Tolley's Internal Auditor's Handbook Andrew Chambers Professor of Internal Auditing, London South Bank University LexisNexis
Tolley's Internal Auditor's Handbook

Andrew Chambers

Professor of Internal Auditing, London South Bank University

LexisNexis


Contents

Preface

PART I INTERNAL AUDIT ATTRIBUTES

Chapter 1 Understanding internal auditing

A IPPF Commentary

Introduction 1.1

Internal audit qualifications and professional body membership 1.2

International certifications 1.3

UK qualifications 1.4

The status of The Institute of Internal Auditors' Code of Ethics 1.5

The Code of Ethics is binding even outside the internal audit role 1.6

Code and Standards applicable to all internal auditors 1.7

Code and Standards applicable to internal audit functions as well as to individual auditors 1.8

Evolution of best practice 1.9

Purpose, authority and responsibility of internal auditing 1.10

The assurance role 1.11

The consulting role 1.12

Purpose and responsibilities of internal audit 1.13

Authority of internal audit 1.14

Reporting responsibility of internal audit 1.15

Other and non-audit responsibilities of internal audit 1.16

Internal audit responsibility for fraud 1.17

Responsibility of internal audit for information technology 1.18

Internal audit charters 1.19

Sample Internal Audit Department Charter 1.20

B Practical guidance

Internal auditors as consultants 1.21

Revised definition of 'consulting' in the context of internal auditing 1.22

'Consulting' in the first release of the new Standards 1.23

Defining the consulting role of internal auditors 1.24

Practice Advisories on 'consulting' 1.25

'Consulting' perceived as a central internal audit role 1.26

'Scope limitations' in the context of the internal audit consulting role 1.27

Nature of internal audit 'consulting' 1.28

Internal audit professionalism when acting as consultants 1.29

Relationships and conflicts between the 'assurance' and 'consulting' roles 1.30

Independence and objectivity in consulting 1.31

What sort of consultant? 1.32

Proficiency 1.33

Due professional care 1.34

Planning 1.35

Risk management, control and governance 1.36

Governance 1.37

Risk management 1.38

Control processes 1.39

Engagement planning 1.40

Engagement work programs 1.41

Engagement objectives 1.42

Engagement scope 1.43

Performing the engagement - recording information 1.44

Communicating results 1.45

Disseminating results 1.46

Monitoring progress 1.47

Management's acceptance of risks 1.48

Consulting activity by internal auditors — checklist 1.49

Discretion - imposition continuum 1.50

An introduction to operational auditing 1.51

Scope 1.52

Audit approach to operational audits 1.53

Example of the objectives-oriented audit approach 1.54

The '3 E's' or the '6 E's' 1.55

VFM Auditing 1.56

Environmental auditing 1.57


Quality audit 1.58

Checklist on internal audit charter 1.59

Internal audit charters 1.60

Example 1 1.61

Example 2 1.62

Example 3 1.63

C Case studies and exercises

Exercise on internal auditing as a profession 1.64

Case study on the place of consulting services in internal auditing 1.65

Chapter 2 Internal audit independence and objectivity

A IPPF Commentary

Introduction 2.1

Organisational independence and reporting 2.2

Independent determination of the scope of internal auditing, performance of work and communicating of audit results 2.3

Independent determination of the scope of the future plan of audit engagements 2.4

The audit engagement plan 2.5

Independent performance of audit work 2.6

Independent communication of audit results 2.7

Individual auditor objectivity 2.8

Handling impairments to independence and objectivity 2.9

B Practical guidance

Internal audit independence and professionalism 2.10

The unit providing the audit service 2.11

The individual auditor 2.12

The professional bodies 2.13

Internal audit in groups of companies 2.14

Contracted-out internal auditing 2.15

Administrative, functional and engagement reporting for internal audit 2.16

Administrative reporting 2.17

Engagement/task reporting 2.18

Functional reporting 2.19

Audit psychology — Introduction 2.20

Auditors' needs for acceptance and affiliation 2.21

Job satisfaction from internal auditing 2.22

Internal audit roles and role conflicts 2.23

Understanding relationship stresses 2.24

Relationships within the internal audit work group 2.25

The alienating and dysfunctional aspects of management control 2.26

C Case studies

Self-test questions 2.27

Chapter 3 Proficiency and care in internal auditing

A IPPF Commentary

Introduction 3.1

Differing levels of competence 3.2

Competence for assurance and consulting services 3.3

Ensuring individual and collective internal audit proficiency 3.4

Due professional care 3.5

Continuing professional development 3.6

Outsourcing internal audit 3.7

Internal auditors and fraud 3.8

Internal auditors and information technology 3.9

Auditing in an IT environment 3.10

B Practical guidance

Tell-tale signs of fraud 3.11

Altered attitudes 3.12

Extravagant lifestyle 3.13

Questionable friendships 3.14

Self-contained behaviour 3.15

Excessive private phone calls and internet access 3.16

Irregular private life 3.17

Poor job performance 3.18

Appearance of being under pressure on the job 3.19

Unclear explanation for exceptions 3.20

Conclusions 3.21

Areas vulnerable to fraud 3.22

Information which has been the object of fraud 3.23

E-fraud 3.24


E-fraud facilitators 3.25

E-fraud countermeasures 3.26

E-fraud costs and risks 3.27

A useful source 3.28

Computer-assisted auditing techniques - automating the audit 3.29

Techniques for the review of systems controls 3.30

Integrated test facility (ITF) 3.31

Other techniques for the review of systems controls 3.32

Software for the review of real data 3.33

Embedded audit monitors and real-time auditing 3.34

Digital analysis tests and 'Benford's Law' 3.35

Electronic audit working papers 3.36

C Case studies

Not just a matter of early recognition of sales - the twisted yarn at a carpet retailer 3.38

Desk-based exercise in designing an audit interrogation 3.39

Chapter 4 Quality assurance and improvement programme

A IPPF Commentary

Introduction 4.1

Timing requirement for implementation 4.2

Chief audit executive responsible for the quality assurance and improvement programme 4.3

Monitoring and assessing the overall effectiveness of the quality assurance and improvement programme 4.4

Ongoing internal assessments 4.5

Periodic internal assessments 4.6

External assessments 4.7

External assessments by self-assessment with independent validation 4.8

Reporting on the quality programme 4.9

Use of 'Conforms with the International Standards for the Professional Practice of Internal Auditing' 4.10

Engagement records and the quality assurance programme 4.11

B Practical guidance

Raising the standard - research into best practice internal audit in housing associations 4.12

PART II PERFORMING INTERNAL AUDIT

Chapter 5 Managing the internal audit activity

A IPPF Commentary

Introduction 5.1

Policies and procedures to guide the internal audit activity 5.2

Planning 5.3

Internal audit activity goals 5.4

Risk assessment as a component of audit planning 5.5

Communication and approval of internal audit activity plans 5.6

Internal audit resource management 5.7

Internal audit staffing plans and financial budgets 5.8

Charging for audit work 5.9

Internal audit activity reports 5.10

Reporting to the board to senior management 5.11

Level of detail in audit activity reports 5.12

Managing coordination with other assurance and consulting services 5.13

Audit risk for external and internal auditors 5.14

Internal audit coordination with external audit 5.15

Internal audit advice on external audit provision 5.16

Internal audit relationship with the audit committee 5.17

Not explored 5.18

Overall opinions and published reports on internal control by internal audit 5.19

B Practical guidance

Strategic planning for internal audit 5.20

Issues impacting audit committee effectiveness 5.21

Audit committee inputs for assessing internal control effectiveness 5.22

Audit committee processes for assessing internal control effectiveness 5.23

Audit committee outputs from assessing internal control effectiveness 5.24

C Case studies

Self evaluation questions on audit committees 5.25

Case studies for course on meeting the requirements of your audit committee 5.26

Case 9 5.27

Chapter 6 Nature of work

A IPPF Commentary

Introduction 6.1

Governance, risk management and control 6.2

Risk management 6.3

AS/NZS 4360: 2004 risk management standard and COSO on enterprise risk management 6.4

Internal control 6.5

Control self-assessment (CSA), or control risk self-assessment (CRSA) 6.6

Governance processes 6.7

B Practical guidance

Developments in internal control concepts and definitions over time 6.8

The meaning of internal control 6.9

The first definition of internal control (AICPA) 6.10

Administrative and accounting control 6.11

Traditional UK definitions of internal control 6.12

IIA definitions of internal control 6.13

Treadway, COSO and the UK equivalents 6.14

The COSO definition of internal control 6.15

Approximate matching of principal classifications of stated objectives of internal control 6.16

Components of internal control 6.17

The Rutteman Report on internal control 6.18

The Turnbull Report on internal control 6.19

Would a more modest paradigm of internal control be better? 6.20

How COSO described the overlap between 'management' and 'internal control' 6.21

Internal control and the management process 6.22

Risk assessment 6.23

A directed focus 6.24

Recent UK perceptions 6.25

Hampel 6.26

Turnbull 6.27

Internal control in the context of management theory 6.28

Implications for internal audit scope 6.29

Enterprise risk management (COSO) 6.30

How definitions of internal control have developed over the years 6.31

COSO's Enterprise Risk Management Framework and Application Guidance 6.32

Building on Internal Control - Integrated Framework 6.33

Defining 'enterprise risk management' 6.34

How the COSO ERM framework has been developed 6.35

The components of internal control and of enterprise risk management 6.36

Stated rationale of enterprise risk management 6.37

Marrying the Enterprise Risk Management Framework with The IIA Standards 6.38

Responsibilities of the board and others for enterprise risk management 6.39

Meaning of the 'portfolio' approach 6.40

Assessing the effectiveness of enterprise risk management, with reasonable assurance 6.41

'Internal control' and 'enterprise risk management' - which belongs to which, or are they the same? 6.42

Which is bigger - 'internal control' or 'enterprise risk management'? 6.43

Enterprise risk management as something less than all of the management process 6.44

Risk responses 6.45

Control risk self assessment 6.46

Introducing CRSA 6.47

Defining CRSA 6.48

Letters of representation on risk management and internal control 6.49

Why CRSA? 6.50

The role of internal audit in control risk self-assessment 6.51

Internal audit as a facilitator of control risk self-assessment 6.52

Control risk self assessment as reassurance to internal audit 6.53

Dealing with concerns about CRSA 6.54

Objectivity 6.55

The CRSA workshop 6.56

Conclusion 6.57

CoCo's Sample Assessment Questions 6.58

The CSA workshop report 6.59

Business controls certificate - example wording 6.60

Letter of representation on risk management and internal control - standard form of wording 6.61

Self-check questionnaire on internal control for managers to use 6.62

Internal control - a guide for management and staff 6.63

What is internal control 6.64

Practical advice on internal control 6.65

Key controls which should be in place 6.66

Control risk self assessment 6.67

Internal control for the smaller operating unit 6.68

The questionnaire 6.69

Balancing 'control by segregation' with 'control by supervision' 6.70

Segregation of duties 6.71

Segregation of fundamental responsibilities 6.72

Segregation of operations 6.73

Segregation of staff 6.74

Segregation of data 6.75

Segregation of bookkeeping steps 6.76

Segregation of data entry 6.77

'Segregation' of authority to commit the business 6.78

'Segregation' of time 6.79

Segregation of knowledge 6.80

Segregation of 'operation' from 'review' 6.81

Postscript on segregation 6.82

Table: Control by segregation (ie 'separation') 6.83

Internal control when activities are outsourced 6.84

An altered definition for changing times 6.85

Post-1992 COSO 6.86

What is 'external' internal control? 6.87

JIT 6.88

Outsourcing 6.89

Outsourcing checklist 6.90


Internal auditing for the outsourced entity 6.91

Contractors and joint ventures 6.92

The importance of customers 6.93

Millennium risk 6.94

Internal control in cyberspace 6.95

Scope of directors' public reports on internal control when internal control is outsourced 6.96

Conclusions 6.97

The scope of corporate governance and the role of internal audit in corporate governance 6.98

C Case studies and exercises

Internal audit role in the external aspects of corporate governance 6.99

Reputational crisis - case 6.100

Chapter 7 Engagement planning

A IPPF Commentary

Introduction 7.1

The audit engagement planning process 7.2

Understanding management's objectives for the activity to be audited 7.3

Understanding the risks of the activity to be audited 7.4

Understanding the controls of the activity to be audited 7.5

Surprise audit engagements 7.6

Other sources of information to use in the planning phase of an audit engagement 7.7

Surveys at the planning phase of an engagement 7.8

The audit engagement programme 7.9

B Case studies

Engagement planning [Practice Advisories 2200-1 and 2240-1] 7.10

Chapter 8 Performing the engagement

A IPPF Commentary

Introduction 8.1

Identifying information 8.2

Analysis and Evaluation 8.3

Audit testing 8.4

Walk through tests 8.5

Compliance tests 8.6

Weakness, or substantive, tests 8.7

Statistical sampling in internal auditing 8.8

Audit interviewing 8.9

Engagement records 8.10

Engagement Supervision 8.11

B Practical guidance

Audit testing 8.12

Types of audit test 8.13

Objectives of 'weakness' or 'substantive' tests 8.14

General testing principles 8.15

Sample selection - by judgement or randomly 8.16

Random number selection 8.17

Interval selection 8.18

Cluster selection 8.19

Stratified selection 8.20

Determining required sample size 8.21

Confidence and precision 8.22

Variability 8.23

Sampling plans 8.24

Estimation sampling 8.25

Stop-or-go sampling 8.26

Discovery sampling 8.27

Variables sampling 8.28

Sample evaluation 8.29

Audit Interviewing 8.30

Types of audit 'interview' 8.31

The initial meeting 8.31

The tour of the premises 8.32

The fact-finding interview 8.33

Interviews to discuss audit findings 8.34

Interviewing Approach 8.35

Preparing for the interview 8.35

At the start of the interview 8.36

During the interview 8.37


At the end of the interview 8.38

After the end of the interview 8.39

Interviewing style 8.40

Suitable types of question in appropriate contexts 8.41

Types of question to be wary of 8.42

Audit interviewing - practical tips 8.43

Audit engagement checklists 8.44

C Case studies

Audit testing 8.45

Using random numbers in audit testing 8.46

Attribute sampling 8.47

Sampling for variables 8.48

Working papers: Case for consideration 8.49

Chapter 9 Communicating results

A IPPF Commentary

Introduction 9.1

Using the planning stage of the audit to consider approach to communicating results 9.2

Communication style and approach 9.3

Quality of communications 9.4

Errors and omissions 9.5

Engagement disclosure on non-compliance with the Standards 9.6

Disseminating results 9.7

Reporting on audits of business processes 9.8

Communicating about fraud 9.9

Audit report writing 9.10

B Practical guidance

Audit reports and audit follow-up 9.11

Communicating audit findings and recommendations 9.12

Circulation of audit reports 9.13

Follow-up and the status of audit recommendations 9.14

Audit report structure 9.15

Writing style 9.16

'Fog' or 'clarity' indices 9.17


C Case studies

Published reports on internal control by internal audit 9.18

Internal audit coverage 9.19

Risk assessment 9.20

IT auditing 9.21

A multi-disciplinary function 9.22

Internal audit's mission 9.23

Scope of internal audit work 9.24

'External' internal control 9.25

Proactive role 9.26

The 'total audit' 9.27

The opinion on internal control 9.28

Conclusion 9.29

Internal audit 9.30

Audit reports - case study 9.31

Effective use of English 9.32

Chapter 10 Monitoring progress

A IPPF Commentary

Introduction 10.1

Audit engagement follow-up 10.2

Internal audit's responsibilities for audit engagement follow-up 10.3

Audit engagement follow-up by a separate function 10.4

Management's responsibilities for follow-up 10.5

Approaches to audit engagement follow-up 10.6

Follow-up audit visits 10.7

Documenting follow-up 10.8

Chapter 11 Resolution of management's acceptance of risks

A IPPF Commentary

Introduction 11.1

Communicating sensitive information within and outside of the chain of command 11.2

B Case studies

Case studies on whistleblowing 11.3


PART III SELECTED ADVANCED AUDIT ENGAGEMENTS

Chapter 12 The internal audit role in mergers and acquisitions

Introduction 12.1

Definition of 'internal auditing' 12.2

Definition of 'assurance services' 12.3

Definition of 'consulting services' 12.4

Chapter 13 Auditing subsidiaries and remote operating units

Introduction 13.1

Fact finding 13.2

Example fact finding programme 13.3

High level review programme 13.4

Example high level review programme 13.5

Chapter 14 Outsourced business activities, and implications for internal audit

Meaning 14.1

Impact upon in-house personnel 14.2

Broadening scope of outsourcing 14.3

Cost-benefit issues 14.4

Cost escalation 14.5

Re-invigorating a business through outsourcing 14.6

Impact on human resource inventory 14.7

The decision to outsource 14.8

Core activities 14.9

Strategic implications 14.10

Implications for internal audit 14.11

Chapter 15 Reputational risk - control and audit

Questionnaire 15.1

General overview (1) 15.1

Financial performance, profitability and long-term investment value (2) 15.2

The board, the chief executive and the senior management team (3) 15.3

Quality of products and services - brand image (4) 15.4

Treatment of staff (5) 15.5

Social responsibility (6) 15.6

Customer service (7) 15.7


Information and communication (8) 15.8

Chapter 16 Information technology

Standard Audit Programme Guide for auditing a business' use of information technology 16.1

Management checklist version with example controls and measures 16.1

Standard Audit Programme Guide - systems 16.2

System interfaces for information processing facility 16.2

Chapter 17 Contracting

Standard Audit Programme Guide 17.1

Management checklist version with example controls and measures 17.1

Chapter 18 Understanding assurance

Introduction 18.1

Accountability, audit and control 18.2

Assurance hallmarks 18.3

The audit expectations gap 18.4

Audit regulation 18.5

Auditing statements only? 18.6

Auditing internal control 18.7

Hearing the other party 18.8

Five components of audit engagements 18.9

The 'three party' relationship 18.10

Subject matter 18.11

Criteria 18.12

Evidence 18.13

Auditor reliance on others 18.14

Reasonable and limited assurance 18.15

Assurance in internal auditing 18.16

Common ground between external and internal audit 18.17

Transitioning beyond financial statement auditing 18.18

Deeper auditing 18.19

Conclusions 18.20

Chapter 19 The Board's Black Hole - filling their assurance vacuum

Introduction 19.1

BP 19.2

The Northern Rock bank 19.3


Barings Bank 19.4

Enron 19.5

Shell 19.6

BAE 19.7

US hegemony 19.8

Board oversight 19.9

The board's assurance vacuum 19.10

Filling the vacuum with internal audit? 19.11

Internal audit independence from management 19.12

Internal audit directly interfacing with the main board 19.13

Not just assurance of systems and processes 19.14

All of corporate governance 19.15

A step beyond providing assurance to the board 19.16

'Super auditors' 19.17

Too much to ask? 19.18

Conclusions and recommendations 19.19

Appendices

Appendix 1 The Institute of Internal Auditors Code of Ethics 607

Appendix 2 International Standards for the Professional Practice of Internal Auditing 611

Appendix 3 Practice Advisories by Standard number, 1 January 2009 631

Appendix 4 Practice Advisories by Standard number, showing transition from pre-2009 to 2009 set 635

Appendix 5 Content Specification Outlines for the Certified Internal Auditor professional qualification of The Institute of Internal Auditors 641

Appendix 6 Certification in Control Self Assessment of The Institute of Internal Auditors 653

Appendix 7 The Institute of Internal Auditors (UK) Practitioner of The Institute of Internal Auditors Programme - outline and contents 657

Appendix 8 The Institute of Internal Auditors (UK) Member of The Institute of Internal Auditors Programme - outline and contents 681

Appendix 9 Websites for internal auditors 705

Index 715
