Brink's Modern Internal Auditing

Transcription

1 Brink's Modern Internal Auditing A Common Body of Knowledge Seventh Edition ROBERT R. MOELLER WILEY John Wiley & Sons, Inc.

2 Preface About the Author xix XXV PART ONE CHAPTER 1 FOUNDATIONS OF MODERN INTERNAL AUDITING Foundations of Internal Auditing 1.1 Internal Auditing History and Background 1.2 Organization of This Book Note CHAPTER 2 Internal Audit's Common Body of Knowledge What Is a CBOK?: Experiences from Other Professions Institute of Internal Auditor's Research Foundation CBOK What Does an Internal Auditor Need to Know? Modern Internal Auditing's CBOK Going Forward 19 Notes 19 PART TWO CHAPTER 3 IMPORTANCE OF INTERNAL CONTROLS Internal Control Framework: The COSO Standard 3.1 Importance of Effective Internal Controls 3.2 Internal Controls Standards: Background (a) Internal Control Definitions: Foreign Corrupt Practices Act of 1977 (b) FCPA Aftermath: What Happened? 3.3 Events Leading to the Treadway Commission (a) Earlier AICPA Standards: SAS No. 55 (b) Treadway Committee Report 3.4 COSO Internal Control Framework (a) Control Environment (b) Risk Assessment (c) Control Activities (d) Communications and Information (e) Monitoring

3 3-5 Other Dimensions of the COSO Internal Controls Framework 3.6 Internal Audit CBOK Needs Notes CHAPTER 4 Sarbanes-Oxley and Beyond Key Sarbanes-Oxley Act Elements 54 (a) Title I: Public Company Accounting Oversight Board 55 (b) Title II: Auditor Independence 60 (c) SOx Title III: Corporate Responsibility 62 (d) Title IV: Enhanced Financial Disclosures 68 (e) Title V: Analyst Conflicts of Interest 72 (f) Titles VI through X: Fraud Accountability and White-Collar Crime 72 (g) Title XI: Corporate Fraud Accountability Performing Section 404 Reviews under AS 5 75 (a) Section 404 Internal Controls Assessments Today 75 (b) Launching the Section 404 Compliance Review AS 5 Rules and Internal Audit Impact of the Sarbanes-Oxley Act 87 Notes 87 CHAPTER 5 CHAPTER 6 Another Internal Controls Framework: CobiT 5.1 Introduction to CobiT 5.2 CobiT Framework (a) CobiT Cube Components: IT Resources (b) CobiT Cube Components 5.3* Using CobiT to Assess Internal Controls (a) Planning and Enterprise (b) Acquisition and Implementation (c) Delivery and Support (d) Monitoring and Evaluation 5.4 Using CobiT in a SOx Environment 5.5 CobiT Assurance Framework Guidance 5.6 CobiT in Perspective Notes Risk Management: COSO ERM 6.1 Risk Management Fundamentals (a) Risk Identification (b) Key Risk Assessments (c) Quantitative Risk Analysis 6.2 COSO ERM: Enterprise Risk Management 6.3 COSO ERM Key Elements (a) Internal Environment Component (b) Objective Setting (c) Event Identification

4 Vll (d) Risk Assessment 134 (e) Risk Response 136 (f) Control Activities 138 (g) Information and Communication 140 (h) Monitoring Other Dimensions of COSO ERM: Enterprise Risk Objectives 142 (a) Operations Risk Management Objectives 142 (b) Reporting Risk Management Objectives 143 (c) Legal and Regulatory Compliance Risk Objectives Entity-Level Risks 145 (a) Risks Encompassing the Entire Organization 145 (b) Business Unit-Level Risks Putting It All Together Auditing Risk and COSO ERM Processes Risk Management and COSO ERM in Perspective 147 Notes 149 PART THREE PLANNING AND PERFORMING INTERNAL AUDITS 151 CHAPTER 7 Performing Effective Internal Audits Organizing and Planning Internal Audits Internal Audit Preparatory Activities 155 (a) Determine the Audit Objectives 157 (b) Audit Scheduling and Time Estimates 158 (c) Preliminary Surveys Starting/the Internal Audit 160 (a) Internal Audit Field Survey 163 (b) Documenting the Internal Audit Field Survey 164 (c) Field Survey Auditor Conclusions Developing and Preparing Audit Programs 166 (a) Audit Program Formats and Their Preparation 167 (b) Types of Audit Evidence Performing the Internal Audit 172 (a) Internal Audit Fieldwork Initial Procedures 173 (b) Audit Fieldwork Technical Assistance 175 (c) Audit Management Fieldwork Monitoring 175 (d) Potential Audit Findings 176 (e) Audit Program and Schedule Modifications 178 (f) Reporting Preliminary Audit Findings to Management Wrapping Up the Field Engagement Internal Audit Performing an Individual Internal Audit 180 CHAPTER 8 Standards for the Professional Practice of Internal Auditing Internal Auditing Professional Practice Standards 184 (a) Background of the IIA Standards 184

5 V1U Contents (b) IIA's Current Standards: What Has Changed (c) 2009 New Internal Audit Standards 8.2 Content of the IIA Standards (a) Internal Audit Attribute Standards (b) Internal Audit Performance Standards 8.3 Codes of Ethics: The IIA and ISACA Notes CHAPTER 9 Testing, Assessing, and Evaluating Audit Evidence Gathering Appropriate Audit Evidence Audit Assessment and Evaluation Techniques Internal Audit Judgmental Sampling Statistical Sampling: An Introduction 204 (a) Statistical Sampling Concepts 205 (b) Developing a Statistical Sampling Plan 210 (c) Audit Sampling Approaches Monetary Unit Sampling 225 (a) Selecting the Monetary Unit Sample: An Example 225 (b) Performing the Monetary Unit Sampling Test 227 (c) Evaluating Monetary Unit Sample Results 228 (d) Monetary Unit Sampling Advantages and Limitations Variables and Stratified Variables Sampling Other Audit Sampling Techniques 232 (a) Multistage Sampling 232 (b) Replicated Sampling 232 (c) Bayesian Sampling Making Efficient and Effective Use of Audit Sampling 233 Notes 236 CHAPTER 10 Audit Programs and Establishing the Audit Universe Denning the Scope and Objectives of the Internal Audit Universe Assessing Internal Audit Capabilities and Objectives Audit Universe Time and Resource Limitations "Selling" the Audit Universe to the Audit Committee and Management Assembling Audit Programs: Audit Universe Key Components 247 (a) Audit Program Formats and Their Preparation 248 (b) Types of Program Audit Evidence Audit Universe and Program Maintenance 252 CHAPTER 11 Control Self-Assessments and Benchmarking 11.1 Importance of Control Self-Assessments 11.2 CSA Model

6 IX 11.3 Launching the CSA Process 255 (a) Performing the Facilitated CSA Review 257 (b) Performing the Questionnaire-Based CSA Review 259 (c) Performing the Management-Produced Analysis CSA Review 26l 11.4 Evaluating CSA Results 26l 11.5 Benchmarking and Internal Audit 262 (a) Implementing Benchmarking to Improve Processes 263 (b) Benchmarking and the IIA's GAIN Initiative Better Understanding Internal Audit Activities 269 Notes 269 PART FOUR ORGANIZING AND MANAGING INTERNAL AUDITOR ACTIVITIES 271. CHAPTER 12 Internal Audit Charters and Building the Internal Audit Function Establishing an Internal Audit Function Audit Charter: Audit Committee and Management Authority Building the Internal Audit Staff 275 (a) Role of the CAE 277 (b) Internal Audit Management Responsibilities 278 (c) Internal Audit Staff Responsibilities 278 (d) / Information Systems Audit Specialists 281 (e) Other Internal Auditor Specialists Internal Audit Department Organization Approaches 283 (a) Centralized versus Decentralized Internal Audit Organization Structures 283 (b) Organizing the Internal Audit Function Internal Audit Policies and Procedures Professional Development: Building a Strong Internal Audit Function 292 Note 292 CHAPTER 13 Internal Audit Key Competencies 13.1 Importance of Internal Audit Key Competencies 13.2 Internal Auditor Interview Skills 13.3 Analytical Skills 13.4 Testing and Analysis Skills 13.5 Internal Auditor Documentation Skills 13.6 Recommending Results and Corrective Actions 13.7 Internal Auditor Communication Skills 13.8 Internal Auditor Negotiation Skills

7 13-9 Internal Auditor Commitment to Learning Importance of Internal Auditor Core Competencies 304 CHAPTER 14 Understanding Project Management Project Management Processes 305 (a) Project Management Book of Knowledge 306 (b) Developing a Project Management Plan PMBOK Program and Portfolio Management Organizational Process Maturity Model Using Project Management for Effective Internal Audit Plans Project Management Best Practices and Internal Audit 318 Notes 319 CHAPTER 15 Planning and Performing Internal Audits 321 ' 15.1 Understanding the Environment: Launching an Internal Audit Documenting and Understanding the Internal Controls Environment Performing Appropriate Internal Audit Procedures Wrapping Up the Internal Audit Performing Internal Audits 328 CHAPTER 16 Documenting Results through Process Modeling and Workpapers Internal Audit Documentation Requirements Process Modeling for Internal Auditors 331 (a) Understanding the Process Modeling Hierarchy 332 (b) Describing and Documenting Key Processes 332 (c) Process Modeling and the Internal Auditor Internal Audit Workpapers 335 (a) Workpaper Standards 338 (b) Workpaper Formats 339 (c) Workpaper Document Organization 340 (d) Workpaper Preparation Techniques 344 (e) Workpaper Review Processes Internal Audit Document Records Management Importance of Internal Audit Documentation 349 Note 350 CHAPTER 17 Reporting Internal Audit Results 17.1 Purposes and Types of Internal Audit Reports 17.2 Published Audit Reports (a) Approaches to Published Audit Reports (b) Elements of an Audit Report Finding

8 XI (c) Balanced Audit Report Presentation Guidelines 362 (d) Alternative Audit Report Formats Internal Audit Reporting Cycle 366 (a) Draft Audit Reports 368 (b) Audit Reports: Follow-Up and Summary 371 (c) Audit Report and Workpaper Retention Effective Internal Audit Communications Opportunities Audit Reports and Understanding the People in Internal Auditing 376 PART FIVE IMPACT OF INFORMATION TECHNOLOGY ON INTERNAL AUDITING 379 CHAPTER 18 IT General Controls and ITIL Best Practices Importance of IT General Controls Client-Server and Smaller Systems' General IT Controls 383 (a) General Controls for Small Business Systems 384 (b) Smaller Systems' IT Operations Internal Controls 388 (c) Auditing IT General Controls for Smaller IT Systems Components and Controls of Mainframe and Legacy Systems 394 (a) Characteristics of Larger IT Systems 394 (b) Classic Mainframe or Legacy Computer Systems 396 (c) Operating Systems Software Legacy System General Controls Reviews ITIL Service Support and Delivery Infrastructure Best Practices 405 (a) ITIL Service Support Incident Management 407 (b) Service Support Problem Management Service Delivery Best Practices 414 (a) Service Delivery Service-Level Management 415 (b) Service Delivery Financial Management for IT Services 418 (c) Service Delivery Capacity Management 419 (d) Service Delivery Availability Management 421 (e) Service Delivery Continuity Management Auditing IT Infrastructure Management Internal Auditor CBOK Needs for IT General Controls 423 Notes 424 CHAPTER 19 Reviewing and Assessing IT Application Controls 19.1 IT Application Control Components (a) Application Input Components (b) Application Programs (c) IT Application Output Components

9 xii Contents 19.2 Selecting Applications for Internal Audit Reviews Preliminary Steps to Performing Applications Controls Reviews 437 (a) Conducting an Application Walk-Through 439 (b) Developing Application Control Objectives Completing the IT Application's Controls Audit 443 (a) Clarifying and Testing Audit Internal Control Objectives 444 (b) Completing the Application Controls Review Application Review Example: Client-Server Budgeting System 448 (a) Reviewing Capital Budgeting System Documentation 449 (b) Identifying Capital Budgeting Application Key Controls 450 (c) Performing Application Tests of Compliance Auditing Applications under Development 451 (a) Objectives and Obstacles of Preimplementation Auditing 452 (b) Preimplementation Review Objectives 453 (c) Preimplementation Review Problems 454 (d) Preimplementation Review Procedures Importance of Reviewing IT Application Controls 459 Notes 459 CHAPTER 20 Cybersecurity and Privacy Controls IT Network Security Fundamentals 462 (a) Security of Data 463 (b) Importance of IT Passwords 464 (c) Viruses and Malicious Program Code 465 (d) Phishing and Other Identity Threats 467 (e) IT System Firewalls 468 (f) Other Computer Security Issues IT Systems Privacy Concerns 469 (a) Data Profiling Privacy Issues 469 (b) Online Privacy and E-Commerce Issues 470 (c) Radio Frequency Identification 470 (d) Absence of U.S. Federal Privacy Protection Laws Auditing IT Security and Privacy Security and Privacy in the Internal Audit Department 474 (a) Security and Control for Auditor Computers 474 (b) Workpaper Security 475 (c) Audit Reports and Privacy 477 (d) Internal Audit Security and Privacy Standards and Training PCI-DSS Fundamentals Internal Audit's Privacy and Cybersecurity Roles 479 Notes 479

10 xiu CHAPTER 21 Computer-Assisted Audit Tools and Techniques Understanding Computer-Assisted Audit Tools and Techniques Determining the Need for CAATTs CAATT Software Tools 487 (a) Types of CAATTs: Generalized Audit Software 488 (b) Report Generators Languages 489 (c) Desktop and Laptop CAATTs 491 (d) Test Data or Test Deck Approaches 492 (e) Specialized Audit Test and Analysis Software 496 (D Embedded Audit Procedures Selecting Appropriate CAATT Processes Steps to Building Effective CAATTs Using CAATTs for Audit Evidence Gathering 503 Notes 504 CHAPTER 22 Business Continuity Planning and IT Disaster Recovery IT Disaster and Business Continuity Planning Today Auditing Business Continuity Planning Processes (a) Internal Auditor Centralized Data Center BCP Reviews (b) Client-Server Continuity Planning Internal Audit Procedures (c) Continuity Planning for Desktop and Laptop Applications Building the IT Business Continuity Plan (a) Risks, Business Impact Analysis, and the Impact Potential Emergencies (b) Preparing for Possible Contingencies (c) Disaster Recovery: Handling the Emergency (d) Business Continuity Plan Enterprise Training Business Continuity Planning and Service-Level Agreements Newer Business Continuity Plan Technologies: Data Mirroring Techniques Auditing Business Continuity Plans Business Continuity Planning Going Forward Notes of PART SIX INTERNAL AUDIT AND ENTERPRISE GOVERNANCE 529 CHAPTER 23 Board Audit Committee Communications 23.1 Role of the Audit Committee 23.2 Audit Committee Organization and Charters 23.3 Audit Committee's Financial Expert and Internal Audit

11 XIV Contents 23.4 Audit Committee Responsibilities for Internal Audit 539 (a) Appointment of the Chief Audit Executive 541 (b) Approval of Internal Audit Charter 542 (c) Approval of Internal Audit Plans and Budgets 543 (d) Audit Committee Review and Action on Significant Audit Findings Audit Committee and Its External Auditors Whistleblower Programs and Codes of Conduct Other Audit Committee Roles 547 CHAPTER 24 Ethics and Whistleblower Programs Enterprise Ethics, Compliance, and Governance 550 (a) Ethics First Steps: Developing a Mission Statement 551 (b) Understanding the Ethics Risk Environment 553 (c) Summarizing Ethics Survey Results: Do We Have a Problem? Enterprise Codes of Conduct 556 (a) Code of Conduct Contents: What Should Be the (b) Code's Message? 557 Communications to Stakeholders and Assuring Compliance 559 (c) Code Violations and Corrective Actions 560 (d) Keeping the Code of Conduct Current 56l 24.3 Whistleblower and Hotline Functions 562 (a) Federal Whistleblower Rules 563 (b) SOx Whistleblower Rules and Internal Audit 564 (c) Launching an Enterprise Help or Hotline Function Auditing the Enterprise's Ethics Functions Improving Corporate Governance Practices 569 Notes 569 CHAPTER 25 Fraud Detection and Prevention Understanding and Recognizing Fraud Red Flags: Fraud Detection Signs for Internal Auditors Public Accounting's Role in Fraud Detection IIA Standards for Detecting and Investigating Fraud Fraud Investigations for Internal Auditors Information Technology Fraud Prevention Processes Fraud Detection and the Internal Auditor 585 Notes 585 CHAPTER 26 HIPAA, GLBA, and Other Compliance Requirements 26.1 HIPAA: Healthcare and Much More (a) HIPAA Patient Record Privacy Rules (b) Cryptography, PKI, and HIPAA Security Requirements

12 xv (c) HIPAA Security Administrative Procedures 593 (d) Technical Security Services and Mechanisms 594 (e) Going Forward: HIPAA and E-Commerce Gramm-Leach-Bliley Act Internal Audit Rules 595 (a) GLBA Financial Privacy Rules 596 (b) GLBA Safeguards Rule 598 (c) GLBA Pretexting Provisions Other Personal Privacy and Security Legislative Requirements 600 PART SEVEN CHAPTER 27 THE PROFESSIONAL INTERNAL AUDITOR Professional Certifications: CIA, CISA, and More , Certified Internal Auditor Responsibilities and Requirements (a) The CIA Examination (b) Maintaining Your CIA Certification Beyond the CIA: Other IIA Certifications (a) (b) CCSA Requirements CGAP Requirements (c) CFSA W Requirements (d) Importance of the CIA Specialty Certification Examinations Certified Information Systems Auditor (CISA) Requirements Certified Information Security Manager Certification Certified Fraud Examiner CISSP Information Systems Security Professional Certification ASQ Internal Audit Certifications Other Internal Auditor Certifications CHAPTER 28 Internal Auditors as Enterprise Consultants Standards for Internal Audit as an Enterprise Consultant Launching an Internal Audit Internal Consulting Capability Ensuring an Audit and Consulting Separation of Duties Consulting Best Practices 635 (a) First Steps: Launching a Consulting Assignment 636 (b) Consulting Engagement Letters 637 (c) Consulting Process: Denning "As Is" and "To Be" Objectives 638 (d) Implementing Consulting Recommendations 640 (e) Documenting and Completing the Consulting Engagement Expanded Internal Audit Services to Management 640 Note 641

13 XVI Contents CHAPTER 29 Continuous Assurance Auditing and XBRL Implementing Continuous Assurance Auditing 644 (a) What Is a CAA Monitoring Process? 645 (b) Resources for Implementing CAA Benefits of CAA XBRL: Internet-Based Extensible Business Reporting Language 651 (a) XBRL Defined 652 (b) Implementing XBRL Data Warehouses, Data Mining, and OLAP 655 (a) Importance of Storage Tools 655 (b) Data Warehouses and Data Mining 656 (c) Online Analytical Processing Newer Technologies, the Continuous Close, and Internal Audit 659 Notes 660 PART EIGHT INTERNAL AUDITING PROFESSIONAL CONVERGENCE CBOK REQUIREMENTS 661 CHAPTER 30 ISO 27001, ISO 9000, and Other International Standards Importance of ISO Standards in Today's Global World ISO Standards Overview 666 (a) ISO 9001 Quality Management Systems and Sarbanes-Oxley 667 (b) IT Security Standards: ISO and (c) IT Security Technique Requirements: ISO (d) Service Quality Management: ISO ISO Quality Management Systems Auditing ISO Standards and Internal Auditors 678 Notes 678 CHAPTER 31 Quality Assurance Auditing and ASQ Standards Duties and Responsibilities of Quality Auditors Role of the Quality Auditor Performing ASQ Quality Audits Quality Auditors and the IIA Internal Auditor Quality Assurance Reviews of the Internal Audit Function 688 (a) Benefits of an Internal Audit Quality-Assurance (b) Review 689 Elements of an Internal Audit Quality-Assurance Review 690 (c) Who Performs the Quality-Assurance Review? Launching the Internal Audit Quality-Assurance Review 694 (a) Quality-Assurance Review Approaches 695

14 xvii 31.7 (b) Example Quality-Assurance Review of an Internal Audit Function 696 (c) Reporting the Results of an Internal Audit Quality-Assurance Review 702 Future Directions for Quality-Assurance Auditing 704 Notes 705 CHAPTER 32 Six Sigma and Lean Techniques Six Sigma Background and Concepts Implementing Six Sigma 709 (a) Six Sigma Leadership Roles and Responsibilities 711 (b) Launching the Six Sigma Project Lean Six Sigma Auditing Six Sigma Processes Six Sigma in Internal Audit Operations 719 Note 721 CHAPTER 33 International Internal Auditing and Accounting Standards " International Accounting and Auditing Standards: How Did We Get Here? Financial Reporting Standards Convergence IFRS: What Internal Auditors Need to Know International Internal Auditing Standards Next Steps in Internal Audit Standards 729 CHAPTER 34 CBOK for the Modern Internal Auditor Part One: Foundations of Modern Internal Auditing Part Two: Importance of Internal Controls Part Three: Planning and Performing Internal Audits Part Four: Organizing and Managing Internal Audit Activities Part Five: Impact of Information Technology on Internal Auditing Part Six: Internal Audit and Enterprise Governance Part Seven: The Professional Internal Auditor Part Eight: Internal Auditing Professional Convergence CBOK Requirements A CBOK for Internal Auditors 736 Note 737 Index 739