expert knowledge of auditing and the auditing profession. The Director must have excellent written and verbal communication skills as well as excellent editing skills. He/she is responsible for monthly activity reports to senior management and updates to the Corporate Audit Procedures Manual. The Director will perform a final review of corporate audit reports. The Director should have excellent interpersonal skills. These skills are critical to develop and maintain effective working relationships with all levels of management, the external auditors, consultants, and various industry representatives. The Director will also need to counsel managers and audit staff members as to their performance and career development.

International: Sam Pole Company is a dynamic company with significant operations all over the world. The Audit Director will be involved with audits in foreign and domestic locations. This involvement will lead to travel to foreign and domestic locations, where in some cases English may not be the first language.

CONTACTS: INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the company. The incumbent works with the corporate audit staff, managers, and senior officers of the company. Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company. The Director of Auditing develops contacts with suppliers of materials and other supplies for the functioning of the Audit Department.

QUALIFICATIONS: MINIMUM KNOWLEDGE AND SKILLS:

This individual will have at least a four-year college degree and possess approximately 10 to 15 years of experience in internal auditing and external auditing, including at least seven years at the manager or director level. A CPA or CIA certification and CISA is desirable.
- Experience with financial, operational, and management auditing
- Experience in a manufacturing and/or distribution environment
- A good understanding of IS auditing

The ideal candidate will also possess foreign language skills.

POSITION NAME: AUDIT MANAGER - INTERNATIONAL, PLANNING, AND CONTROL
REPORTS TO: Director of Auditing
FUNCTION: The position is responsible for overall audit planning, policies and procedures, coordination with external audit and consultants, and quality assurance. The position is responsible for ensuring that the overall audit function of the company monitors trends in the auditing field and applies them when appropriate to the practice of auditing in the company. The position is also responsible for coordinating/initiating all planning, quality assurance, and human resources-related functions for the Corporate Audit Department. Furthermore, the position is responsible for the preparation and implementation of a training plan for the department and the individual professionals therein and coordinating the activities of internationally based auditors.

DUTIES AND RESPONSIBILITIES:

The individual will have direct responsibility for preparing an Audit Department multi-year plan, and:
- Coordinate input from the Director of Auditing as well as audit managers in developing the plan
- Summarize input received from managers and Director of Auditing, with international plans, and produce a draft plan for discussion
- Update drafts based on input received until final draft is approved
- Prepare six-month and one-year plans for the three-year plan

The individual will be responsible for the coordination and administration of the Audit Department, and:
- Develop and maintain the Audit Procedures Manual of the Corporate Audit Department
- Prepare the operating budget for the department for approval by the Director of Auditing
- Monitor expenses by overseeing purchases and payment of invoices, and recommending viable alternatives to the audit management
- Prepare annual summaries of external audit fees for the Director of Auditing
- Prepare periodic reports for senior management for the Director's review; also oversee the preparation and production of periodic and biannual audit report summaries to the Audit Committee
- Maintain a complete file on each member of the audit staff, with job descriptions, resumes, career actions, performance appraisals, training plans, and development records; produce and analyze reports on various personnel statistics
- Advise Corporate Audit management on training needs and availability

The individual will be responsible for developing and implementing the department's Quality Assurance Program, and:
- Maintain the department's policies regarding periodic reviews of entire assignments, summary reviews of all assignments, and external peer review
- Schedule staff for reviews of entire engagements
- Schedule staff for summary reviews of each engagement on an availability basis
- Prepare reports for the Director of Auditing, discussing the areas where improvement is needed in the audit process

Internationally Based Auditors: The individual will be responsible for coordinating the activities of the internationally based auditors, and:
- Coordinate the development of the international audit plans and integrate them into domestic plans
- Monitor the activities of the internationally based auditors
- Provide guidance on company developments

Audits: In addition to the significant administrative responsibilities discussed in the job description, the individual will be involved in selected audits, both domestic and international.

This position is responsible for maintaining expert knowledge of the auditing profession. The incumbent must keep abreast of new or proposed developments to the auditing function, and analyze their impact on the company. In addition, the incumbent is an authoritative source of information to the audit group regarding the practice of auditing.

The incumbent must have an in-depth knowledge of the audit profession as well as the audit function at Sam Pole Company, from both conceptual and technical viewpoints. Also the incumbent should have a good understanding of the company's primary lines of business and organizational structure or, if such knowledge is minimal, should be capable of quickly becoming familiar with these activities.

The incumbent must have excellent written and verbal communication skills as well as excellent editing skills. In addition, the incumbent must prepare monthly activity reports to senior management and update (as necessary) the Corporate Audit Procedures Manual. The manager must review and edit corporate audit reports and be able to effectively communicate departmental policies and procedures to staff.

The incumbent must have well-developed interpersonal skills. They are critical to develop and maintain effective working relationships with all levels of in-house management, the company's external auditors and consultants, and various industry representatives. The incumbent also needs to counsel audit staff members as to selected training and career development.

The incumbent must develop and maintain ongoing contact with peers in industry for the purpose of gathering information and exchanging ideas. The incumbent must gather information on proposed legislation, analyze impact to the company, and draft statements for consideration by the Director of Auditing. The incumbent must interact with associations and institutions to keep abreast of developments and trends in the auditing profession and ensure that both the Audit Department and business units are kept informed.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS: INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company including cross-relationships with Human Resources, Officer Services, and Information Systems. Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company. The Audit Manager develops contacts with suppliers of materials and other supplies for the functioning of the Audit Department.

QUALIFICATIONS: MINIMUM KNOWLEDGE AND SKILLS:

This individual will have a four-year college degree and possess approximately five to eight years of experience in internal auditing. A CPA, CISA, or CIA certification is desirable. The ideal candidate will also possess foreign language skills.

POSITION NAME: AUDIT MANAGER - FINANCIAL/OPERATIONAL AUDIT
REPORTS TO: Director of Auditing
FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the purposes and responsibilities established in the department, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA) and the General Standards for Information Systems Auditing published by the Information Systems Audit and Control Foundation (ISACA).

DUTIES AND RESPONSIBILITIES:

To direct independent reviews and evaluations of any and all management operations and activities to appraise:
- Reliability and integrity of financial and operational information
- Compliance with policies, plans, standards, laws, and regulations that could have significant impact upon operations
- Effectiveness in accomplishment of objectives and goals established for the corporation and projects
- Measures taken to safeguard assets, including tests of existence and ownership as appropriate
- Economy, effectiveness, and efficiency in use of resources (operational audits)
- Effectiveness of organizational structures to achieve corporate goals and ability of management to plan, organize, direct, and control its function (management auditing)

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

For All Assigned Audits:
- Scope and Procedures. Implement the department procedures for audit planning, establishing scope, and determining appropriate audit procedures.
- Document Development/Review. Develop or review the following audit documents on audits assigned:
  - Preliminary survey: review planned survey; review survey results
  - Audit time budget
  - Planning memo
  - Audit programs
- Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
- Field Work. Perform or review field work, as appropriate.
- Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers; approve reviewed workpapers for filing.
- Interim Recommendations. Prepare recommendations following field work and documentation of auditee position.
- Status Memo. On the basis of memo contents, consider appropriateness of original audit plan and scope or need to modify to attain audit objective.
- Closing Conference. Plan and conduct audit closing conference.
- Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the Director of Auditing and Audit Committee.
- Summary Memo. Review results of audit regarding attainment of objectives; review and approve comparison of actual to budgeted hours and explanation for variance.
- Audit Management Letter. Review and follow up on all profit center responses to the public accountants' Audit Management Letter, including a report to the Audit Committee.
- Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
- Information Systems. Have sufficient basic IS knowledge to be able to discuss and determine application of IS audit resources.
- Decision-Making Responsibility/Conclusions. Responsible for administrative and audit related decision making and conclusions based upon completed audits.
- Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide, and motivate staff. Empower assistants to be effective. Participate directly in these activities when appropriate.
- Auditee Relationship. At executive management level, identify and develop audit opportunities to provide a more effective audit service to management.

Other Matters:
- Special Investigations. Provide direction and guidance. Review results. Recommend action in coordination with other interested company and outside parties.
- Continuing Education. Pursue regular program for continuing education for self (related to certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in area of emerging systems development within the company, courses to pursue certification, management training). Review and approve suitable program for departmental staff.
- Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
- Professionalism. Demonstrate superior performance and direction in all attributes of professional conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS: INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company, especially with the accounting functions. Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public Accountants (AICPA), if applicable, in order to keep abreast of trends and developments in the auditing profession. The incumbent has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company. Contact with organizations specializing in operational and management auditing must be maintained.

QUALIFICATIONS: MINIMUM KNOWLEDGE AND SKILLS:
- A degree in accounting or other qualified discipline
- CPA, CISA, or CIA certification
- Experience in a manufacturing and/or distribution environment
- Experience in a supervisory capacity and the ability to direct and develop others
- Experience with financial, operational, and management auditing

POSITION NAME: AUDIT MANAGER - IS AUDIT
REPORTS TO: Director of Auditing
FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the purposes and responsibilities established in the department, (2) resources are efficiently and effectively employed, and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA) and the General Standards for Information Systems Auditing published by the Information Systems Audit and Control Foundation (ISACA).

DUTIES AND RESPONSIBILITIES:

This individual will have primary responsibility for reviews of the company's information systems (IS) environment:
- Reliability and integrity of information systems (IS)
- Compliance with policies, plans, standards, laws, and regulations that could have significant impact on IS or operations
- Effectiveness in accomplishment of objectives and goals established for IS
- Measures taken to safeguard IS assets, including tests of existence and ownership as appropriate
- Economy, effectiveness, and efficiency in use of IS
- Involvement in systems development audits to ensure controls are built in during the systems development life cycle (SDLC) process

To develop an audit program to address systems in development including:
- Analyses of SDLC methodology, providing for internal audit input at key points in the process including the use of continuous assurance techniques including embedded audit modules and intelligent agents
- Planning of audits of development projects (or ongoing audit involvements) to provide critical input while the project is in process

The individual will be responsible for taking a leadership position in expanding the use of computers by the audit staff:
- Expand use of computer-assisted audit techniques (CAATs) to support audit projects
- Monitor the department's data processing requirements for microcomputer based tools including audit software and administrative packages
- Establish and maintain an automated time and expenses reporting system

The position is responsible for maintaining an expert knowledge of the IS audit profession. The individual must keep abreast of new and proposed developments in the IS auditing field and analyze the impact on the company. The individual should be an authoritative source of information to the audit group as regards the practice of auditing. The incumbent must have a good working knowledge of the information systems development at Sam Pole Company. Consideration should be given to attending IS Steering Committee meetings. The incumbent must have excellent written and verbal communication skills as well as excellent editing skills. The individual must prepare monthly activity reports to senior management on IS auditing activities.

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

The position will be responsible for working on selected financial and operational audits. These will supplement the primary area of responsibility of IS auditing.

For All Assigned Audits:
- Scope and Procedures. Implement the Department procedures for audit planning, establishing scope, and determining appropriate audit procedures.
- Document Development/Review. Develop or review the following audit documents on audits assigned:
  - Preliminary survey: review planned survey; review survey results
  - Audit time budget
  - Planning memo
  - Audit programs
- Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
- Field Work. Perform or review field work, as appropriate.
- Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers; approve reviewed workpapers for filing.
- Interim Recommendations. Prepare recommendations following field work and documentation of auditee position.
- Status Memo. On the basis of memo contents, consider appropriateness of original audit plan and scope or need to modify to attain audit objective.
- Closing Conference. Plan and conduct audit closing conference.
- Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the Director of Auditing and Audit Committee.
- Summary Memo. Review results of audit regarding attainment of objectives; review and approve comparison of actual to budgeted hours and explanation for variance.
- Audit Management Letter. Review and follow up on all responses to the public accountants' Audit Management Letter, including a report to the Audit Committee.
- Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
- Information Systems. Have sufficient IS knowledge to be able to discuss and determine application of IS audit resources, to judge effectiveness of computer controls, and participate in systems development projects.
- Decision-Making Responsibility/Conclusions. Responsible for administrative and audit-related decision making and conclusions based upon completed audits.
- Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide, and motivate staff. Empower assistants to be effective. Participate directly in these activities when appropriate.
- Auditee Relationship. At executive management level, identify and develop audit opportunities to provide a more effective audit service to management.

Other Matters:
- Special Investigations. Provide direction and guidance. Review results. Recommend action in coordination with other interested company and outside parties.
- Continuing Education. Pursue regular program for continuing education for self (related to certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in area of emerging systems development within the company, courses to pursue certification, management training). Review and approve suitable program for departmental staff.
- Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
- Professionalism. Demonstrate superior performance and direction in all attributes of professional conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics.
- SDLC/Systems Projects. Preferably ensure that a CISA (or staff member if a CISA is not available) is a part of any systems development teams or projects.

International: Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS: INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior officers of the company, especially with Information Systems. Externally, the incumbent maintains close relationships with the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA), where applicable, in order to keep abreast of trends and developments in the IS auditing profession. The individual has regular dealings with managers and partners of the company's external auditors to obtain material including information that should be disseminated to the audit staff and management of the company. The individual maintains contact with audit software vendors to stay abreast of developments in the field.

QUALIFICATIONS: MINIMUM KNOWLEDGE AND SKILLS:
- A four-year degree in accounting and/or an IS degree
- A Certified Information Systems Auditor (CISA) certification; CPA or CIA is not essential but is an advantage
- Experience in a manufacturing and/or distribution environment
- Experience with computers, preferably both micro-computers (PCs) and either mainframe or mini-computers (mid-range)
- Experience with local area networks (LANs) or wide area networks (WANs)
- Experience in a supervisory capacity

POSITION NAME: SENIOR AUDITOR
REPORTS TO: Internal Audit Manager
FUNCTION: Plan, organize, conduct, supervise, and formally report on a scheduled audit.

DUTIES AND RESPONSIBILITIES:
Planning Scope and Procedures. Develop, or supervise assistants in, planning the scope of audits and the selection and development of appropriate audit procedures for manager approval.
Preliminary Survey. Direct the development and preparation of the survey approach. Participate in and oversee work by assistants, if applicable.
Audit Time Budget. Ensure that a practical budget is established, that work is completed on time, and that performance and variance are evaluated.
Planning Memo. Review assistant input and document a thorough and complete approved plan for specific audits after obtaining general guidelines from the manager.
Audit Programs Development/Changes. With manager approval, develop the audit programs necessary to promote effective audit coverage.
Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
Field Work. Perform all field work in a competent and professional manner. Provide evidential support for all report recommendations.
Identifying System Control Points. Document controls, or perform expert review of work by assistants.
Workpapers. Prepare selected workpapers and review assistants' workpapers.
Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate assistants' recommendations, considering materiality, pertinence to the audit, and documentary evidence.
Status Memo. Prepare or review the draft and finalize the status memo for presentation to the manager.
Closing Conference. Prepare or review the agenda of recommendations and comments. Conduct the conference with support from assistants.
Report Preparation/Review. Prepare or review detailed recommendations and comments for materiality and relativity of items, adequacy of workpaper documentation, and auditee position (if known). Responsible for the completeness and accuracy of the entire report, subject to manager approval.
Summary Memo. Prepare or review the final summary memo based on review and evaluation of input by assistants. Submit future audit planning recommendations.
Performance Evaluation. Complete timely performance evaluations for assistants on the audit and review the evaluations with them (if applicable).
Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
Company Audit Procedures. Demonstrate complete comprehension and the ability to (1) assess the validity of existing policies and procedures, and (2) recommend sound alternatives.
Decision-Making Responsibility/Conclusions. Demonstrate the capacity for, and evidence of, effective decision making and drawing sound conclusions.
Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
Special Investigations. Possess the ability to carry out assignments discreetly, effectively, and efficiently in sensitive, confidential circumstances.
Awareness of the State-of-the-Art. Demonstrate a clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation of our audit approach, where appropriate.
Continuing Education. Pursue a department-approved program of continuing education for self and recommend suitable programs for department associates. Pursue professional development (PD) for self, as appropriate, and recommend PD for the department.
Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.
Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or need.
Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.
International. Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS (INTERNAL AND EXTERNAL): Internally, department management and associates; most levels of auditee management. Externally, technical and other business professionals through societies and association memberships.

QUALIFICATIONS (MINIMUM KNOWLEDGE AND SKILLS):
Have achieved, or be working toward, certification by examination
Have a four-year degree in accounting (or a qualified discipline)
Have achieved high academic standing
Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
Have apparent management potential

POSITION NAME: AUDITOR
REPORTS TO: Senior Auditor
FUNCTION: Plan, organize, conduct, and formally report on a scheduled audit.

DUTIES AND RESPONSIBILITIES:
Planning Scope and Procedures. Develop the scope for audits and the selection and development of appropriate audit procedures for senior/manager approval.
Preliminary Survey. Develop and prepare the survey.
Audit Time Budget. Ensure that a practical budget is established, that work is completed on time, and that performance and variance are evaluated.
Planning Memo. Provide input and document the plan for specific audits after obtaining general guidelines from the senior/manager.
Audit Programs Development/Changes. With senior approval, develop the audit programs necessary to promote effective audit coverage.
Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
Field Work. Perform all field work in a competent and professional manner. Provide evidential support for all report recommendations.
Identifying System Control Points. Document controls.
Workpapers. Prepare selected workpapers.
Interim Recommendations. Prepare recommendations for auditee consideration; review them, considering materiality, pertinence to the audit, and documentary evidence.
Status Memo. Prepare the draft status memo for presentation to the manager.
Closing Conference. Prepare the preliminary agenda of recommendations and comments.
Report Preparation/Review. Prepare detailed recommendations and comments.
Summary Memo. Prepare the preliminary summary memo. Submit future audit planning recommendations.
Performance Evaluation. Complete timely performance evaluations for assistants on the audit and review the evaluations with them (if applicable).
Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
Company Audit Procedures. Demonstrate complete comprehension and the ability to (1) assess the validity of existing policies and procedures, and (2) recommend sound alternatives.
Decision-Making Responsibility/Conclusions. Demonstrate the capacity for, and evidence of, effective decision making and drawing sound conclusions.
Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
Special Investigations. Possess the ability to carry out assignments discreetly, effectively, and efficiently in sensitive, confidential circumstances.
Awareness of the State-of-the-Art. Demonstrate a clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation of our audit approach, where appropriate.
Continuing Education. Pursue a department-approved program of continuing education for self. Pursue professional development (PD) for self, as appropriate.
Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.
Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or need.
Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.
International. Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS (INTERNAL AND EXTERNAL): Internally, department management and associates; most levels of auditee management. Externally, technical and other business professionals through societies and association memberships.

QUALIFICATIONS (MINIMUM KNOWLEDGE AND SKILLS):
Have achieved, or be working toward, certification by examination
Have a four-year degree in accounting (or a qualified discipline)
Have achieved high academic standing
Have the ability to supervise and get along with people
Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
Have apparent management potential


POSITION NAME: SENIOR AUDITOR, EUROPE (INTERNATIONAL LOCATION)
REPORTS TO: Audit Manager, Planning and Control
FUNCTION: This position is responsible for performing audits in Sam Pole's European operations. Corporate audit procedures established in the United States will, to the extent possible, be followed by the Senior Auditor, Europe.

DUTIES AND RESPONSIBILITIES:
The individual will have direct responsibility for preparing preliminary, annual, and multi-year audit plans for all European operations, for approval in the United States.
The individual will prepare drafts of expense budgets for one-year plans, as appropriate, for approval in the United States.
The individual will maintain a copy of the Corporate Audit Department's Corporate Audit Policies and Procedures Manual for use in Europe.
The individual will maintain contact and develop lines of communication with auditees throughout the European operations.
The individual will attempt to maintain knowledge of developments in the various European operations. This process will involve monitoring periodic management reports and staying apprised of economic developments in each country. Periodically, reports on these developments will be made to the Manager, Planning and Control.

For All Assigned Audits:
Planning Scope and Procedures. Develop the scope for audits and the selection and development of appropriate audit procedures for senior/manager approval.
Preliminary Survey. Direct the development and preparation of the survey approach. Participate in and oversee work by assistants, if applicable.
Audit Time Budget. Ensure that a practical budget is established, that work is completed on time, and that performance and variance are evaluated.
Planning Memo. Review assistant input and document a thorough and complete approved plan for specific audits after obtaining general guidelines from the manager.
Audit Programs Development/Changes. With manager approval, develop the audit programs necessary to promote effective audit coverage.
Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the auditee before the audit.
Field Work. Perform all field work in a competent and professional manner. Provide evidential support for all report recommendations.
Identifying System Control Points. Perform expert review of work by assistants.
Workpapers. Prepare selected workpapers and review assistants' workpapers.
Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate assistants' recommendations, considering materiality, pertinence to the audit, and documentary evidence.
Status Memo. Prepare or review the draft and finalize the status memo for presentation to the manager.
Closing Conference. Prepare or review the agenda of recommendations and comments. Conduct the conference with support from assistants.
Report Preparation/Review. Prepare or review detailed recommendations and comments for materiality and relativity of items, adequacy of workpaper documentation, and auditee position (if known). Responsible for the completeness and accuracy of the entire report, subject to manager approval.
Summary Memo. Prepare or review the final summary memo based on review and evaluation of input by assistants. Submit future audit planning recommendations.
Performance Evaluation. Complete timely performance evaluations for assistants on the audit and review the evaluations with them (if applicable).
Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
Company Audit Procedures. Demonstrate complete comprehension and the ability to (1) assess the validity of existing policies and procedures, and (2) recommend sound alternatives.
Decision-Making Responsibility/Conclusions. Demonstrate the capacity for, and evidence of, effective decision making and drawing sound conclusions.
Auditee Relationships. Ensure continuing development of effective professional relationships with auditee personnel.
Special Investigations. Possess the ability to carry out assignments discreetly, effectively, and efficiently in sensitive, confidential circumstances.
Awareness of the State-of-the-Art. Demonstrate a clear understanding of current developments, associating that understanding with company audit applications. Recommend adaptation of our audit approach, where appropriate.
Continuing Education. Pursue a department-approved program of continuing education for self and recommend suitable programs for the department. Pursue professional development (PD) for self, as appropriate, and recommend programs for the department, where appropriate.
Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective realization of the department audit plan.
Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or need.
Professionalism. Demonstrate superior performance in all attributes of professional conduct, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage others toward comparable performance.
International. Sam Pole Company is a dynamic company with headquarters in the United States and significant operations all over the world. All audit managers and staff are involved with audits in foreign and domestic locations. This involvement includes travel to foreign locations where, in some cases, language differences may be encountered. The Senior Auditor, Europe will possess multi-language skills and/or recommend alternative audit approaches, including the use of outside accountants or other company personnel.

CONTACTS (INTERNAL AND EXTERNAL): Internally, the incumbent deals directly with all levels of management in the European headquarters and country operations. Requests for audit assistance by the operating units should be communicated to U.S. headquarters and considered during the planning process. The position works closely with the Director of Finance for European Operations. Externally, the incumbent should be a member of the Institute of Internal Auditors (in the United Kingdom) and other appropriate audit institutes in Europe. The incumbent will have regular dealings with managers and partners of the company's external auditors.

QUALIFICATIONS (MINIMUM KNOWLEDGE AND SKILLS):
Have achieved, or be working toward, certification by examination
Have a four-year degree in accounting (or a qualified discipline)
Have achieved high academic standing (i.e., honors)
Have fluent command of English and other language skills
Have experience in the multinational auditing environment
Have the ability to supervise and get along with people
Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
Have apparent management potential
Independent thinker


SAM POLE COMPANY

TITLE: Audit Department Policies

Corporate Audit Department Procedures Manual NO: 4.4 REV NO: DATE: PAGES:

4.4 Audit Department Policies


In addition to the specific department procedures and administrative programs (see Chapter 5), the department should have various policies. Examples of these policies include those in this chapter. However, these should not be considered all-inclusive by any means. All departments should have confidentiality, travel, and entertainment policies. These would be the minimum policies, and every effort should be made to document policies on a case-by-case basis as they arise. This section can be used as the area to record all department policies:
Confidentiality
Orientation (Training)
Days Off for Extensive Travel
Professional Certification

a. Confidentiality
In accordance with the approved Corporate Audit Department Charter, under the subsection Access and Confidentiality, "in accomplishing his activities, the Director of Auditing and his staff are authorized to have full, free, and unrestricted access to all corporation functions, activities, operations, records, data files, computer programs, property, and personnel." This access exposes the staff to confidential corporate information, either by examination or by discussion. The privileged permission to be informed of confidential information carries with it a responsibility for confidentiality on the part of the Audit Department staff. Confidentiality is defined as "to hold secret." The only exception is reporting to audit management and others on a defensible need-to-know basis.

i. Policy
All information known to require, or deemed (by a reasonable person test) to require, confidentiality should be kept so.

ii. Discussion
Corporate Audit Department management is obliged to guard its responsibility for staff confidentiality in order to protect the department's reputation and credibility. This protection includes present staff, transfers, and past employees.

Breaches of confidentiality may be either intentional or accidental, such as being overheard in public places, elevators, or restaurants.


We are involved in and knowledgeable of a number of sensitive company situations, including union agreements, company politics, different pay scales, and special investigations, that require good judgment and limited exposure of details. Another area of which the auditor must be constantly aware is gossip. Many people on the company grapevine feel credibility is given to their conversation if they can include, "I heard it from an auditor." So beware of the person who asks a lot of questions. It should be clear to current or past employees of the Corporate Audit Department that violations of confidentiality or gossip may result in:
Immediate termination
Probation
Suspension without pay
Warning
Lawsuit
The consequences will be at the judgment of the Director of Auditing and/or the Audit Committee. A lawsuit could result from third-party damage, such as defamation of character from a libelous or slanderous statement. (See "Responsibilities of an Auditor" in this chapter.)

b. Orientation (Training)
i. Objective
Provide reasonable assurance that the new employee will become promptly productive.

ii. Responsibility
Orientation is the responsibility of the manager to whom the new employee reports.

iii. Orientation Outline (See Section 5.6)
Information about Sam Pole Company
Information about the Internal Audit Department of the Company
Introduction to audit staff personnel and other employees with whom the auditor will work
Discussion of duties and responsibilities
Control of work:
    Hours of work
    Time reports
    Paycheck distribution
    Travel regulations
    Expense report preparation
    Supplies
Readings:
    Audit manual
    Standards
    Literature on modern internal auditing
    Recent audit reports
    See recommended reading list


c. Days Off for Extensive Travel Policy


No specific corporate policy has been set forth on this subject. Therefore, the following policy for the Internal Audit Department will apply:
One day for each seven consecutive nights in an international location may be taken off with pay.
One day for the first 14 consecutive days of domestic (North American) travel may be taken off with pay. For every additional seven consecutive and contiguous days thereafter, one additional day off may be taken.
Such days must be used by the end of the calendar year or they are automatically forfeited.

d. Professional Certification Policy


In order to encourage professional development within the Corporate Audit Department at Sam Pole Company, the Company will support employees who wish to attain a recognized professional certification. The programs currently being supported include the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), the Certified Public Accountant (CPA), the Certified Management Accountant (CMA), the Certified Fraud Examiner (CFE), and the Certified Information Systems Security Professional (CISSP). Successful completion of these written examinations demonstrates personal achievement and enhances the professional posture of the department. In order to encourage employees to attain professional recognition by passing a certification exam, the Company will assist staff members by providing:
1. The cost of registration and fees for the initial sitting for the examination.
2. Fifty percent of the cost of recognized preparation (review) courses, to a maximum of $750. To avoid misunderstanding, selected courses should be approved by the Director of Auditing prior to registration and payment of fees. Attendance at classes is to be scheduled during non-working hours (Monday through Friday) or, preferably, on weekends. Staff assignments to projects will consider review course attendance, but Sam Pole work must take precedence in cases where staff members are required to fulfill Company commitments.
3. Time spent sitting for examinations will be considered authorized excused leave.
It is anticipated that the Company will benefit from the attainment of certifications through increased professional knowledge and adherence to professional standards and codes of conduct.

Endnote
1. "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," Dale L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.


Chapter 5: Personnel, Administration, and Recruiting


Overview
SAM POLE COMPANY

TITLE: Introduction

Corporate Audit Department Procedures Manual NO: 5.1 REV NO: DATE: PAGES:

5.1 Introduction
Internal audit consists of people, information systems, and procedures. Talented people following well-thought-out, tailored methodologies will produce consistent, quality audit products. Organizations should not lose sight of the support role of audit. Like the accounting department and other important groups in an organization, audit does not produce the primary product or service. The audit mission (as defined in the audit department charter), however, is crucial to the organization's success, providing independent review and constructive advice. In order to attract and retain qualified staff, the Corporate Audit Department has put in place a personnel development program (see "Personal Development" in this chapter). However, the selection of the best individuals is the first step in the process.

a. Sources of Personnel
Internal auditors are typically accountants who have an interest in auditing. In many cases, this interest is combined with a desire to gain a good understanding of many business functions. The audit function exposes auditors to a large number of areas in a company's operations. Therefore, it is considered an excellent training ground. Consequently, some entry-level auditors will consider audit a stepping-stone in their career progression. If the audit department is successful and well respected, a percentage of auditors will choose to remain and progress to audit management positions. Because most organizations, including audit departments, have pyramid structures, these career path issues must be managed effectively to promote audit staff development and progression. Staff can be obtained from a number of sources, which include:
Direct recruitment from colleges
Transfers from other company functions
Outside hires

i. Direct Recruitment from Colleges
To develop a professional-level internal audit program, most functions require a college degree for new hires. Colleges and universities develop students' basic skills, and most include an auditing course in the accounting curriculum, a requirement in most degree programs. In addition, most colleges and universities try to accommodate the 150-hour rule for the Certified Public Accountant (CPA) exam by offering graduate courses in accounting. A second auditing course is normally offered for those pursuing a master's degree.


Even more importantly, many universities are forming specialty degrees in systems, public accounting, and internal auditing. The Institute of Internal Auditors (IIA) has a "Model Curricula for Classroom Use" that was carefully constructed considering the Certified Internal Auditor (CIA), CPA, management consulting, and computer sciences, and considering the standards of the American Assembly of Collegiate Schools of Business (AACSB), the International Association for Management Education, and the American Accounting Association (AAA). The IIA maintains information on its "IIA Academic Program" online at its web site, including a 120-hour model curriculum, a 150-hour model curriculum, and a list of Endorsed Internal Auditing Programs. [1] The first step in recruiting from colleges and universities is to identify the schools with which you may want to work, and review their curriculum and program for compatibility. One resource might be the IIA's list of Endorsed Internal Auditing Programs, especially if one is fairly close by. Students in these programs have already expressed an interest in internal audit, and are being educated more precisely (i.e., probably better qualified than other accounting students) for internal audit jobs. Once you identify a school, it is beneficial to develop a relationship with the accounting department and its students. Recruiting activities could include:
Campus job placement department
On-campus interviews
Job fairs
Partnering with the accounting department and its faculty
Speaking to a class or accounting student club
Most schools encourage on-campus recruitment activities and have structured means to accommodate them. For example, most schools have a department that specializes in job placement, typically called "Career Services" or a similar name. This group is one important contact because they can facilitate conducting interviews, screen candidates based on the audit department's criteria, and forward applicable student resumes. Most schools today are associated with some sort of job fair, either on campus or in the local area. Many professors or department chairs will also work with companies one-on-one. If, for example, the university is an endorsed IIA program and an audit department wants to hire regularly over time, then the department will probably be willing to partner with the audit department (company) and provide specialized services concerning recruitment. All universities encourage professionals, such as internal auditors, to visit campus to speak to either classes (e.g., auditing) or student clubs in accounting. These activities are opportunities to observe potential job candidates first-hand before getting involved with interviews, etc. Schools benefit tremendously by bringing "real-world" professionals and their experience and views into the course. Accounting academics will appreciate any internal auditor who contacts them to schedule speaking engagements. All of these resources are valuable to recruitment because each one transfers some of the work of the recruitment process to the school, saving the audit department time and resources. Together, they can expose the audit department to the best and brightest students for entry-level jobs.

ii. Transfers from Other Company Functions
In some cases, candidates may be available within the company. Most companies have sophisticated human resource (HR) programs that can assist audit management with hiring and career progression issues. For instance, many firms employ elaborate systems that gather individual skills, training, and abilities. These systems allow easy retrieval of people who fit a certain profile. Such a system is extremely helpful in locating people with the interest and abilities related to internal auditing; thus, if your organization uses this type of system, the corporate audit department needs to ensure that the coding is compatible with its needs.
Audit functions should always attempt to hire the best possible candidates and never "settle" or accept an individual as an accommodation to another department.

iii. Outside Hires
An excellent source of outside candidates is public practice. Approximately two-thirds of all entry-level auditors will leave public accounting within three years. Public accounting firms recruit primarily accounting graduates and, in most cases, provide them with formal hands-on training programs in the early years of the person's employment. Some also provide industry and computer training. Of course, large internal audit departments are capable of organizing and providing similar professional development programs. In most cases, however, they cannot provide the diversified experience available in public practice.

b. Recruitment Aids
Forethought and planning will improve recruiting results. Candidates will be favorably impressed when presented with company structure charts, organization charts, and a schematic of the personnel development program similar to the one presented in the manual. Some audit departments develop brochures describing functions, activities, and benefits (e.g., experience in many company operations, travel, and potential career progression). The development of a summary of the current staff with qualifications may also add value. Some departments that encourage career development in the audit department and within the company develop career summaries on current and preceding members of the department. An interview questionnaire for new internal auditors should be developed and used to summarize interviews and results. Exhibit 5.1 is a sample form. Exhibit 5.1: Interview Questionnaire for New Internal Auditors


c. Management Development Programs


People can be products too! Some audit departments develop or participate in management development programs. These programs can involve internal audit as an initial or mid-career step. For instance, new college graduates can be hired by internal audit and assigned to other company operations for portions of the year. After two or three years, they transfer to another unit on completion of a successful project. This process will add work to the audit management function, and it will also create a positive deliverable or product. Such programs would be discussed with senior management and/or the audit committee, and added to the audit department function directly in the audit charter. In some notable examples, personnel development programs have greatly enhanced the reputation of the audit function through the addition of a tangible measurable product: former audit personnel rising to higher level positions in the organization.


d. Certifications
Certifications, including Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), and Certified Management Accountant (CMA), are significant personal achievements and provide evidence of basic skill levels and knowledge. In today's business environment, the Certified Fraud Examiner (CFE) and Certified Information Systems Security Professional (CISSP) have become both valuable and relevant. Any of these certifications also adds to internal audit's image. Policies can be developed to encourage staff members to attain certifications, which should be seriously considered in reviewing new-hire qualifications.

[1] See www.theiia.org/ecm/iiaap.cfm?doc_id=209, or go to www.theiia.org and search.

SAM POLE COMPANY

TITLE: Personal Development

Corporate Audit Department Procedures Manual NO: 5.2 REV NO: DATE: PAGES:

5.2 Personal Development


Internal auditing consists of quality people employing quality procedures and quality systems in an independent and proactive manner. In order to sustain the implementation of the most appropriate procedures and to provide for the continuing improvement of the auditors, a professional development program becomes a critical component of the internal audit practice. Consider the following quote from Future Shock, by Alvin Toffler:

    If society itself were standing still, there might be little pressure on the individual to update his own supply of images, to bring them in line with the latest knowledge available in society. So long as the society in which he is embedded is stable or slowly changing, the images on which he bases his behavior can also change slowly. But to function in a fast-changing society, to cope with swift and complex change, the individual must turn over his own stock of images at a rate that, in some way, correlates with the pace of change. His model must be updated. To the degree that it lags, his responses to change become inappropriate, he becomes increasingly thwarted, ineffective. Thus, there is intense pressure on the individual to keep up with the generalized pace. Today, change is so swift and relentless in the techno-sciences that yesterday's truths suddenly become today's fictions, and the most highly skilled and intelligent members of society admit difficulty in keeping up with the deluge of new knowledge, even in extremely narrow fields. [2]

a. Introduction
In order to ensure that the Corporate Audit Department's education plan is implemented, the responsibility for coordination has been assigned to the Manager of Policies and Control. As Coordinator of Education, the Manager of Policies and Control will assist in the development of the departmental education plan and individual auditors' educational plans. He/she will work closely with the staff and managers to achieve the objectives of the Professional Development Program and report periodically to the Director of Auditing on the status of the program.

Chapter 5: Personnel, Administration, and Recruiting


b. Objectives
The Corporate Audit Department Training Program has been designed to improve and maintain the professional competence of the corporate auditors so that they can effectively perform their function to the fullest extent. Additionally, it is intended to provide for personal professional growth and job satisfaction. The program, combined with on-the-job experience and training, and a comprehensive evaluation process, is intended to provide a basis for advancement in the Audit Department, or for potential placement in key financial or general management positions within the company. Every professional has a responsibility to maintain and advance his or her basic skills. The program is intended to provide a vehicle for the individual to accomplish this requirement. The program will be as successful for you as you make it. Additionally, to develop strong business acumen, daily reading of the general financial press is essential. Auditors are generalists, to a large degree, and should always be cognizant of current trends in business and finance, to ascertain the importance, if any, on their audit assignment.

c. Coordinator of Education
The Coordinator of Education is responsible for overseeing the educational needs of the department, and ensuring that those needs are adequately met. The Coordinator reports to the Director of Auditing regarding plans and resources needed to obtain and maintain an adequate level of knowledge and skills individually and corporately in the department. Duties include:
- Assists the Director and audit managers in surveying staff and analyzing training needs.
- Recommends a comprehensive, systematic training program for the Corporate Audit Department.
- Coordinates the training activities for corporate auditors and makes staff aware of all training opportunities.
- Assists auditors in developing individual goals and training programs.
- Develops and implements evaluation programs for all training activities involving Internal Audit.
- Investigates specific training programs as requested by other members of the staff and authorized by the Director of Auditing.
- Assists in the evaluation of training programs and reviews regular (quarterly) training reports on staff members for the Director of Auditing.
- Develops policies and procedures for maintaining and using the staff library.
- Assures audit management that the library is adequately stocked and keeps staff informed of new acquisitions pertinent to their particular needs.

d. Corporate Audit Training Model


The Corporate Audit Training Model (Exhibit 5.2) includes a structured approach to core training critical for first- and second-year auditors. The model goes on to suggest a training program for auditors beyond the basic core programs. These are labeled as "advanced," for the third year and thereafter.

Exhibit 5.2: Overview of Corporate Audit Training Model


The core of the Corporate Audit Program is on-the-job training through effective supervision and constructive evaluations covering areas of need. The program is two-fold: the Core Program covering new auditors, and the Advanced, covering education for career-minded internal auditors for periods beyond two years of work experience. On-the-job training is supplemented with the following types of formal and informal education:
- In-house seminars and self-study training through the use of audio and visual training courses, and online courses via the web.
- Teaching or speaking engagements to help broaden one's knowledge and communications skills.
- Attendance at various outside seminars, workshops, lectures, and conferences, etc.
- Availability of a library of texts and reference materials covering internal auditing, as well as specific areas of business management, taxation, finance, purchasing, construction, contracts, etc.
- Online services: Examples include Lexis/Nexis, [3] the AICPA (Auditing Standards), [4] ISACA's K-net and CobiT, [5] and other providers of reference materials. Lexis/Nexis provides authoritative legal, news, public records, and business information online. K-net is a global knowledge network for IT governance, control, and assurance. CobiT is a generally applicable and accepted standard for information technology (IT) security and control practices, providing a framework for management, users, and information systems (IS) audit, control, and security practitioners.
- Specialized courses, when available and/or practical, specially designed to meet the internal auditor's needs.
- Routing of selected educational material to the Internal Audit staff to maintain current knowledge in the field.

The Core Program requires a minimum of two weeks, or 80 hours, per year of formal education or teaching. The Advanced Program requires a minimum of one week, or 40 hours, per year. These minimum requirements do not include self-study courses, outside professional meetings, on-the-job training, research, and the use of the library.

e. Core Program
First Year: During the first year of employment, attendance at various structured courses is required. The following schedule will be followed, interfaced with on-the-job training:


- All new hires will attend an orientation program on the company and the Corporate Audit Department.
- All entry-level auditors will attend a one- to two-week course on Introduction to Corporate Auditing Procedures. This subject could be administered in-house by experienced corporate auditors, or provided by outside trainers.
- All auditors will attend at a minimum a five-day Introduction to Computer Auditing course.
- All staff members will attend audio/visual courses on audit-related topics during the year.
- There will be mandatory attendance at all staff meetings and in-house internal audit seminars on a regional and centralized basis.

Second Year: The training program will continue into subsequent years. By the end of the second year, the following should have been attained:
- Continuation of Corporate Auditing procedures at the Intermediate Level as well as attendance at courses relating to the evaluation of internal controls
- Attendance at an in-house or outside seminar on advanced computer audit techniques or software (i.e., Computer-Assisted Audit Tools and Techniques, or CAATTs)
- Participation in audio/visual courses on specific topics to be announced; that is, systems auditing, statistical sampling, fraud detection, Internet security, and so on
- Attendance at in-house Corporate Audit seminars (one week) and regularly scheduled staff meetings

f. Advanced Program
The Advanced Program will involve specific tailoring to meet each individual's development needs. As the internal auditor's career progresses, decisions need to be made regarding the individual's long-term objectives. If those objectives lie in the Internal Audit area, provision should be made for the attendance at Internal Audit management training and conferences. There may be a need for auditors to develop specific skills further. For instance, operational auditing or IS auditing skills may be required by the department, and/or requested by individuals in their career planning meetings. The professional development program can be tailored for each individual, to help meet departmental, as well as individual, goals. Included in the advanced stage of the program is an anticipation that the staff member will increase his or her involvement with professional organizations such as the IIA, American Institute of Certified Public Accountants (AICPA), American Management Association (AMA), Information Systems Audit and Control Association (ISACA), and participate in their educational programs. Staff members, at this level, should be strongly encouraged to develop their own expertise in specific areas and provide training courses to these organizations. Committee assignments can, in some cases, be considered as continuing education endeavors. These decisions must be made by audit management, and documented in the individual's professional development plan.

g. Record-Keeping
Each auditor is responsible for maintaining a chronological record of his/her training or educational accomplishments while on the Corporate Audit staff. This record will be forwarded quarterly to the Coordinator of Education. (See Exhibit 5.3, "Continuing Professional Education (CPE) Record.")

Exhibit 5.3: Continuing Professional Education (CPE) Record

NAME_________________________ PERIOD________________

Columns: DATE; ORGANIZATION; COURSE; INSTRUCTOR; CPE Provider #; CPE HOURS (PREPARATION, TEACHING, ATTENDED); TOTAL

The coordinator will review the forms quarterly and submit them to the Director of Auditing for inclusion in each Auditor's personnel file. Certain continuing education credits needed to maintain various professional certifications should be pursued by each individual auditor and will be retained in his or her personnel file. Individuals should keep copies of course outlines as required by various certifications for CPE requirements. Performance evaluations will be conducted after each assignment or periodically by each level of supervision, and also placed in the file, so that a needs analysis can be made to determine what additional education is required to maintain each staff member's proficiency. Training records will be used as a reference in scheduling staff members to various assignments. These assignments will help reinforce the retention of course curriculum obtained from the training programs. The Director and Audit Managers will periodically assess the auditor's training needs, using the CPE record and/or the section on development needs as shown on the performance evaluations. After training assessments are made, both individual and staff training goals and programs will be further developed as required.

The results of this training program should improve the professional competence of all staff members, thus providing the knowledge to function and cope with our fast-changing, complex environment.


[2]Future Shock, Alvin Toffler, Bantam Book, August 1971.
[3]See lexis.com and lexisnexis.com.
[4]See www.aicpa.org.
[5]See www.isaca.org.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 5.3 REV NO: DATE: TITLE: Personnel Files PAGES:

5.3 Personnel Files


In order to properly manage the audit department, personnel files will be maintained. Audit Department personnel files should be multi-partition files and include, but not be limited to:
1. Employee resume and a copy of the original Company application (if appropriate)
2. Periodic performance appraisals
3. Summary of salary history and promotions
4. Corporate Audit Department Background Information Form (Exhibit 5.4)
5. Corporate Audit Department Interest Questionnaire (Exhibit 5.5)

Exhibit 5.4: Corporate Audit Department Background Information Form

Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form


These files should be maintained by the Audit Department in addition to files maintained by the Human Resources (HR) function. To facilitate the development and maintenance of these audit departmental files and facilitate the gathering of specific information necessary to proactively manage the corporate audit function, two departmental forms should be completed by all employees and updated annually. These forms are:
- Corporate Audit Department Background Information Form
- Corporate Audit Department Interest Questionnaire

a. Corporate Audit Department Background Information Form


This form (Exhibit 5.4) facilitates two-way communications and helps standardize the basic information required for each employee. The form should be kept in the inside cover of each personnel file. The form also serves to reinforce interest in certifications and professional activities and provides a feedback mechanism for information related to these activities.

b. Corporate Audit Department Interest Questionnaire


The Corporate Audit Department Interest Questionnaire (Exhibit 5.5) expands on the Corporate Audit Department Background Information Form by requesting additional information related to the audit professional's preferences. Not all preferences can be granted, but in some cases preferences can be considered in planning.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 5.4 REV NO: DATE: TITLE: Periodic Performance Evaluation Review PAGES:

5.4 Periodic Performance Evaluation Review


Periodic performance evaluation is an essential part of our personnel development program. It is expected that all staff members will become familiar with and understand the reporting requirements and instructive guidelines. Staff evaluations, prepared accordingly, can then be expected to be fair and objective appraisals of the person's performance. The importance of timely, constructive interim feedback by the supervisor cannot be emphasized too strongly. Such feedback will help to shape the end-of-assignment evaluation and will expedite its completion and review in the shortest time. The Performance Evaluation Review Form is included as Exhibit 5.6. The report is to be prepared for staff personnel by the in-charge senior or manager promptly at the end of the assignment.

Exhibit 5.6: Performance Evaluation Review Form


a. Performance Evaluation Review Guidelines for Preparation of Report


Continuous and timely review and evaluation of performance is essential to effective personnel development. To provide for that continuity, the Performance Review report should be prepared promptly by the Auditor's supervisor at the end of each assignment. The evaluation should be discussed with the Auditor in a constructive manner to encourage continuing efforts toward improvement in performance and the elimination of shortcomings. The completed report, signed both by the preparer and the person evaluated, will document the following:
- Accurate, complete record of the auditor's performance
- Notification of observed strengths and weaknesses
- Basis for assessing training and development needs (correlated with the auditor's departmental training record)
- Basis for appraisal toward promotion or for transfer, salary review and warning or other administrative action

The periodic, end-of-assignment review should be reinforced through effective interim oral or written feedback by the supervisor during the assignment. Interim feedback is the continual process, an integral part of the supervisor's functions. Failure to provide timely feedback is a weakness in the supervisor's performance. The interim performance discussion should provide analysis of both strengths and areas for improvement, emphasizing constructive actions for improving performance. Although interim evaluations need not be in writing, the evaluation form can serve as a checklist for areas to be considered and for notes, as both a basis for that evaluation and a reference point for the end-of-assignment evaluation.

i. Preparation

Report preparation is important, and ample time should be allotted to prepare the report.

(A) Assignment Responsibilities and Circumstances. The form is designed to obtain specific answers to questions, amplified as appropriate by description, comment, or discussion. Regarding the level at which the person was used on the assignment, indicate the level at which he or she functioned rather than the actual level. Criteria should include the nature of the work, degree of supervision, and prior staffing of the assignments. The nature of the work, for the auditor's major responsibilities, should be described in sufficient detail. For example: internal control (sales, cash receipts, payroll): documentation, audit program, walk-through; inventory: observation, pricing finished stock; accrued liabilities: test for unrecorded liabilities. Unusually difficult or simple situations should be identified.

(B) Manager/Director Approval. This approval is required on all evaluations prepared by staff-level personnel, namely supervising senior, senior, and so forth. Approval should be indicative of Manager/Director concurrence with the evaluation (see Manager/Director Comments section) and that it contains the appropriate information. When prepared by staff-level personnel, it is recommended that the report be read by the Manager prior to review with the individual. Manager/Director approval should occur after the report has been discussed with the individual and finalized. Any Manager/Director comments should be included in the evaluation at the time the individual signs off on the report.

(C) Comments Section. When completing this section, the auditor's experience level should be considered in evaluating his or her performance. For example, the criteria for measuring a staff auditor's technical skills would differ significantly from those used in evaluating a senior. It is expected that completion of all categories will generally be appropriate except for the Development of Assistants category for evaluations of staff auditors. The boxes at the right margin are to be used to insert the abbreviation for the effectiveness level of each listed qualification. Effectiveness levels are defined on the last page. It is expected that everyone will become familiar with the definitions and use them as explained. Although the ratings "OUTSTANDING" and "UNSATISFACTORY" should be clearly explained, specific comments should also be given for other effectiveness levels for informative reporting to the auditor and the reader.

Areas noted for improvement should include any recommendations for the individual's development. In discussing weaknesses, the evaluation should assess the progress made in correcting those weaknesses during the course of the engagement. In situations when mitigating circumstances may have contributed to a weakness, appropriate details should be provided. However, it is not appropriate, for example, to discuss budget overruns when it clearly was not within the control of the individual. When one weakness impacts several qualification categories, the evaluation should clarify this fact so as not to mislead the reader into concluding that several weaknesses exist.


(D) Appraisal Section. The last page of the report summarizes the results of the performance evaluations, both interim and end-of-assignment. When completing the sections dealing with Developmental Needs and Promotability, comments, reasons, and recommendations should be expressed clearly and constructively to provide reliable source information to audit management for future assignments and indicated training and development needs. The Manager/Director Comments section is required for all evaluations where that level of approval is necessary. The basis for approval may be discussions with the in-charge senior, review of work papers or personal contact. The Manager or Director may also include other significant comments. The Summary Evaluation section should be completed subsequent to the Comments section and should be supported by the written comments. Because it represents a summary of the written comments, emphasis is again placed on the need to rate individuals on the basis of their experience level and standards normally expected at that level. In rating an individual's effectiveness level, supervisors should refer to the definitions provided on the form. Ratings other than these should not be used. The most appropriate rating must be chosen. Written comments should explain borderline decisions.

ii. Performance Appraisal Meeting

Performance appraisal meetings provide a very important opportunity to discuss and improve employee performance. Such meetings are a major element in a personnel development program. At every opportunity, the Audit Department culture should emphasize the importance placed on continuing personnel improvement and development. The Audit Department is only as good as the personnel performing the work. To the extent that employees' performance can be improved, the overall quality of the audit products will be improved. It is important that adequate time be allowed to plan for and conduct a performance appraisal meeting.

The meeting should be scheduled with the employee to reduce the anxiety usually associated with performance appraisal meetings. All attempts should be made to create a comfortable atmosphere and reduce or eliminate interruptions. The performance meeting presents an opportunity to review progress and priorities, resolve any problems with performance, discuss future potential development needs, and what is needed to meet them.

Conducting the performance review can be a challenging endeavor, and efforts should be made to train supervisory staffs to better conduct performance review meetings. During the meetings, it is important to create two-way communications. One objective of the meeting is to get the employee to open up. The evaluator will be prepared with his or her comments. The meeting atmosphere should be informal and unhurried. This objective can be accomplished by meeting in a conference room or away from a manager or supervisor's desk, if possible. It is also important to emphasize the good work that the employee has accomplished. There should be an emphasis on "praise" in the appraisal. It is important that the reviewer probe and ask questions, and most importantly, listen to the answers. This approach will provide ample time for the employee to discuss thoughts on his or her mind. One of the objectives of the review process is to allow the employee to face up to any problems that might exist. In some cases, the best approach to mentioning a problem is to use the self-appraisal approach. Under the self-appraisal approach, the supervisor or manager will ask the employee to discuss his or her performance from his or her own perspective. It is very important to always discuss the performance, and not the individual's personality. Any criticism should be made in a positive manner. For instance, talk about how the person can make needed improvements. There should be few surprises in the appraisal meeting.

Problems should be discussed with the staff when they are recognized. This method will allow the supervisor to correct the problem earlier and also demonstrate by example the existence of the problem. When this method is not used, specific examples should be raised during the appraisal review meeting. However, this method is not as good an alternative as actually having mentioned the problems as they occurred.


Before the meeting is concluded, you should agree on a plan of action. Outline your thoughts on action points prior to the performance meeting. Focus on facts and avoid general judgments. Set objectives and goals, and agree upon completion dates.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 5.5 REV NO: DATE: TITLE: Annual Staff Meeting/Conference PAGES:

5.5 Annual Staff Meeting/Conference


As pointed out in this manual, personnel development is critical to the development and maintenance of a quality audit program. The Core and Advanced Personnel Development Programs are set out in Personnel Development in this chapter. One of the key programs in any audit department is the Annual Staff Meeting/Conference. The meeting has many objectives, including:
- Setting aside some time for department-wide administrative updates
- Discussions of company developments
- Audit training
- Reports on results of quality assurance reviews and related changes
- Opportunity for feedback from the staff and for suggestions for improvement of department operations

The location of the meeting is very important to the overall success of the meeting. Meetings should be planned outside the office for maximum impact. In addition, the meeting may be combined with a social or sports activity to help build morale and camaraderie among the staff. The program can include a State of the Department Address by the Chief Auditor. Presentations by department managers are also very important. Each functional leader should also provide an update on their administrative activities, including the quality assurance program and the personnel development program.

a. Group Discussions
In order to provide a forum for feedback from the staff, consideration should be given to holding group discussions. These sessions would allow staff members to discuss any topic related to their department. Plan for a sufficient amount of time, a minimum of two hours, for group discussions. The staff should be broken down by groups, and these sub-groups should be provided with private meeting space to hold these discussions. In order to organize the group discussion, prepare a Group Discussions Instruction Sheet. Exhibit 5.7 illustrates this document for a fictional meeting. The groups should have a Group Leader and a Scribe. The role of the Group Leader and the Scribe should be set out in the Group Discussion Instruction Sheet.

Exhibit 5.7: Group Discussions Instruction Sheet

Objective
- To provide a forum for the staff to discuss their concerns and hear other members' concerns
- To provide feedback to Audit Management as to what are the main concerns of the staff and what possible solutions they project

Group Leader's Role
- Set the stage by informing the staff that this is their time to talk about anything related to the Corporate Internal Audit Department's organization or activities.
- Tell them you have a list of some items of potential interest you will use to generate conversation when there is none or to improve the productivity of the conversation if it gets way off course.
- Explain that there is a scribe to take notes on what is said, not who said it, and that we will provide feedback later in the day.
- Ask the group to begin and wait a few minutes. Give the group a good chance to start on their own.
- Keep the meeting moving. If too much time is spent on a topic, ask to move on to another topic.

Scribe's Role
- Listen carefully and make notes of key concerns, suggestions, items of interest, etc.
- If you don't understand what someone is trying to say, ask questions to clarify the issue.

Observer's Role
- Listen in on a portion of each meeting

Potential Topics
1. How important is audit planning? Is our approach adequate? How should we approach it?
2. Should we employ management by objectives and goal setting?
3. Should we require certification of some kind (CPA, CIA, CISA, CDP) within a given time frame?
4. How much of a factor should evaluations of performance be in determining raises and promotions?
5. Other: Annual Staff Meetings; IS Audits/Training; Participation in Audits; Job/Career Future; Audit Staff; Administrative Matters; Travel, Advances, Accommodations, etc.

The Leader's role is to set the stage by informing the staff that this meeting is their time and that they could talk about anything related to the department's organization or activities. The Leader should be provided with a list of some potential items of interest to generate conversation if necessary. However, there should be sufficient time allotted before this list is introduced to ensure that the staff has an opportunity to bring their own thoughts and ideas.

The role of the Scribe is to listen carefully and make notes of key concerns, suggestions, and items of interest. Having someone perform this role frees the Group Leader to concentrate on the Leader's role, keeping the meeting moving. The Scribe will produce a list that should be provided to audit management. The list should not indicate who made what recommendation; anonymity adds credibility to comments by mitigating "groupthink" problems.

In many group discussion meetings, an Observer is also involved. The Observer could be the Chief Auditor or Audit Management. The role is to listen in on a portion of each meeting to gain an understanding of the temperament and direction of each meeting. The Observer should not speak at any meeting. The purpose of the meeting is not to provide answers but to develop questions of interest and proposed solutions.

Group discussions require feedback from Audit Management. The Scribe's individual meeting summaries should be combined for review by Audit Management at a subsequent meeting or responded to at the conclusion of the Annual Staff Meeting/Conference. The sooner the feedback is reviewed, the better. For instance, if simple issues or ideas are brought up that could be acted upon immediately, these responses should be included in the closing remarks of the Chief Auditor. Those issues and suggestions that require more careful attention should be thought through and summarized in a memorandum to all participants in the Annual Meeting. Annual Meetings usually prove to be very productive, if proper attention is paid to planning and arrangements.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 5.6 REV NO: DATE: TITLE: New Staff Orientation PAGES:

5.6 New Staff Orientation


Welcome to Sam Pole Audit. We hope you find your position with us beneficial and rewarding. One of the first projects necessary to acquaint you with Sam Pole and Corporate Audit is orientation. Orientation is designed to formally introduce you to our company and significant department policies and procedures. A checklist has been provided to ensure your orientation is thorough and that you receive all materials. The checklist is to be signed off by you and the person making the orientation presentation. This form will be retained in your personnel file. Many of these items may already have been discussed during your interview with Sam Pole. However, orientation will give you a more detailed explanation. We encourage you to ask questions; people on the staff will be happy to help you, or many questions can be answered by reading the procedures manual. Please ask any questions you may have.

These welcoming remarks are often used when new personnel join the department. A sample orientation checklist can be found in Exhibit 5.8. A general description is provided here for each item on the orientation checklist.

Exhibit 5.8: Orientation Checklist

Each item below has a DATE and INITIALS line to be completed when the item is covered.
- Introduction to Staff
- Facility
- Parking
- Key Personnel/Organization Review
- Annual Report Issued
- Employee Benefits
- Job Description
- Performance Evaluation Review
- Three-Month Probation
- Working Hours/Salary/Overtime
- Vacations
- Sick Leave
- Personal Leave
- Time Reports
- Travel
- Cash Advances
- Air/Rail
- Travel Expenses
- Keys (Sign Out)
- Library
- Data Processing
- Security/Badges
- Professionalism
- Procedures Manual
- Safety Equipment Issues: Hard Hat; Glasses

All items listed above have been explained to me, and I have no further questions at this time.

_________________________ __________
Orientation Supervisor Date

_________________________ __________
Employee Signature Date

Introduction to Staff. The person presenting the orientation will introduce you to members of the staff in the office. That person will also identify those staff members who are not present and provide you with a list of the staff in the Audit Department.

Facility. You will be given a guided tour of the Corporate Audit Department and other nearby facilities.

Parking. Parking will depend on the division where you work. Additional parking facilities are available at a cost to you. When you are in the field, during your initial visit to the auditee's office, identify where you have parked and ask about their parking requirements.

Organization. Organization charts of the Corporate Audit Department and the Corporation are in Chapter 4 of this manual.

Annual Report. You will receive the current annual report of Sam Pole Corporation. Key officials are identified in the annual report, along with major components of the Sam Pole organization. You should study this report thoroughly.

Employee Benefits. You will be issued employee benefit authorization cards that must be filled out and signed. You will be issued an employee benefits manual. Read it carefully, and if you have any questions, discuss them with Audit Department management. If we do not know the answers, we will obtain them from the Employee Benefits office or refer you to the Human Resources Department.

Job Descriptions. Job descriptions are available in the Procedures Manual. Your job description will be carefully discussed with you during orientation. If you have any questions, please see the Manager.

Performance Evaluation Reviews. The form that is used for performance evaluations will be discussed with you. It is contained in Chapter 5 of the procedures manual. Study the form; if you have any questions, please ask them.

Three-Month Probation. All employees hired by the Corporate Audit Department are subject to a three-month probationary period. This procedure is for the evaluation of initial performance.

Working Hours. Normally, the office hours are from 8:00 A.M. to 5:00 P.M. Monday through Friday. The exception to this standard is when auditing outside of your home location. If 40 hours can be accomplished Monday through Thursday by working 10-hour days, then at the discretion of audit management, you may return home Thursday night.


Auditing, however, is a concerted, task-oriented profession. As professionals, when circumstances warrant, expect to spend the necessary additional hours to accomplish our objectives in a timely manner.

Salaries. Professionals employed by the Corporate Audit Department are salaried personnel. Overtime is not paid.

Vacations. The Corporate Audit Department follows vacation schedules as set forth in the Sam Pole personnel policy manual.

Sick Leave. The Corporate Audit Department will follow Corporate sick pay policy. If you are sick, you are to notify the office and the in-charge auditor as early as possible in the morning.

Personal Leave. Corporate Policy provides three personal days per year. There are times when personal business, such as studying for certification exams, may be conducted during working hours if prior permission is obtained from the Manager of Corporate Audit.

Time Reports. Time reports are required on a semi-monthly basis. A form will be shown to you, and you will be instructed on how to complete it correctly.

Travel. With audit functions situated away from home offices, there is a need for travel to these locations. For travel information, refer to the travel policies in the Corporate Audit Department procedures manual.

Advances. Each division may make temporary cash advances for expenses. Advances must be shown on expense reports and accounted for monthly. Unused advances must be remitted to the company monthly.

Air/Rail Travel. Tickets for air/rail travel can be obtained from the travel department (and accounted for in the same manner as cash advances) or purchased directly by the auditor and reported on the expense report.

Expenses. Sam Pole has issued a pamphlet, "Reporting of Travel and Business Expenses," to be used except for those items that are specifically provided for by the Corporate Audit Department.

Keys. The new employee will be given certain keys where appropriate. These must be signed out on the log maintained by the secretary at your location.

Library. The department office library contains various Sam Pole manuals. You should become acquainted with these manuals. Other publications available for education or research are also in the office library. You will be shown these, as well as the checkout procedure applicable to the local offices (see Recommended Reading List).

Security Badges. Where badges are required, you will be evaluated on an as-needed basis before badges are issued to you. Necessary security codes, computer/network passwords and log-in access, and/or badges will be arranged through the Manager of Corporate Audit.

Professionalism. Corporate Audit is striving to make our department a world-class department. A friendly, courteous relationship with auditees, outside auditors, and other Sam Pole employees is paramount in establishing and maintaining good public relations. We consider ourselves professionals and should act and dress accordingly. Dress should be in good taste; avoid extremes in either direction.

Procedures Manual. The master manual is retained in the office; in-charge auditors have a copy to be used at the work sites. A better option would be to keep an electronic copy of the manual on the Audit Department Intranet site for easier access (e.g., 24/7 availability to anyone). This manual was developed for the benefit of new employees and to document procedures to be followed. It is important to become familiar with the manual because we follow these procedures and are evaluated accordingly.

Safety Requirements. There are occasions when we must work in areas that require safety equipment. Typically, the location will provide the equipment. In the division where visits to the factories are customary, the department issues a hard hat and safety glasses.



Part III: Technical Procedures


Chapter List
Chapter 6: Audit Planning
Chapter 7: Audit Performance
Chapter 8: Audit Reporting


Chapter 6: Audit Planning


Overview
SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.1 REV NO: DATE: TITLE: Corporate Audit Planning, Scheduling, and Staffing PAGES:

6.1 Corporate Audit Planning, Scheduling, and Staffing


In January 2002, the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal Auditing (SPPIA) became effective. These standards emphasize the need for planning (see section 2010 in particular). One Guideline states, "The chief audit executive should establish policies and procedures to guide the internal audit activity" (IIA SPPIA, 2040). Under the Performance Standards of the SPPIA, the first topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."

The Information Systems Audit and Control Association (ISACA) has also established a similar emphasis on planning. One guideline states, "The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards" (ISACA IS Audit Guideline 050.010 [Audit Planning]). Additionally, another ISACA guideline addresses planning related to day-to-day activities: "Before beginning an audit, the IS auditor's work should be planned in a manner appropriate for meeting the audit objectives" (ISACA IS Audit Guideline 050.010.2.1.1).

Planning is a very basic element of all business activities. The Audit Department is no exception. The long-term departmental operating plan will demonstrate an organized approach to systematically auditing all company operations. In this book, a three-year operating plan has been developed. The extended cycle of audit coverage should be discussed with management and, if appropriate, with the Audit Committee. This process would establish the overall strategy for auditing company locations. In many companies, every aspect of the company's operations should be audited, to some extent, on a formal rotation basis (see Section 6.3). Even small operations should be considered for audit visits.
The audit "deterrent factor" should not be underestimated. To fulfill the responsibility for planning internal audit activities, a planning matrix (Exhibit 6.1) has been developed as a tool. It illustrates the flow and relationship of the three-year plan to the annual operating budget, six-month audit plan, three-month audit schedule, and two-month staff schedule. By beginning with the long-term planning exercise, the work investment naturally flows down to the planning for the shorter periods. Here is where the chief internal audit executive looks for integration of activities to save work later on. In formulating the three-year plan, one should consider the subsequent shorter-term plans by developing the long-term plan in six-month or other appropriate sub-periods that feed into the shorter-term planning process.

Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing

Three-Year Operating Plan
    Purpose: Document department operating plan for Audit Committee and Management. Coordinate audit coverage with public accountants. Owner's request to provide total coverage of principal audit areas over a three-year cycle.
    Basis: Audit management decision regarding rotation.
    Timing: Annually in August.
    Responsibility: Primary - Manager - P&C; Secondary - Sr.

Annual Budget and Plan
    Purpose: Forecast calendar-year audit plan as basis for financial budget.
    Basis: Audit plans: second half current year; first half next year. Manpower, traveling, professional development, and administration costs. Audit management discretion.
    Timing: Annually in August.
    Responsibility: Primary - Manager - P&C; Secondary - Sr.

Six-Month Audit Plan
    Purpose: Plan detail of audit assignments: nature of audit; scope; timing; manpower.
    Basis: Specific implementation of each six-month period of the three-year plan. Budget constraints. Audit management discretion.
    Timing: Semiannually, 60 days prior to the six-month period.
    Responsibility: Primary - Manager - P&C; Secondary - Sr.

Three-Month Audit Schedule
    Purpose: Schedule three-month segment of six-month plan.
    Basis: Attainable audit objectives for three months based upon six-month plan. Management discretion.
    Timing: Beginning of first month of each three-month period. Revision: as required.
    Responsibility: Primary - Manager - P&C; Secondary - Sr.

Two-Month Staff Schedule
    Purpose: Notify supervision and staff of assignment schedules.
    Basis: Three-month audit schedule. Manager discretion.
    Timing: Beginning of first month of each two-month period; administrative assistant to staff. Revision: as required.
    Responsibility: Primary - Manager; Secondary - Sr.

a. Three-Year Operating Plan


One of the responsibilities designated by the Corporate Audit Charter is for the Director of Auditing of the corporation to establish a plan of audit. The three-year audit plan (Exhibit 6.2) provides long-term forecasting. It also establishes the coverage of audits for a three-year cycle approach to total coverage of locations, branches, or companies within the organization. The objective to audit all company operations over a period or cycle can be difficult to achieve. Of course, the number of personnel required on the staff to achieve this objective will need to be calculated.

Exhibit 6.2: Sample Three-Year Audit Plan

Sam Pole Company
Corporate Audit Department
Three-Year Audit Plan

Columns of the plan form:
    Audit Unit Number
    Audit Unit
    Risk Factor wt. 1
    Risk Factor wt. 2
    Risk Factor wt. 3
    Risk Profile
    Estimated Audit Hours, by six-month period:
        Jan.-June 20xx
        July-Dec. 20xx
        Jan.-June 20xx + 1
        July-Dec. 20xx + 1
        Jan.-June 20xx + 2
        July-Dec. 20xx + 2

The three-year plan optimizes staffing requirements and the cost effectiveness of the Audit Department. The plan is based on materiality and exposure to risk for establishing priorities of the audit entities and the number of hours for the audits. The three-year plan may be developed in detailed increments of six-month time periods. Circumstances that affect change to the plan are management requests and detailed monthly planning.

i. Auditable Units

In order to develop an audit plan, a company's auditable units must be selected. An audit unit can be a subsidiary operation, a department, a division, a system, or even an account. For instance, the XYZ Company may be audited. Alternatively, the XYZ Company's sales cycle (sales, accounts receivable, and cash receipts systems) can be audited, or its accounts receivable balance can be subject to audit verification. A logical approach for each company must be developed based on infrastructure, resources, system specifics, and corporate strategies. In many cases, combinations of audit types will result. Often, various audit units at a specific location will be combined to create a logical audit unit.

b. Risk Analysis
Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have long begun their process of financial audits with the audit formula: assessing inherent risk, control risk, detection risk, and audit risk. In Statement on Auditing Standards No. 78, Consideration of Internal Control in a Financial Statement Audit, the American Institute of Certified Public Accountants (AICPA) institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control. The five major areas of internal control include (1) control environment, (2) risk assessment, (3) information and communication, (4) monitoring, and (5) control activities. The COSO model has also become a common methodology used to design the internal control environment (see Chapter 3). Lately, internal auditing has also put more focus on risk assessment. The current definition of internal auditing by the IIA states:

Internal auditing is an independent, objective assurance and consulting activity to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

In 2000, the IIA basically adapted risk assessment as the cornerstone of audits in its Standards. In the Nature of Work section (Standard 2100), the first standard relates to risk management (Standard 2110). It states: "The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems." In order to develop effective audit planning, some type of risk analysis is necessary because it provides strategic direction for limited resources. For example, one published survey on best practices for audit efficiency concluded that correlating audit efforts to the levels of risk and materiality helped increase audit efficiency. Thus auditors should try to limit procedures in low-risk areas and focus their attention on trouble spots. [1]


Depending on your company's specific operations and management concerns, the various risk factors are identified in the plan. Care must be taken to analyze the cost versus benefit of a complex risk-based audit plan. Many risk analyses result in a potentially complex summary of mostly subjective criteria, such as results of previous audits or the control concern level of management, and a restatement of obvious objective criteria, such as materiality. However, a basic summary of risk analysis should be performed. Since all risks are not equal, each risk factor is assigned a weighting factor. The following is an example:

Risk Factor                  Weight Factor (1 = lowest, 5 = highest)
Materiality                  5
Results of Prior Audits      3

For each audit, a score for each risk factor should be developed and multiplied by the risk factor weighting. For instance, a scale of 1 to 5 can be used with 5 representing high risk and 1 representing low risk or a good control environment. The following is an example:

Risk Factor                  Weight Factor (1 = lowest, 5 = highest)   Risk Score
Materiality                  5                                          5
Results of Previous Audits   3                                          1

From this type of analysis, a risk profile can be developed to support decisions of audit frequency or scope. Finally, audit review and management judgment should be applied to the plan and risk assessment. All audit managers should be encouraged to provide input and review.
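The weighted scoring just described, carried through to the risk profile column and the six half-year columns of the three-year plan form (Section 6.1(a)), as an added worked example in Python. It is not part of the manual. The "Materiality" and "Results of Prior Audits" factors and their weights are the manual's own; the third factor "Management Control Concern" and its weight, the frequency cut-offs, and the three sample audit units with their estimated hours are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Risk factors and their weights (1 = lowest, 5 = highest). "Materiality"
# and "Results of Prior Audits" with weights 5 and 3 are the manual's own
# example; the third factor and its weight of 4 are assumptions.
WEIGHTS = {
    "Materiality": 5,
    "Results of Prior Audits": 3,
    "Management Control Concern": 4,
}

PERIODS_PER_CYCLE = 6  # a three-year plan kept in six-month increments


@dataclass
class AuditUnit:
    number: int   # audit unit number, as in Exhibit 6.2
    name: str
    scores: dict  # risk factor -> score, 1 = low risk .. 5 = high risk
    hours: int    # estimated audit hours for one audit of this unit


def risk_profile(scores, weights=WEIGHTS):
    """Risk profile = sum over all factors of (weight x score).

    Every weighted factor must be scored and every score must be on the
    1..5 scale, so an unscored or misspelled factor fails loudly instead of
    silently lowering the profile of a high-risk unit.
    """
    missing = set(weights) - set(scores)
    unknown = set(scores) - set(weights)
    if missing or unknown:
        raise ValueError(f"missing {sorted(missing)}, unknown {sorted(unknown)}")
    for factor, score in scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{factor}: score {score} is outside 1..5")
    return sum(weights[f] * scores[f] for f in weights)


def audits_per_cycle(profile, weights=WEIGHTS):
    """Translate a profile into audit frequency over the three-year cycle.

    The cut-offs are assumptions (the manual leaves them to management
    judgment): at least 75% of the maximum profile is audited annually,
    45% to 75% twice per cycle, anything else once, so that even low-risk
    units stay in the formal rotation.
    """
    ratio = profile / (5 * sum(weights.values()))
    if ratio >= 0.75:
        return 3
    if ratio >= 0.45:
        return 2
    return 1


def rank_units(units):
    """Units from highest to lowest risk profile, ties broken by number."""
    return sorted(units, key=lambda u: (-risk_profile(u.scores), u.number))


def period_labels(base_year="20xx"):
    """Column labels in the style of Exhibit 6.2: Jan.-June 20xx, ..."""
    labels = []
    for i in range(PERIODS_PER_CYCLE):
        year = base_year if i < 2 else f"{base_year} + {i // 2}"
        labels.append(("Jan.-June " if i % 2 == 0 else "July-Dec. ") + year)
    return labels


def three_year_plan(units):
    """Spread each unit's audits evenly over the six half-year periods.

    Start periods are staggered by unit number so the workload is not
    bunched into the first period. Returns (schedule, hours_per_period):
    schedule maps unit number -> list of period indexes 0..5; the hours
    list is the estimated audit hours falling in each period, which is
    the input to the staffing calculation.
    """
    schedule = {}
    hours = [0] * PERIODS_PER_CYCLE
    for unit in units:
        count = audits_per_cycle(risk_profile(unit.scores))
        step = PERIODS_PER_CYCLE // count
        start = (unit.number - 1) % step
        periods = [start + i * step for i in range(count)]
        schedule[unit.number] = periods
        for p in periods:
            hours[p] += unit.hours
    return schedule, hours


# Constructed sample units (not from the manual; XYZ Company is the
# manual's own illustration of an auditable unit).
SAMPLE_UNITS = [
    AuditUnit(1, "XYZ Company sales cycle",
              {"Materiality": 5, "Results of Prior Audits": 1,
               "Management Control Concern": 3}, hours=400),
    AuditUnit(2, "XYZ Company accounts receivable",
              {"Materiality": 5, "Results of Prior Audits": 5,
               "Management Control Concern": 5}, hours=240),
    AuditUnit(3, "Regional warehouse",
              {"Materiality": 1, "Results of Prior Audits": 2,
               "Management Control Concern": 1}, hours=80),
]

if __name__ == "__main__":
    for unit in rank_units(SAMPLE_UNITS):
        profile = risk_profile(unit.scores)
        print(f"{unit.number:>2} {unit.name:<34} profile {profile:>2} "
              f"audits/cycle {audits_per_cycle(profile)}")
    schedule, hours = three_year_plan(SAMPLE_UNITS)
    for label, h in zip(period_labels(), hours):
        print(f"{label:<20} {h:>5} estimated audit hours")
```

Run stand-alone, the script prints the ranked units and the hours falling in each half-year period; those per-period totals are the figures that the annual budget and the staffing calculation consume. The validation in risk_profile is deliberate: a risk factor left unscored on the plan form should surface as an error in the planning exercise rather than as a unit that quietly drops out of the rotation.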

c. Annual Budget and Plan


The company utilizes many budgets to operate its various companies, divisions, and so on. Local budgets consolidate into corporate budgets, production forecasts, capital appropriations budgets, and many other budgets. Auditing, along with all other departments within the company, must comply with these accounting practices. Departmental budgets and plans are the direct responsibility of the Director of Auditing. Departmental budgets and plans include the annual departmental budget, the three-year audit plan, annual audit plan, and monthly staff assignments. Each kind of plan is discussed in more detail in subsequent sections.

i. Annual Department Budget

The Audit Committee requests the annual departmental budget each fiscal year. The Director of Auditing must present the departmental budget as a corporate cost center to the Chief Financial Officer (CFO) and the corporate budget department after the Audit Committee has approved it. The annual departmental budget covers all facets of the department's expenditures for the following calendar year. This budget includes the number of personnel, salaries, salary raises, supplies, conferences, travel, employment fees, benefits, and several other expenses. Once the budget is developed and approved, it becomes difficult to substantially change the direction of the department when additional costs will be incurred. However, if circumstances warrant a scope change, discussions with the audit committee should be scheduled.

ii. Annual Audit Plan

An annual audit plan is primarily developed from the three-year plan and becomes a determinant in preparing the department budget. The annual audit plan is principally a summary of the next two applicable six-month periods of the three-year plan. The annual plan is used to support the manpower and travel expense estimates used in the annual budget.

d. Six-Month Audit Plan


Most audit departments prepare an annual audit plan. Our example is broken down into six-month modules to provide for synchronization with external auditors (if applicable). Most external auditors plan for the next annual audit in the spring (assuming a calendar year end). This plan may inhibit coordination if the internal audit plan is fixed for the calendar year. Therefore, the internal audit plan is projected for the year, but fixed in six-month modules to provide for some flexibility in the second half of the year. This flexibility is also desirable in order to be able to plan audits consistent with changes in the company's direction.

e. Three-Month Audit Schedule


The six-month plan is used to develop the department schedule for the next three months. The schedules are required to be in place at the beginning of each three-month period. Nevertheless, it is desirable that they be prepared at least 15 days before the beginning of the period.

f. Two-Month Staff Schedule


For the purpose of providing as much advance notice of pending audits as possible, a Corporate Audit Staff Schedule form is completed two months in advance for distribution. The form is designed by listing staff along the left side of the form and days of the month across the top. Assignments are written for each staff member across this matrix. The schedule allows the staff to plan the beginning of audits and project travel assignments for personnel purposes. Although the best intentions and forethought go into developing the Corporate Audit staff schedule, not all circumstances can be anticipated. Auditees may require or request different time periods for their audit than those scheduled. Management may request an audit not previously scheduled or change the timing of others. This means that auditors must remain flexible. When scheduling changes affect your plans, it may be possible to make other arrangements. Contact the Internal Audit Manager to see what can be worked out.

[1] September 2000 issue, "Best Practices for Audit Efficiency." Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.2 REV NO: DATE: TITLE: Internal Controls PAGES:

6.2 Internal Controls


Evaluating internal controls is such a significant part of Audit Planning that a separate chapter has been devoted to the subject. Chapter 3 provides more information that is relevant to audit planning.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.3 REV NO: DATE: TITLE: Materiality PAGES:

6.3 Materiality
A significant function of auditing is to express an opinion regarding the fair representation of financial statements and the adequacy of the system of internal controls or other audited areas. In forming this opinion, judgment must be exercised involving the materiality of exceptions to mathematical accuracy, auditing procedures, compliance with Generally Accepted Accounting Principles (GAAP), and consistency in the application of those principles.

In their pronouncements, the American Institute of Certified Public Accountants (AICPA), the Securities and Exchange Commission (SEC), and the Financial Accounting Standards Board (FASB) stress materiality. Bulletins of committees of the AICPA relating to accounting and auditing procedure remind readers that they apply only to "items material and significant in the relative circumstances" and that "items of little or no consequence may be dealt with as expediency may suggest." Regulations of the SEC require that the accountant express an opinion as to "any material differences between the accounting principles and practices reflected in the financial statements and those reflected in the accounts."

How is the auditor to determine what is material, significant, or of consequence? The courts and the SEC have furnished a few guidelines, including:

A. Where a misrepresentation would be likely to affect the conduct of a reasonable man with reference to a transaction with another person, the misrepresentation is material (Restatement of the Law of Contracts).

B. A material fact . . . (is) a fact which if it had been correctly stated or disclosed would have deterred or tended to deter the average prudent investor from purchasing the securities in question (Securities and Exchange Commission. In Matter of Howard et al., 1 SEC 6).

C. The term "material," when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters as to which an average prudent investor ought reasonably to be informed before purchasing the security registered (Securities and Exchange Commission. Regulation C, Rule 405, of Securities Act Regulations).

D. The U.S. Supreme Court held that a fact is material if there is "a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available" (Basic, Inc. v. Levinson, 485 U.S. 224, 1988).

The FASB defined "materiality" in Financial Accounting Concepts Statement No. 2, Qualitative Characteristics of Accounting Information: "The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement." As a response to some concerns raised by Chairman Levitt, the SEC issued Staff Accounting Bulletin (SAB) No. 99 in August 1999. The Bulletin contends that FASB's definition is similar to the interpretation of materiality upheld by the courts under federal securities laws. [2]

From these definitions, we may conclude that materiality depends on surrounding circumstances, the setting in which the item appears, and the setting in which it will be used. If the probable effects of the item, whether through omission or commission, would be to give rise to misleading inferences by the person or class of persons whom it will logically reach, it is material, significant, consequential, and important. For this purpose, these four words are practically synonymous, although some make a distinction between material and significant, attaching material primarily to a dollar amount. Clearly, there are degrees of materiality and, as a consequence, there will be borderline cases. These will require all the good judgment that the auditor can summon. Standards that would guide an auditor in determining whether or not a deviation would require correction, disclosure, or qualification of an opinion would be of immense help to auditors. Research shows that the assessment of materiality differs among individual accountants and among public accounting firms and that it varies with the size and geographical location of the practice. In arriving at these decisions, the auditor should keep these matters in mind:

Relative size of the item. Failure to disclose a liability of $5,000 in the balance sheet of an enterprise with net assets of $40,000 would result in a material misstatement. In a balance sheet showing net assets of $3 million, it would ordinarily not be material.

Absolute size of the item. In spite of the importance of relativity, size alone may be important. Many accountants would consider a large amount important, even though it is only 3 to 4% of net assets, or 3 to 4% of net income before taxes.

The nature of disclosure. The fact that a company has pledged its accounts receivable as security for a loan is significant because it discloses that the company is using a comparatively expensive form of financing and is therefore a material fact, even though the amount may not be material in relation to the working capital.

Use to be made of the report. If it is known that the report will be used for the sale of stock or for obtaining long- or short-term credit, the effect the item might have on purchasers or long- or short-term creditors would be considered.

Evidence of a desire to mislead. The existence of an incentive for error would be considered. An accidental error would have less significance than a deliberate departure from accepted procedure.

Favorable or unfavorable effect of adjustment or disclosure. Unfavorable ones are usually given more weight.

Stability of income. If net pre-tax income fluctuates widely, unusual items are more important.

Effect on future earnings. Items whose effect will continue into the future are more important than those with only current significance.

Materiality may determine not only the need for exception or disclosure but also the extent of the audit work necessary to sustain an informed opinion. Inventories of a manufacturing company are of greater relative importance than those of a personal service organization, not only in size and amount but also because of the greater number of ways in which they may be improperly handled, both physically and in the records. Where accounts receivable consist of relatively few, but large, balances, the percentage of accounts confirmed should normally be much higher than if they comprise a large number of small balances, even though the total may be the same.

In summary, sound judgment is required in determining what is or is not material. No definition of materiality need deter you from recommending adjustments of errors or omissions on the books or financial statements. Auditees, as mentioned earlier, generally wish to have errors or deficiencies corrected.

[2] C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41-43.

SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 6.4 REV NO: DATE: TITLE: Types of Audits PAGES:

6.4 Types of Audits


The following descriptions are of the audit types performed by the Internal Audit Department. The majority of audits performed by the department are financial, operational (managerial), and information systems. (For a discussion of control self assessment (CSA) or self audits, see Section 4.1(e).) The type of audit performed on a particular auditable unit can be any combination of the types described below. The type of audit to be performed is determined in the initial planning process.

a. High-Level Review of Procedures


A high-level review is a special type of review that measures general compliance with key corporate policies and with sound business practices. The objectives of this review are to provide the auditor with an understanding of an operation and to determine the nature of detailed testing that may be needed in certain areas. Procedures for this review follow the general guidelines for external auditors, as specified in Statement on Auditing Standards (SAS) No. 36: Review of Interim Financial Information. These procedures consist primarily of inquiries and analytical review concerning significant accounting matters related to the financial information being reviewed. Additionally, the internal auditor should obtain an understanding of the entity's systems of accounting and internal controls. Our high-level review includes other tests outlined in greater detail than in SAS No. 36. Compliance and some substantive tests are to be performed over certain areas of an entity, including cash, accounts receivable, credit, travel and expense, brand sales, product costing, marketing variable, fixed assets, debts, and inventory.

b. Financial Audit
A financial audit is a study of the current financial position of an operation to evaluate the fair presentation of the financial position as reported on the balance sheet, income statement, and the statement of cash flows. Full financial audits of significant company operations and subsidiaries are typically performed by external, independent auditors. In some cases, however, full financial audits may be performed by Sam Pole's internal auditors. The primary reason for a financial audit is to assure parties relying on financial statements that the data are presented fairly in accordance with GAAP. A financial audit would be appropriate before tax reporting, expansion ventures, mergers, acquisitions, disposal, economy fluctuations, and periodic presentations of financial position.

The approach to a financial audit is governed by the purpose of the audit. If current liquidity were of prime importance, collectibility of trade receivables, short-term investments, turnover of inventory, and liquidation of accounts payable would be considered. If expansion or acquisition were of prime importance, both long- and short-term debt would be considered. If economic fluctuations called for retrenchment, then purchasing practices, inventory stockpiling, overhead reductions, and other operating costs would be considered. Regardless of the purpose of the audit, financial controls would always be of prime consideration in evaluating audit risk. In all financial audits, the general ledger, general and specific journals, voucher registers, bank reconciliations, and account analyses would be reviewed. These records would tell the auditor where the operation's assets were utilized and why. Depending on the purpose of the audit, a review of the following reports would be considered:

- Accounts Receivable Aging
- Accounts Payable Aging
- Inventory Aging
- Discount Income versus Discount Expense
- Physical Inventory Reconciliations
- Inventory/Receivable Turnover Ratios
- Variance Analyses
- Standard Cost Revisions
- Transportation Costs
- Capital Expenditures versus Return on Investment
- Purchasing Cost Savings

These records and reports would tell the auditor where the operation was, where it is, and how it got there. They would highlight efficiencies and inefficiencies in vital areas such as credit and collections, inventory control, production scheduling, capital investments, and purchasing coordination. Given all the above factors, the audit plan would then be devised, giving consideration to:

- Objective of the audit
- Time requirements
- Staff requirements
- Starting and concluding dates
- Auditor assignments

c. Operational/Managerial Audit
An operational audit can be defined as an extension of a financial audit. A financial audit tells where the entity was and where it is; an operational audit tends to answer the questions of why the entity is where it is and how it got there. In this sense, the operational audit falls into the category of a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling. The operational audit can be broken down further as a functional review; for example, Purchasing as a department versus the overall Procurement operation in coordination with production scheduling and market forecasting. There are several reasons for performing an operational audit: compliance with policies and procedures, excessive customer returns, equipment downtime, adverse variances, proposed product changes, theft, or personnel turnover. The timing of an operational audit is determined by the reason for the audit and the areas to be audited. To formulate the approach to an operational audit, an auditor must first establish the scope. This step determines the extent of the audit. The next step is to become familiar with the auditee's operation, its purpose in the total structure of the entity, its history, its staff, and its reporting path. The reporting path is of prime importance because this path is the communication route along which audit results and conclusions will flow. The auditor should advise the location's management in advance of a planned visit so that suitable working and living accommodations may be arranged. The prime records to be obtained in an operational audit are the organizational chart of the function/operation, applicable policy guides, and procedures directives. These will outline each employee's responsibility and authority. The function's/operation's performance reports for at least one year prior to the audit should be reviewed to determine trends that have developed over the past year.

These records and reports could indicate such trouble areas as inadequate segregation of duties, imbalance in the reporting path, over- or under-staffing, noncompliance with corporate policies and procedures, weaknesses in internal controls, or inadequate job rotation. These indications could aid the auditor in determining priorities as to depth of investigation and areas of potential improvement. Reports must be informative and timely, and directed to the proper levels of management.

d. Compliance Audit
A compliance audit involves two different, though closely related, types of issues:

1. The nature and scope of the transaction against which the compliance is to be ascertained
2. The degree to which it is practicable, or even desirable, to determine the compliance

Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course that is monitored by various checkpoints to reach a desired conclusion. Reasons for a compliance audit can vary with the size and complexity of the organization, type of product, market involvement, quantity and locations of sites, or levels of standardization. A compliance audit may be performed due to a recent history of excess customer returns, unusual buildup of inventory, increase in scrap, increase in bad debt write-offs, proposed realignment of responsibilities, manpower turnover, or a routine review of procedures.

e. Contract Audit
A contract audit is defined as the review and evaluation of a contract (terms, conditions, etc.) and its related financial transactions. The terms construction and contracts are sometimes used interchangeably in the audit profession because a construction project requires a contract. Contracts, however, cover a wide range of areas such as repairs, maintenance, rentals, and consulting. Contract audit objectives are segregated into:

Corporate Audit Objectives:
- Assess the adequacy of internal accounting control systems and operating procedures.
- Monitor compliance with corporate policies and procedures, contractual provisions, budgetary guidelines, and operating safeguards and controls.
- Highlight problem/opportunity areas and make appropriate recommendations to management for the development of new operating and control procedures.

Contract Audit Objectives:
- The contract specifically includes a right-to-audit clause.
- Controls exist to assure that construction or other costs billed by the contractor are in accordance with the terms of the contract.
- Contractor controls and procedures are adequate to assure that the billed costs are proper and reasonable.
- Controls exist to assure that other charges to the project are proper and reasonable.

Contract audits are appropriate on a continuing basis when:
- Contracts are issued for significant amounts.
- Actual expenditures exceed budget.
- Control weaknesses are noted during a financial audit.
- A unit experiences management turnover.
- Integrity of personnel is questioned.
- A request is received from management (corporate or unit).

The approach to a contract audit includes the following steps:

1. Review the contract to determine that it is in accordance with established company policies (e.g., competitive bidding).
2. Document and evaluate the system of internal control.
3. Review pertinent data (project expenditures) to determine test criteria.
4. Perform a review to ascertain that all expenditures included in the test are accurate, properly supported, and in agreement with the terms and conditions of the contract.
5. If considered necessary, visit the contractor's office and review records to determine that charges to the company are proper.

Ongoing contract audits require the preparation of periodic interim reports to management advising of situations encountered so that prompt corrective action can be taken. A formal report is also required on completion of an assignment, and status reports to audit management should also be issued from time to time.

f. Desk Review
In a desk review, the internal auditor will obtain a package of financial and other documentary information from the auditee and perform limited procedures. In most cases, all procedures will be performed from corporate offices and not at the auditee location.

Several benefits result from frequent desk reviews. First, the internal auditor can determine whether the auditee is currently in compliance with previous recommendations. Second, internal auditors can expand the coverage of their audits to nearly the entire organization without making trips to every location. A related benefit is reduced travel time and travel expense. Finally, the desk review is ideal for training new internal auditors, allowing them to gain an understanding of an entity's operations prior to doing a field audit. A desk review can be combined with a control self-assessment review; see Section 4.1(e).

g. Follow-Up Audits


Follow-up audits are performed 6 to 12 months after a major audit has been completed, to ensure that previously accepted audit recommendations have been effectively implemented. These audits are typically performed if the audit identified significant conditions.

h. Information Systems Audits [3]


Information systems (IS), or electronic data processing (EDP), audits are the examination of significant aspects of the IS environment. The company may have several different IS environments, such as: mainframe, minicomputer, microcomputer (PCs), local area networks (LANs), wide area networks (WANs), electronic data interchange (EDI), and Internet hosts (servers, electronic commerce). The nature of business systems changed dramatically in the 1990s. More and more businesses went to real-time, online systems. The Internet expanded into the World Wide Web (WWW, web), where a geometric growth of purely digital business transactions has occurred (i.e., electronic commerce). In general, more accounting functions are computerized and more business transactions are now entirely in digital form. Therefore, IS audits are becoming increasingly important for data integrity, system availability, and security. For those businesses that have some or all of their business transactions embedded within IS, the availability of the system has become critical to the success of the firm. Even for external audits, the "white box" technique [4] of financial auditing is becoming more necessary and will become more and more common.

The internal auditor should have identified audit units for each of the IS environments above that apply to the firm. The COSO model is an excellent way of identifying such units. Using both COSO and other sources, the following is a list of major audit units to be considered for each environment, although it is not comprehensive:

System Control Activities: General Controls Review. Review of general control units such as organizational structure, policies, and controls related to all information systems or technologies. This review could be done in conjunction with other audits (i.e., an integrated approach). An examination of general controls might include units such as:
- Access security (e.g., Top Secret, RACF, ACF2)
- System availability/continuity of operations
- Documentation standards
- Program development and change control (e.g., program change control with Panvalet)
- Disaster recovery/business recovery

System Control Activities: Application Controls Review. Application controls are embedded in the application code. Ideally, internal auditors (such as CIAs or Certified Information Systems Auditors, CISAs) provided guidance in developing the controls as each application was being built. Basically, auditors will examine the software controls for processing applications such as:
- Revenue cycle programs (e.g., accounts receivable, sales)
- Expenditure cycle programs (e.g., accounts payable, purchases)
- Payroll cycle programs
- Inventory cycle programs
- General ledger
- All other financial applications

Physical Control Activities. An examination of various physical controls, including:
- Transaction authorization
- Segregation of duties
- Compensating controls (often necessary in IS environments)
- Accounting records (especially audit trails)
- Independent verification (management's assessment of individuals, of the integrity of the Accounting Information System (AIS), and of the integrity of the data in the records)

Detailed Examination of Operating System. An audit specific to the operating system in use: MVS, AS/400, Unix, Linux, Novell, Windows, etc. The audit should verify that the operating system meets at least these objectives:
- It protects itself from users.
- It protects users from each other.
- It protects users from themselves.
- It is protected from itself.
- It is protected from its environment.

i. General Controls: Disaster Recovery Review

A Disaster Recovery Plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. [5] The DRP starts with a written plan that identifies the procedures for restoring operations, built from the DRP elements listed below. The procedures should rank critical applications for the restoration process so as to minimize the loss of critical transactions during the downtime. The plan also identifies the DRP team. Every organization needs an appropriate DRP. A review of the DRP includes at least the following items:

- Backup Site. An offsite facility equipped to restore operations (e.g., a hot site such as a recovery operations center; a cold site, with backup equipment obtained separately; or a mutual-aid pact).
- Backup Data. An offsite receptacle for archived data, stored frequently and in a timely manner (e.g., online data vaulting, or data sets such as tapes and disk packs stored in a fireproof vault). This process should have been tested for reliability.
- Backup Software. Backup copies of all relevant software and applications. These should be stored offsite, at the backup site or with the data backup.
- Backup Resources. Items such as paper supplies (e.g., continuous forms for printing invoices or checks) and other supplies necessary for systems to function. These items should be stored at or near the backup site.
- Backup Documentation. Any manuals or documentation that are necessary for operations. Again, stored at or near the backup site.
- Backup Team. The identification of the DRP team, with the responsibilities of each member described in the written DRP. All of the DRP recovery processes should be made the responsibility of various team members, with overlap or backups for personnel in case of the greatest tragedy, the death of a DRP team member.
- Critical Applications. A ranking of all applications to be restored. The ranking provides a way to prioritize DRP recovery processes.
- Tested. Has the plan been tested in a realistic manner?

ii. Applications Controls Review: Further Guidance

Application controls can be tested and examined using the system model: input controls, processing controls, and output controls.

A. Input Controls. Input controls focus on maintaining the integrity of data entry and on assertions such as completeness and existence (occurrence). They are designed to ensure that the transactions that bring data into the system are valid, accurate, and complete. Data input procedures can be either source-document-triggered (batch) or direct input (real-time). Source document input requires human involvement and is prone to clerical errors. Direct input employs real-time editing techniques to identify and correct errors immediately. The following is a list of some input control areas for which to plan and investigate:
- Source document controls
- Data coding controls
- Batch controls (where applicable)
- Validation controls (e.g., field characteristics)
- Input error correction controls

B. Processing Controls. Processing controls are the most important and most difficult because they involve the computer processing steps inside the system. Applications and systems need expert design features to have adequate processing controls, which can be provided by CIAs, CISAs, or other qualified auditors. The following is a list of some processing control areas for which to plan and investigate:
- Run-to-run controls (during posting, etc.)
- Operator intervention controls (i.e., minimize human intervention, and build audit trails when it does occur)
- Audit trail controls (building an adequate digital audit trail of internal processing activities)
- Logic testing (formulas, etc.)

The last area is the real key to most systems and is extremely valuable for reviews of new or significantly revised applications. In order to conduct a white-box IS audit, an in-depth understanding of the internal logic of the application being tested is imperative. There are several techniques for testing logic directly.

14

Chapter 6: Audit Planning

These approaches use small numbers of specially and expertly crafted test transactions used to verify aspects of the application's logic and controls. With known variables and calculated results, auditors can then conduct precise tests, obtain computerized results, and compare them against the objective set. The following list is indicative of the types of tests that could be run to test application logic: Authenticity Tests. Verify that an individual, a programmed procedure, or a message attempting to access a system is authentic. Accuracy Tests. Ensure that the system processes only data values that conform to specified tolerances. Completeness Tests. Identify missing data within a single record and entire records missing from a batch or file. Redundancy Tests. Determine that an application processes each record only once. Access Tests. Ensure that the application prevents authorized users from unauthorized access to data. Audit Trail Tests. Ensure that the application creates an adequate audit trail. This test should verify that the system produces complete transaction listings, and generates error files and reports for all exceptions. Rounding Error Tests. Verify the correctness of rounding procedures. Failure to properly account for this rounding difference can result in an imbalance between the total (control) interest amount and the sum of the individual interest calculations for each account. Rounding problems are particularly susceptible to so-called salami slicing, a criminal technique that tends to affect a large number of victims, but the harm to each is immaterial. Each victim only sees one of the small pieces and is usually unaware of being defrauded. Operating system audit trails and audit software (i.e., GAS) can detect excessive or unusual file activity. 
In the case of the salami fraud, there would be thousands of entries into the computer criminal's personal account that may be detected using generalized audit software (GAS) or computer-aided auditing tools (CAATs). C. Output Controls. Lastly, internal auditors should plan for an examination of output controls. Output controls are intended to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. The type of processing method in use influences the choice of controls employed to protect system output. Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems. These controls are much easier to audit than processing or input controls. The following is a list of some output control areas for which to plan and investigate: Batch systems output controls Output spooling controls (print spooler) Print program controls Bursting controls (if applicable) Waste controls Data control group control Report distribution controls End user controls Real-time systems output controls Another key element to IS audits is the use of computer-assisted audit tools and techniques (CAATTs). The internal auditor should make an assessment of applicable tools and techniques for the specific unit and audit objectives. The following is a list of possible tools and techniques, but is not fully inclusive: Generalized audit software (GAS) Embedded audit modules (EAM) Generalized data input systems (GDIS)
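The logic tests listed above are normally run with GAS or a CAAT against the application's own output file. What follows is an added example, written for this edition of the page and not taken from the manual or from Hall's text: the auditor's independent recomputation of an interest-posting batch, with the completeness, redundancy, control-total and rounding-error tests run over two constructed batches. Every account number, amount and record layout below is invented for the illustration. It shows why the rounding-error test has to be run per account rather than on totals alone: in the salami batch the posted total reconciles to the control total to the cent, while two customer accounts are each a cent short and an account that does not appear in the interest file has collected the difference.

```python
"""Application-logic tests of the kind run with generalized audit software.

Added example, not code from the manual. All data below is constructed.
"""
from collections import Counter, defaultdict
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, NamedTuple, Tuple

CENT = Decimal("0.01")


class Posting(NamedTuple):
    seq: int          # sequence number the application assigns within the batch
    account: str      # account credited
    amount: Decimal   # amount actually posted


# Auditor's independent recomputation of the interest due, exact to six
# decimals (constructed figures). A correct application rounds each figure
# half-up to the cent before posting.
EXACT_INTEREST: Dict[str, Decimal] = {
    "ACCT-1001": Decimal("2.876712"),
    "ACCT-1002": Decimal("5.128767"),
    "ACCT-1003": Decimal("0.994520"),
    "ACCT-1004": Decimal("3.423287"),
}

# Constructed batch 1, a salami scheme: each customer gets the interest
# truncated instead of rounded, and the whole cents of the shaved fractions
# are credited to ACCT-9999, an account absent from the interest file.
# The batch total still agrees with the control total to the cent.
SWEEP_BATCH: List[Posting] = [
    Posting(1, "ACCT-1001", Decimal("2.87")),
    Posting(2, "ACCT-1002", Decimal("5.12")),
    Posting(3, "ACCT-1003", Decimal("0.99")),
    Posting(4, "ACCT-1004", Decimal("3.42")),
    Posting(5, "ACCT-9999", Decimal("0.02")),
]

# Constructed batch 2, an honest run in which record 3 was processed twice
# and record 4 was dropped.
RERUN_BATCH: List[Posting] = [
    Posting(1, "ACCT-1001", Decimal("2.88")),
    Posting(2, "ACCT-1002", Decimal("5.13")),
    Posting(3, "ACCT-1003", Decimal("0.99")),
    Posting(3, "ACCT-1003", Decimal("0.99")),
    Posting(5, "ACCT-1004", Decimal("3.42")),
]


def expected_postings(exact: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """What a correct application posts: each exact figure rounded half-up to the cent."""
    return {a: v.quantize(CENT, rounding=ROUND_HALF_UP) for a, v in exact.items()}


def completeness_test(batch: List[Posting]) -> List[int]:
    """Sequence numbers missing between the first and last record of the batch."""
    seen = {p.seq for p in batch}
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def redundancy_test(batch: List[Posting]) -> List[Posting]:
    """Records that occur more than once, i.e. were processed twice."""
    counts = Counter(batch)
    return sorted({p for p in batch if counts[p] > 1})


def control_total_test(batch: List[Posting], exact: Dict[str, Decimal]) -> Decimal:
    """Batch-level test: total posted minus the control total (exact interest
    summed first, rounded once). Non-zero means out of balance; zero does NOT
    prove that every individual posting is right."""
    control = sum(exact.values(), Decimal(0)).quantize(CENT, rounding=ROUND_HALF_UP)
    return sum((p.amount for p in batch), Decimal(0)) - control


def rounding_error_test(batch: List[Posting],
                        exact: Dict[str, Decimal]) -> Dict[str, Tuple[Decimal, Decimal]]:
    """Per-account test: (expected, posted) for every account in the interest
    file whose posted total differs from the auditor's rounded recomputation."""
    posted = defaultdict(lambda: Decimal(0))
    for p in batch:
        posted[p.account] += p.amount
    expected = expected_postings(exact)
    return {a: (expected[a], posted[a]) for a in expected if posted[a] != expected[a]}


def sweep_account_test(batch: List[Posting], exact: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """Accounts credited in the batch that are not in the interest file at all;
    in a salami scheme this is where the shaved fractions end up."""
    posted = defaultdict(lambda: Decimal(0))
    for p in batch:
        if p.account not in exact:
            posted[p.account] += p.amount
    return dict(posted)


if __name__ == "__main__":
    for name, batch in (("sweep", SWEEP_BATCH), ("rerun", RERUN_BATCH)):
        print(name)
        print("  missing sequence numbers:", completeness_test(batch))
        print("  duplicate records       :", redundancy_test(batch))
        print("  out of balance by       :", control_total_test(batch, EXACT_INTEREST))
        print("  per-account differences :", rounding_error_test(batch, EXACT_INTEREST))
        print("  accounts not on file    :", sweep_account_test(batch, EXACT_INTEREST))
```

The control-total test is the one most applications already perform, and the sweep batch passes it; only the per-account recomputation and the check for accounts outside the interest file surface the scheme. In a real engagement the exact figures would come from the auditor's own recalculation from the master file (balances, rates, day counts), not from the application under test.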


i. E-Commerce Audits
Electronic commerce (e-commerce) has some special considerations beyond those identified in the IS audits section, because the IS audit is typically conducted on the "back office" system while e-commerce is the "front end" system. The audit of e-commerce will focus on controls, access, security, and availability. The higher risks in e-commerce at present are viruses, hackers and crackers, and activities intended to crash the system. Some CAATs give auditors the ability to probe for weaknesses, to play devil's advocate against their own systems (e.g., SAINT). These tools are extremely beneficial in doing e-commerce audits. A review should include the following applicable units or areas, although this list is not exhaustive:

- Unauthorized access [6]
- Firewalls [7]
- Intrusion detection
- Data encryption [8]
- Transaction and access logs
- Challenge-response activities
- Authentication methods [9]
- E-commerce protocols [10]
- Non-repudiation controls
- System availability, fail-safe controls
- Anti-virus protection

j. International Audits
An international audit is a full-scope audit of a particular division or subsidiary. These are performed on a regular basis or on request. The scope of this type of audit includes a financial section, an operational section, an IS section, and a section addressing the unique characteristics of the location's customs and duties and governmental affairs. Depending on staff levels, distance and capabilities, international audits may be a good candidate for outsourcing.

[3] See Section 3.6 for more on IS audits. Some of the material in this section is from the following book: James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.

[4] This term refers to the approach where the auditor audits through the computer system rather than around it (the "black box" approach).

[5] James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.

[6] More than passwords, because secured access for e-commerce is usually multi-faceted. For example, a firewall, an intrusion detection system, and passwords combined for access control(s).

[7] Overlaps with unauthorized access and system availability.

[8] Online and offline: almost all credit card theft over the Internet has been from files on the system, not from stealing the numbers during transactions.

[9] Digital signatures, digital certificates, call-back modems, multi-faceted access methods (e.g., a password and a PIN generated via pager; an access ID and password, and another ID and password for access to applications or data).

[10] For example, SSL, SET, S-HTTP.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 6.5 REV NO: DATE: TITLE: Time Reporting PAGES:

6.5 Time Reporting


Planning and budgeting are important procedures that should be performed as integral elements of every audit. Time records aid these functions because they provide cumulative data regarding the actual time spent accomplishing specific assignments on previous or similar engagements. As a result, the senior auditor can use these data, along with an evaluation of the procedures to be performed and the capabilities of the applicable personnel, to better estimate (budget) the time required for the current audit. Other benefits of time reporting are:

- Providing the quantitative support necessary at the staff level. Accurate budgeting of all audit activities throughout the year will summarize into a viable total from which to determine the number of auditors required.
- Adding to job control. Prompt time reporting enables the in-charge manager to analyze effectively how much time has been spent, how matters stand against the budget, and how much further time is required for completion.
- Supporting productivity. Time reporting provides the ability to monitor actual time spent on audits versus administrative and other lost productive time.

The following discussion is an explanation of a basic time reporting form as well as a listing of basic reports. Each audit assignment should be given a number indicating the year and the audit number, beginning with 001, followed by 002, etc. Task and audit type codes should be added as described below.

a. Form: Corporate Audit Time Report


A form is to be completed semimonthly and approved by the senior, supervising senior, or manager. A sample of this form is provided at the end of this section (Exhibit 6.4). To use the Corporate Audit Time Summary:

1. Complete the form in detail. Be neat.
2. Account for eight hours per day and 40 hours per week.
3. Corporate Audit time reports are due semimonthly.
4. Record time accurately to within a half hour.

b. Report for the Period Ending


The form is designed to be used for either the first through the fifteenth, or the sixteenth through the thirty-first of the month.

c. Auditor's Name/Employee Number


The auditor to whom the time report pertains should sign the time report. Each auditor should have been assigned an employee number for time reporting purposes.

d. Job Number
Each assignment will have a specific job number. Job numbers assist in the identification and accumulation of time reported by several individuals on various jobs. If you are asked to perform a task, obtain the appropriate job number from your supervisor or get the number from the planning memo in the administrative binder for that job.

e. Audit Codes
Audit codes relate to the type of audit. A listing of these and task codes follows. (See Exhibit 6.3.)

Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes

Audit Type Codes
01 High-Level Review
02 Financial Audit
03 Operational Audit
04 IS Audit
05 Contract Audit
06 Other Audit
99 Nonaudit

Task Type Codes
01 Planning/Planning Memo
02 Audit Program/ICEG Development
03 Technical Research
04 Supervision
05 Review Workpapers
06 Write Reports/Memos
07 General
08 Cash
09 A/R Confirmation
10 Inventories/Physical Observation
11 Supplies Inventory
12 Inventories - G/L
13 Other Assets
14 Liabilities
15 Revenue/Expense
16 Payroll
17 Revenue System - Cycle
18 Expenditures System - Cycle
19 Payroll System - Cycle
20 Production System - Cycle
21 Auditee Conferences
22 Permanent Files
23 System Files
24 Travel - Work Time
25 Travel - Other
30 Data Center Review
31 Applications Review
32 Production/Maintenance
33 Computer Program Changes
34 Conversions
35 IS Operating System
40 Pre-implementation System Review
41 Post-implementation System Review
42 Systems - Operational
50 Contract Review
51 Contract Procedures/Controls
52 Contract Billing
53 Investigation
54 Benefit Plans
55 Projects [a]
60 Quality Control
61 Performance Evaluation
62 Orientation
63 Scheduling
64 Interviewing/Recruiting
65 Education and Training Administration
66 Administrative - Other [a]
70 Staff Training - Internal
71 Conferences/Seminars
72 Education Course - CPE
73 Professional Organization
74 Self Study
75 Time Report Input
80 Sick
81 Personal
82 Vacation
83 Holiday
84 Compensation
90 Administrative - Department [a]
91 Peer Review
92 Status Reports
99 Other

[a] Details to be listed on back of time report.

Chapter 6: Audit Planning

f. Task Codes
Task codes should be used to detail the specific work performed. A listing of these codes follows. (See Exhibit 6.3.) Consult your supervisor or the job budget in the planning memo for the proper task code.

g. Hours
Only total hours for the semimonthly period need to be recorded in the "hours" column. The daily hours are accumulated on the right side of the sheet. Hours should be reported to the half hour.

h. Productive Time
Record all time applicable to the job. This includes time spent working at the job site, in the office at night, in the motel, or at home. Think of reporting time as though you were going to bill it to the auditee. Remember, future budgets will be understated if actual time spent on an audit is not recorded and remains hidden. Record travel as work time only between the normal work hours of 8:00 A.M. and 5:00 P.M., or the normal hours applicable to your organization. This travel time should be charged to the normal job number, audit code, and task 24.

i. Nonproductive Time
Record travel time outside the normal working hours of 8:00 A.M. to 5:00 P.M., Monday through Friday, or after a 40-hour week of flexible hours has been worked, as nonproductive. For example, assume you left the job at 4:00 P.M. after spending seven hours on the audit at the job site. One hour of travel should be recorded as productive time, and the remainder of the time spent traveling should be recorded as nonproductive. Travel time is defined as the time required to commute to the airport, from departure airport to destination airport, and the commute from destination airport to office, home, or motel. If you are traveling by automobile, it is the time from when you leave the home, office, job site, etc., until you arrive at your destination. Travel during non-work hours should be charged to the job number, audit code 99, and task 25. Other nonproductive time, including vacation, holidays, sick leave, personal leave, training, and seminars, has specific task codes that are self-explanatory. Time charged to the administrative category must be explained on the back of the time report to avoid making it a catch-all task code. All nonproductive charges go to job number 000, audit code 99, with the appropriate task. "Administrative" is defined as work that is beneficial to all jobs, not just one. If an auditor is writing the report for job number 01-010 in the office, that time is chargeable to job number 01-010. But if the same person were writing a policy statement that applies to office procedure and would affect the conduct of all jobs, then the hours would be charged to administrative. One would normally expect very little staff time charged to the administrative category. As a general rule, all staff time should be charged to a job. However, time spent filling out time reports, expense reports, etc., should be considered administrative.


j. Summarizing Time
Each individual's time is entered into a time reporting application after it has been approved. Once all time sheets are input, the data is compiled into various reports by the application. The following reports should be considered:

Report 10: Listing of employee names and numbers
Report 20: Listing of job numbers and job names
Report 30: Listing of audit numbers and names
Report 40: Listing of task numbers and task names
Report 50: Semimonthly input summarized by employee number within date
Report 60: Listing of hours by job number, employee, and task
Report 70: Listing of hours by employee, by job, and by task
Report 80: Listing of hours by audit, by job, employee, and task
Report 90: Listing of total audit and non-audit hours by employee
Report 100: Listing of non-audit hours by employee, by task
Report 110: Listing of budgeted versus actual hours by job, by task
Report 120: Listing of budget to actual hours for all jobs

Exhibit 6.4: Sample Corporate Audit Time Summary Form

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 6.6 REV NO: DATE: TITLE: Expense Reporting PAGES:

6.6 Expense Reporting


All approved expense reports should be submitted to the Audit Director. A copy should be retained for the department's records. This process will provide a means for reconciling the monthly Departmental Budget Progress Reports on a timely basis and will provide auditors with a record, if necessary.


a. Travel Expenses
General guidelines for travel arrangements and travel expenses:

Airfare. Flight arrangements should be made through the travel department in accordance with corporate policy.

Lodging. Lodging arrangements are to be made through the travel department, but are first to be approved at the manager level or above.

Meals. Reasonable meal expenses will be reimbursed.

Local Transportation. The decision of whether to lease a car or use cabs is to be discussed at the manager level or above. Car rental is to be arranged through the travel department.

Telephone. Non-excessive expenses for personal calls will be reimbursed. Personal calls, however, should be limited to one per day.

Advances. Expense advances are to be obtained through the accounting department and are to be approved at the manager level or above.

Expense Report Settlements. Individual auditors are responsible for settling their own expense reports with the accounting department.

Mileage. Mileage expenses will be reimbursed at the current rate accepted by the Internal Revenue Service.

This list serves only as a general guideline, and exceptions will occur; you will be asked, however, to explain deviations. When in doubt, general company guidelines apply. Before leaving on a trip, any expected exceptions must be discussed at the manager or director level.

Endnotes

1. September 2000 issue, "Best Practices for Audit Efficiency." Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.
2. C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41-43.
3. See Section 3.6 for more on IS audits. Some of the material in this section is from the following book: James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
4. This term refers to the approach where the auditor audits through the computer system rather than around it (i.e., treating it as a black box).
5. James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
6. More than passwords, because secured access for e-commerce is usually multi-faceted. For example, a firewall, an intrusion detection system, and passwords combined for access control(s).
7. Overlaps with unauthorized access and system availability.
8. Online and offline: almost all credit card theft over the Internet has been from files on the system, not from stealing them during transactions.
9. Digital signatures, digital certificates, call-back modems, multi-faceted access methods (e.g., a password and a PIN generated via pager; an access ID and password, and another ID and password for access to applications or data).
10. For example, SSL, SET, S-HTTP.


Chapter 7: Audit Performance


Overview
SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 7.1 REV NO: DATE: TITLE: Corporate Audit Performance Process Matrix PAGES:

7.1 Corporate Audit Performance Process Matrix


This chapter presents a number of audit tasks and documents that are necessary for effective audits. They are also compatible with audit standards such as the Institute of Internal Auditors' (IIA's) Standards for the Professional Practice of Internal Auditing. [1] The audit process begins with the notification of the auditee and concludes with the performance evaluation of each staff member on the project. The corporate audit performance matrix (Exhibit 7.1) summarizes the activities contained within our sample audit process. This sample process places a heavy emphasis on organization and on implementation of all authorized department procedures. It is a structured program with a great deal of attention to planning. The importance of structuring the audit process and following documented department procedures cannot be overemphasized. It is through strict adherence to procedures, performed by competent staff, that good audit reports result.

Exhibit 7.1: Corporate Audit Performance Process Matrix

Assignment Check List
  Purpose: Establish control over audit; assign number and log it.
  Timing: Begin two weeks before audit; complete one week after report is issued.
  Contents: Calendar of audit checkpoints.
  Approval: None.

Engagement Memo (Notice to Auditee, Section 7.2)
  Purpose: Announce audit.
  Timing: Approximately four weeks before audit.
  Contents: Audit entity or location, audit objectives, audit period, start date, end date, request for response.
  Approval: None.

Planning Memo
  Purpose: Establish audit objective, scope, and approach.
  Timing: Before or at beginning of audit.
  Contents: Audit objective, audit scope, timing, budget hours detailed by area, significant audit areas/audit approach, staffing.
  Approval: Manager.

Status Memo
  Purpose: Interim field report of significant findings/problems.
  Timing: As required, based upon existing circumstances.
  Contents: Outline of significant audit developments, timing problems, need to alter objective or scope, high-level budget/actual hours comparison.
  Approval: None.

Tentative Audit Recommendations Worksheet
  Purpose: Document significant findings.
  Timing: Upon disclosure.
  Contents: Findings documentation, status and disposition.
  Approval: None.

Audit Report
  Timing: Promptly upon completion of field work.
  Contents: Identification of audit, transmittal, highlights, audited scope, auditors' conclusions, detailed comments and recommendations (for management only).
  Approval: Senior.

Audit Report Distribution Worksheet
  Purpose: Track report preparation and issuance.
  Contents: Calendar of checkpoints; distribution of copies.
  Approval: Manager.

The matrix also assigns each document an author, an addressee, and copy recipients (the entries are Senior, I.A. Manager, Auditor, Auditee, Unit Head, Unit Controller, Manager, others, and the workpapers); the column-by-column assignment is not legible in this copy.

The example included in this manual requires the audit team to formally notify the auditee and develop a detailed audit plan and budget. The purpose of the detailed plan is to ensure that the objectives of the audit are the most appropriate for the circumstances. Given the limitation of time for each audit, the scope and objectives should be seriously considered not only by field staff auditors, but also by the audit management. This process is institutionalized through the development of a proper audit planning document. The budget will help guide the staff to put their time into the proper areas. It will also assist audit management in explaining why audits have taken more or less time than originally planned. Budgets also help refine the long-term planning process and provide improved credibility for the audit function. One must always keep in mind that it is very difficult to measure audit productivity. With budgets in place, some of the management and auditee doubts are mitigated.

a. Assignment Log and Checklist


At the commencement of an audit assignment, a number is given to the audit project. The number consists of two digits for the year and a three-digit number designating the particular engagement. One of the first steps in the audit performance process is to initiate an assignment checklist (see Exhibit 7.2). The checklist is used as an overall control form and should be the first paper seen on the top of a workpaper binder set. This checklist is a guide to ensure that all critical elements of the audit performance process are completed.

Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist

Audit #01-nnn
Company: _______________________________________________
Location: ________________________________________________
Assignment: ______________________________________________
Date: __________________________________________________

                                                          Date
 1. Notice to Auditee                                     ___/___/___
 2. Planning Memo                                         ___/___/___
 3. Field Work
      Preaudit Conference                                 ___/___/___
      Begun                                               ___/___/___
      Status Memo                                         ___/___/___
      Completed                                           ___/___/___
 4. Closing Conference                                    ___/___/___
 5. Senior Finalization of workpapers                     ___/___/___
 6. Manager review (two days before outside deadlines)    ___/___/___
 7. Audit Report draft                                    ___/___/___
 8. Summary Memo                                          ___/___/___
 9. Audit Report issued                                   ___/___/___
10. Performance Evaluations
      Name                              Completed by      Date
      Supervising: ___________________  _______________   ___/___/___
      In Charge:   ___________________  _______________   ___/___/___
      Assistant:   ___________________  _______________   ___/___/___

i. Audit Performance Process Log

In order to maintain control over all audit assignments, a log is kept by the department administrator. The log consists of a column to the left indicating the year and audit number. These are followed by columns to the right indicating the status of the audit and the beginning of the report initiation and completion process.

b. Description of Notice to Auditee


As discussed under the Corporate Audit Performance Process Matrix, in our example we have opted to notify auditees in advance of audits. In general, it is more appropriate to notify the auditee that an audit will take place; notification allows for a more orderly project. In some cases, this approach is not appropriate. For instance, petty cash counts are usually performed on a surprise basis. Some audit departments do not notify auditees because the auditee may use the notice to improve or address areas that will come under audit procedures. If the notice of audit provides the impetus for the auditee department to improve, however, that result accomplishes the spirit of the audit mission. Exhibit 7.3 is a sample notice to the auditee. The manual should contain a sample so that there is consistency within the audit function and between all audits.

Exhibit 7.3: Sample Notice to Auditee

September 10, 200x

Mr. E.S. Jones
Sam Pole Company
2010 Main Street
Anytown, USA

Dear Mr. Jones:

In accordance with our audit plan, we have scheduled an audit during the period from September 1 through September 9, 200x. It will be performed under the supervision of Mr. Justin Tyme, who will arrive in the office on September 1st. A full financial audit will be conducted, including the evaluation of internal controls and tests of transactions supporting related account balances, as well as verification of physical inventory valuations and circularization of customer accounts receivable balances. Please contact me if you have any questions related to our visit or if you have areas of concern that you may wish to have reviewed.

Very truly yours,

Newley A. Pointed
Audit Manager

c. Preliminary Survey
i. Purpose

The purpose of a preliminary survey is to:
- Gain a basic understanding of the entity to be audited, especially as it relates to risk assessment
- Begin the planning process

These purposes relate to Generally Accepted Auditing Standards and the IIA Standards. The following standards apply to the practical aspects of the audit planning process, including adequate skills, competencies, and knowledge; adequate resources; the underlying role of risk assessment; and the nature of the work.

Attribute Standard No. 1210 (Proficiency). Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Attribute Standard No. 1210.A1. The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Performance Standard No. 2010 (Planning). The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. (Note: Subsection A1 further states that a "risk assessment should be undertaken at least annually.")

Performance Standard No. 2030 (Resource Management). The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Performance Standard No. 2100 (Nature of Work). The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.

Auditors should obtain background information about the activities to be audited. This is accomplished by performing, as appropriate, an on-site survey to become familiar with the risks, activities, and controls to be audited; to identify areas for audit emphasis; and to invite comments and suggestions. To perform an audit in accordance with Generally Accepted Auditing Standards and the IIA's Standards, a properly conducted preliminary survey is required.

ii. Progression of and Procedures for Preliminary Survey

Review the scope of the pending audit. The comprehensiveness of the survey depends on the scope of the audit; if the audit is limited in scope, the survey will be limited. A memo should be prepared discussing:
- Purpose of the engagement
- Nature of the final report, if any
- Timing of the engagement
- Auditee contacts

Arrange a preliminary meeting with management. The purposes of this meeting are to:
- Meet management and inform them of the objectives of the survey
- Arrange for working space
- Prepare preliminary timetables
- Gain the confidence of location management
- Gain an understanding of management's objectives
- Gain an understanding of problems as perceived by local management
- Gain enough understanding to determine whether a new risk assessment needs to be undertaken

Write a memo documenting the preliminary meeting with management. The memo should include:
- Time, date, and participants (who was there)
- Summary of topics discussed
- Potential problem areas noted
- Potential conflicts
- Office policies peculiar to that location

After the memo documenting the preliminary meeting is prepared, the fieldwork portion of the survey is ready to begin.

Complete preliminary survey field procedures. The field survey procedures for a full scope audit are as follows.

Through interview, observation, and documentation, gain an understanding of the following characteristics of the entity:
- Brief history of entity
- Size of entity
- Products produced
- Process flow
- Principal customers
- Principal suppliers
- Current trends

The understanding should be documented in memorandum form. Its purpose is to give the reader an overall understanding of the entity as it relates to Sam Pole Company.

Perform a cursory review of the accounting system by obtaining and preparing the appropriate documents and memoranda:
- Obtain an organizational chart.
- Determine the extent of information system (IS) and information technology (IT) usage.
- Briefly describe the following systems, noting the volume of transactions and the apparent control points and control weaknesses:
  - Purchasing, accounts payable, and cash disbursements
  - Order entry, sales, accounts receivable, and cash receipts
  - Product inventory, aging, and obsolescence review procedures
  - Supply inventory system
  - Cost accounting system
  - Environmental accounting system (if applicable)
  - Fixed assets and depreciation
  - General ledger system
- Answer the following questions for each system: What is the job? Who does it? Why is it done? How is it done? Where is it done? When is it done? How is it monitored? How much does it cost?
- Prepare a schedule of all significant books of original entry, including, for computer systems, master files and transaction registers.
- Prepare a schedule of primary management reports.
- Overview systems flowcharts may be prepared for any of the accounting systems if they enhance the understanding.

In connection with the review of the accounting system, the following documents should be identified, if available:
- Internal accounting procedures and practice manuals
- Governmental regulatory reports
- Prior audit reports, both internal and external
- Authoritative accounting publications related to the industry
- Industry standards

Perform a risk analysis. Professional practice standards (see "Purpose") require the auditor to exercise due professional care. Due professional care does not mean that the auditor is infallible or that extraordinary performance is expected, but it does require that reasonable care be taken. In order to exercise due professional care, the auditor must be aware of potential risks. A risk can be defined as an exposure to loss, or to less than the maximization of efficiency, resulting from the lack of internal controls. Common risks include:
- Inadequate controls
- Inadequate planning and organizing
- Inadequate directing and controlling

Perhaps the easiest and most expedient means to detect common risks is a cursory internal control review using standard internal control questionnaires. These questionnaires contain questions that point out the unique risks of each system under review. An analysis of the answers will aid the auditor in determining (1) whether the weakness is confined to a single system, and (2) whether the weakness is pervasive throughout the entire organization. For example, if auditors note a lack of segregation of duties over cash, they should determine whether it is unique to cash or pervasive throughout the whole system of internal control. If the weaknesses are pervasive throughout the whole system, the problem is one of inadequate planning and organizing. If the weaknesses are confined only to cash, the problem is one of inadequate directing and controlling.

Collation of risks. To assess the effectiveness of internal controls, it is necessary to relate risks to exposure, to controls, to planned audit effort, and then to the eventual results of the audit procedures. A suggested format is to schedule the above on workpapers that will be used during the actual performance of the audit.

Evaluation of risks. Evaluation of risks consists of the auditor's evaluation of the exposure resulting from the failure of an internal control over the particular risk. It consists of the auditor's answer to the question, "What is the maximum exposure to the corporation if this particular internal control is not functioning effectively?" In answering the question, the auditor must consider any compensating controls that may exist. To write an effective audit plan, it is necessary to identify, relate, and evaluate the risks.

d. Planning Memo
i. Purpose

The planning memo outlines the manner in which the department audit plan is to be implemented for a specific audit, special assignment, or other activity. Planning is an extremely important aspect of auditing and is required by the IIA and by the American Institute of Certified Public Accountants' (AICPA) first standard of field work (adequate planning). Before each assignment, a planning memo is required to establish coordination between internal audit staff and management. This document ensures that the objectives and scheduling of the audit are communicated to and understood by all involved. Properly implemented, it ensures that the more experienced auditors (management) consider scope and procedures prior to implementation.

ii. Objective

The planning memo serves several purposes: to document audit objectives, auditee background information, and financial highlights, and to describe significant audit procedures, budgeted hours, engagement timing, and personnel assigned.

iii. Procedure

Planning memos are to be typed on interoffice stationery and addressed to the Director of Auditing. A copy is also included in the workpapers. The planning memo should be completed far enough in advance of an assignment to allow manager review and approval. Prior to preparing the memo, the senior auditor may, if circumstances warrant, have to visit the audit site to conduct a preliminary survey and obtain sufficient information to complete the planning memo. Only in unusual circumstances will a planning memo be accepted after the audit has started. If, after the audit begins, conditions change in a way that affects the initial planning memo, an addendum should be written and forwarded to the manager. The addendum should explain and document the reason for the changes, even if previous approval has been obtained.

iv. Format

The format to be used consistently for a planning memo is shown in Exhibit 7.4. A brief explanation of each section follows.

Introduction. The first brief paragraph outlines what was stated in the "Notice to Auditee" (see "Corporate Audit Performance Process Matrix"). It should contain the name and location of the entity to be audited, scheduled dates to begin and complete field work, a brief description of the type of audit, and the audit date(s).

Objective. The deliverable product of an assignment is a conclusion that will provide management with either assurance or reasons for action concerning, for example, account balances, internal controls, or various functions or operational procedures. Prior to the audit, we must plan for the objective in order to direct our efforts toward that end result. Establishing objectives encourages an orderly work process and concentration of the audit effort on a predefined goal. Consideration should be directed toward potential high-risk and material areas.

Scope. Once the objective is documented, the planning memo logically leads into the scope section. If the objective is to state an opinion on the adequacy of a certain system, the scope will explain the compliance and substantive testing necessary to arrive at an opinion. Areas of emphasis should be defined along with significant audit steps and procedures.

Background. Background information is necessary in order to give the reader a description of the entity or area to be audited. It does not need to be long or detailed, but should contain the entity name, location, and a description of procedures or operations. Facts that are unusual or pertinent should be identified. Examples include situations where the controller is new, the location is known to have had internal control problems in the past, sales have fallen off heavily, or operating costs have increased substantially.

Financial Highlights. The financial highlights section includes a summary of major account balances. Accounts outlined in the objective section are also included in order to bring these accounts to the attention of the reader. Comparative figures for two corresponding periods should be included.

Significant Audit Areas/Audit Approach. This section identifies and outlines the more significant areas mentioned in the scope section. It also states the audit approach to be used in these areas. This helps all parties understand the areas of concern and how these areas are to be audited.

Staff and Timing. This section lists the staff assigned to the audit, their job level, and the dates assigned to the audit. Planning in this area is necessary to ensure that the fieldwork will be completed within the audit budget.

Budget. The audit budget is a compromise between what audit management would like to accomplish and what it can effectively allow time for while meeting the overall department objectives. Normally, total hours will be estimated in a three-year plan. An appraisal is made of the objective and scope of work to be performed and of the number of hours needed to complete each area of the assignment. The hours for each area should agree with the total budgeted hours.

Exhibit 7.4: Sample Planning Memo

Date: October 20, 200x
From: Senior
To: Manager
Subject: Planning Memo, Sam Pole's Best Ozone Paint Manufacturing Facility

Field work for the manufacturing facility interim audit will begin on Monday, October 26, 200x, and will be completed on Friday, November 20, 200x. The interim audit as of September 30, 200x, will include a financial audit. A year-end audit will also be performed by the internal audit department in January 200x.

Objective

The interim audit will be conducted to determine the adequacy of internal accounting controls (through a review of accounting systems and a test of transactions) as a basis for the formulation of year-end balances. A year-end review will also be conducted to determine the validity of accounting data that will be included in your company's consolidated general ledger trial balance as of December 31, 200x.

Scope (Interim)

The audit will include the documentation, review, and detailed compliance testing of existing key internal accounting controls in significant financial areas as of the September 30, 200x, trial balance. Emphasis will be on inventory, sales billing, accounts payable, and payroll. A variation analysis will be performed of all accounts with significant changes in comparison with the 200x year-end balance. A review of the August 31, 200x, physical inventory compilation and a follow-up of previous audit comments will also be conducted.

Background

Sam Pole's Best Ozone Paint, located in Anytown, AZ, USA, is a key location for the company's ozone paint manufacturing. It joined the company in 200x and experienced several startup problems.

Financial Highlights

For the six months ended June 30 ($000's omitted)

Balance Sheet                        200x       200x
Inventories                       $ 4,000    $ 5,000
Other Current Assets                  100        300
Total Current Assets                4,100      5,300
Net Fixed Assets                   13,000     15,000
Total Assets                      $17,100    $20,300
Total Liabilities                  12,000     14,000
Equity                              5,100      6,300
Net Liabilities and Equity        $17,100    $20,300

Income Statement                     200x       200x
Net Sales                         $24,000    $35,000
Cost of Sales                      18,800     23,500
Gross Profit                        5,200     11,500
SG&A                                3,200      7,500
Net Income Before Taxes           $ 2,000    $ 4,000

Significant Audit Areas/Audit Approach

Inventory. Inventory is considered to be the most significant area at Sam Pole's Best Ozone Paint manufacturing facility. Our audit procedures will include observation of the physical inventory, testing of the system of internal controls, testing of the inventory compilation, and review and testing of the roll forward from the physical count to September 30, 200x.

Payables. Payables are significant because of the volume of transactions and their interrelationship with inventory. Our procedures will include flowcharting and testing of the system, testing of cutoff, vouching of selected accounts, reviewing and preparing reconciliations of vendor statements, and examining subsequent payments.

Other Balance Sheet Accounts. Our approach to auditing these accounts will be to perform an analytical review comparing current-year balances to prior-year balances and accounting for all significant changes. Substantive audit procedures will be used on all material balances.

Other Areas. Other areas that will be given emphasis in the current audit include:
- Analysis of repair and maintenance accounts
- Analysis of all outside service accounts
- Review of controls over customer returns

Staff and Timing

The audit will be conducted by both the Internal Audit Manager and J. Smith, a new audit senior. Field work will begin on October 26 and will last for two weeks.

Budget (in Hours)

Planning                                          8
Supervision                                       6
General                                           2
  Meetings, tours, etc.                           4
  Analytical review                               4
Flowcharting and review of systems controls       4
  Inventory ledger                               12
  Purchasing/Accounts Payable                     8
  Payroll                                         8
  Sales/Billing                                  10
Cycle Tests
  Trial Balance                                   3
  Cash                                            2
  Accounts Receivable                             4
  Inventory                                      20
  Fixed Assets                                    6
  Other Assets                                    3
  Accounts Payable                                6
  Accruals                                        4
  Income and Expense                              6
Internal Control
  Questionnaire Review                            4
Travel                                            4
Finalization of W/P                               8
Report                                           16
TOTAL                                           152


e. Audit Status Report


The purpose of a status report is to provide audit management with a progress report of the assignment. On assignments scheduled for more than four weeks, a status report is required. A typical report would outline significant findings, audit scope changes and rationale, work completed, and an estimate of time to complete the assignment. This information documents and enables the manager to make a decision on additional scope changes, staffing (increase or decrease), and staff schedule changes. The in-charge auditor has the responsibility for the status report. In some instances, due to the importance of the matter, the manager will issue a memo to the Director of Auditing. A formal status report is not usually required for a short period assignment. However, an informal report can be phoned into the manager, describing significant findings, the status of the work completed, the estimate of time of completion, and other situations affecting the audit. Communication keeps the manager aware of current situations and assists in the decision making on that assignment as well as scheduling other audits. It also provides documentation, as required in our corporate audit performance process, in our project control file.

f. Developing Audit Recommendations


An audit recommendation is a condition that, in the auditor's judgment, requires change or action and is of sufficient magnitude to warrant the attention of management. Discovery of an exception is the starting point in developing a recommendation. When an exception is revealed during audit testing, development of a recommendation may require a series of expanded audit tests, research, and communication. The problem or situation as it exists must be fully defined and explained. The ability to express the results of an audit in well-written audit recommendations is a measure of assurance that management will take appropriate action Chapter 7: Audit Performance 11

12

Chapter 7: Audit Performance

and one of the principal bases on which audit performance will be judged. Each auditor must assume individual responsibility for improving proficiency in this respect.

A. Basic Criteria

Some basic criteria for effective writing that should be observed in the preparation of audit recommendations are:

1. Accuracy. Recommendations in audit reports must be verified thoroughly so that there are no factual errors. The auditor should be careful not to use data that could be misleading.
2. Objectivity. Include all significant, relevant information, even if it indicates disagreement with the auditor's position. Do not rely on inferences and implications. Adequate background information should be provided so that the reader can grasp the significance of the situation being reported.
3. Readability. In preparing an audit recommendation, the auditor should be continuously conscious of how it will be perceived by the reader. Avoid a disagreeable or inflammatory tone, sarcasm, ridicule, or oratory. Try to foresee the reader's reactions to certain words or phrases. Be tactful. The use of correct grammar and proper punctuation is imperative for well-written recommendations.
4. Clarity. To the extent possible, clarity should be interpreted as requiring that every statement not only can be understood, but also cannot reasonably be misunderstood.

B. General Characteristics

1. Evaluate the significance of what you are reporting.
2. Write in simple, non-technical, clear language.
3. If you refer to a form number, state its name or subject somewhere in the report.
4. If you use abbreviations, spell out their meaning when they first appear.
5. Reasonable logic is important.
6. Be concise. Avoid wordiness and inclusion of extraneous matter.
7. Do not be evasive. If you have something to say and can support it, then say it.
8. Write constructively. Stress the need for improvements in the future rather than focusing on deficiencies in the past.
9. Provide support for all information in recommendations.
10. Present relevant comments and reviews of the issues being discussed.
11. Clearly identify opinions, especially if they concern significant matters.
12. Do not generalize by simply saying that a practice "weakens controls." Specify how it weakens controls.

C. Development Process

The following steps should be followed in order to provide for systematic development of a recommendation after an exception is revealed:

1. The problem or situation as it exists must be fully defined and explained.
2. The criteria or standards for an activity should be re-evaluated as to applicability and adequacy at this point in the development of the recommendation. Some criteria regarding the performance of the activity must be established based on authority, generally accepted principles, or reasonableness.
3. It is necessary to look at the effect and significance of the problem. Through further testing and gathering of data, the extent of a problem and its importance must be determined. Efforts should be made to obtain quantification in the gathering of measures of effect.
4. If the effect is minimal, this condition is the auditor's notice to discuss the problem with the operating level of management. A recommendation is not required in an audit report when the effect is minimal.
5. If, in the auditor's opinion, the effect is significant, the auditor should proceed with the development of the recommendation.
6. The auditor must seek to find out, through expanded testing and gathering of data, what caused the problem or situation. Frequently, this step is the most difficult one in the development of an audit recommendation. However, without it, you have an incomplete recommendation and can offer management only a correction of the existing problem. You cannot provide a statement of action that will give assurance that a situation will not recur.
If the actual cause of the problem cannot be disclosed through expanded testing and gathering of data, the auditor should discuss the situation with responsible management. In this discussion, the auditor should seek to obtain a response as to what would improve the condition or situation. Based on the outcome of this discussion with the auditee, the auditor will be guided as to the statement of action that should be made for correcting the condition. If an actual cause of the condition is revealed, the statement of action should be directed at the correction of the cause. A discussion with the responsible management as to the problem, the criteria, the effect, and the cause should be held to obtain their comments in order to further substantiate the accuracy of the developed recommendation.

D. Developing Recommendation Data

1. Statement of Condition. In this section, the auditor should state the circumstances surrounding the recommendation. In a logical sequence, present the facts and specific illustrations describing the condition. Each statement of condition must contain sufficient qualitative and quantitative information to fully support the conclusions or main point. The statement of condition should be brief, but not to the point where completeness is sacrificed.

2. Criteria. The criteria represent the standards against which the auditor is measuring a questionable condition or practice. The criteria applied may vary; however, the auditor should concentrate on the criteria that are important to the objective of the audit. Some examples of criteria are:
a. Written requirements (laws, regulations, instructions, manuals, directives, etc.)
b. Independent opinion of experts outside the organization
c. Prudent business practice
d. Verbal instruction
e. Managerial expertise
f. Unwritten overall objectives as explained by management officials
g. Common sense
Published criteria may be directly quoted, summarized, or paraphrased. If criteria are not already set forth in writing, the auditor may have to obtain information that will serve as evidence of criteria. If common-sense subjective judgment is to be used as a criterion, it should be both logical and convincing to the reader.

3. Effect. Effect is the actual or potential adverse impact, in dollars or other terms, that has resulted or can result from the condition being questioned. Some examples of effect are:
a. Uneconomical or inefficient use of resources (time, money, labor)
b. Loss of potential income
c. Violation of law
d. Funds spent improperly
e. Information or records that are meaningless or inaccurate
f. Ineffectiveness; the job not being accomplished as well as it could be or as intended
g. Inadequate control or loss of control over resources or actions
h. Lack of assurance that the job is being done properly
i. Lack of assurance that objectives are being met
If the auditor does not present information on the actual or potential adverse effect, the reader might assume that the apparent lack of concern means that the recommendation is not very important. If the effect is not significant, the recommendation should not be included in the report. Caution should be exercised not to create an issue larger than the facts actually warrant.

4. Cause. The cause is the underlying reason why a questionable behavior or condition occurs. This sensitive, and usually highly judgmental, area requires the most penetrating efforts and insights of the auditor. As a minimum effort, the auditor should have explored the situation thoroughly enough to be able to generate what is termed a "first-level statement of action," that is, one that is sufficiently detailed or specific to enable the recipient of the recommendation to correct the conditions. It is necessary to get as close to the real cause of the problem as possible, or at least to one or more causes that will put the recommendation in perspective, make the recommendation convincing, and lead to a sensitive, specific statement of corrective action. Simply stating that the problem or adverse condition exists because someone did not comply with company policy is not very meaningful. Also, this approach usually confines the auditor to the rather superficial statement of action to "comply with company policy." Some examples of cause are:
a. Lack of training
b. Lack of communications
c. Unfamiliarity with requirements
d. Negligence or carelessness
e. Guidelines or standards (criteria) are inadequate, not provided, obsolete, or impractical
f. Conscious decision or instruction to deviate from requirements (for any of a variety of reasons)
g. Lack of resources (funds or staff)
h. Failure to use good judgment or common sense
i. Dishonesty or personal gain
j. Lack of effective or sufficient supervision, or lack of supervisory review
k. Unwillingness to change
l. Lack of planning, faulty or ineffective organizational arrangement, or delegations of authority

5. Statement of Action.
Generally, each recommendation will result in one or more statements of action. Experience indicates a great receptivity to constructive audit statements of action. Some basic guidelines for developing statements of action are:
a. Present statements of action as a logical sequence to the related statement of conditions.
b. Present statements of action that are as specific, realistic, and as helpful as possible and related directly to the cause of the weakness or deficiency. State what action will provide a meaningful solution to the problems, and not simply recommend that "regulations be complied with," "controls be strengthened," or "procedures be established."
c. Direct the statements of action toward the audited organization and to the specific persons, by title, who have responsibility and authority to take corrective action.
d. Do not include statements of action on which adequate action has been taken before the report is issued. Instead, report, in the body of the recommendation, what action has been taken to correct the situation and only present additional statements of recommended action as warranted.
e. Avoid the use of extreme language in making statements of action, such as "immediately," "expedite," "without delay," "as soon as possible," unless the nature of the problem is so serious that such language seems particularly appropriate.
f. The expression "for consideration" should not be used in presenting statements of action. Since the Audit Department is a staff function and its service advisory, all statements of action are "for consideration."
g. Material, thoughts, or information that were not developed in the body of the recommendation should not be introduced in the statement of action. The statement of action should follow logically from what is presented in the recommendation.

i. Recommendation Worksheet

A form should be created for the purpose of writing up the recommendations as they are initially discovered (see Exhibit 7.5 for an example of a worksheet format). A copy should then be given to the auditee. There are many good reasons for following this procedure.

Exhibit 7.5: Recommendation Worksheet Example

Audit Job No.______ Recommendation No.______ Workpaper Ref.______
Auditee ______ Audit Date ______
Statement of Condition: (What is) _________________________________
Criteria: (What it should be) ______________________________________
Effect: (So what?) _______________________________________________
Cause: (Reason for deviation)______________________________________
Statement of Action: ____________________________________________
Present Status: ________________________________________________
Recommendation corrected during audit____________________________
Auditee agreed with recommendation______________________________
Detailed support for adjustment/correction provided to auditee ____________
In process of implementing ________________________________________
Auditee disagrees with recommendation/comment ______________________
Preparer signature: ____________________________
Senior Auditor signature: _______________________
Provide a copy of this completed form to auditee ASAP/Use form for the Closing Conference.

1. If recommendations are neat and well written at the time of discovery and copies are given to the auditee, valuable research and input can be obtained before the closing conference. This makes the closing conference more productive, as both sides are knowledgeable on the subject. Generally, the auditee is blindsided at the closing conference if recommendations have not been previously presented.
2. The procedure lends itself to better written, more factual audit recommendations because the material is fresh in the auditor's mind, which is preferable to writing the recommendation later in time (i.e., at the end of the audit). Strengths and weaknesses can be reconciled to improve the quality of the recommendations.
3. Why take many recommendations to the closing conference when a "climate for change" can be initiated during the course of the audit? Too many recommendations presented at one time tend to make the auditee nervous and worried about how the report is going to look to others. Tentative recommendations should be provided to the auditee periodically, once a week, and not on a daily basis.
4. If the recommendation has been resolved by the auditee during the audit, it is much more agreeable to the auditee if only mention is made summarizing items corrected during the audit.
5. The interim communication also gives the auditor a written workpaper document to use in discussing recommendations at the closing conference.
6. Once written recommendations are resolved to the degree possible, corrections should be made and submitted for typing the final report.

ii. Form Format

The form is designed to be as functional as possible, but it is limited in space to encourage factual, precise write-up of recommendations.

Recommendation/Discussion Item: A recommendation is a material exception to corporate policy or procedures, as examples, which is controllable by the auditee. The auditee is required to submit a written response to the recommendations. A discussion item is also an exception that may be material, but is not controlled by the auditee. Therefore, the auditee is not required to respond to the discussion item.

Audit: Write the name of the branch or location in the space provided to facilitate audit identification.

Subject: Identify the subject area where the exception occurred, for example, payroll or accounts payable.

CAJ No.: Corporate Audit Job Number. CAR No.: Corporate Audit Recommendation Number. Corporate Audit Job Numbers will be standardized and assigned by the audit division offices. The Corporate Audit Recommendation Number is the sequenced number of the recommendation developed as the audit work progresses. The Corporate Audit Recommendation Number is to be used as a control point.

Recommendation/Facts: Remembering that a statement of action is a call for action by management and must be written on that basis, the facts follow the attributes of a recommendation:
A. Statement of condition (what is)
B. Criteria (what it should be)
C. Effect (so what?)
D. Cause (reason for deviation)

Present Status: A space provided for comments by the auditee to elaborate on original intentions or reaction to the audit recommendation. It may only be necessary to check one of the preprinted comments such as "Recommendation Implemented During Audit."

[1] The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and interested parties.

Chapter 7: Audit Performance

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 7.2 REV NO: DATE:
TITLE: Workpapers PAGES:
7.2 Workpapers
Workpapers serve mainly to aid the auditor in conducting work and provide important support for the auditor's opinion. Such language as "Workpapers are a record ... of tests and procedures" and "Workpapers, accordingly, may include work programs, analysis memoranda, letters of representation, confirmations, abstracts of company documents, schedules, and commentaries prepared by the auditor" further attempts to describe workpapers and some of their contents. Other comments, such as "Workpapers should fit the circumstances and the auditor's needs on the engagement to which they apply," are from Statement of Auditing Standards (SAS) No. 1, Section 338. Although SASs are written for public accountants, these comments are also applicable to internal auditors. For external auditors to rely on our workpapers, internal auditors must produce documents of the same quality. It is imperative that standards of compliance be established to help ensure quality workpapers.

Before preparation, give consideration to the objectives for creating your workpapers. Only information supporting your objectives should be included. Envision how the workpaper will look after it is completed. Does it appear logically organized, relevant, and neat, without half erasures and with figures and comments not crowded together? Is it complete, without loose ends that need to be addressed?

A second thought, and one that should be seriously considered, is that the IRS can and has subpoenaed internal auditors' workpapers into court. The question is, would you be embarrassed if your workpaper was made a document of the court? What if the court made an enlargement of your workpaper and it was displayed on a screen for all to see?

Other factors to consider in developing workpapers are:
Control
Retention
Headings
Permanent files: contents and format
Current files: contents and format
General organization
Detailed workpaper section organization
Indexing and cross referencing
Referencing
Standard tick marks

a. Control
For Corporate Audit purposes, workpapers are confidential documents used to support our conclusions. In order to maintain our independence and protect confidentiality, audit bags containing workpapers must be locked if left overnight at the auditee's office. During working hours, workpapers should be retained in a controlled, orderly fashion. That is, they should not be left lying around the work area or left out in the auditee's office where they can be seen, handled, or misplaced by the auditee's employees. In the office, workpapers should be filed in secured cabinets. During work hours, care should be exercised to ensure that visitors do not inadvertently observe confidential information lying on desks. Prior to leaving the office, workpapers should be secured in locked cabinets or desks.

b. Retention
The retention period for both workpapers and reports is five years. If an exception arises in which the retention period is to be extended beyond this period, a notation indicating the destruction date should be boldly printed on the outside cover of the workpaper binder or on the face of the report.

c. Headings
In order to standardize Corporate Audit workpaper headings, the following information should be used for all workpapers:

Description on Workpapers: Location of Workpapers
Name of auditee and location: Top-Center
As-of date of audit: Top-Center
Identification of workpaper: Top-Center
Initials of auditor performing the work: Bottom-Right (area provided)
Initials of in-charge senior manager: Bottom-Right
Workpaper index (red pencil only): Bottom-Right (area provided)

WORKPAPER "DOS" AND "DON'TS"
Do

1. While the audit is in progress, prepare a to-do list of points that have not been resolved.
2. Resolve points with the auditee at one time during the day.
3. For those workpapers kept by hand, be neat, write legibly, use a medium-hard lead pencil, and keep figures in proper columns. For workpapers on computer, develop a professional look with consistent formatting.
4. If done by hand, use a ruler; single line for subtotals, double line for totals. If done by computer, use the same guideline.
5. Avoid crowding on a single page.
6. Be accurate; be sure amounts are accurate and footings are correct. If using a computer, double-check all formulas. It is recommended that the auditor print out the worksheet formulas and audit them before relying upon them.
7. Head every workpaper (see headings above).
8. Identify the source of information on each workpaper: reference books or original entry, voucher numbers, conversations with employees, and so forth. Distinguish between fact and opinion.
9. If a workpaper is "prepared by auditee," indicate so with "PBA" on the workpaper. Indicate the name of the employee performing the task.
10. Initial and date each workpaper (printed version if using a computer).
11. Indicate analysis that requires more than one workpaper by: 1 of 5, 2 of 5, etc.
12. Adequately explain all tick marks other than the standard tick marks. Summarize explanations at the bottom of each workpaper by using a legend.
13. Use proper grammar.
14. When referring to auditee employees, spell their names and titles completely and correctly.
15. Indicate clearly the extent of tests made.
16. Write your opinions and conclusions, using care to differentiate among facts, opinions, and explanation.
17. If memoranda are done by hand: All memoranda should be prepared on memo pad paper. Skip every other line and write only to the right-hand margin line. If memoranda are done by computer, set formatting according to this guideline.
18. Write on just one side of a working paper, if done by hand.
19. Remove all items that have no value in supporting the conclusion.
20. Verify that the final figures on each workpaper agree with the lead sheets and working trial balance, and cross-reference thereto.
21. Reference and cross-reference to other workpapers and interim recommendation worksheets.
22. Leave enough space on each workpaper to clearly identify adjusting entries and comments. If using a spreadsheet, avoid using "comments" for substantive remarks; rather, add a column for remarks on the worksheet.
23. Use legal size paper; set electronic document margins to the equivalent size.
24. Use red pencil; use red fonts if the workpaper is in electronic form.
Don't

1. Do not prepare workpapers without first considering the objectives.
2. Do not follow previous audit workpapers blindly, but have a logical reason for changes.
3. Do not prepare separate income and expense account analyses when the accounts can be more effectively covered in conjunction with balance sheet items.
4. Do not leave open points or questions on your workpapers.
5. Do not merely cross over points or questions, but explain disposition.
6. Do not repeat scope of work when steps are outlined in the audit program. Indicate the audit program followed.
7. Do not make workpapers available to anyone without prior approval from the manager.

d. Permanent Files: Contents and Format


Permanent files are to be used for documents that will be needed in audits for a number of years. The binder should be labeled "Permanent Folder" and contain an index showing the contents of the folder. Permanent files should be economical in content. They should not be cluttered with documents that cannot effectively help or provide information for future audits. Exhibit 7.6 outlines the format of the permanent file. This outline will also act as the index for the file. For example, consider A. Corporate Audit Reports/Responses. The first report entered into the permanent folder will be indexed as A-1, the second as A-2, and so on. Each document entered into the permanent file must include the date and initials of the auditor. Revisions or modifications must also be initialed and dated. Use red pencil for this purpose.

Exhibit 7.6: Permanent Files Index

Sam Pole Company Corporate Audit Department Permanent Folder Index
A. Corporate Audit Reports/Responses
B. Reports (Other)
C. Carry Forward Comments
D. Organization Charts/Key Personnel
E. Internal Control Questionnaire/Audit Programs
F. Contracts/Lease Agreements
G. Labor Agreements
H. Historical Information/Pictures/Nature of Business Unit
I. Correspondence (Major)
J. Excerpts from Meetings (i.e., plant, branch, board)
K. Company Directives Memoranda
L. Account Analysis
M. Other

e. Current Files: Contents and Format


The criterion for determining whether information should be included either in the permanent file or the current file is the useful life of the information. Place information into the permanent file if the usefulness of the information is longer than two years. The majority of information obtained during an audit usually applies to the current year and will only be used for comparison and guidance in the subsequent year. Accordingly, such expected useful life would be less than two years and is filed in the current file.

f. General Organization
Use the printed workpaper binder cover and back furnished by the department. Note that certain information is to be completed on the cover of the binder: company identification, contents of the binder, the names of auditors who worked on sections included in the binder, review signatures, and the name of the audit office producing the file.

Acco fasteners have 2 3/4-inch centers with 2-inch capacity. If files exceed two inches, Acco fasteners of greater capacity can be obtained. All workpapers are to be 8 1/2 inches by 14 inches (legal size paper). If auditee documents are less than legal size, attach the document to heavy-grade legal size paper and then file it. Do not waste memo or 17-column paper for this purpose.

Create dividers by using heavy-grade paper and attaching a tab at the bottom of the sheet. A second method is to use 14-column paper as a wraparound for the individual section. The section name and indexing letter should be indicated in red at the bottom right-hand corner after the 14-column paper is folded in half.

g. Detailed Workpaper Section Organization


Each job will have a systems binder to be updated yearly. The following sequence will be utilized to organize the systems binder, where the "S" denotes systems documentation work:
SA-1 Flowchart (manual/IS)
SA-2 Narrative description
SA-3 List of key reports (official report title and informal user name)
SA-4 Internal control questionnaire
SA-5 Summary of major strengths and weaknesses
SA-6 Audit approach memo
SA-7 Other systems information as needed

The compliance and substantive work for each account will be organized in the following sequence in a separate current file:
A/C Overall scope and conclusion
A/P Audit program
A Lead sheets
A-1 to A-nn Account detail (substantive testing), cycle testing (compliance testing), comments for future audits, and confirmation forms: detailed audit work supporting lead sheet balances

Note: The audit procedures performed and workpapers generated should be organized in a manner deemed to be logical and expedient in the senior's judgment.

SA-1, Flowcharting. Include both the manual and data-processing flow of documents as you flowchart the system. Graphically depict the inputs, processing, and outputs of each system.

SA-2, Narrative system description. Narratives may be used to describe a system on a step-by-step basis. The narrative system description can supplement flowcharts or stand alone if it best fits the system.

SA-3, Key reports listing. The key report listing should list important reports by their official title and also by informal names used by the auditee. This listing will greatly assist the following year's audit.

SA-4, Internal control evaluation guide. The internal control evaluation guide should be developed to include only questions applicable to the section involved. "A," the cash section, should include the internal control questionnaire evaluation guides only for cash.

SA-5, Summary of major strengths and weaknesses. Once the flowchart and internal control questionnaire have been prepared, a summary of the system's major strengths and weaknesses should be prepared. This summary will aid in the development of the audit approach.

SA-6, Audit approach memo. Based on the above procedures, the auditor should have a good idea of the strengths and weaknesses of the system. The logic behind the selected audit procedures should be written up in a memorandum and included in this section.

A/C, Overall scope and conclusion. This workpaper will be the last item completed in the section, but it is the first in the organization sequence. Identify the work involved to support your conclusion: procedures such as sample size, extent of testing, and compliance with the audit program. In the conclusion section, state your opinion based on the testing performed in the scope. Make references and cross-references to adjustments and recommendations or comments that were the result of your work.

A/P, Audit programs. Audit programs should include all the steps necessary to test the system and reach a logical conclusion. Such tests will include substantive tests of account balances and compliance tests of the system.

A, Lead sheets. The auditor should give advance thought to the preparation of lead sheets. Minimum information includes a comparative schedule showing account balances at the prior year audit date and the book balance for the current audit date. Also, columns are prepared for adjustments and final balances. These schedules should reference the working trial balance.

A-1 to A-NN, Account detail (substantive testing). The evidential matter is obtained through two general classes of auditing procedures: (1) tests of details of transactions and balances and (2) analytical reviews of significant ratios and trends, and the investigation of unusual fluctuations and questionable items.

A-100 to A-NNN, Cycle testing (compliance testing). The purpose of tests of compliance is to provide reasonable assurance that accounting control procedures are being applied as prescribed.

h. Indexing and Cross Referencing


Workpapers should be indexed using the prescribed standard index. Each schedule should be marked in red pencil (or font) in the designated box at the bottom right corner. The index can then be utilized throughout the files whenever a cross-indexing reference is made to that particular schedule or to an amount therein. An index has been assigned to each major account classification. Single alpha letters are used for asset section designations. Double alpha letters are used for liabilities or capital accounts. Numbers are used to indicate accounts in the income statement. These sections will be preceded by "PL" before the number indicated later in the index sample. The first section of the indexing system is referred to as the administrative section. The index to reference this section is "AD."

The workpaper sections will include subaccounts under the major account classification. For example, cash, the major account, also includes subaccounts of Cash in Bank, Cash on Hand, and so on. The lead sheet (indexed "A") for this section should show the applicable subaccount balances for the current period and the prior period. These columns should be footed to show the total balance in the major account. The analysis of the subaccounts should be documented on supporting schedules (i.e., A-1, Analysis of Cash in Bank; A-2, Analysis of Cash on Hand; etc.). Occasionally, a section within a file binder may become too large to control effectively. In that instance, the section may be extended into another binder. The indexing for the extended file binder becomes X. For example, if section CC Accounts Payable becomes too large, part of the file can be stored in another file binder indexed CCX. Appropriate referencing should be indicated in the working papers. Three separate sections have been included for the work performed on confirmations, inventory observation, and inventory compilation. The section for confirmations is to be used when the number of confirmations sent is too large to be practically included in the applicable account classification. The other two sections are to be used when a physical inventory observation and a review of the inventory compilation are included within the scope of the audit. Be sure to appropriately reference these sections in the working papers.

The following is a listing of the indexes that should be used:

Index Description
Administrative
AD1 Copy of the audit report
AD2 Assignment checklist
AD3 Copy of financial statements
AD4 Summary memo (in-charge)
AD5 Manager comments (interpretive comments, major problems and their solutions)
AD6 Working trial balances
AD7 Adjusting journal entries
AD8 Analytical review and interim financial statements
AD9 Audit planning memo
AD10 Time budget
AD11 Interim audit recommendations and comments summary (AUD form 1)
AD12 Prior audit reports and follow-up
AD13 Other correspondence
AD14 As needed
Assets
A Cash
B Securities and other negotiable assets
C Sales, shipping, and trade receivables
D Inter-company receivables
E (Used for other accounts)
F Inventory
G Prepaid expenses and other assets
H (Used for other accounts)
I (Used for other accounts)
M Other tangible assets

22

Chapter 7: Audit Performance

Chapter 7: Audit Performance S Property, plant, and equipment Liabilities BB Notes payable CC Accounts payable DD Accounts payable inter-company FF Compensation GG (Used for other accounts) HH Other liabilities and deferred credits WW Capital stock and surplus PP Notes and inter-company debt Income Statement and Other PL1 Sales and revenue PL2 Cost of goods sold PL3 Selling, general, and administrative expenses X Extended file

i. Referencing
Normally, detail sub-schedules support the amounts shown on the lead schedules. Also, the lead schedules support the amounts shown on the trial balance. These workpapers should be cross-referenced to one another. Referencing should be done by inserting the page index next to the corresponding amount. Writing the page index to the right of the amount indicates "going to" a certain page. Writing a page index to the left of the amount indicates "coming from" a certain page. The referencing of final totals (double underscored) may be done by inserting the page index directly below the applicable amount. When referencing on the same page, either a circled number or a circled capital letter should be used. A circled number is used when referencing a number to a number. A circled capital letter is used when referencing a number (or any other section or symbol on the workpaper) to a note. All referencing should be done in red pencil (or font if electronic).
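The index scheme in (h) and the lead-sheet referencing rule above, as an added Python example that is not part of the manual: it classifies an index (single alpha = asset, double alpha = liability or capital, AD and PL item numbers, trailing X for an extended binder) and agrees a lead sheet to the supporting schedules referenced from it, the check that "Do" item 20 asks the auditor to make. Section letters follow the manual's index listing; the account amounts and the helper names (parse_index, is_valid_index, check_lead_sheet) are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the manual. Index sections that carry an item number
# (AD1..AD14, PL1..PL3) rather than a supporting-schedule number.
NUMBERED_KINDS = {"AD": "administrative", "PL": "income_statement"}


@dataclass(frozen=True)
class WorkpaperIndex:
    section: str           # "A", "CC", "AD", "PL", ...
    number: Optional[int]  # A-1 -> 1, AD10 -> 10; None for a lead sheet such as "A" or "CC"
    extended: bool         # trailing "X": the section spilled into a second binder (CCX)
    kind: str              # administrative, asset, liability_or_capital, income_statement


def parse_index(text: str) -> WorkpaperIndex:
    """Classify a workpaper index under the 7.2(h) scheme; raise ValueError if malformed."""
    t = text.strip().upper().replace(" ", "")  # tolerate "AD 10" as it appears in the listing
    m = re.fullmatch(r"(AD|PL)(\d+)", t)
    if m:
        return WorkpaperIndex(m.group(1), int(m.group(2)), False, NUMBERED_KINDS[m.group(1)])
    # X is reserved for the extended-file suffix, so it is excluded from the section letters.
    m = re.fullmatch(r"([A-WYZ]{1,2})(X?)(?:-(\d+))?", t)
    if not m or m.group(1) in NUMBERED_KINDS:  # a bare "AD"/"PL" lacks its item number
        raise ValueError(f"not a valid workpaper index: {text!r}")
    section, extended, num = m.group(1), m.group(2) == "X", m.group(3)
    kind = "asset" if len(section) == 1 else "liability_or_capital"  # single vs. double alpha
    return WorkpaperIndex(section, int(num) if num else None, extended, kind)


def is_valid_index(text: str) -> bool:
    """True when the index follows the scheme (convenience wrapper around parse_index)."""
    try:
        parse_index(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Schedule:
    index: str
    description: str
    amount: int  # whole dollars; the sample values below are constructed


def check_lead_sheet(lead_index: str, lead_total: int, supporting: List[Schedule]) -> List[str]:
    """Agree a lead sheet to its supporting schedules and return the exceptions found.

    An empty list means every schedule referenced from the lead sheet belongs to the same
    section, no index is used twice, and the schedule amounts foot to the lead-sheet total.
    """
    problems: List[str] = []
    lead = parse_index(lead_index)
    if lead.number is not None:
        problems.append(f"{lead_index} is a supporting schedule, not a lead sheet")
    seen = set()
    for s in supporting:
        idx = parse_index(s.index)
        if idx.section != lead.section or idx.number is None:
            problems.append(f"{s.index} ({s.description}) is not a sub-schedule of {lead_index}")
        if s.index in seen:
            problems.append(f"index {s.index} is used for more than one schedule")
        seen.add(s.index)
    footed = sum(s.amount for s in supporting)
    if footed != lead_total:
        problems.append(f"lead sheet {lead_index} shows {lead_total} but schedules foot to {footed}")
    return problems


# Constructed cash section: lead sheet "A" supported by A-1 and A-2 (amounts are made up).
CASH_SCHEDULES = [
    Schedule("A-1", "Analysis of Cash in Bank", 117_500),
    Schedule("A-2", "Analysis of Cash on Hand", 7_500),
]

if __name__ == "__main__":
    print(parse_index("CCX-4"))
    print(check_lead_sheet("A", 125_000, CASH_SCHEDULES))  # [] : the section agrees
    print(check_lead_sheet("A", 125_000, CASH_SCHEDULES + [Schedule("CC-3", "Trade payables", 0)]))
```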

j. Standard Tick Marks


Standardizing certain tick marks will result in uniformity and time saving for the preparer and reviewer by duplicating the tick marks and writing one explanation. Tick marks should be simple in design. Always explain tick marks in a legend located in the workpapers. Use a "Standard Tick Mark Sheet" to explain standard tick marks. Basic tick marks should be placed after the figure being checked. Prepare all tick marks in red pencil (or font if electronic). Standard tick marks are as follows: F (under number) footed F (to right of number) cross-footed T/B agreed to trial balance G/L agreed to general ledger SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 7.3 REV NO: DATE: TITLE: Audit Objectives PAGES:


7.3 Audit Objectives


As described in Chapter 6 of this manual, the Corporate Audit Department may be responsible for conducting a variety of different types of audits. These types of audits may have different overall objectives that the auditor must satisfy through the performance of audit procedures. The most common type of audit for which auditors are responsible is the financial audit. Broadly described, the overall objective of a financial audit is to assure that the financial statements are fairly stated, that they are in conformity with Generally Accepted Accounting Principles (GAAP), and that the accounting principles that were applied are consistent from year to year. In order to satisfy this overall objective, it is necessary to satisfy specific objectives that apply to the various accounts that comprise the financial statements. The following is a listing of objectives that apply to the various audit areas (accounts) that normally are included in a financial audit. This listing is not all-inclusive, and all of the objectives may not apply in every circumstance. They should be used as a guide and should be included, excluded, and/or modified as dictated by the audit situations encountered. The list provides examples of assessing the five major management assertions in financial statements: existence or occurrence, rights and obligations, presentation and disclosure, valuation or allocation, and completeness.
Cash

Cash recorded properly represents cash and cash items on hand, in transit, or in banks. Adequate disclosure is made of restricted or committed funds and of cash not subject to immediate withdrawal. All receipts are properly identified, deposited, and recorded. There is a proper accounting for all inter-company and inter-bank transfers. All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.
Receivables

Recorded receivables exist and are carried at net collectible amounts. All collections are properly identified, control totals are developed, and collections are promptly deposited. Billings and collections are properly recorded in individual customer accounts. Allowance for doubtful accounts is adequate.
Inventories

Periodic physical inventories, or cycle counts, are taken and are valued in accordance with company policies that are in accordance with GAAP. The quantities properly represent products, materials, and supplies on hand, in transit, in storage, or on consignment that belong to the company. All receipts, transfers, and withdrawals of stock are properly and accurately recorded. All production activity and costs are properly and accurately reported and maintained in up-to-date cost records. The items are priced in accordance with GAAP, consistently applied, at the lower of cost or market. Excess, slow-moving, obsolete, and defective items are reduced to net realizable values. Adequate provision for losses on purchases or sales commitments exist. The ending inventories are determined as to quantities, prices, computations, excess stocks, and so on, on a basis consistent with the inventories at the end of the preceding year.


Investments


The physical evidence of the ownership of investments is on hand or held in custody or safekeeping by others for account of the company. The basis on which the investments are stated conforms to GAAP and is consistently applied. All purchases or sales are initiated by authorized individuals and are properly approved. Income from investments is accounted for properly.
Fixed Assets

All recorded assets exist. The basis upon which the property accounts are stated is proper, conforms to GAAP, and has been consistently followed. All productive asset transactions are initiated by authorized individuals after advance approval has been obtained. The additions during the period under audit are proper capital charges and represent actual physical property installed or constructed. Adequate cost records are maintained for all in-progress and completed projects. Physical inventories of recorded productive assets are taken at periodic intervals. Depreciation charged to income during the period is adequate but not excessive, and has been computed on an acceptable basis consistent with that used in prior periods. The balance in accumulated depreciation accounts is reasonable, considering the expected useful lives of the property units and possible net salvage values.
Other Assets

Recorded prepaid and deferred expenses represent proper charges against future operations. The additions during the audit period are proper charges to those accounts and represent actual cost. Amortization or write-offs against revenues in the current period, and to date, are reasonable under the circumstances, and have been computed on an acceptable basis consistent with prior periods.
Purchasing, Accounts Payable, and Disbursements

All costs are properly recorded and classified as expense, inventory, fixed assets, and other assets. All purchase requisitions are initiated and approved by authorized individuals. All material and services received agree with original purchase orders. All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices, extensions, and account distributions. All checks are prepared on the basis of adequate and approved documentation and are compared with supporting data. All checks are properly approved, signed, and mailed. All disbursements are properly recorded. All accrued expenses relate to goods and services received as of the end of the fiscal period.
Notes and Loans Payable

All amounts owed are properly recorded. Accrued interest is recorded. Compliance with all provisions of loan agreements has occurred. All debt transactions are initiated by authorized individuals and are approved by the Board of Directors or executives to whom this authority has been delegated.

Capital Stock and Surplus


The capital stock and surplus accounts are properly classified, described, and stated in accordance with GAAP, and are not in conflict with the requirements of the corporate charter (or articles of incorporation) or with the applicable statutes of the state of incorporation. Transactions in the capital stock and surplus accounts during the audit period are properly authorized or approved where necessary, and are recorded in accordance with GAAP.
Revenues, Costs, and Expenses

Reported revenues, costs, and expenses are properly applicable to the accounting period under examination. Reported revenues and applicable costs are recorded on a timely basis. Charges to customers are for valid claims for sales rendered in accordance with established pricing policies. Costs and expenses are properly matched with revenues. Recognition has been given to revenues, costs, and expenses (including losses) which should be so recognized. Revenues, costs, and expenses are appropriately classified and described in the statement of income.
Payroll

Compensation costs reflect the aggregate cost of employee services during the period and are distributed to appropriate inventory and expense accounts. Compensation rates are in accordance with applicable union agreements and/or approved rates. Additions, separations, wage rates, salaries, and other deductions are authorized and recorded on a timely basis. Employee time and attendance data are properly reviewed, approved, and processed on a timely basis. Payroll deductions are determined in accordance with legal requirements or employee authorizations and are paid to the government, unions, and other specified parties in a timely fashion. Payments for compensation and benefits are made only to bona fide employees. All authorized employee benefit plans and related costs are appropriately controlled and administered.
Travel and Entertainment Expense

All expenses recorded must be "ordinary," meaning "customary and usual" within the experience of the particular community. All expenses recorded must be "necessary," meaning "appropriate and helpful" for the development of the entity's business. Sufficient documentation must exist. Specifically, the amount, time, place, business purpose, and business relationship of the entertained party must be recorded. Reimbursements to employees must be fully accountable, so as not to be considered compensatory. If any reimbursements are compensatory, appropriate tax information must be retained.

Endnote
1. The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and interested parties.


Chapter 8: Audit Reporting


Overview
SAM POLE COMPANY Corporate Audit Department Procedures Manual NO: 8.1 REV NO: DATE: TITLE: Corporate Audit Report Process PAGES:

8.1 Corporate Audit Report Process


The Corporate Audit Report is perhaps the most significant product of the audit function. The procedures contained in this section of the manual are designed to help ensure that the best possible quality product is prepared. The objectives of the report process include:

- To ensure the development of comprehensive and accurate reports
- To provide guidelines resulting in timely issuance of final reports
- To provide the opportunity to convey additional related information to readers of the report

Since the audit report is the most significant product issued by the Audit Department, the report format should be carefully considered. It is the policy of Sam Pole Company to issue a summary-and-detail report for each significant audit completed. The purpose of the summary report is to provide, in brief presentation format, the essence of the scope and results of the audit. It also allows for a profile section to convey additional information of interest to the Audit Committee and senior management. The thoughtful and creative use of the profile section provides a vehicle for the Audit Department to convey information beyond the negative reporting process that is inherent in internal auditing. To put it another way: the use of the profile section enables us to convey information that may contribute positively to the management of the corporation. In some instances, this information would be basic financial or operational data, which helps put the audit results in the proper context. Detailed descriptions of the summary and detailed report formats, with examples, are contained in other sections of the manual.

The reporting process begins with the draft audit comments and follows through to the issuance of reports and the report to the Audit Committee (if appropriate). The corporate audit reporting process matrix, Exhibit 8.1, summarizes the activities contained in this process.

Exhibit 8.1: Corporate Audit Reporting Process Matrix

1. Assign No.: Draft Comments Worksheet
   Purpose: Document audit findings, comments, and recommendations for review, approval, and resolution
   Timing: As disclosed or periodically during audit
   Prepared by: Staff or Senior
   Reviewed by: Senior or Manager
   Responsibility: Senior or Manager
   Contents: Per tentative recommendations worksheet
   Documentation: Audit workpapers

2. Assign No.: Report Distribution Worksheet
   Purpose: Log/track report preparation and distribution for review, approval, and reporting
   Timing: In office upon completion of field work; regularly from completion of field work to issued report
   Prepared by: Senior
   Reviewed by: Manager
   Contents: Per distribution worksheet
   Documentation: Audit workpapers

3. Draft Reports
   Purpose: Formalize audit conclusions, findings, comments, and recommendations
   Timing: Within two weeks following exit conference
   Prepared by: Senior/Manager
   Reviewed by: Manager
   Contents: Develop comments into summary and detailed reports (see AU/ED)
   Documentation: Audit workpapers

4. Draft to Auditee
   Purpose: Obtain agreement on facts and circumstances, substance, and materiality of issues for audited entity
   Timing: Within 30 days following receipt
   Prepared by: Senior
   Reviewed by: Manager
   Distribution: Financial official at audited unit
   Documentation: Audit workpapers

5. Inclusion of Auditee Comments
   Purpose: Incorporate auditee responses into draft reports
   Timing: Promptly upon reply and resolution of Director of Auditing consideration
   Prepared by: Senior/Manager
   Reviewed by: Manager
   Contents: Revise comments and detailed reports for auditee responses; comment in summary report on responses
   Distribution: Comptroller and Chief Accountant of audited entity
   Documentation: Audit workpapers

6. Issue Final Report to Management
   Timing: Auditee response due 30 days following transmittal of final report
   Responsibility: Director of Auditing
   Distribution: See Distribution Section AU/ED
   Documentation: Audit workpapers; Corporate Secretary; IA Manager

7. Report to Audit Committee
   Purpose: Apprise Audit Committee of audit results
   Contents: Audit report to Audit Committee
   Documentation: IA Manager workpapers; Audit Committee files

a. Draft Reports
The audit report process begins with a review of the tentative audit recommendations worksheets prepared during the audit performance process. Each individual page contains comments accumulated during the audit process. These pages will have been preliminarily reviewed by the auditee during the audit process. The manager will review all comments in conjunction with his review of the workpapers, ensuring that all comments are adequately supported. Within approximately one week from the completion of the audit field work (or the closing conference of the audit team), the audit manager or his designee will draft an audit finding and recommendation for each of the tentative audit recommendation worksheets. These comments will then form the basis of the detailed audit report draft.

The audit manager will begin the preparation of the summary audit report. Information regarding the scope and highlight sections will be based on information contained within the planning, status, and summary memos as well as the detailed finding and recommendation report. The Director of Auditing will review the draft and provide input.

b. Draft to Auditee
Various practices regarding distribution of draft audit reports to auditees exist within the internal auditing profession. The trade-off issues involve the interest in accuracy and fair presentation versus the issue of timeliness. Some audit departments believe that timeliness is not the most critical factor, and that obtaining input from auditees and incorporating it in the audit report provides for increased accuracy and a more level "playing field." Still other audit departments believe that the function of the audit is to issue comments as soon as possible, and they bypass or reduce the auditee review process; the auditee then issues a response and discussion of implementation plans.

The policy of Sam Pole Company is to review comments with the auditee as they are developed. Once the audit draft has been developed, the draft is forwarded to the auditee for review. Auditees will have two weeks to review the comments and prepare a paragraph detailing their actions or position on the comment. Exhibit 8.2 provides an example of a transmittal of the report draft to the audited entity, and Exhibit 8.3 is an example of a transmittal of the report draft to senior financial officials.

Exhibit 8.2: Transmittal of Report Draft to Audit Entity Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Corporate Audit Report Draft

The enclosed draft of a report on the recently completed [kind of audit] at [audit location] is for limited distribution to you and the Audit Director. Please review the draft to confirm (or not) that the recommendations and comments agree with those presented to and discussed with you at the closing audit conference. Also include your response in one or two paragraphs for inclusion in the detailed audit report. Please reply to me or [designate] by phone by [date], so that we may proceed to issue the final report.

/S/ Manager
Enclosures
cc: Audit Director

Exhibit 8.3: Transmittal of Report Draft to Senior Financial Officials Example

Date: [date]
To: J.K. Smith
From: L. Gordon
Subject: Corporate Audit Report Draft

The enclosed draft of a report on the recently completed [kind of audit] at [audit location] has been reviewed with [financial official] at [audited entity], who is in agreement with the content of the report and detailed comments. I would appreciate receiving your comments, if any, by [date] on the issues discussed in the report so that we may proceed to issue the final report at the next meeting of the Audit Committee.

/S/ Audit Manager
Enclosures
cc: Audit Director

c. Inclusion of Auditee Comments


In the example here, the auditees' responses have been incorporated into the audit report. Upon receipt of the auditee's comments, the Audit Manager will review their comments and integrate them into the draft audit report. The revised draft, with the auditee comments clearly identified, will be provided to the Director of Auditing for review. The Director of Auditing, upon satisfaction with the foregoing steps, will approve the final audit report for issuance. The Audit Manager will be advised of any final changes to the report and will have the report dated, processed, and transmitted in final form for signature and reproduction.

i. Audit Report Responses

The objectives of monitoring audit report responses are:

- To provide a framework to monitor, obtain, and evaluate such responses from audited units
- To enable the Director of Auditing to report on the adequacy of responses to, as appropriate, senior management and the Audit Committee

Each auditor will develop and implement procedures to attain the objectives outlined above and ensure that the total audit process is completed for both this department and the public accountants. In cases when audited units have not responded within the prescribed period of time, standard 30-day (overdue reports) and 60-day (delinquent reports) letters are to be issued by the affected auditor and Director of Auditing, respectively. (See Exhibits 8.4 and 8.5.)

Exhibit 8.4: Overdue Response to Audit Report (30-Day Letter) Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report

[The Corporate Audit Department]/[public accountants] issued its report, dated _____________, on the results of its examination [covering internal accounting controls]/[of balance sheet accounts]/of [______________________] for the period ended _____________ [date]. This letter is to remind you that a written response to the audit report is due no later than 30 days following the report transmittal date. Please advise when we can expect your response.

Audit Manager
cc: Audit Director
    Public Accountants (if appropriate)

Exhibit 8.5: Delinquent Response to Audit Report (60-Day Letter) Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report

Sixty days have now passed since [The Corporate Audit Department]/[public accountants] issued its report, dated ______________, on the results of its examination [covering internal accounting controls]/[of balance sheet accounts]/of [_____________________] for the period ended ______________ [date]. You will recall that ____________, our manager in _______________, reminded you one month earlier that corporate policy requires a written response to the audit report no later than 30 days following the report transmittal date.

In the event you have compelling reasons for not responding, please call me or _____________ immediately. Otherwise, we expect your response within a week's time. My responsibilities to the Audit Committee and senior management require regular reports on the adequacy and timeliness of responses to audit reports.

Audit Manager
cc: Audit Director
    Public Accountants (if appropriate)

In addition to monitoring and accounting for responses, each manager is responsible for evaluating them to determine that satisfactory management action has or will be taken. Evaluation of responses is to be documented in the workpapers or, when pertinent, advised in writing to the public accountants. Management recommendations issued by the public accountants require similar responses from appropriate division or department management. A letter should be sent to the appropriate auditee which includes the company policy on responding to comments by public accountants and either includes the public accountants' comments or is a transmittal for the comments. (See Exhibit 8.6.)

Exhibit 8.6: Transmittal of Policy on Reports of Public Accountants

Date: [date]
To: Division or Department Manager
From: Audit Director
Subject: Reports of Independent Public Accountants

Purpose

This memorandum provides additional procedures implementing the policy covering the distribution of reports of independent accountants and, when required, management responses to them.

Policy

The Sam Pole Company auditing policy states the following:

Audit findings, recommendations and other matters deemed to be significant by the public accountants are reported directly by them to the Audit Manager, Chief Financial Officer, and the Audit Committee.

The policy further requires with respect to management responses:

A prompt formal written response to the Audit Manager, covering internal control and management recommendations made by both the public accountants and corporate auditors. Responses are due no later than 30 days following the date of the auditor's report and in the format as shown on attached Exhibit 8.7.

[Insert comments here, or a note regarding attachment of comments from public accountants.]

Subsequent audit procedures to test completed/proposed corrective action would be adequately documented and outlined for either Corporate Audit or public accountants' performance. When responses do not deal satisfactorily with audit recommendations, the auditor should advise the auditee and Audit Manager, in writing, concerning additional audit requirements and resolution of the issues. Exhibit 8.7 is the standard form on which the audited unit should reply. These should be sent to the unit along with the final report.

Exhibit 8.7: Audit Response Example

Company: ________________________________________________________
Operating Unit: ___________________________________________________
Audited By: ______________________________________________________
Submitted By: ____________________________________________________

NO. | RECOMMENDATION | IMPLEMENTATION | RESPONSIBLE PERSON | TARGET DATE

ii. Additional Procedures

The following amplifies the policies covering the distribution of public accountants' reports and related responses to ensure that they are distributed properly:

Reports of Independent (Public) Accountants. Reports on internal control recommendations are issued to the individual with overall responsibility for the location under audit (i.e., President, General Manager, Plant Manager) and the Chief Financial Officer. Copies are distributed to the Vice President and Comptroller, the Secretary (for the official company record), and the Audit Manager.

Management Responses. Audited entities respond in writing to internal control recommendations in accordance with the aforementioned policy. The response is addressed to the Director of Auditing, with copies to the Vice President and Comptroller, other key financial officials, and the public accountants.

The additional procedures outlined above enable implementation of effective and consistent practices to monitor and report on the results of audits by public accountants in the United States and other countries.

d. Issue Final Report to Management


After approval by the Director of Auditing, the final report will be distributed in accordance with the distribution policy discussed in the following sections of the manual. It should be noted that there will be different levels of distribution for the summary and detailed reports. However, anyone receiving the summary report can request a copy of the detailed report.

i. Audit Report Format

The audit report and the detailed recommendations and comments section have a standard format that will be adequate for writing most reports. There may be times when it will be appropriate to deviate from the standard format. These instances must be discussed with the manager before proceeding. Exhibit 8.8 is an example of an audit report.

Exhibit 8.8: Corporate Audit Report Example

Company Location:        Audit Date:
Audit Manager:           Date Completed:
Audit Office:            Auditors:
                         Date of Report:

The Audit Committee
Sam Pole Company

This report summarizes the results of our audit of the company's accounting records and selected internal control procedures. Detailed recommendations and comments, after review with local management, were provided to the local accounting personnel for written responses to this office, and to other key officials, and to the public accountants for their information.

Sam Pole Company Profile

The manufacturing plant produces approximately NNN square yards of carpet tile per month. Comparative operating data are as follows:

                          2002        2003
Sales                 $xxx,xxx    $xxx,xxx
Cost of Sales          xxx,xxx     xxx,xxx
Inventory              xxx,xxx     xxx,xxx
Sales Backlog            x,xxx       x,xxx
Number of Employees        xxx         xxx

Scope of Audit

Our examination included a review and evaluation of accounting systems, internal control procedures, and tests of account balances.

Conclusion

In our opinion, internal controls are adequate, and account balances, as adjusted, are fairly stated in all material respects. Quantities of inventory on hand December 31, 200x, are fairly stated. Weaknesses outlined in the detailed recommendations and comments provided to local management did not have a material effect on the account balances at December 31, 200x.

Summary

The significant matters discussed in the detailed report include the following:

- A Disaster Recovery Plan should be developed for the data processing operation.
- Procedures to ensure that computer program changes are properly authorized should be developed.
- Documentation for significant computer applications is weak and should be improved.

Manager
Internal Audit Department

Distribution:
Headquarters President
Chief Financial Officer
Local President
Local Accountant

ii. Standard Format

I. Audit Report (Summary)
   Heading
   Salutation
   Lead Paragraph
   Profile
   Scope
   Conclusion
   Summary
   Manager's Signature
   Distribution

II. In-Depth Recommendations and Comments (Detail)
   Cover Page (Optional)
   Heading
   Lead Paragraph
   Categories
   Recommendations
   Comments
   Discussion Items
   Manager's Signature
   Exhibits (Optional)

I. Audit Report (Summary)

Heading. The heading is preprinted on the Corporate Audit Report preprinted form. Company/location, Audit Date, Audit Office, and Audit Manager are all self-explanatory.

Date Audit Completed. The date of the closing conference or last day of fieldwork, whichever is later.

Auditors. All auditors who participated in the audit. Use the first two initials in all names.

Date of Report. The date the report is issued for distribution.

Salutation. This item will generally be addressed as follows:

The Audit Committee
Sam Pole Company

Lead Paragraph. The lead or introduction paragraph indicates to the Audit Committee that this report is a summary of the results of our audit or review. It refers to the detail section, noting that recommendations and comments have been discussed with local management and require a response. It also states that the detail has been distributed to key officials and the public accountants. It should not be necessary to restate the auditee's name or dates, because this information is included in the heading.

Profile. "Profile" is generally preceded by "plant, company, or department," which refers to the auditee. The profile section is intended to be informative to the reader. In some instances, the reader has not had the opportunity to visit the auditee's facility. The profile section should be designed to be a "stage setter" for the reader. It should help the reader visualize the entity, number of employees, production, or implications of adjustments attributable to company size. The profile, as the situation warrants, may be excluded or contain a narrative description or financial schedules. The profile should not dominate the report. Instead, it should be limited in size to approximately one informative paragraph. Comparative financial information, if included, should not leave the reader with unanswered questions. Significant variations should be explained. Keep in mind that the profile should not distract from the purposes of the report, which are the summary, scope, and conclusion sections.

Scope. The scope section has two principal functions. One is to identify exactly what was done during the audit and the second is to delineate in writing that which was not done.

The scope should clearly state, for example, that the work was limited to or restricted to the payroll system. If internal controls were reviewed on certain systems, but not others, it must be clearly indicated. A general statement such as "we reviewed the plant's systems of internal controls" is not specific to the reader and leaves the audit open to question later. To state that "certain" systems were reviewed is better, but not as good as indicating that specific systems such as payroll, accounts payable, and accounts receivable were not reviewed. Clearly stating what was done in the audit leaves no doubt as to what was not done. In certain situations, it may be necessary to clearly qualify the scope section by saying, "we did not review, test, etc."

Conclusion. The conclusions can only be written on the basis of the work performed in the scope section and subject to the major exceptions contained in the summary section. No new or additional information can be interjected into the conclusion that has not been specifically stated in these two areas (scope and summary). The auditors should conclude or state their opinion on the fairness of the account balances, financial statements, the adequacy of internal controls, or the reliability of systems.

Summary. The summary component summarizes the detailed recommendations and comments section of the report. The detailed recommendations and comments section does not accompany the audit report issued to the Audit Committee. Therefore, the summary never contains information not published in the detailed recommendations and comments section.

Of the five attributes that are used as a basis for writing a recommendation, only the statement of condition and the statement of action are used to write the points of the summary. The summary includes only major or material exceptions resulting from the audit. Considerable thought should be given first to what is included in the summary and, second, to how it is written. Problems may arise if the auditor overreacts or improperly states the situation. Where warranted, the summary may simply state that the audit disclosed no material weaknesses. Other recommendations and comments that are not considered "material" should be addressed in the summary by referring to them in total as one item covered by a few sentences. Statements of action for summary items may either be included with the summary items individually or prepared in a trailing paragraph after the last summary item. Discussion items may be included in the summary if material. Because discussion items are written with the same attributes as recommendations, the statement of condition and statement of action will be included. Discussion items are generally used only when auditees object to recommendations on the grounds that they have no control over the subject. If auditors feel strongly that the item should be included in the report, the discussion item approach is a way around the situation. Discussion items do not require a response from the auditee, but still communicate the problem to management and the Audit Committee. Examples of summary items are as follows:

- Accrued payroll was understated by $1 million at December 31. It was recommended that management investigate and adjust the account. This account was adjusted January 7, 200x.
- Contract terms covering sales of real estate should be reviewed by counsel and entries properly recorded in accordance with Generally Accepted Accounting Principles (GAAP).
- Fifty thousand dollars were lost due to weak internal controls in the data processing area. We recommend system changes to help prevent future occurrences.

Manager's Signature. The Audit Manager is responsible for the review and signing of the audit report issued to the Audit Committee of the Board of Directors. He may assign this responsibility to others under certain circumstances.

Distribution. The distribution is a multi-step process. After the report is written in draft form, a copy is sent to the Director of Auditing and the auditee simultaneously. A specially designed cover letter is used to convey the drafts to the auditee. This cover letter indicates that the draft has been sent to the auditee first for comments and that time is of the essence. The second step toward distribution, after review and corrections are accomplished, is to send the draft to the Corporate Controller and Director of Auditing, or the next level of authority over the auditee. After the drafts clear the second step and adjustments or corrections are made, it may be necessary to send a copy to the auditee and Director of Auditing a second time. Barring this situation, the report is ready for distribution. Standard distributions for the report consist of:

Sam Pole Company
  Audit Committee
  Chief Operating Officer
Company Level
  Director of Auditing
  Chief Financial Officer
Division/Branch/Department (as applicable)
  Branch Manager/Division President
  Comptroller
  Chief Accountant, etc.
Public Accounting Firm
  Partner
  Manager

II. In-Depth Recommendations and Comments (Detail)

This section is issued with the audit report, but is not distributed to everyone on the distribution list. See the distribution of the audit report in the prior section. Because this section may become separated from the audit report, it must be written to stand alone as an independent document. Exhibit 8.9, "Corporate Audit Detail Recommendations and Comments," presents an example of this report.

Exhibit 8.9: Corporate Audit Detail Recommendations and Comments Example

SAM POLE COMPANY
Corporate Audit Recommendations & Comments
December 31, 200x

These detailed recommendations and comments supplement our report to the Audit Committee, in which we concluded that account balances as adjusted were fairly stated in all material respects and controls were adequate at December 31, 200x. These detailed recommendations and comments were reviewed with appropriate levels of management and, in accordance with corporate policy, are subject to their written response.

Disaster Recovery
In the event of an emergency or disaster in which the AS/400 system is not available for long-term use, there are no contingency plans in effect for the continuance of processing on the AS/400. This weakness could result in a delay in processing transactions and have an adverse effect on business operations.

Recommendations/Comments
We recommend that management initiate efforts to develop a Disaster Recovery Plan. In the event that the AS/400 System is disabled, contingency plans would then be in place to allow continued processing at an off-site facility. A Disaster Recovery Plan should meet the following criteria:

- A location for further processing. This site could be a cold site in which a third party has another AS/400 to which the company would have access, or an arrangement with IBM that would permit the company to be provided with another AS/400 on short notice.
- A list of contacts and responsibilities in the event of an emergency.
- A list of programs and data files needed for recovery, including a ranking of critical applications and an adequate method of creating, testing, and storing data backups.
- Detailed instructions on execution of the Disaster Recovery Plan.

Program Change Control
Program change control is not formally addressed. Requests for changes to programs should be authorized by user departments. To be properly controlled, a formal authorization form should be developed, indicating the reason for the change, user approval to initiate the project, and final sign-off. Only properly authorized, changed programs should be placed into production libraries.

Recommendation
All program change requests should be properly authorized in writing by the manager or supervisor of the user department. When the program change has been made, the manager or supervisor of the user department should sign the program change form, signifying that the program has been changed according to the original instructions. The program change form should then be filed in numerical sequence. A copy of the program change form should also be filed with the system's documentation so that a record of each change made to the system is kept in chronological sequence.

Documentation
Good documentation of computerized applications is necessary to document the methods and formulas utilized in the computer operation, to provide a tool to train new personnel, to provide operators with instructions, and to assist programmers with systems development and program modification work. We believe documentation is an important area and should be implemented. This process may require management support for the development of a plan to document systems by certain key target dates. We suggest that documentation along the following lines be considered:

Systems documentation includes:
- System description
- System flowcharts, showing the flow of data through the system and the relationship between processing and computer steps
- Input descriptions
- Output descriptions
- File descriptions
- Copies of authorizations and their effective dates for system changes that have been implemented

Program documentation consists of:
- Brief narrative description
- Flowcharts
- Source statements or parameter listings
- Control features
- File formats and record layouts
- Record of program changes
- Input/output formats
- Operating instructions

Operation documentation includes:
- Descriptions of functions
- Inputs and outputs
- Sequence of cards, tapes, disks, and files
- Setup instructions and operating system requirements
- Operating notes listing program messages, halts, and action to signal the end of jobs
- Control procedures to be performed by operations
- Recovery and restart procedures
- Estimated normal and maximum run-time
- Instructions to the operator in the event of an emergency

User documentation consists of:
- Description of the system
- Error correction procedures
- List of control procedures and an indication of who is responsible for performing those procedures
- Cutoff procedures for submission of data to the data processing department
- Description of how the user department should check reports for accuracy
- Application analyst support (i.e., name of contact)
- Impact on operations (i.e., resources consumed, response time, turn-around time, elapsed time, manual labor time, user training/impact)
- Testing plan (i.e., individuals responsible and titles, testing schedule, test results)
- Authorization (i.e., data center approval, programmer and project manager, quality assurance, and user approval)
- A log to permit the tracing of transmittals through the change control cycle

Establishment of formal testing procedures to include:
- Identification of the person responsible
- When the test will take place/begin
- When the test will be completed
- Details of the test
- Actual results of the test
- Approval of test results by the data center, programmer, and user

Manager
Internal Audit Department

Cover Page. An optional cover page may be developed to separate the audit report from the detailed recommendations and comments section. If you elect to insert this page, it could contain "Detailed Recommendations and Comments" as a title, centered on the page.

Heading. The heading consists of the auditee name, the name of the section, "Corporate Audit Detailed Recommendations and Comments," and the "as of" date of the audit.

Lead Paragraph. The purpose of the lead or introduction paragraph is to convey three points to the reader. First, this document supplements the summary audit report to the Audit Committee. Second, there is a summarized restatement of the conclusion. Finally, a written response is required. For example:

These detailed recommendations and comments supplement our summary audit report to the Audit Committee of the Board of Directors in which we concluded that internal controls for the payroll and account balances were fairly stated in all material respects as of April 30, 200x. These detailed recommendations and comments were reviewed with appropriate levels of branch management and are subject to their written response in accordance with corporate policy.

Categories. For purposes of organization, subtitles are used to group recommendations and comments relating to the same subject; that is, all recommendations and comments relating to accounts payable should be numbered under the subtitle "accounts payable." The subtitles are typed on the left margin in bold type and underlined. To emphasize the subtitle, double spacing is used before and after it. The numbering sequence starts with the first recommendation and is continuous to the last recommendation under that subtitle. Numbers start over for each subtitle.

Recommendations. Use "recommendations" rather than "findings" to describe the audit exceptions because it has a more positive connotation. Recommendations are one of the five attributes that make up a finding, as published by the Institute of Internal Auditors. In lieu of saying, "These are our findings," which implies that something wrong was found, present a more positive image by saying, "These are our recommendations for improvement." Do not report that something was wrong, merely that the auditee can improve existing conditions. A more positive approach implies professionalism by suggesting improvements as opposed to dwelling on or publishing problems and failings.

Comments. Comments differ from recommendations in that the five attributes (condition, criteria, effect, cause, and recommendation) are not present. Comments are more of a remark or brief statement of fact or opinion. To lessen the confusion, the attribute "recommendation" has also been renamed "statement of action." Care should be used, in that generally anything material enough for the report should be adequately supported.

Discussion Items. Discussion items are developed and written as recommendations, but differ in that the auditee is not required to respond to these items. Discussion items are used in instances where auditees object to an item being included in the report when they are not directly responsible for the situation, yet the auditors feel strongly that the situation needs exposure in a written report. A compromise is the discussion item approach, which should be used only as a last resort.

Manager's Signature. The manager is responsible for signing the recommendations and comments section.

Exhibits. The exhibit section is optional, but should be considered if additional information will help make the audit recommendations and comments clear to the auditee or management. Exhibits may take the form of photographs, flowcharts, financial schedules, adjustment schedules, or other sundry schedules of supporting information. Like pictures, exhibits are worth a thousand words. Supporting exhibits not only add clarity, but if properly done, add a degree of professionalism to the auditor's work.

e. Open Audit Results and Comments


A task listing will be prepared containing all open audit issues and comments on date of implementation. This list will be used to monitor the implementation of audit comments. Periodically, management will be queried on the status of open issues. Follow-up compliance audits will take place one year after the date of the audit, and these task lists will be updated and, in most instances, closed out.

SAM POLE COMPANY

TITLE: Report to Management

Corporate Audit Department Procedures Manual NO: 8.2 REV NO: DATE: PAGES:


8.2 Report to Management


The report to management should summarize the activities of the department in the interim since the last report to management. These activities should include audits performed and planned, or changes made to plans. All department administrative activities, including quality assurance, personal development programs, and participation in other company-sponsored programs, should be considered. The report should be prepared on a detailed basis prior to the next scheduled Audit Committee meeting. This process will enable auditors to inform management of some of the items that will be included in the administrative section of the report to the Audit Committee. It will also enable auditors to integrate the text of this material into the Audit Committee report to save work when that report is being developed. Communication with management is a very important element of an internal audit function. It is more important than in some other operations because the management issues and output of the audit function are more qualitative than quantitative. In a manufacturing or distribution operation, one can measure the output in units and analyze it in many ways. Audit functions have a lot of control over the quantity and quality of the work they perform. However, it is difficult for management to understand the issues involved in running a successful audit function and producing quality audit reports. Audit management has a number of opportunities to express their issues and report on activities. The formal process involves issuing audit reports (see "Corporate Audit Report Process") and issuing reports to the Audit Committee (see "Report to Audit Committee"). In this section, we deal with the opportunity to report on a somewhat more detailed basis to management. As noted earlier in this section, if possible, the Report to Management should be prepared prior to Audit Committee meetings.
This sequence will enable the material developed for this report to be reworked for inclusion in the report to the Audit Committee. There are no formal guidelines for what should be included in the Report to Management. Therefore, wide latitude should be used to help explain issues and promote progress achieved within the audit operation. Exhibit 8.10 is an example of a Report to Management. The format is simple and self-explanatory. However, great care should be taken to include all relevant activities on a prospective basis, as well as activities that have already taken place. In order to demonstrate the tone and range that a Report to Management can take, a number of sample report elements have been included in the example. In addition, the report could be patterned after other similar reports required within the organization. Some of the sections that should be considered include: Corporate Audit Department personnel issues; activities related to the external accounting firm; education; internal audit reports issued, pending, and in process; and budget status.

Exhibit 8.10: Report to Management Example

SAM POLE COMPANY
INTEROFFICE CORRESPONDENCE

TO: Senior Management        OFFICE: New York
FROM: Chief Auditor          OFFICE: New York
SUBJECT: Internal Audit Status Report
DATE: September 10, 200x

This report summarizes the department's and my activities since the status report dated July 15, 200x.

BUDGET FOR 200x
The Budget for 200x has been drafted and will be presented to you and the Audit Committee on schedule. Due to the addition of a Director and an operational audit unit, the total budget will grow beyond normal inflation.

INTERNAL AUDITS


Audit Reports
We continue to strive for timely report issuance. At this date, we have the following audit report status:

Issued Since July Status Report
- XYZ Subsidiary
- Tulane Contract Audit
- Purchasing Department Audit

Pending Issuance
- Transportation Department
- ABC Subsidiary

Physical Inventories
In cases where reports are to be issued upon completion of location audits, inventory audit findings will also be included. In other cases, only exception reports will be issued regarding observations and review of compilations. We observed these physical inventories since the July status report:
- XYZ Subsidiary
- ABC Subsidiary
- Main Supplies Inventory

ORGANIZATION/PERSONNEL
The department is currently composed of 37 professionals and two secretaries at September 1, which reflects the termination of John Doe and the resignation of Jane Smith in the East and the hiring of Pay Plum (CPA-CISA) as a semi-senior in the West. We continue to attempt further East staff reduction by transfer to other departments. To date, the West manager is pleased with the performance of his staff. He is now recruiting another semi-senior.

                Total   East   West   International
Professionals      35     15     14       6
Secretaries         2      1      1       0
                   37     16     15       6

Annual performance reviews were discussed with each eligible East staff member in conjunction with salary increases granted effective September 1. The staff generally responded receptively to constructive criticism designed to insist on or encourage, at minimum, competent professional performance. With certain exceptions, staff members considered salary increases equitable.

EDUCATION/TRAINING
Advance Systems, Inc.
Jim will lead a one-day, in-house, videotape-supported orientation program on IS audit concepts for the East staff (scheduled for August 25 at the East office). The West staff participated in a similar program on August 15. These in-house seminars are designed to provide basic background and set the tone for maximum benefit from the MPC Institute course.

MPC Institute
The MPC Institute staff will conduct, at their New York offices, a week-long seminar beginning on September 14 for the entire professional staff, concentrating on auditing in a contemporary computer environment. We have also invited Sam Pole personnel from other departments/locations to join us for some of the more technical sessions dealing with controls, to convey to them the significance of controls and also to improve their understanding of the auditor's purpose and responsibilities in a computer environment.

Other
In a less formal, yet structured manner, individual staff members are involved with IIA self-study courses dealing with internal audit theory and practice, and statistical sampling. This work is monitored by our Personnel Development Coordinator. In order to enable staff members to prepare for the CPA examination and still fulfill audit schedule responsibilities, we have arranged with XYZ to use their self-study guides, at no cost to Sam Pole.


MANAGEMENT DEVELOPMENT PROGRAM PARTICIPANTS
Off-Staff Assignments
Bill Clark, between audit assignments, will assist the CFO during October in assembling, reviewing, and analyzing operating companies' 200x budget proposals. We have also offered to assist the Director of Financial Analysis on 200x budget matters by making Peter Daily (East) or Rod Stewart (West) available for six weeks to two months. These opportunities have a two-fold purpose: (1) to broaden participants' exposure and experience in Sam Pole, and (2) to add another dimension to the evaluation process from sources outside internal audit.

We do foresee a potential problem associated with these off-staff assignments. The demand for Management Development Program participants to work outside the department is likely to conflict with our peak workload period, the Fall, when we experience our heaviest external audit coordination commitment. We are developing our audit plans and schedules to attempt effective attainment of both goals.

SPECIAL STAFF ASSIGNMENTS
New Jersey Mill
John Jones continues to assist in the development of a plant cost accounting manual. We have received favorable feedback regarding his contribution. Out-of-pocket expense and pro-rata salary are billed to the plant, relieving department expenses.

Atlanta Foundry
At the ADC Division's request, Jane Paul and Marc John were given a two-week assignment to develop overview flow charts of the plant cost accounting system. After a portion of the work was completed, the assignment was suspended pending agreement on the scope of the work. Out-of-pocket expenses were billed to ABC.

POLICY STATEMENTS
Compliance Program
Results of circularization for employee acknowledgment of compliance with our code of conduct are virtually complete. Responses received at this office disclosed no conflict or other situations that warrant reporting. We plan to issue a brief formal report on the results of our review.

Policy Statement Booklet
The supply of booklets in New York is exhausted. We have submitted suggested changes to the text of the booklet to the General Counsel. We also offered to assist them toward publication of the next revision.

OTHER MATTERS
Security
As noted in my prior status reports and memos, we have been working with the Finance Director to assess ways to improve the corporation's focus on security. We are considering the need for centralizing the responsibility for all aspects of security within the company. Our recommendation was for a high-level survey of our current practices and security plans. To further our groundwork, we have set up a meeting with the General Counsel to apprise him of our activities to date and get his input.

Professional Activities
As president of the New York Chapter, ISACA, John Jones presides over monthly board meetings and plans education events for members. On July 24, the Chief Auditor addressed our external audit firm's seminar for internal auditors on internal audit department practices. Marc John serves on the IIA Board of Governors and as Chairman of the Editorial Committee. Jane Paul serves on the IIA International Research Committee.

Regards,

The Report to Management should be addressed to the management reporting line of the Chief Auditor. This report is generally not copied to the Audit Committee, but should be copied to the President or CEO, if appropriate.

SAM POLE COMPANY

TITLE: Report to Audit Committee

Corporate Audit Department Procedures Manual NO: 8.3 REV NO: DATE: PAGES:

8.3 Report to Audit Committee


In addition to the distribution of reports as audits are completed, a summary report will periodically be made to the Audit Committee. This report will include a report on internal controls and a summary of items of significance, the summary of the Corporate Audit Department reports, and Audit Department status reports. This report provides the opportunity to explain the accomplishments of the department and should be viewed as a critical Audit Department product. Exhibit 8.11 presents a sample of a report to the Audit Committee. Also review Section 9.5, "Marketing the Audit Function."

Exhibit 8.11: Report to Audit Committee Example

SAM POLE COMPANY
101 Mapole Street
East Flagstaff, AZ 12345

February 28, 200x

Gentlemen:

I am pleased to present this report to the Audit Committee, comprising:
1. Report on internal controls and summary of items of significance
2. Summary of Corporate Audit Department reports
3. Corporate Audit Department status report

Audits in process and concluded since our report dated December xx, 200x, have not disclosed any developments that require action by the Committee.

I look forward to meeting with you to review the contents of this report and any other matters you may wish to discuss.

Very truly yours,

S. Jones
Internal Audit Director

SAM POLE COMPANY
Report to the Audit Committee
February 28, 200x

SECTION I
Report on Internal Controls
Sam Pole Company maintains systems of internal accounting controls and procedures designed to provide reasonable assurance that all transactions are properly recorded in the books and records, that prescribed policies and procedures are adhered to, and that the corporation's assets are protected from unauthorized use. Based on continuing reviews of internal controls at company locations, nothing has come to our attention since our prior report that would indicate that the existing systems of internal controls are not effective. However, as commented on in our December report, the company must be continually alert so that the changing conditions in Sam Pole Company's operations, primarily reductions in the number of salaried employees, are not accompanied by a weakening of existing internal controls, more specifically the segregation of duties. We plan to continually focus on such areas of potential weakness and report situations where we believe action is required.

Summary of Items of Significance
Although we have made recommendations to management to improve internal controls, nothing of a significant nature was disclosed that would require action by the Audit Committee. We have received full cooperation from all levels of management and have been permitted access to all requested company records and documents.

SECTION II
Summary of Corporate Audit Department Reports
The following audit reports, issued since the December 5, 200x, Audit Committee meeting, are enclosed for your review:
- Corporate Data Center
- Sam Pole Antenna Company
- Payroll System
- Products Company
- Sales Company: Trading and Logistics

Recommendations relate to internal controls that can be improved; however, no material exceptions were noted. In the event of significant findings, we would promptly advise the Committee and issue a preliminary report. Our comments and recommendations have involved matters significant to the organizational units audited. Based on our evaluation of auditee responses, we believe that our recommendations have been or are being given considerable management attention and action.

SECTION III
Audits and Related Activities
Audit Activities
Audits pertinent to annual corporate financial statement reporting centered primarily on completing interim and year-end audits under the rotation plan with our external auditors. We also continued our reviews of automated systems, including customer accounts receivable, salaried payroll, and accounts payable.

Supplies Inventories
At the December meeting of the Audit Committee, we reported on our management-requested special review of supplies inventories. Since our last report. . .

Steering Committee
The Director of Auditing, while not a member, attends by invitation the Information Resource Steering Committee meetings. Briefly, this involvement provides input to the Committee and knowledge of company plans to the Director. As a result of attending these meetings, we are planning special audit training in the following areas . . .

Disposition Audits
As previously reported, we have been significantly involved in disposition audits of the various units. Most recently, we assisted in the development of data that allowed for timely ...

Administrative and Other Matters
Professional Staff
The current field staff, meeting our authorized complement, totals 20: six in New York and fourteen in Denver (as compared to 19 in 200x). Our current three-year plan indicates a need for approximately 21 auditors. We will adjust this plan and reevaluate staffing requirements after developing the rotation program, based upon the company's new operating structure, with the public accountants. High turnover has continued in Denver, due to the company's situation and increased salaries available in an area with a high employment rate. Future recruiting, unless otherwise required, will be at the entry level.

We are pleased to report that we have promoted Mr. Sharp to manager in New York and Jane Pink to supervising senior in Detroit. Two individuals transferred from the audit staff, one to the Controller's staff and the other to MIS.

Quality Assurance Program
A responsibility of the Director, as described in the department's charter, is that audit work conform to the Standards for the Professional Practice of Internal Auditing. The Standards call for an independent external review at least once every three years to appraise the quality of the department's operations. Accordingly, we have tentatively agreed to reciprocal department reviews with IPL Corporation in 200x and 200x. Preliminary discussions will be held in late February, with a review of our department planned for June 200x. We have been planning this independent review of our total department performance for several years. Initially, we had each audit group perform a high-level quality assurance review. In 200x, we had a more in-depth review in New York and Detroit with a good appraisal (on a test basis) of the adequacy of each other's performance. We are now looking forward to this independent peer review to see how we can improve our operations.

Professional Certification
We have developed a professional certification policy for the internal audit department. We are strongly encouraging certification (CPA, CIA, CISA, CMA, etc.) within the first five years or before promotion to senior. We are providing partial company assistance to provide further incentive and yet ensure the individual's own sincere interest. A copy of the policy for your review is enclosed in Appendix XX. (Not shown here; see the "Policies" section of the manual.)


Part IV: Long-Term Effectiveness


Chapter List
Chapter 9: Managing the Effectiveness of the Audit Department


Chapter 9: Managing the Effectiveness of the Audit Department


Overview
SAM POLE COMPANY

TITLE: Introduction

Corporate Audit Department Procedures Manual NO: 9.1 REV NO: DATE: PAGES:

9.1 Introduction
The internal audit (IA) function should be more than the activities prescribed by management and professional organizations. By choice, the IA department can be a "world-class" entity, achieving excellence and maintaining it. But that will only happen with a great deal of commitment and effort. There are a number of methods, techniques, programs, and tools available to assist IA in attaining the highest level of excellence possible. In order to achieve the status of a world-class entity, and to be as effective as possible, IA will need to address issues such as corporate governance, quality assurance, continuous improvement systems, and marketing the IA function.

SAM POLE COMPANY

TITLE: Corporate Governance

Corporate Audit Department Procedures Manual NO: 9.2 REV NO: DATE: PAGES:

9.2 Corporate Governance [1]


Recent financial failures such as Enron, WorldCom, and Adelphia remind managers, board members, auditors, and other stakeholders of the risks that exist even for those businesses that seem to be immune to fraud. These events also show the need for effective corporate governance. Enron proved that large companies with billions of dollars in assets can go bankrupt under the noses of well-intended board members, and despite the fact that an internal audit function is present. (Note: At one time, Enron outsourced its IA to its external auditor, Arthur Andersen.) Earlier in 2001, Enron had a $10 billion book value and a $60 billion market value. Their latest audited financial reports showed $1 billion in profits. Enron had an audit committee made up of distinguished members with financial accounting pedigrees. Yet this large firm went bankrupt after booking a $600 million entry to revise its earnings in late 2001, followed by a loss of confidence in credit markets. In 2002, the U.S. Congress passed the Sarbanes-Oxley Act as a result of these and other financial failures. In general, the law supports efforts to make corporate governance more effective. For example, at least one member of the audit committee is required to be an expert in financial accounting, members are required to be independent, and the committee is required to perform certain interactive activities and processes associated with audits, such as being responsible for hiring external auditors and maintaining regular communications with the IA function. (See also Sections 1.6(e) and 3.4(e) for more on the Sarbanes-Oxley Act.)

Chapter 9: Managing the Effectiveness of the Audit Department

Effective corporate governance is a synergy between internal auditors, the board of directors, senior management, and external auditors. The importance of corporate governance is illustrated by a McKinsey report that stated that investors are willing to pay a premium on shares of companies that had a corporate governance framework in place: 12 to 14% in North America and Western Europe, 20 to 25% in Asia and Latin America, and 30% in Eastern Europe and Africa. [2] The IIA believes that good corporate governance principles could prevent some of the frauds that have been investigated by the Securities and Exchange Commission (SEC). The National Association of Corporate Directors has recommended that the SEC require public companies to disclose the extent to which they meet endorsed standards developed by the listing exchanges. Codes of governance in the United Kingdom, Canada, South Africa, and other countries already require disclosure of conformity to certain recommended governance practices. In the United States, governance policies and practices vary considerably from state to state, and from company to company. One emerging model has been proposed by the Corporate Governance Center at Kennesaw State University in Kennesaw, Georgia [3]; it has been endorsed by the IIA. Their model of principles includes:

1. Interaction. Sound governance requires effective interaction among the board, management, the external auditor, and the internal auditor.
2. Board Purpose. The board of directors should understand that its purpose is to protect the interests of the corporation's stockholders while considering the interests of other stakeholders (e.g., creditors, employees, etc.).
3. Board Responsibilities. The board's major areas of responsibility should be monitoring the chief executive officer (CEO), overseeing the corporation's strategy, and monitoring risks and the corporation's control system. Directors should employ healthy skepticism in meeting these responsibilities.
4. Independence. The major stock exchanges should define an "independent" director as one who has no professional or personal ties (either current or former) to the corporation or its management other than service as a director. The vast majority of the directors should be independent in both fact and appearance so as to promote arm's-length oversight.
5. Expertise. The directors should possess relevant industry, company, functional area, and governance expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should receive detailed orientation and continuing education to assure they achieve and maintain the necessary level of expertise.
6. Meetings and Information. The board should meet frequently for extended periods of time and should have access to the information and personnel it needs to perform its duties.
7. Leadership. The roles of board chair and CEO should be separate.
8. Disclosure. Proxy statements and other board communications should reflect board activities and transactions (e.g., insider trades) in a transparent and timely manner.
9. Committees. The nominating, compensation, and audit committees of the board should be composed only of independent directors.
10. Internal Audit. All public companies should maintain an effective, full-time internal audit function that reports directly to the audit committee.

In addition, the IIA recommends:

- Internal Controls. The board of directors of all publicly traded companies should be required to publicly disclose an assessment of the effectiveness of internal controls within their organizations. Such disclosures should address internal controls broadly, rather than being limited to accounting controls over the recording and reporting of financial information. This recommendation includes the suggested use of the Committee of Sponsoring Organizations (COSO) model described in Chapter 3.
- Internal Audit Function. All publicly held companies should establish and maintain an independent, adequately resourced, and competently staffed internal auditing function to provide management and the audit committee with ongoing assessments of the organization's risk management processes and the accompanying system of internal control. If an internal audit function is not present, the board of directors should be required to disclose in the company's annual report why the function is not in place. Consideration of the work of internal auditors is essential for the audit committee to gain a complete understanding of an organization's operations.
- Internal Audit Independence. In establishing and providing oversight for an internal audit function, audit committees should ensure that the function is structured in a manner that achieves organizational independence and permits full and unrestricted access to top management, the audit committee, and the board.
- Internal Audit Professionalism. In establishing and providing oversight for the internal auditing function, audit committees should charge chief audit executives (CAEs) with the responsibility of ensuring that internal audit work is performed in accordance with the IIA's Standards. Internal auditors, and especially CAEs, should demonstrate their professional competency by attaining appropriate professional certification.

Insight into the audit committee element of corporate governance can be drawn from a study by COSO. In 1999, COSO issued a study of SEC enforcement activities from 1987 to 1997. The study analyzed 200 randomly selected cases of alleged financial fraud investigated by the SEC during the decade, which is about two-thirds of all the SEC probes into fraud during that period. The results of the study provide valuable information for any organization in protecting against fraud, but are especially valuable in developing audit committees. The "COSO Landmark Study on Fraud in Financial Reporting" points to several common factors among the companies in the study (see Exhibit 9.1).
Exhibit 9.1: Commonalities of Fraud Entities from COSO Study
- Smaller firms vs. larger firms were investigated
- Lack of experience in board members
- Lack of independence of audit committee/board members
- Absence of audit committee or infrequent audit committee meetings
- Likelihood of involvement of executive managers in financial fraud
- Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
- Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you cannot depend on your external auditors to detect fraud based on their size)
- Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies involved; the average misstatement or misappropriation was $25 million

First, most fraud in financial reporting among public companies was committed by smaller corporations, well below $100 million in assets. Most were not listed on the New York or American Stock Exchanges. Second, the boards of directors of the companies investigated were dominated by insiders and directors with significant equity ownership. They also had little apparent experience in serving on the boards of other companies.

Third, most audit committees of the firms investigated met only about once a year, or the company had no audit committee at all. The absence of an active audit committee leaves a gap in the enterprise internal control environment. Last, the riskiest group of perpetrators was executive managers: 83% of the cases appeared to involve either the CEO or the chief financial officer (CFO), and the CEO appeared to be involved in 72% of the cases. This statistic is particularly chilling because of the role executives play in the business, their ability to override internal controls, and the difficulty of recognizing the involvement of executives in financial frauds. One way to provide a control against management fraud is an effective, aggressive audit committee that is willing to challenge management when necessary and is vigilant in looking for signs of ongoing fraud by management.

From this data, a model for audit committees can be developed. This model of attributes was developed based on existing standards, SEC rules, and the COSO fraud report (see Exhibit 9.2). The model attributes include independence, competence, organizational structure, leadership, and a proactive approach.

Exhibit 9.2: Model of Attributes for Effective Audit Committee [4]
- Independence (outside directors)
- Competence (knowledge and understanding of accounting, auditing, and internal controls; critical thinkers)
- Organizational Structure (reporting channels direct from the internal audit function, external auditors, and whistle blowers)
- Leadership (active, strong, decisive chair)
- Proactive Approach

These points are made to assist IA in providing input on audit committee members, board members, and the other responsibilities it has related to both corporate governance and quality. IA is an integral part of effective corporate governance.

[1] Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a position paper presented to the U.S. Congress, April 8, 2002. It is available online at www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.
[2] Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.
[3] Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for Corporate Governance at www.be.udel.edu/ccg/staff.htm.
[4] From "Effective Audit Committees for Cooperatives: Part I, What, Why and How," The Cooperative Accountant, Summer 2002, pp. 22-30, T. Singleton.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.3    REV NO:    DATE:    PAGES:
TITLE: Quality Assurance

9.3 Quality Assurance


Quality assurance provides to IA a service similar to the one IA provides to management: an independent review of the quality of its work, much like the reviews of the quality of earnings, operations, and so on that IA provides. IIA Attribute Standard 1300 requires the chief audit executive (in this manual, the Director of Auditing) to develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.


a. Objective
The objective of the quality control program is to ensure that all assignments are completed in accordance with the department, IIA, and Information Systems Audit and Control Association (ISACA) standards where applicable.

b. Responsibility
It is the responsibility of the Director of Auditing to have quality audits completed on all assignments and to maintain a quality control program to evaluate the operations of the department. The Director of Auditing will appoint a Quality Assurance Coordinator, who will be responsible for the quality control program, and for keeping the Director of Auditing informed of all results.

c. Method
The program is in four parts:

1. Summarized review of all assignments by unassigned auditors
2. Detailed review of selected assignments
3. Annual self-assessment of department-wide standards, policies, and procedures
4. Tri-annual external review

i. Summarized Review of All Assignments by Unassigned Auditors

Objective. The objective is to ensure that all assignments meet minimum standards for planning, supervision, and documentation.

Responsibility. The manager on the engagement is responsible for ensuring that:
- The workpapers are complete.
- The work was properly planned.
- The work was properly supervised.
- The workpapers were properly reviewed.

It is the responsibility of the Quality Assurance Coordinator to have all assignments reviewed for compliance with minimum department standards. The Coordinator is also responsible for communicating the deficiencies noted to the Audit Manager and for following up on correction of the deficiencies.

Method. Unassigned auditors will be required to review assignments on which they did not work. The review will be completed by answering the questions in the quality control checklist (see Exhibit 9.3). All "no" and "N/A" answers must be fully explained. The completed checklist, together with the workpapers, is then forwarded to the Quality Assurance Coordinator for follow-up.

Exhibit 9.3: Quality Assurance Checklist (each item is answered Yes, No, or N/A)

I. GENERAL
   A. Is the General section complete?
   B. Are the workpapers in a binder and ready for filing?
   C. Are all review notes and pending matters complete and removed from the binder?
   D. Are workpapers properly ordered? Do they contain indexes and lead sheets where appropriate?
   E. Is the engagement checklist complete?
   F. Have all employee evaluation forms been completed?
   G. Was timely notice given to the auditee?
   H. Has the auditee response been:
      1. Received?
      2. Reviewed: By Manager? By In-Charge?

II. REPORTING AND CONTROL SECTION
   A. Audit Report
      1. Is a final copy included in the workpapers?
      2. Is the report in standard format? The following should be included:
         a. Introduction
         b. Profile and/or financial highlights
         c. Scope of audit
         d. Conclusion
         e. Summary
         f. Other comments
         g. Detailed recommendations
      3. Do the detailed recommendations contain the following five attributes?
         a. Statement of condition
         b. Criteria
         c. Cause
         d. Effect
         e. Statement of action
      4. Was the report issued timely? If not, is the reason explained on the report distribution worksheet?
   B. Is a copy of the year-end financials, or other meaningful reports, included?
   C. Summary Memorandum
      1. Is it completed?
      2. Was it prepared by a senior or other appropriate individual?
      3. Does it contain the following:
         a. Audit objectives
         b. Audit results
         c. Auditee background information
         d. Budgeted hours to actual hours analysis, and explanations of significant variations
         e. Comments for subsequent audits, if applicable
   D. Manager Comments: Are all significant accounting and auditing problems fully documented?
   E. Working Trial Balance (for year-end financial audits): Is a working trial balance complete and cross-referenced to the supporting workpapers?
   F. Audit Planning Memorandum
      1. Was it completed prior to the audit field work?
      2. Approved by manager and Director of Auditing?
      3. Does it contain the following:
         a. Audit objectives
         b. Background information
         c. Financial highlights
         d. Description of significant audit procedures
         e. Budgeted audit hours
         f. Timing of audit
         g. Auditors assigned
   G. Audit Programs
      1. Are they complete?
      2. Are they approved by manager and senior?
      3. Are changes approved by manager and senior?
   H. Fluctuation Analysis: Has it been completed and are all significant fluctuations explained?
   I. Time Budget
      1. Is it completed?
      2. Does it agree to hours reported per semimonthly Corporate Audit progress reports?
   J. Audit Recommendation Summary/Interim Recommendation Worksheet
      1. Is it complete?
      2. Are comments appropriately cross-referenced to detailed workpapers?
      3. Are all recommendations not included in the detailed Report of Recommendations and Comments explained?
   K. Were prior audit reports included? Did the auditee implement the items noted? Have the comments been repeated in the current year's report?
   L. Is the notice to auditee and other appropriate correspondence included in the binder?
   M. Noted for Future Audits
      1. Has consideration been given to developing CAAPs?
      2. Are the significant comments included in the summary memorandum?
   N. Is the closing conference documented?

III. AUDIT WORKPAPERS
   A. Have they been properly reviewed, as evidenced by:
      1. All workpapers referenced?
      2. All workpapers signed off?
      3. Do all workpapers contain headings?
      4. Do workpapers contain evidence of review?
      5. Have internal controls been considered and, if appropriate, tested?
      6. Are conclusions on major accounts or areas stated and properly supported?
      7. Were all material adjustments approved by the senior and manager?
      8. Do the workpapers include a final report copy?

The Quality Assurance Coordinator will review all deficiencies noted with the senior and the manager of the assignment. The manager is responsible for seeing that the deficiencies are corrected. Once all deficiencies are corrected, the Quality Assurance Coordinator will sign off on the engagement checklist.

ii. Detailed Review of Selected Assignments

Objective. The objective of this phase of the quality control program is to see that Corporate Audit workpapers:
- Support the conclusions reached
- Are efficient
- Are appropriate in the circumstances
- Comply with department and professional standards

Responsibility. The selection of assignments to be reviewed will be made by the Quality Assurance Coordinator (see Exhibit 9.4 for criteria). The Coordinator will assign the detailed review of workpapers to two seniors, preferably from two different locations or groups.

Exhibit 9.4: Selection of Assignments for Detailed Review
1. Audits and special projects will be selected to meet the following criteria:
   - Minimum 10% of all assignments
   - Minimum 10% of audit hours incurred during the year
   - At least one assignment for each senior or supervising senior
   - At least one of each type of audit: financial, systems review, special projects, data center audits
2. Assignments will be selected at random, supplemented by the Quality Assurance Coordinator's judgment, to meet all of the above criteria.

Method. Workpapers will be reviewed in detail using a published checklist (if appropriate). All "no" answers will be reviewed with the manager and the senior in charge. All noted items, or the fact that there are no items, will be reported to the Quality Assurance Coordinator in selected-assignment review memoranda. The Quality Assurance Coordinator will summarize all items noted in these reviews and prepare the selected assignments review memo to the Director of Auditing.

iii. Annual Self-Assessment of Department-Wide Standards, Policies, and Procedures

Objective. The objective of this review is to ensure that the department is in compliance with department, corporate, and professional standards (e.g., IIA, ISACA).

Responsibility. The Quality Assurance Coordinator is responsible for completion of this review.

Method. The Quality Assurance Coordinator will compare the actual operating procedures of the department with the IIA's Standards for the Professional Practice of Internal Auditing, ISACA standards, and other corporate and department standards as appropriate. This process will be accomplished through review of documentation, interviews, and actual experience. Upon completion, the Quality Assurance Coordinator will prepare the annual report to the Director of Auditing.

iv. Tri-Annual External Review

Objective. The objectives of this review are to:
- Obtain an outside view of the department's performance versus professional and internal standards
- Obtain suggestions for improving operating efficiencies

Responsibility. It will be the responsibility of the Director of Auditing, upon the recommendation of the Quality Assurance Coordinator, to have a tri-annual (every three years) external review performed. (IIA Standard 1312 requires an external assessment at least once every five years, so a three-year cycle exceeds the minimum.)

Method. The method of review (a public accounting firm, internal auditors from another organization, or an IIA team) will be decided after a complete review of the alternatives. Items that must be considered are:
- Cost
- Confidentiality of records
- Expertise in performing reviews
- Knowledge of the business and operating environment

d. Reports
There are several key reports:
- Annual Report to the Audit Committee of the Board of Directors
- Annual Report to the Director of Auditing
- Selected Assignments Review

i. Annual Report to the Audit Committee of the Board of Directors
This summarized report, prepared by the Director of Auditing and sent to the Audit Committee, reports on the quality control program and the results of the annual self-assessment.

ii. Annual Report to the Director of Auditing
This summarized report on the quality control program for the year includes the results of the annual self-assessment, a summary of deficiencies noted, and suggestions for improvement.

iii. Selected Assignments Review
This report is a summary memorandum and detailed checklist, enumerating the deficiencies and findings from the detailed review of selected audits, prepared for each assignment selected under the detailed review procedure (Method, part ii, above). This memo is first reviewed with the assignment manager and in-charge accountant before being given to the Quality Assurance Coordinator.

e. Summary of Review
The Quality Assurance Coordinator prepares a summary of the detailed deficiencies noted in the ongoing review of all workpapers. This memorandum is sent to the Director of Auditing and is discussed with the entire staff during an annual meeting.


f. Quality Assurance Checklist


Prepared by unassigned auditors, the checklist will be completed on all assignments after they have been approved for filing by the manager, and the report has been issued (see Exhibit 9.3 for a checklist). Upon completion, the checklist will be forwarded to the Quality Assurance Coordinator who is responsible for follow-up, to ensure the elimination of any deficiency noted.

SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.4    REV NO:    DATE:    PAGES:
TITLE: Continuous Improvement Systems for Internal Auditors

9.4 Continuous Improvement Systems for Internal Auditors


Continuous quality improvement methodologies can provide the tools to lead IA into achieving, or maintaining, world-class status. Most of the current continuous improvement programs were designed for manufacturing and then adapted to service organizations. They include Total Quality Management (TQM), Six Sigma, the Baldrige National Quality Program, Kaizen, the Theory of Constraints, the Balanced Scorecard, Value-Based Metrics (VBM), and the International Organization for Standardization (ISO) 9000 family. Other improvement methodologies that are not necessarily continuous include Activity-Based Costing (ABC) and Business Process Reengineering (BPR). Of these systems, the ones most applicable to the IA department are the Balanced Scorecard, VBM, ABC, TQM, ISO 9000, and perhaps Baldrige.

a. Balanced Scorecard [5]


The center of the Balanced Scorecard System is the entity's strategy and vision. For the IA department, that would be related to the mission statement discussed in Section 4.1(a)i. The strategic objectives related to audits and services provided by IA are translated into measures that can be used to track how IA's services create value for its customers (see Section 9.5(b) later in this chapter for a discussion of IA's "customers"), how internal processes can be enhanced, and how the investment in people supports improved future performance. The Balanced Scorecard System combines both financial and non-financial performance measures; in fact, users of the Balanced Scorecard typically have only about 20% of their measures in financial terms. Users of the Balanced Scorecard learn to take advantage of non-financial measures successfully. Measures are made from four perspectives (presented as originally developed for businesses in general; see Exhibit 9.5):

- Customers. Focuses on the external environment to understand, discover, and emphasize customer needs. Common measures include customer satisfaction, customer loyalty, and customer retention.
- Internal Business Processes. Focuses internally along a value chain comprising innovation, operations, and post-delivery service processes. Common measures include research and development expenditures, sales from new products, productivity, cycle time, and throughput efficiency.
- Learning and Growth. Provides the foundation, or infrastructure, needed to meet the objectives of the other two operational perspectives. Common measures include employee satisfaction, dollars spent on training, and voluntary turnover.
- Financial. Focuses on shareholders. Every measure in the Balanced Scorecard System should be part of a causal link that ends in financial measures. Common measures include economic value-added (EVA), return on investment, and net income.

Exhibit 9.5: Balanced Scorecard System Model

Some of the above measures and concepts do not apply to IA, or do not apply directly. The Internal Audit department would obviously use what can apply and ignore the rest. For customers, the customer satisfaction component is important and can be measured by a survey instrument. Customer loyalty and retention, however, do not easily apply (i.e., a captive audience exists). In the area of internal business processes, innovation could be things such as new computer-aided audit tools and techniques (CAATTs) applied to audits, and even the Balanced Scorecard System itself being applied to IA. Post-delivery services could include gathering empirical data on the effectiveness of audit recommendations (i.e., were they implemented, what improvements were realized, etc.), or follow-up procedures on audit recommendations. Applicable measures include productivity, cycle time, and efficiency. The documents and processes recommended throughout the manual provide source documents to assist in these measures, recognizing that an appropriate Balanced Scorecard System would likely include other documents and measures. Comparing budgeted hours for audit projects versus actual time is a good measure of efficiency (see Exhibit 6.2 and Section 6.1(a), "Three-Year Operating Plan"). For Learning and Growth, employee satisfaction within the department can easily be measured, if it can be done anonymously. Training can be measured by PD/CPE hours and the annual staff conference (see Section 5.5). Voluntary turnover can be measured from the Human Resource Summary recommended in Section 9.5(d) (see Exhibit 9.6).

Exhibit 9.6: Summary of Personal Activities

Financial could be measured by using IA as a profit center, or even a cost center with budget variances. Shareholders could be extended to stakeholders as a more effective scope. Stakeholders would include: executive management (CEO, CFO, etc.), the Audit Committee, the Board of Directors in general, and shareholders or the public. That focus is more aligned to the responsibilities of the IA function. Altogether, the Balanced Scorecard System provides an excellent model for IA to use in pursuing world-class quality in its processes, duties, and services. Balanced Scorecard can be adopted, fairly easily, by the IA department.

b. Value-Based Metrics
A system similar to the Balanced Scorecard is Value-Based Metrics (VBM). Like the Balanced Scorecard, the VBM approach ties measures to strategic objectives. VBM is particularly useful as the basis for incentive compensation, resource allocation, investor relations, and other areas. The true drivers of value are often non-financial. In a VBM system, metrics and targets are set that are aligned (linked) to business strategies. The following is a sample of possible non-financial measures in VBM: innovation, growth, operating effectiveness, operating efficiency, employee skills and training, on-time delivery of services, customer satisfaction and retention, and value chain.

c. Activity-Based Costing
Activity-based costing (ABC) is a cost accounting method used to allocate overhead costs to products or services based on the cost of the activities required to produce the product or deliver the service. The allocation bases are cost drivers, the activities that "drive" the costs. An ABC system usually involves two stages. In the first stage, costs are allocated to activity pools according to the type of activity carried out in each pool. For example, a pool for training would include costs associated with the Annual Staff Conference, Continuing Professional Education/Professional Development (CPE/PD) seminars attended by staff, and other training costs. In the second stage, costs are allocated from the activity pools to a cost object, such as a good or service (e.g., an audit project).

Appropriate application of ABC for service entities can be effective if the entity focuses on core activities and reducing non-core activities. For IA, the core activity would be audits. While ABC is not a continuous improvement program, it can help to control departmental overhead on a continual basis and keep it current.

d. Total Quality Management


Total Quality Management (TQM) is another strategic approach to business improvement. Its unique feature is its emphasis on quality from the customer's viewpoint, rather than the producer's. Quality is, therefore, defined by customers; that is, the product or service must meet or exceed the requirements or expectations of customers for that product or service. These expectations may involve attributes such as performance, reliability, durability, responsiveness, aesthetics, after-sale service, timeliness of delivery, and product or service features. TQM may use a variety of tools and techniques to seek continuous improvement of quality, productivity, flexibility, durability, and customer responsiveness. Entities that use TQM need to commit to [6]:

- Even better, more appealing, less-variable quality of the product or service
- Even quicker, less-variable response from design and development through supplier and sales channels, offices, and plants all the way to the final user
- Even greater flexibility in adjusting to customers' shifting volume and mix requirements
- Even lower cost through quality improvement, rework reduction, and elimination of non-value-adding waste

TQM is an applicable continuous improvement approach which, applied appropriately, should be effective in achieving and maintaining high quality.

e. ISO 9000 Family [7]


The International Organization for Standardization (ISO) is another continuous improvement system. ISO has been developing voluntary technical standards over almost all sectors of business, industry and technology since 1947. ISO standards were, before ISO 9000 and ISO 14000, principally of concern to engineers and other technical specialists concerned by the precise scope addressed in the standard. Then, in 1987, came ISO 9000, followed nearly 10 years later by ISO 14000, which have brought ISO to the attention of a much wider business community. However, both ISO 9000 and ISO 14000 are known as generic management system standards. Generic means that the same standards can be applied to any organization, large or small, whatever its product even if the "product" is actually a service in any sector of activity, and whether it is a business enterprise, a public administration, or a government department. Management system refers to what the organization does to manage its processes, or activities. In a very small organization, there is probably no "system," as such, just "our way of doing things," and "our way" is probably not written down, but all in the manager's or owner's head. The larger the organization, and the more people involved, the more the likelihood that there are some written procedures, instructions, forms or records. These help ensure that everyone is not just "doing his or her thing," and that there is a minimum of order in the way the organization goes about its business, so that time, money and other resources are utilized efficiently. To be really efficient and effective, the organization can manage its way of doing things by systemizing it. This ensures that nothing important is left out and that everyone is clear about who is responsible for doing what, when, how, why and where. Management system standards provide the organization with a model to follow in setting up and operating the management system. 
This model incorporates the features that experts in the field have agreed upon as representing the state of the art. A management system that follows the model or "conforms to the standard" is built on a firm foundation of state-of-the-art practices.

Both ISO 9000 and ISO 14000 are actually families of standards. Both families consist of standards and guidelines relating to management systems, and supporting standards on terminology and specific tools, such as auditing (the process of checking that the management system conforms to the standard).

ISO 9000 is primarily concerned with "quality management." The standardized definition of "quality" in ISO 9000 refers to all those features of a product (or service) that are required by the customer. "Quality management" means what the organization does to ensure that its products conform to the customer's requirements. If a business or organization has invested time, energy and money to meet the ISO criteria, it obtains an ISO 9000 certificate. While the IA department will probably not seek the certificate unless the entire organization does, the principles of ISO 9000 can guide IA into becoming a world-class IA function.

f. Baldrige National Quality Program/Baldrige Award [8]


The Malcolm Baldrige National Quality Award was created by Public Law 100-107, signed into law on August 20, 1987. The award program, responsive to the purposes of Public Law 100-107, led to the creation of a new public-private partnership. Principal support for the program comes from the Foundation for the Malcolm Baldrige National Quality Award, established in 1988. The award is named for Malcolm Baldrige, who served as secretary of commerce from 1981 until his tragic death in a rodeo accident in 1987. His managerial excellence contributed to long-term improvement in the efficiency and effectiveness of government.

The Baldrige National Quality Program (BNQP) is supervised by the National Institute of Standards and Technology, and it makes awards each year. Applicants must meet stringent self-assessment criteria before being selected for the Baldrige Award. The Award criteria, continually improved since 1988, include seven categories:

1. Leadership
2. Strategic planning
3. Customer and market focus
4. Information and analysis
5. Human resource focus
6. Process management
7. Business results

The criteria are built on a set of core values and concepts that are embedded behaviors in well-managed companies. Such companies use the Baldrige criteria to assess their management systems and improve performance in their most vital areas. Although BNQP applies only to organizations as a whole, the principles can be followed with successful results without officially applying for the Baldrige Award.

g. Conclusions
An overlap in criteria between these programs is clearly evident (e.g., customer focus). It is recommended that IA and the Director of Audit, in conjunction with corporate management, consider using one of these programs, or some other continuous improvement system, in addition to the quality assurance program, in order to establish and maintain a world-class audit function.

[5] For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P. Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.
[6] According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important Aspects by C. Carl Pegels, from Boyd & Fraser Publishing Co., 1995.
[7] Much of this section was taken from the ISO web site at www.iso.org.
[8] For more information on Baldrige, see www.quality.nist.gov/.

SAM POLE COMPANY

Corporate Audit Department Procedures Manual NO: 9.5 REV NO: DATE: TITLE: Marketing the Audit Function PAGES:

9.5 Marketing the Audit Function


A series of books was published in the 1980s that examined what made successful companies successful. Strengths included an obsession with quality, building a family or families out of employee groups, sound long-range planning, price value of products and services, and closeness to the customer. The need to be close to the customer and the drive to satisfy the customer are basic principles learned in business school, but businesses or operations, such as audit functions, sometimes lose this focus. Audit departments need to be addressing all of these areas of their operations. Should an audit department get close to customers? Should IA have marketing functions? Do auditors produce products? Within the limits of independence and objective review of operations and financial position, the answers are yes. Who are your customers as the IA department? There are many types, and they may not all want the same products. The objective of this section is to remind auditors to think about who their customers are and what products are produced, and to attempt to improve the delivery of the products by using some basic marketing concepts.

a. What Is Marketing?
A conventional definition of marketing includes all the steps to place a product in the hands of a consumer. Marketing should be involved when the product is being developed, to consider who the different customers are and how the product should be delivered to each. For instance, the audit department produces audit reports. Who reads the audit reports? The answer may include divisional financial managers and controllers, divisional operations managers, corporate financial managers and the CFO, corporate managers and the CEO, the audit committee, and the independent auditors. These are all customers, and they may want different products. The audit report is discussed in Section 8.1 and includes a two-level reporting process that allows for some product differentiation and divides the product logically to allow for different combinations for different customers. Marketing involves studying the customers' wants and satisfaction with the product. Does the corporate CEO want the same level of detail as the divisional controller? There is a very good chance the CEO does not. The audit report product has been designed, as discussed in Section 8.1, to allow for a summary audit report and a detailed audit report. To respect the time commitments of the CEO-type customer, the summary report is limited to two pages. The reader of the summary report is always offered the full detailed report on request. To help differentiate this important report from others arriving on the customer's desk, a color banner is suggested to highlight the product.


b. Understanding the Customers


Marketing requires understanding the needs of customers and assessing their understanding of the product and their satisfaction with the product. Marketing and successful acceptance of products can be enhanced by studying and understanding customers' profiles, including age, background, time commitments, priorities, and need for information. For example, most financial managers have a financial background that enables them to understand more fully financial audit reports; however, corporate financial managers may not have the same time available for every division and may only want summary information on non-problem audit reports. Operations managers may not understand as fully the implications of the audit findings. Consider adding a separate background report or glossary when applicable. To respect the time availability of customers and the need to commit the audit department to clear reporting of results, an opinion paragraph is included in the summary audit report. Some audit departments include a quantified score or grade for each audit. Therefore, by considering the customer, the audit department adds value to its product by constructing products that customers (users) want and with which they will be satisfied.

c. Getting the Audit Message Out


In addition to audit reports, the Audit Department produces many products, including written reports such as reports to the Audit Committee, reports to management, and budget reports. The preparation of all reports should include the study and evaluation of the intended customer and of how the product could be developed and delivered in a better, more comprehensive, and more productive way.

Audit Department brochures are marketing tools that can help the department improve understanding of the IA function and improve its image. Such a brochure is a form of advertising, the objective of which is to show the product or service in a positive way while still respecting the professional image. The brochure becomes a recruitment tool as well as an orientation tool for new Audit Committee members and corporate and other senior management. The department brochure could include a message from the CEO and the Chief Auditor, and sections on Audit Department objectives and services, management's requests, who to contact, staff qualifications and organization, the role of the Audit Committee, what to do if a fraud is suspected, and other important information.

Audit staff should be encouraged to be professionally active in order to develop professionally, to gain solid knowledge of emerging developments and solutions, and to promote the audit department. High visibility in the audit profession will also enhance the Audit Department image. Reports on professional activities should be included in reports to management and reports to the Audit Committee. As discussed above, these are different customers with different information needs, which should be considered as the product (report) is developed.

Issuing control-related brochures to improve the organization's system of internal control can add value and reduce the negative reporting image of internal audit. For example, a brochure on basic personal computer controls (backups, password security, etc.) can improve individual employees' control awareness and improve the overall system of internal control. (See Chapter 3 for more details on internal controls that might be useful in developing such a brochure.) This approach markets the Audit Department in a positive way.

d. Human Resources
As discussed in more detail in Chapter 5, audit departments are developers of people. The department can be used as a training ground for financial and operational managers. If this approach is taken, human resource development becomes a significant Audit Department product. To manage this program, a summary should be kept of all audit personnel hired each year, with information on promotions, transfers, and separations. From this summary (see Exhibit 9.6), statistics can be developed on the number of personnel transferred and promoted.


Using the Audit Department as a training ground also helps address the issues of career-path opportunities for the Audit Department. It produces a tangible additional and positive audit product for the organization. Of course, it requires more work on the part of audit management. Planned turnover will result, and staff scheduling becomes more complex. If the Audit Department is going to be used as a training ground, a formal Management Development Training Program should be developed outlining the plan's objectives and guidelines.

e. Summary
Marketing considerations are important elements in every business operation, including the audit function. Constantly be on the look-out for opportunities to market the audit function and produce positive deliverables and new products and services.

Endnotes
1. Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a position paper presented to U.S. Congress, April 8, 2002. It is available online at www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.
2. Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.
3. Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for Corporate Governance at www.be.udel.edu/ccg/staff.htm.
4. For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P. Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.
5. According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important Aspects by C. Carl Pegels, from Boyd & Fraser Publishing Co., 1995.
6. Much of this section was taken from the ISO web site at www.iso.org.
7. For more information on Baldrige, see www.quality.nist.gov/.


Index
A
AICPA
  Founding, 7
  SysTrust, 78-83
Association of Information Technology Professionals (AITP), 41
Auditing
  Frauds
    COSO Study (SEC fraud violations), 99, 115-117, 344-345
    Equity Funding, 1973, 19-20
    Ivar Kreuger, 1932, 8
    McKesson & Robbins, 1938, 8-9
    South Sea Bubble, 6
    Ultramares, 1925, 7
  Risk Assessment, 97-104, 230-231
  Standards
    AICPA-GAAS, 52
    IIA-SPPIA, 46-48, 97, 227, 263, 265
    ISACA-Standards, 48-52
    SDLC, 53-57, 90

C
COSO (Treadway Commission)
  COSO, 13
  COSO Model, 72-74, 85, 243
Computer Crimes
  Criminals/Intruders, 70, 92, 123
  Denial of Service/Distributed DoS, 100, 106
  Financial Fraud, 122
  Misappropriation of Assets (theft), 122
  Unethical E-Mail, 94, 102
  Viruses/Worms, 94, 100-101
  Virus Hoaxes, 94, 101-102, 106

E
Ethics, 41-45
  IIA Code of Ethics, 42-44
  ISACA Code of Professional Ethics, 44-45

F
Federal Laws
  Copyright Laws, 30, 87-88
  Foreign Corrupt Practices Act, 1977, 30, 87
  Income Tax (Sixteenth Amendment), 1913, 7, 29, 61
  Sarbanes-Oxley Act, 2002, 31, 88-89, 342
  Securities Act, 1933, 7-8, 29, 61, 87
  Securities Exchange Commission Act, 1934, 7-8, 29, 61, 87

G
GAO
  Yellow Book, 15

I
Information Systems Audit & Control Association
  CobiT, 74-75
  Founding, 1969, 21-22, 48
Institute of Internal Auditors
  Founding, 1941, 10-14
  SAC Study, 20-21, 76-77
Internal Audit
  Annual Staff Meeting, 214-216
  Audit Recommendations, 275-283, 311, 318-320
  Budget Planning, 232
  Continuous Improvement
    Activity-Based Costing, 358, 630
    Balanced Scorecard, 356-358
    Baldrige National Quality Program, 361-362
    ISO 9000, 360-361
    Total Quality Management (TQM), 360
    Value-Based Metrics, 358
  Coordinator of Education, 192
  Corporate Audit Charter, 144-147
  Corporate Audit Training Model, 193-195
  CPE, 197
  Department Policies
    Confidentiality, 177-178
    Days Off for Extensive Travel, 179
    Orientation/Training, 178-179
    Professional Certification, 180
  Job Descriptions, 149-176
  Marketing, 363-365
  Mission Statement, 136-137
  Orientation, 217-220
  Outsourcing, 139-141
  Performance Evaluation, 204-213
  Personnel Files, 199-203
  Planning Memo, 269-275
  Preliminary Survey, 236-269
  Professional Certification, 185, 336
  Quality Assurance, 347-355
  Recruiting
    Aids, 184-185
    Management Development Programs, 185
    Sources, 182-184
  Reporting
    Expense Reporting, 256
    Time Reporting, 250-255
  Scope, 314
  Types
    Compliance Audits, 241
    Contract Audits, 241-242
    Desk Review, 242-243
    E-Commerce Audits, 249
    Financial Audits, 238-240
    Follow-Up Audits, 243
    High-Level Review of Procedures, 238
    Information System Audits, 243-248
    International Audits, 249
    Operational Audits, 240
  Workpapers, 284-294
Internal Auditing
  Audit Committee, 31, 114-119, 331-336, 342-346
  Control Self-Assessment, 141-142
  Corporate Governance, 114-119, 342-346
  IT Governance, 119-120
  Independence, 60-61
  Materiality, 235-237
  Responsibilities, 59-61
Internal Controls
  Basic Assumptions, 69-70
  Business Recovery/Disaster Recovery, 94-96, 245-246
  CAATTs
    Authentication, 124-125
    Biometrics, 124-125
    Call-back Modems, 125
    Computer Logs, 120
    Firewalls, 126-127
    Generalized Audit Software, 127-128
    Internet Storm Watcher, 105-106
    Intrusion Detection Systems (monitoring), 126
    Passwords, 92-93, 124
  CobiT, 74-75
  Computer Controls, Application, 112-113, 244, 246-248
  Computer Controls, General, 111-112, 243-244
  COSO Model, 72-74, 85, 243
  COSO Study (SEC fraud violations), 99, 115-117, 344-345
  Cost-Benefit Analysis, 71
  Definitions, 65-66
  Models, 68, 91
  PDC Model (expanded), 105-108
  Physical Controls, 109-111, 244-245
  Policies
    Business Recovery/Disaster Recovery, 94-96
    Computer Usage, 92
    E-Mail, 94
    Password, 92-93
    Privacy, 95
    SDLC, 90
    Security, 92
  Risk Assessment, 97-104
  SAC/eSAC, 76-77
  Sarbanes-Oxley Act, 88-89
  Segregation of Duties, 121
  SysTrust, 78-83

S
Sarbanes-Oxley Act (2002)
  Corporate Governance, 342
  Internal Controls Requirements, 88-89
  Legal Requirements, 31
SEC, 7-8, 29, 61, 87, 114-115
  COSO Study (SEC fraud violations), 115-117, 344-345
  Sarbanes-Oxley Act, 31, 88-89


List of Tables
Chapter 6: Audit Planning
Sam Pole Company Corporate Audit Department Three-Year Audit Plan

Chapter 7: Audit Performance


Financial Highlights For the six months ended June 30 ($000's omitted)


List of Exhibits
Chapter 2: Auditing Standards and Responsibilities
Exhibit 2.1: ISACA Auditing Standards Guidelines
Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix
Exhibit 2.3: SDLC Guidelines

Chapter 3: Internal Control System


Exhibit 3.1: Internal Control Environment Model
Exhibit 3.2: Controls Decision Making Overview
Exhibit 3.3: COSO Model
Exhibit 3.4: eSAC Model
Exhibit 3.5: SysTrust Model
Exhibit 3.6: Comparison of Internal Control Models
Exhibit 3.7: Internal Control System Model
Exhibit 3.8: Password Policy
Exhibit 3.9: E-Mail Questionnaire
Exhibit 3.10: Disaster Recovery Plan
Exhibit 3.11: Anti-Virus System/Model
Exhibit 3.12: A Basic Vulnerability Plan
Exhibit 3.13: Sample Questionnaire/Inquiry
Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502)
Exhibit 3.15: IS Model of Controls
Exhibit 3.16: Physical Controls
Exhibit 3.17: Audit Committee Oversight Areas, In Order of Importance
Exhibit 3.18: Commonalities of Fraud Entities from COSO Study
Exhibit 3.19: Model of Attributes for Effective Audit Committee

Chapter 4: Department Organization


Exhibit 4.1: Sample Corporate Audit Charter
Exhibit 4.2: Sam Pole Company Organization Chart
Exhibit 4.3: Sam Pole Company Audit Department Organization Chart

Chapter 5: Personnel, Administration, and Recruiting


Exhibit 5.1: Interview Questionnaire for New Internal Auditors
Exhibit 5.2: Overview of Corporate Audit Training Model
Exhibit 5.3: Continuing Professional Education (CPE) Record
Exhibit 5.4: Corporate Audit Department Background Information Form
Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form
Exhibit 5.6: Performance Evaluation Review Form
Exhibit 5.7: Group Discussions Instruction Sheet
Exhibit 5.8: Orientation Checklist

Chapter 6: Audit Planning


Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing
Exhibit 6.2: Sample Three-Year Audit Plan
Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes
Exhibit 6.4: Sample Corporate Audit Time Summary Form

Chapter 7: Audit Performance


Exhibit 7.1: Corporate Audit Performance Process Matrix
Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist
Exhibit 7.3: Sample Notice to Auditee
Exhibit 7.4: Sample Planning Memo
Exhibit 7.5: Recommendation Worksheet Example
Exhibit 7.6: Permanent Files Index

Chapter 8: Audit Reporting

