Sarbanes-Oxley and the New Internal Auditing Rules ROBERT R. MOELLER John Wiley & Sons, Inc.
This book is printed on acid-free paper.

Copyright 2004 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: permcoordinator@wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data
Moeller, Robert R.
Sarbanes-Oxley and the new internal auditing rules / Robert R. Moeller.
p. cm.
Includes bibliographical references and index.
ISBN 0-471-48306-0 (cloth)
1. Auditing, Internal - Law and legislation - United States. 2. United States. Sarbanes-Oxley Act of 2002. I. Title.
KF1357.M64 2004
346.73'063 dc22
2003018290

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
To my best friend and wife, Lois Moeller
Contents

Preface xi

Chapter 1 Introduction 1
    Accounting and Auditing Scandals and Internal Audit 1
    What Are the New Rules? 3
    Who Will Find this Book Useful? 7

Chapter 2 Internal Audit and the Sarbanes-Oxley Act 9
    Where Were the Auditors? Standards Failure 10
    Sarbanes-Oxley Overview: Key Internal Audit Concerns 12
    Impact of the Sarbanes-Oxley Act on the Modern Internal Auditor 57

Chapter 3 Heightened Responsibilities for Audit Committees 59
    Audit Committee Charters and Other Requirements 60
    Board's Financial Expert and Internal Audit 64
    Helping to Establish Documentation Procedures 67
    Controlling Other Audit Services 69
    Establishing Open Communications 70

Chapter 4 Launching an Ethics and Whistleblower Program 71
    Launching an Organization Ethics Program 72
    Establishing a Mission or Values Statement 79
    Codes of Conduct 81
    Whistleblower and Hotline Functions 89
    Auditing the Organization's Ethics Functions 99

Chapter 5 COSO, Section 404, and Control Self-Assessments 103
    SOA Section 404 104
    COSO Internal Control Framework 123
    Violation Penalties: Organizational Sentencing Guidelines 146
    Control Self-Assessments 155

Chapter 6 IIA, CobiT, and Other Professional Internal Audit Standards 165
    Institute of Internal Auditors Standards for Professional Practice 165
    CobiT and Information Technology Governance 175
    ASQ Audit Standards: A Different Approach 183

Chapter 7 Disaster Recovery and Continuity Planning after 9/11 189
    Business Continuity Planning and the New Language of Recovery Planning 190
    Continuity Planning and Service-Level Agreements 194
    New Technologies: Critical Data Mirroring Techniques 195
    Establishing Effective Contingency Policies: What Are We Protecting? 197
    Building the Disaster Planning Business Continuity Plan 198
    Testing, Maintaining, and Auditing the Continuity Plan 206
    Continuity Planning Going Forward 211

Chapter 8 Internal Audit Fraud Detection and Prevention 213
    Red Flags: Fraud Detection for Auditors 214
    Public Accounting's New Role in Fraud Detection 220
    IIA Standards for Detecting and Investigating Fraud 223
    Fraud Investigations for Internal Auditors 225
    Information Systems Fraud Prevention Processes 226

Chapter 9 Enterprise Risk Management, Privacy, and Other Legislative Initiatives 231
    Enterprise Risk Management 231
    Concurrent with SOA: Other Legislation Impacting Internal Auditors 243

Chapter 10 Rules and Procedures for Internal Auditors Worldwide 257
    SOA International Requirements 258
    International Accounting and Auditing Standards 259
    COSO Worldwide: International Internal Control Frameworks 267
    ISO and the Standards Registration Process 272
    ITIL Service Support and Service Delivery Best Practices 279

Chapter 11 Continuous Assurance Auditing Future Directions 293
    Implementing Continuous Assurance Auditing 294
    Internet-Based Extensible Mark-Up Languages: XBRL 302
    Data Warehouses, Data Mining, and OLAP 306
    Newer Technologies, the Continuous Close, and SOA 311

Chapter 12 Summary: Internal Auditing Going Forward 313
    Future Prospects for Internal Auditors 313

Glossary 317
Index 321
Preface

After years of gradual change, the profession of internal auditing in the late 1990s was very different from the internal auditing profession of a decade earlier. Perhaps one of the more significant changes was that the major public accounting firms were aggressively assuming responsibility for internal audit functions through what was called outsourcing. Many internal audit professionals suddenly found themselves working for their public accounting firms as outsourced internal auditors. Although there were many good things to say about this trend, new internal audit roles and responsibilities were evolving and the profession of internal auditing was changing. This was all happening during the dot-com bubble of the 1990s, when the stock market was going in only one direction, up, and some serious thinkers were predicting that there would never be another market downturn. A series of events in the late 1990s and early 2000s changed all of this, and the rules with it. Suddenly we were faced with a series of corporate failures and accounting scandals, many of them caused by corporate executives who liberally bent the rules or blatantly reported false financial results for their organizations. Corporate scandals are nothing new in the United States; there has been a major failure about once every ten years over the last century. However, this was different. The traditional watchdogs, auditors and board members, appeared to be asleep at the switch. There was a clamor to do something! The end result was that, in 2002, the U.S. Congress passed the Sarbanes-Oxley Act, a major new rule that impacts internal and external auditors, corporate senior management, boards of directors, and more. Among other matters, the act prohibited public accounting firms from providing outsourced internal audit services to their audit clients. The Sarbanes-Oxley Act, often referenced as just SOA, is the major new rule discussed throughout this book.

Internal auditors now have new responsibilities with regard to their audit committees and external auditors and for overall corporate governance. This book explains these changes and how internal audit can help with other requirements, such as launching an ethics and whistleblower program or performing effective internal controls reviews under the COSO (Committee of Sponsoring Organizations) framework.
Some of what we call new rules are not really rules at all but best practices that have gained the attention of professionals worldwide. Business recovery and continuity procedures after the World Trade Center terrorist attack of September 11, 2001, are an example. Some organizations had processes in place that allowed easier recovery from that event, and we discuss those approaches. Even though internal auditors may not be initiating such practices, they need to understand them in order to review current approaches or recommend improvements.

This book also discusses other new trends and legislation that are creating new rules for internal auditors. One of these is the overall emphasis on privacy and security in many areas. We discuss several here, with the Health Insurance Portability and Accountability Act (HIPAA) and its privacy rules as an example. Although that legislation is directed at healthcare, its requirements regarding such things as electronic signatures will cause changes in a wide range of organizations and systems. Fraud detection and prevention is another trend that is becoming a new rule. Auditors, both internal and external, often treated fraud matters in the past as "not my job"; however, the rules are changing here. The American Institute of Certified Public Accountants (AICPA) has issued new fraud-related auditing standards, with more changes to come. Risk management is yet another new rule area. As this book goes to press, a new COSO Enterprise Risk Management (ERM) framework has just been released in draft form. The book introduces this draft framework, which will soon become an important new rule for internal auditors.

This book attempts to describe the new rules impacting internal auditors and other professionals as they exist in mid-2003. We may have missed the point in some areas, or things may change in directions different from what we have anticipated. However, the Sarbanes-Oxley Act of 2002, as well as a series of other matters occurring at about the same time, has created a set of new rules for internal auditors and management professionals, both in the United States and worldwide. Although some final rules are yet to be issued and other matters may change, this book outlines these new rules as well as evolving trends that impact internal audit professionals.

ROBERT MOELLER
Chapter 1
Introduction

ACCOUNTING AND AUDITING SCANDALS AND INTERNAL AUDIT

Despite all of the cataclysmic predictions of computer systems and other process-related disasters, the world survived the Y2K millennium change to the year 2000 with no major problems. However, the following year, 2001, became a real disaster for many U.S. accountants and auditors, as well as for business in general. The long-running stock market boom, fueled by dot-com Internet businesses, was shutting down, with many companies failing and the ranks of unemployed professionals growing. Those same boom years spawned some businesses following new or very different models or approaches. One business that received considerable attention and investor interest at that time was Enron, an energy trading company. Starting as an oil and gas pipeline company, Enron developed a business model based on buying and selling excess capacity, first on its competitors' pipelines and then in many other areas. For example, an electrical utility might have a power plant generating several million excess kilowatt-hours of power during a period. Enron would arrange to buy the rights to that power and then sell it to a different power company to get the latter out of a capacity crunch. Enron applied its trading concept in many other areas, such as telephone message capacity, oil tankers, and water purification. Enron quickly became a very large corporation and got the attention of investors. Its business approach was aggressive but appeared to be profitable. Then, in late 2001, it was discovered that Enron was not telling investors the true story about its financial condition. It was found to be using off-balance-sheet accounting to hide some major debt balances. It had been transferring significant financial transactions to the books of unaffiliated partnership organizations that did not have to be consolidated into its financial statements.
Even worse, the off-balance-sheet entities were paper-shuffling transactions