Brink's Modern. Internal Auditing. Eighth Edition. A Common Body of Knowledge ROBERT R. MOELLER WILEY

Transcription

1 Brink's Modern Internal Auditing Eighth Edition A Common Body of Knowledge ROBERT R. MOELLER WILEY

2 Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update Internal Auditing History and Background Mission of Internal Auditing Organization of this Book 9 Note 10 Chapter 2: An Internal Audit Common Body of Knowledge What Is a CBOK? Experiences from Other Professions What Does an Internal Auditor Need to Know? An Internal Auditing CBOK Another Attempt: The IIA Research Foundation's CBOK Essential Internal Audit Knowledge Areas 25 Notes 25 PART TWO: IMPORTANCE OF INTERNAL CONTROLS Chapter 3: The COSO Internal Control Framework Understanding Internal Controls Revised COSO Framework Business and Operating Environment Changes The Revised COSO Internal Control Framework COSO Internal Control Principles COSO Internal Control Components: The Control Environment COSO Internal Control Components: Risk Assessment COSO Internal Control Components: Internal Control Activities COSO Internal Control Components: Information and Communication COSO Internal Control Components: Monitoring Activities The COSO Framework's Other Dimensions 57 vii

3 Contents Chapter 4: The 17 COSO Internal Control Principles COSO Internal Control Framework Principles Control Environment Principle 1: Integrity and Ethical Values Control Environment Principle 2: Role ofthe Board of Directors Control Environment Principle 3: Authority and Responsibility Needs Control Environment Principle 4: Commitment to a Competent Workforce Control Environment Principle 5: Holding People Accountable Risk Assessment Principle 6: Specifying Appropriate Objectives Risk Assessment Principle 7: Identifying and Analyzing Risks Risk Assessment Principle 8: Evaluating Fraud Risks Risk Assessment Principle 9: Identifying Changes Affecting Internal Controls Control Activities Principle 10: Selecting Control Activities That Mitigate Risks Control Activities Principle 11: Selecting and Developing Technology Controls Control Activities Principle 12: Policies and Procedures Information and Communication Principle 13: Using Relevant, Quality Information Information and Communication Principle 14: Internal Communications Information and Communication Principle 15: External Communications Monitoring Principle 16: Internal Control Evaluations Monitoring Principle 17: Communicating Internal Control Deficiencies 83 Note 84 Chapter 5: Sarbanes-Oxley (SOx) and Beyond Key Sarbanes-Oxley Act (SOx) Elements Performing Section 404 Reviews under ASS ASS Rules and Internal Audit Impact of the Sarbanes-Oxley Act 120 Notes 121 Chapter 6: COBIT and Other ISACA Guidance Introduction to COBIT COBIT Framework Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End to End Principle 3: A Single Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance from Management Using COBIT to Assess Internal Controls Mapping COBIT to COSO Internal Controls 139 Notes 139

4 Contents ix Chapter 7: Enterprise Risk Management: COSO ERM Risk Management Fundamentals COSO ERM: Enterprise Risk Management COSO ERM Key Elements Other Dimensions of COSO ERM: Enterprise Risk Objectives Entity-Level Risks Putting It All Together: Auditing Risk and COSO ERM Processes 175 Notes 178 PART THREE: FLANNING AND PERFORMING INTERNAL AUDITS Chapter 8: Performing Effective Internal Audits Initiating and Launching an Internal Audit Organizing and Flanning Internal Audits Internal Audit Preparatory Activities Starting the Internal Audit Developing and Preparing Audit Programs Performing the Internal Audit Wrapping Up the Field Engagement Internal Audit Performing an Individual Internal Audit 213 Chapter 9: Standards for the Professional Practice of Internal Auditing What ls the IPPF? The Internal Auditing Professional Practice Standards: A Key IPPF Component Content of the IIA Standards Codes of Ethics: The IIA and ISACA Internal Audit Principles IPPF Future Directions 232 Notes 233 Chapter 10: Testing, Assessing, and Evaluating Audit Evidence Gathering Appropriate Audit Evidence Audit Assessment and Evaluation Techniques Internal Audit Judgmental Sampling Statistical Audit Sampling: An Introduction Developing a Statistical Sampling Plan Audit Sampling Approaches Attributes Sampling Audit Example Attributes Sampling Advantages and Limitations Monetary Unit Sampling Other Audit Sampling Techniques Making Efficient and Effective Use of Audit Sampling 269 Notes 271

5 Contents Preface Chapter 11: Continuous Auditing and Computer-Assisted Audit Techniques Implementing Continuous Assurance Auditing ACL, NetSuite, BusinessObjects, and Other Continuous Assurance Systems Benefits of CAA Computer-Assisted Audit Tools and Techniques Determining the Need for CAATTs Steps to Building Effective CAATTs Importance of Using CAATTs for Audit Evidence Gathering XBRL: The Internet-Based Extensible Marking Language 290 Notes 293 Chapter 12: Control Self-Assessments and Internal Audit Benchmarking Importance of Control Self-Assessments CSA Model Launching the CSA Process Evaluating CSA Results Benchmarking and Internal Audit Better Understanding Internal Audit Activities 312 Notes 313 Chapter 13: Areas to Audit: Establishing an Audit Universe and Audit Programs Defining the Scope and Objectives of the Internal Audit Universe Assessing Internal Audit Capabilities and Objectives Audit Universe Time and Resource Limitations "Selling" an Audit Universe Concept to the Audit Committee and Management Assembling Audit Programs: Audit Universe Key Components Audit Universe and Program Maintenance 330 PART FOUR: ORGANIZING AND MANAGING INTERNAL AUDIT ACTIVITIES Chapter 14: Charters and Building the Internal Audit Function Establishing an Internal Audit Function Audit Committee and Management Authorization of an Audit Charter Establishing an Internal Audit Function 338 Notes 345

6 Contents xi Chapter 15: Managing the Internal Audit Universe and Key Competencies Auditing in the Weeds: Problems with Reviews of Nonmainstream Audit Areas Importance of an Audit Universe Schedule: What Is Right or Wrong Importance of Internal Audit Key Competencies Importance of Internal Audit Risk Management Internal Auditor Interview Skills Internal Audit Analytical and Testing Skills Competencies Internal Auditor Documentation Skills Recommending Results and Corrective Actions Internal Auditor Negotiation Skills An Internal Auditor Commitment to Learning Importance of Internal Auditor Core Competencies 363 Chapter 16: Flanning Audits and Understanding Project Management The Project Management Process PMBOK: The Project Management Book of Knowledge PMBOK Program and Portfolio Management Flanning an Internal Audit Understanding the Environment: Flanning and Launching an Internal Audit Audit Flanning: Documenting and Understanding the Internal Control Environment Performing Appropriate Internal Audit Procedures and Wrapping Up the Audit Project Management Best Practices and Internal Audit 386 Note 387 Chapter 17: Documenting Audit Results through Process Modeling and Workpapers Internal Audit Documentation Requirements Process Modeling for Internal Auditors Internal Audit Workpapers Workpaper Document Organization Workpaper Preparation Techniques Internal Audit Document Records Management Importance of Internal Audit Documentation 410 Notes 410 Chapter 18: Reporting Internal Audit Results The Audit Report Framework Purposes and Types of Internal Audit Reports Published Audit Reports Alternative Audit Report Formats 425

7 Contents 18.5 Internal Audit Reporting Cycle Internal Audit Communications Problems and Opportunities Audit Reports and Understanding People in Internal Auditing 436 PART FIVE: IMPACT OF INFORMATION SYSTEMS ON INTERNAL AUDITING Chapter 19: ITIL Best Practices, the IT Infrastructure, and General Controls Importance of IT General Controls Client-Server and Small Systems General IT Controls Client-Server Computer Systems Small Systems Operations Internal Controls Auditing IT General Controls for Small IT Systems Mainframe Legacy System Components and Controls Internal Control Reviews of Classic Mainframe or Legacy IT Systems Legacy of Lange System General Control Reviews ITIL Service Support and Delivery IT Infrastructure Best Practices Service Delivery Best Practices Auditing IT Infrastructure Management Internal Auditor CBOK Needs for IT General Controls 483 Notes 484 Chapter 20: BYOD Practices and Social Media Internal Audit Issues The Growth and Impact of BYOD Understanding the Enterprise BYOD Environment BYOD Security Policy Elements Social Media Computing Enterprise Social Media Computing Risks and Vulnerabilities Social Media Policies 504 Chapter 21: Big Data and Enterprise Content Management Big Data Overview Big Data Governance, Risk, and Compliance Issues Big Data Management, Hadoop, and Security Issues Compliance Monitoring and Big Data Analytics Internal Auditing in a Big Data Environment Enterprise Content Management Internal Controls Auditing Enterprise Content Management Processes 520 Notes 521 Chapter 22: Reviewing Application and Software Management Controls IT Application Components Selecting Applications for Internal Audit Reviews 533

8 Contents xiii 22.3 Preliminary Steps to Performing Application Controls Reviews Completing the IT Application Controls Audit Application Review Example: Client-Server Budgeting System Auditing Applications under Development Importance of Reviewing IT Application Controls 557 Notes 558 Chapter 23: Cybersecurity, Hacking Risks, and Privacy Controls Hacking and IT Network Security Fundamentals Data Security Concepts Importance of IT Passwords Viruses and Malicious Program Code System Firewall Controls Social Engineering IT Risks IT Systems Privacy Concerns The NIST Cybersecurity Framework Auditing IT Security and Privacy PCI DSS Fundamentals Security and Privacy in the Internal Audit Department Internal Audit's Privacy and Cybersecurity Roles 584 Chapter 24: Business Continuity and Disaster Recovery Flanning IT Disaster and Business Continuity Flanning Today Auditing Business Continuity Flanning Process es Building the IT Business Continuity Plan Business Continuity Flanning and Service Level Agreements Auditing Business Continuity Plans Business Continuity Flanning Going Forward 605 Notes 606 PART SIX: INTERNAL AUDIT AND ENTERPRISE GOVERNANCE Chapter 25: Board Audit Committee Communications Role of the Audit Committee Audit Committee Organization and Charters Audit Committee's Financial Expert and Internal Audit Audit Committee Responsibilities for Internal Audit Audit Committee Review and Action on Significant Audit Findings Audit Committee and Its External Auditors Whistleblower Programs and Codes of Conduct Other Audit Committee Roles 626 Note 627 Chapter 26: Ethics and Whistleblower Programs Enterprise Ethics, Compliance, and Governance Ethics First Steps: Developing a Mission Statement 632

9 Contents 26.3 Understanding the Ethics Risk Environment Summarizing Ethics Survey Results: Do We Have a Problem? Enterprise Codes of Conduct Whistleblower and Hotline Functions Auditing the Enterprise's Ethics Functions Improving Corporate Governance Practices 651 Notes 651 Chapter 27: Fraud Detection and Prevention Understanding and Recognizing Fraud Red Flags: Fraud Detection Signs for Internal Auditors Public Accounting's Role in Fraud Detection IIA Standards for Detecting and Investigating Fraud Fraud Investigations for Internal Auditors Information Technology Fraud Prevention Processes Fraud Detection and the Internal Auditor 669 Notes 669 Chapter 28: Internal Audit GRC Approaches and Other Compliance Requirements The Road to Effective GRC Principles GRC Risk Management Components GRC and Internal Audit Enterprise Compliance Issues Importance of Effective GRC Practices and Principles 679 PART SEVEN: THE PROFESSIONAL INTERNAL AUDITOR Chapter 29: Professional Certifications: CIA, CISA, and More Certified Internal Auditor Responsibilities and Requirements Beyond the CIA: Other IIA Certifications Importance of the CIA Specialty Certification Examinations Certified Information Systems Auditor Certified Information Security Manager Certified in the Governance of Enterprise IT Certified in Risk and Information Systems Control Certified Fraud Examiner Certified Information Systems Security Professional ASQ Internal Audit Certifications Other Internal Auditor Certifications 700 Chapter 30: The Modern Internal Auditor as an Enterprise Consultant Standards for Internal Audit as an Enterprise Consultant Launching an Internal Audit Internal Consulting Facility 704

10 Contents xv 30.3 Ensuring an Audit and Consulting Separation of Duties Consulting Best Practices Expanded Internal Audit Services to Management 714 PART EIGHT: THE OTHER SIDES OF AUDITING: PROFESSIONAL CONVERGENCE Chapter 31: Quality Assurance Auditing and ASQ Standards Duties and Responsibilities of ASQ Quality Auditors Role of the Quality Auditor Performing ASQ Quality Audits Quality Assurance Reviews of the Internal Audit Function Launching the Internal Audit Quality Assurance Review Reporting the Results of an Internal Audit Quality Assurance Review Future Directions for Quality Assurance Auditing 744 Chapter 32: Six Sigma and Lean Techniques for Internal Audit Six Sigma Background and Concepts Implementing Six Sigma Six Sigma Leadership Roles and Responsibilities Launching an Enterprise Six Sigma Project Lean Six Sigma Auditing Six Sigma Processes Six Sigma in Internal Audit Operations 758 Notes 760 Chapter 33: ISO and Worldwide Internal Audit Standards ISO Standards Background ISO Standards Overview ISO IT Governance Standard ISO Standards and the COSO Internal Control Framework Internal Audit and International Auditing Standards 777 Notes 779 Chapter 34: A CBOK for the Modern Internal Auditor Part One: Foundations of Internal Auditing CBOK Requirements Part Two: Importance of Internal Controls CBOK Requirements PartThree: Flanning and Performing Internal Audit CBOK Requirements Part Four: Organizing and Managing Internal Audit Activities CBOK Requirements Part Five: Impact of IT on Internal Auditing CBOK Requirements Part Six: Internal Audit and Enterprise Governance CBOK Requirements Part Seven: Internal Auditor Professional CBOK Requirements 788

11 xvi Contents 34.8 Part Eight: The Other Sides of Internal Auditing: Professional Convergence CBOK Requirements A CBOK for the Modern Internal Auditor 789 Notes 794 About the Author 795 Index 797