Brink s-modern-internal-auditing-7th-edition PDF

Title Brink s-modern-internal-auditing-7th-edition
Pages 795
File Size 38.4 MB
File Type PDF
Total Downloads 98
Total Views 520


Description


Brink’s Modern Internal Auditing

Brink’s Modern Internal Auditing A Common Body of Knowledge Seventh Edition

ROBERT R. MOELLER

John Wiley & Sons, Inc.

Copyright © 2009 John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Moeller, Robert R.
Brink’s modern internal auditing : a common body of knowledge / Robert Moeller. – 7th ed.
p. cm.
Includes index.
ISBN 978-0-470-29303-4 (cloth: alk. paper)
1. Auditing, Internal. I. Title.
HF5668.25.B74 2009
657′.458–dc22
2008048335

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

Contents

Preface  xix
About the Author  xxv

PART ONE  FOUNDATIONS OF MODERN INTERNAL AUDITING  1

CHAPTER 1  Foundations of Internal Auditing  3
  1.1 Internal Auditing History and Background  5
  1.2 Organization of This Book  8
  Note  10

CHAPTER 2  Internal Audit’s Common Body of Knowledge  11
  2.1 What Is a CBOK?: Experiences from Other Professions  12
  2.2 Institute of Internal Auditor’s Research Foundation CBOK  13
  2.3 What Does an Internal Auditor Need to Know?  18
  2.4 Modern Internal Auditing’s CBOK Going Forward  19
  Notes  19

PART TWO  IMPORTANCE OF INTERNAL CONTROLS  21

CHAPTER 3  Internal Control Framework: The COSO Standard  23
  3.1 Importance of Effective Internal Controls  23
  3.2 Internal Controls Standards: Background  25
    (a) Internal Control Definitions: Foreign Corrupt Practices Act of 1977  26
    (b) FCPA Aftermath: What Happened?  28
  3.3 Events Leading to the Treadway Commission  28
    (a) Earlier AICPA Standards: SAS No. 55  30
    (b) Treadway Committee Report  30
  3.4 COSO Internal Control Framework  31
    (a) Control Environment  33
    (b) Risk Assessment  39
    (c) Control Activities  41
    (d) Communications and Information  43
    (e) Monitoring  46
  3.5 Other Dimensions of the COSO Internal Controls Framework  50
  3.6 Internal Audit CBOK Needs  51
  Notes  51

CHAPTER 4  Sarbanes-Oxley and Beyond  53
  4.1 Key Sarbanes-Oxley Act Elements  54
    (a) Title I: Public Company Accounting Oversight Board  55
    (b) Title II: Auditor Independence  60
    (c) SOx Title III: Corporate Responsibility  62
    (d) Title IV: Enhanced Financial Disclosures  68
    (e) Title V: Analyst Conflicts of Interest  72
    (f) Titles VI through X: Fraud Accountability and White-Collar Crime  72
    (g) Title XI: Corporate Fraud Accountability  74
  4.2 Performing Section 404 Reviews under AS 5  75
    (a) Section 404 Internal Controls Assessments Today  75
    (b) Launching the Section 404 Compliance Review  76
  4.3 AS 5 Rules and Internal Audit  84
  4.4 Impact of the Sarbanes-Oxley Act  87
  Notes  87

CHAPTER 5  Another Internal Controls Framework: CobiT  89
  5.1 Introduction to CobiT  90
  5.2 CobiT Framework  92
    (a) CobiT Cube Components: IT Resources  94
    (b) CobiT Cube Components  94
  5.3 Using CobiT to Assess Internal Controls  96
    (a) Planning and Enterprise  98
    (b) Acquisition and Implementation  100
    (c) Delivery and Support  102
    (d) Monitoring and Evaluation  103
  5.4 Using CobiT in a SOx Environment  107
  5.5 CobiT Assurance Framework Guidance  110
  5.6 CobiT in Perspective  111
  Notes  111

CHAPTER 6  Risk Management: COSO ERM  113
  6.1 Risk Management Fundamentals  114
    (a) Risk Identification  115
    (b) Key Risk Assessments  118
    (c) Quantitative Risk Analysis  121
  6.2 COSO ERM: Enterprise Risk Management  124
  6.3 COSO ERM Key Elements  126
    (a) Internal Environment Component  127
    (b) Objective Setting  129
    (c) Event Identification  132
    (d) Risk Assessment  134
    (e) Risk Response  136
    (f) Control Activities  138
    (g) Information and Communication  140
    (h) Monitoring  141
  6.4 Other Dimensions of COSO ERM: Enterprise Risk Objectives  142
    (a) Operations Risk Management Objectives  142
    (b) Reporting Risk Management Objectives  143
    (c) Legal and Regulatory Compliance Risk Objectives  143
  6.5 Entity-Level Risks  145
    (a) Risks Encompassing the Entire Organization  145
    (b) Business Unit–Level Risks  145
  6.6 Putting It All Together  146
  6.7 Auditing Risk and COSO ERM Processes  146
  6.8 Risk Management and COSO ERM in Perspective  147
  Notes  149

PART THREE  PLANNING AND PERFORMING INTERNAL AUDITS  151

CHAPTER 7  Performing Effective Internal Audits  153
  7.1 Organizing and Planning Internal Audits  154
  7.2 Internal Audit Preparatory Activities  155
    (a) Determine the Audit Objectives  157
    (b) Audit Scheduling and Time Estimates  158
    (c) Preliminary Surveys  159
  7.3 Starting the Internal Audit  160
    (a) Internal Audit Field Survey  163
    (b) Documenting the Internal Audit Field Survey  164
    (c) Field Survey Auditor Conclusions  165
  7.4 Developing and Preparing Audit Programs  166
    (a) Audit Program Formats and Their Preparation  167
    (b) Types of Audit Evidence  171
  7.5 Performing the Internal Audit  172
    (a) Internal Audit Fieldwork Initial Procedures  173
    (b) Audit Fieldwork Technical Assistance  175
    (c) Audit Management Fieldwork Monitoring  175
    (d) Potential Audit Findings  176
    (e) Audit Program and Schedule Modifications  178
    (f) Reporting Preliminary Audit Findings to Management  178
  7.6 Wrapping Up the Field Engagement Internal Audit  179
  7.7 Performing an Individual Internal Audit  180

CHAPTER 8  Standards for the Professional Practice of Internal Auditing  183
  8.1 Internal Auditing Professional Practice Standards  184
    (a) Background of the IIA Standards  184
    (b) IIA’s Current Standards: What Has Changed  186
    (c) 2009 New Internal Audit Standards  187
  8.2 Content of the IIA Standards  187
    (a) Internal Audit Attribute Standards  188
    (b) Internal Audit Performance Standards  191
  8.3 Codes of Ethics: The IIA and ISACA  196
  Notes  198

CHAPTER 9  Testing, Assessing, and Evaluating Audit Evidence  199
  9.1 Gathering Appropriate Audit Evidence  199
  9.2 Audit Assessment and Evaluation Techniques  200
  9.3 Internal Audit Judgmental Sampling  202
  9.4 Statistical Sampling: An Introduction  204
    (a) Statistical Sampling Concepts  205
    (b) Developing a Statistical Sampling Plan  210
    (c) Audit Sampling Approaches  214
  9.5 Monetary Unit Sampling  225
    (a) Selecting the Monetary Unit Sample: An Example  225
    (b) Performing the Monetary Unit Sampling Test  227
    (c) Evaluating Monetary Unit Sample Results  228
    (d) Monetary Unit Sampling Advantages and Limitations  228
  9.6 Variables and Stratified Variables Sampling  229
  9.7 Other Audit Sampling Techniques  232
    (a) Multistage Sampling  232
    (b) Replicated Sampling  232
    (c) Bayesian Sampling  233
  9.8 Making Efficient and Effective Use of Audit Sampling  233
  Notes  236

CHAPTER 10  Audit Programs and Establishing the Audit Universe  237
  10.1 Defining the Scope and Objectives of the Internal Audit Universe  238
  10.2 Assessing Internal Audit Capabilities and Objectives  242
  10.3 Audit Universe Time and Resource Limitations  244
  10.4 “Selling” the Audit Universe to the Audit Committee and Management  245
  10.5 Assembling Audit Programs: Audit Universe Key Components  247
    (a) Audit Program Formats and Their Preparation  248
    (b) Types of Program Audit Evidence  251
  10.6 Audit Universe and Program Maintenance  252

CHAPTER 11  Control Self-Assessments and Benchmarking  253
  11.1 Importance of Control Self-Assessments  253
  11.2 CSA Model  254
  11.3 Launching the CSA Process  255
    (a) Performing the Facilitated CSA Review  257
    (b) Performing the Questionnaire-Based CSA Review  259
    (c) Performing the Management-Produced Analysis CSA Review  261
  11.4 Evaluating CSA Results  261
  11.5 Benchmarking and Internal Audit  262
    (a) Implementing Benchmarking to Improve Processes  263
    (b) Benchmarking and the IIA’s GAIN Initiative  265
  11.6 Better Understanding Internal Audit Activities  269
  Notes  269

PART FOUR  ORGANIZING AND MANAGING INTERNAL AUDITOR ACTIVITIES  271

CHAPTER 12  Internal Audit Charters and Building the Internal Audit Function  273
  12.1 Establishing an Internal Audit Function  274
  12.2 Audit Charter: Audit Committee and Management Authority  274
  12.3 Building the Internal Audit Staff  275
    (a) Role of the CAE  277
    (b) Internal Audit Management Responsibilities  278
    (c) Internal Audit Staff Responsibilities  278
    (d) Information Systems Audit Specialists  281
    (e) Other Internal Auditor Specialists  281
  12.4 Internal Audit Department Organization Approaches  283
    (a) Centralized versus Decentralized Internal Audit Organization Structures  283
    (b) Organizing the Internal Audit Function  285
  12.5 Internal Audit Policies and Procedures  290
  12.6 Professional Development: Building a Strong Internal Audit Function  292
  Note  292

CHAPTER 13  Internal Audit Key Competencies  293
  13.1 Importance of Internal Audit Key Competencies  293
  13.2 Internal Auditor Interview Skills  294
  13.3 Analytical Skills  296
  13.4 Testing and Analysis Skills  296
  13.5 Internal Auditor Documentation Skills  298
  13.6 Recommending Results and Corrective Actions  301
  13.7 Internal Auditor Communication Skills  301
  13.8 Internal Auditor Negotiation Skills  302
  13.9 Internal Auditor Commitment to Learning  304
  13.10 Importance of Internal Auditor Core Competencies  304

CHAPTER 14  Understanding Project Management  305
  14.1 Project Management Processes  305
    (a) Project Management Book of Knowledge  306
    (b) Developing a Project Management Plan  310
  14.2 PMBOK Program and Portfolio Management  311
  14.3 Organizational Process Maturity Model  315
  14.4 Using Project Management for Effective Internal Audit Plans  318
  14.5 Project Management Best Practices and Internal Audit  318
  Notes  319

CHAPTER 15  Planning and Performing Internal Audits  321
  15.1 Understanding the Environment: Launching an Internal Audit  321
  15.2 Documenting and Understanding the Internal Controls Environment  323
  15.3 Performing Appropriate Internal Audit Procedures  325
  15.4 Wrapping Up the Internal Audit  326
  15.5 Performing Internal Audits  328

CHAPTER 16  Documenting Results through Process Modeling and Workpapers  329
  16.1 Internal Audit Documentation Requirements  330
  16.2 Process Modeling for Internal Auditors  331
    (a) Understanding the Process Modeling Hierarchy  332
    (b) Describing and Documenting Key Processes  332
    (c) Process Modeling and the Internal Auditor  334
  16.3 Internal Audit Workpapers  335
    (a) Workpaper Standards  338
    (b) Workpaper Formats  339
    (c) Workpaper Document Organization  340
    (d) Workpaper Preparation Techniques  344
    (e) Workpaper Review Processes  347
  16.4 Internal Audit Document Records Management  347
  16.5 Importance of Internal Audit Documentation  349
  Note  350

CHAPTER 17  Reporting Internal Audit Results  351
  17.1 Purposes and Types of Internal Audit Reports  351
  17.2 Published Audit Reports  353
    (a) Approaches to Published Audit Reports  354
    (b) Elements of an Audit Report Finding  358
    (c) Balanced Audit Report Presentation Guidelines  362
    (d) Alternative Audit Report Formats  363
  17.3 Internal Audit Reporting Cycle  366
    (a) Draft Audit Reports  368
    (b) Audit Reports: Follow-Up and Summary  371
    (c) Audit Report and Workpaper Retention  372
  17.4 Effective Internal Audit Communications Opportunities  373
  17.5 Audit Reports and Understanding the People in Internal Auditing  376

PART FIVE  IMPACT OF INFORMATION TECHNOLOGY ON INTERNAL AUDITING  379

CHAPTER 18  IT General Controls and ITIL Best Practices  381
  18.1 Importance of IT General Controls  382
  18.2 Client-Server and Smaller Systems’ General IT Controls  383
    (a) General Controls for Small Business Systems  384
    (b) Smaller Systems’ IT Operations Internal Controls  388
    (c) Auditing IT General Controls for Smaller IT Systems  390
  18.3 Components and Controls of Mainframe and Legacy Systems  394
    (a) Characteristics of Larger IT Systems  394
    (b) Classic Mainframe or Legacy Computer Systems  396
    (c) Operating Systems Software  397
  18.4 Legacy System General Controls Reviews  399
  18.5 ITIL Service Support and Delivery Infrastructure Best Practices  405
    (a) ITIL Service Support Incident Management  407
    (b) Service Support Problem Management  409
  18.6 Service Delivery Best Practices  414
    (a) Service Delivery Service-Level Management  415
    (b) Service Delivery Financial Management for IT Services  418
    (c) Service Delivery Capacity Management  419
    (d) Service Delivery Availability Management  421
    (e) Service Delivery Continuity Management  422
  18.7 Auditing IT Infrastructure Management  422
  18.8 Internal Auditor CBOK Needs for IT General Controls  423
  Notes  424

CHAPTER 19  Reviewing and Assessing IT Application Controls  425
  19.1 IT Application Control Components  426
    (a) Application Input Components  427
    (b) Application Programs  429
    (c) IT Application Output Components  434
  19.2 Selecting Applications for Internal Audit Reviews  436
  19.3 Preliminary Steps to Performing Applications Controls Reviews  437
    (a) Conducting an Application Walk-Through  439
    (b) Developing Application Control Objectives  442
  19.4 Completing the IT Application’s Controls Audit  443
    (a) Clarifying and Testing Audit Internal Control Objectives  444
    (b) Completing the Application Controls Review  448
  19.5 Application Review Example: Client-Server Budgeting System  448
    (a) Reviewing Capital Budgeting System Documentation  449
    (b) Identifying Capital Budgeting Application Key Controls  450
    (c) Performing Application Tests of Compliance  451
  19.6 Auditing Applications under Development  451
    (a) Objectives and Obstacles of Preimplementation Auditing  452
    (b) Preimplementation Review Objectives  453
    (c) Preimplementation Review Problems  454
    (d) Preimplementation Review Procedures  455
  19.7 Importance of Reviewing IT Application Controls  459
  Notes  459

CHAPTER 20  Cybersecurity and Privacy Controls  461
  20.1 IT Network Security Fundamentals  462
    (a) Security of Data  463
    (b) Importance of IT Passwords  464
    (c) Viruses and Malicious Program Code  465
    (d) Phishing and Other Identity Threats  467
    (e) IT System Firewalls  468
    (f) Other Computer Security Issues  469
  20.2 IT Systems Privacy Concerns  469
    (a) Data Profiling Privacy Issues  469
    (b) Online Privacy and E-Commerce Issues  470
    (c) Radio Frequency Identification  470
    (d) Absence of U.S. Federal Privacy Protection Laws  471
  20.3 Auditing IT Security and Privacy  472
  20.4 Security and Privacy in the Internal Audit Department  474
    (a) Security and Control for Auditor Computers  474
    (b) Workpaper Security  475
    (c) Audit Reports and Privacy  477
    (d) Internal Audit Security and Privacy Standards and Training  477
  20.5 PCI-DSS Fundamentals  477
  20.6 Internal Audit’s Privacy and Cybersecurity Roles  479
  Notes  479

CHAPTER 21  Computer-Assisted Audit Tools and Techniques  481
  21.1 Understanding Computer-Assisted Audit Tools and Techniques  482
  21.2 Determining the Need for CAATTs  484
  21.3 CAATT Software Tools  487
    (a) Types of CAATTs: Generalized Audit Software  488
    (b) Report Generators Languages  489
    (c) Desktop and Laptop CAATTs  491
    (d) Test Data or Test Deck Approaches  492
    (e) Specialized Audit Test and Analysis Software  496
    (f) Embedded Audit Procedures  496
  21.4 Selecting Appropriate CAATT Processes  501
  21.5 Steps to Building Effective CAATTs  501
  21.6 Using CAATTs for Audit Evidence Gathering  503
  Notes  504

CHAPTER 22  Business Continuity Planning and IT Disaster Recovery  505
  22.1 IT Disaster and Business Continuity Planning Today  506
  22.2 Auditing Business Conti...  508
