Sarbanes-Oxley and the New Internal Auditing Rules


Sarbanes-Oxley and the New Internal Auditing Rules ROBERT R. MOELLER John Wiley & Sons, Inc.

This book is printed on acid-free paper.

Copyright 2004 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: permcoordinator@wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data
Moeller, Robert R.
Sarbanes-Oxley and the new internal auditing rules / Robert R. Moeller.
p. cm.
Includes bibliographical references and index.
ISBN 0-471-48306-0 (CLOTH)
1. Auditing, Internal Law and legislation United States. 2. United States. Sarbanes-Oxley Act of 2002. I. Title.
KF1357.M64 2004 346.73'063 dc22 2003018290

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

To my best friend and wife, Lois Moeller

CONTENTS

Preface xi

CHAPTER 1 Introduction 1
Accounting and Auditing Scandals and Internal Audit 1
What Are the New Rules? 3
Who Will Find this Book Useful? 7

CHAPTER 2 Internal Audit and the Sarbanes-Oxley Act 9
Where Were the Auditors? Standards Failure 10
Sarbanes-Oxley Overview: Key Internal Audit Concerns 12
Impact of the Sarbanes-Oxley Act on the Modern Internal Auditor 57

CHAPTER 3 Heightened Responsibilities for Audit Committees 59
Audit Committee Charters and Other Requirements 60
Board's Financial Expert and Internal Audit 64
Helping to Establish Documentation Procedures 67
Controlling Other Audit Services 69
Establishing Open Communications 70

CHAPTER 4 Launching an Ethics and Whistleblower Program 71
Launching an Organization Ethics Program 72
Establishing a Mission or Values Statement 79
Codes of Conduct 81
Whistleblower and Hotline Functions 89
Auditing the Organization's Ethics Functions 99

CHAPTER 5 COSO, Section 404, and Control Self-Assessments 103
SOA Section 404 104
COSO Internal Control Framework 123
Violation Penalties: Organizational Sentencing Guidelines 146
Control Self-Assessments 155

CHAPTER 6 IIA, CobiT, and Other Professional Internal Audit Standards 165
Institute of Internal Auditors Standards for Professional Practice 165
CobiT and Information Technology Governance 175
ASQ Audit Standards: A Different Approach 183

CHAPTER 7 Disaster Recovery and Continuity Planning after 9/11 189
Business Continuity Planning and the New Language of Recovery Planning 190
Continuity Planning and Service-Level Agreements 194
New Technologies: Critical Data Mirroring Techniques 195
Establishing Effective Contingency Policies: What Are We Protecting? 197
Building the Disaster Planning Business Continuity Plan 198
Testing, Maintaining, and Auditing the Continuity Plan 206
Continuity Planning Going Forward 211

CHAPTER 8 Internal Audit Fraud Detection and Prevention 213
Red Flags: Fraud Detection for Auditors 214
Public Accounting's New Role in Fraud Detection 220
IIA Standards for Detecting and Investigating Fraud 223
Fraud Investigations for Internal Auditors 225
Information Systems Fraud Prevention Processes 226

CHAPTER 9 Enterprise Risk Management, Privacy, and Other Legislative Initiatives 231
Enterprise Risk Management 231
Concurrent with SOA: Other Legislation Impacting Internal Auditors 243

CHAPTER 10 Rules and Procedures for Internal Auditors Worldwide 257
SOA International Requirements 258
International Accounting and Auditing Standards 259
COSO Worldwide: International Internal Control Frameworks 267
ISO and the Standards Registration Process 272
ITIL Service Support and Service Delivery Best Practices 279

CHAPTER 11 Continuous Assurance Auditing Future Directions 293
Implementing Continuous Assurance Auditing 294
Internet-Based Extensible Mark-Up Languages: XBRL 302
Data Warehouses, Data Mining, and OLAP 306
Newer Technologies, the Continuous Close, and SOA 311

CHAPTER 12 Summary: Internal Auditing Going Forward 313
Future Prospects for Internal Auditors 313

Glossary 317
Index 321

PREFACE

After years of gradual change, the profession of internal auditing in the late 1990s was very different from the internal auditing profession of an earlier decade. Perhaps one of the more significant changes was that the major public accounting firms were aggressively assuming responsibility for internal audit functions through what was called outsourcing. Many internal audit professionals suddenly found themselves working for their public accounting firms as outsourced internal auditors. Although there were many good things to say about this trend, new internal audit roles and responsibilities were evolving and the profession of internal auditing was changing. This was all happening during the dot-com bubble of the 1990s, during which time the stock market was going in only one direction, up, and some serious thinkers were predicting that there would never be another market downturn. A series of events in the later 1990s and early 2000 changed all of this and the rules. Suddenly we were faced with a series of corporate failures and accounting scandals, many of which were caused by corporate executives who liberally bent the rules or blatantly reported false financial results for their organizations. Corporate scandals are nothing new in the United States; there has been a major failure about once every ten years over the last century. However, this was different. The traditional watchdogs, auditors and board members, appeared to be asleep at the switch. There was a clamor to do something! The end result was that, in 2002, the U.S. Congress passed the Sarbanes-Oxley Act, a major new rule that impacts both internal and external auditors, corporate senior management, their boards of directors, and more. Among other matters, the act prohibited the public accounting practice of outsourcing internal audit services. The Sarbanes-Oxley Act, often referenced as just SOA, is the major new rule discussed throughout this book.

Internal auditors now have some new responsibilities with regard to their audit committees and external auditors and for overall corporate governance. This book explains these changes and how internal audit can help with other requirements, such as launching an ethics and whistle-blower program or performing effective internal controls reviews under the COSO (Committee of Sponsoring Organizations) framework.

Some of what we call new rules are not really rules at all but are best practices that have gained the attention of professionals worldwide. Business recovery and continuity procedures after the World Trade Center terrorist attack of September 11, 2001, are an example. Some organizations had processes in place that allowed easier recovery from that event, and we discuss those approaches. Even though internal auditors may not be initiating such practices, they need to have an understanding of such best practices as part of reviewing current approaches or recommending improvements. This book also discusses other new trends or legislation that are creating new rules for internal auditors. One of these is the overall emphasis on privacy and security in many areas. We discuss several here, with the Healthcare and Insurance Portability and Accountability Act (HIPAA) and its privacy rules as an example. Although that legislation is directed at healthcare, its requirements regarding such things as electronic signatures will cause changes in a wide range of organizations and systems. Fraud detection and prevention is another trend that is becoming a new rule. Auditors, both internal and external, often treated fraud matters in the past as "not my job"; however, the rules are changing here. The American Institute of Certified Public Accountants (AICPA) has issued new fraud-related auditing standards, with more changes to come. Risk management is yet another new rule area. As this book goes to press, a new COSO Enterprise Risk Management (ERM) framework has just been released in draft form. The book introduces this draft framework, which will soon become an important new rule for internal auditors. This book attempts to describe the new rules impacting internal auditors and other professionals as they exist in mid-2003. We may have missed the point in some areas, or things may change in directions different from what we have anticipated.

However, the Sarbanes-Oxley Act of 2003, as well as a series of other matters occurring at about the same time, have created a series of new rules for internal auditors and management professionals, both in the United States and worldwide. Although some final rules are yet to be issued and other matters may change, this book outlines some of the new rules as well as evolving trends that impact internal audit professionals.

ROBERT MOELLER

CHAPTER 1 Introduction

ACCOUNTING AND AUDITING SCANDALS AND INTERNAL AUDIT

Despite all of the cataclysmic predictions of computer systems and other process-related disasters, the world survived the Y2K millennium change to the year 2000 with no major problems. However, the following year, 2001, became a real disaster for many U.S. accountants and auditors, as well as business in general. The long-running stock market boom, fueled by dot-com Internet businesses, was shutting down, with many companies failing and growing ranks of unemployed professionals. Those same boom years spawned some businesses following new or very different models or approaches. One business that received considerable attention and investor interest at that time was Enron, an energy trading company. Starting as an oil and gas pipeline company, Enron developed a business model based on buying and selling excess capacity, first over its competitors' pipelines, and then moved to excess capacity trading in many other areas. For example, an electrical utility might have a power plant generating several million excess kilowatt-hours of power during a period. Enron would arrange to buy the rights to that power and then sell it to a different power company to get the latter out of a capacity crunch. Enron applied its trading concept in many other areas, such as telephone message capacity, oil tankers, and water purification. Enron quickly became a very large corporation and got the attention of investors. Its business approach was aggressive but appeared to be profitable. Then, in late 2001, it was discovered that Enron was not telling investors the true story about its financial condition. It was found to be using off-balance-sheet accounting to hide some major debt balances. It had been transferring significant financial transactions to the books of unaffiliated partnership organizations that did not have to be consolidated into its financial statements.

Even worse, the off-balance-sheet entities were paper-shuffling transactions