Internal Auditing: Assurance and Consulting Services, 2nd Edition
Copyright 2009, The IIA Research Foundation

Book design by Rule and Renco, www.ruleandrenco.com
Illustration by Linda Frichtel

Copyright © 2009 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher.

The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

The Institute of Internal Auditors' (IIA's) International Professional Practices Framework (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing.

The mission of The IIARF is to expand knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession globally. The IIA and The IIARF work in partnership with researchers from around the globe who conduct valuable studies on critical issues affecting today's business world. Much of the content presented in their final reports is a result of IIARF-funded research and prepared as a service to The Foundation and the internal audit profession. Expressed opinions, interpretations, or points of view represent a consensus of the researchers and do not necessarily reflect or represent the official position or policies of The IIA or The IIARF.

ISBN 978-0-89413-643-6
09/09 First Printing

TABLE OF CONTENTS

Preface
Acknowledgments
About the Authors

FUNDAMENTAL INTERNAL AUDIT CONCEPTS

Chapter 1 Introduction to Internal Auditing
    Learning Objectives
    Definition of Internal Auditing
    The Relationship Between Auditing and Accounting
    Financial Reporting Assurance Services: External Versus Internal
    The Internal Audit Profession
    The Institute of Internal Auditors
    Competencies Needed to Excel as an Internal Auditor
    Internal Audit Career Paths
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Case
    References

Chapter 2 The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession
    Learning Objectives
    The History of Guidance Setting for the Internal Audit Profession
    The International Professional Practices Framework
    Mandatory Guidance
    Strongly Recommended Guidance
    How the International Professional Practices Framework is Kept Current
    Standards Promulgated by Other Organizations
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 3 Governance
    Learning Objectives
    Governance Concepts
    The Evolution of Governance
    Summary
    Appendix 3-A: Summary of Key U.S. Regulations
    Appendix 3-B: Summary of Governance and Risk Management Codes From Other Countries
    Appendix 3-C: Other Governance References
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 4 Risk Management
    Learning Objectives
    Overview of Risk Management
    The Role of the Internal Audit Function in ERM
    The Impact of ERM on Internal Audit Assurance
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 5 Business Processes and Risks
    Learning Objectives
    Business Processes
    Documenting Business Processes
    Business Risks
    Business Process Outsourcing
    Summary
    Appendix 5-A: Student Organization Risk Assessment Example
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 6 Internal Control
    Learning Objectives
    Frameworks
    Definition of Internal Control
    The Components of Internal Control
    Internal Control Roles and Responsibilities
    Limitations of Internal Control
    Viewing Internal Control from Different Perspectives
    Types of Controls
    Evaluating the System of Internal Controls – An Overview
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Case
    References

Chapter 7 Information Technology Risks and Controls
    Learning Objectives
    Key Components of Modern Information Systems
    IT Opportunities and Risks
    IT Governance
    IT Risk Management
    IT Controls
    Implications of IT for Internal Auditors
    Sources of IT Audit Guidance
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Case
    References

Chapter 8 Fraud Risks and Controls
    Learning Objectives
    Overview of Fraud in Today's Business World
    Definitions of Fraud
    The Fraud Triangle
    Key Principles for Managing Fraud Risk
    Governance Over the Fraud Risk Management Program
    Fraud Risk Assessment
    Fraud Prevention
    Fraud Detection
    Fraud Investigation and Corrective Action
    Understanding Fraudsters
    Implications for Internal Auditors and Others
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 9 Managing the Internal Audit Function
    Learning Objectives
    Positioning the Internal Audit Function in the Organization
    Planning
    Communication and Approval
    Resource Management
    Policies and Procedures
    Coordination with Independent Outside Auditors
    Reporting to the Board and Senior Management
    Governance
    Risk Management
    Control
    Quality Assurance and Improvement Program (Quality Program Assessments)
    Performance Measurements for the Internal Audit Function
    Use of Technology to Support the Internal Audit Process
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Case
    References

CONDUCTING INTERNAL AUDIT ENGAGEMENTS

Chapter 10 Audit Evidence and Working Papers
    Learning Objectives
    Audit Evidence
    Audit Procedures
    Working Papers
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 11 Audit Sampling
    Learning Objectives
    Introduction to Audit Sampling
    Statistical Audit Sampling in Tests of Controls
    Nonstatistical Audit Sampling in Tests of Controls
    Statistical Sampling in Tests of Monetary Values
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 12 Introduction to the Engagement Process
    Learning Objectives
    Types of Internal Audit Engagements
    Overview of the Assurance Engagement Process
    The Consulting Engagement Process
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Case
    References

Chapter 13 Conducting the Assurance Engagement
    Learning Objectives
    Determine Engagement Objectives and Scope
    Understand the Auditee
    Identify and Assess Risks
    Identify Key Controls
    Evaluate the Adequacy of Control Design
    Create a Test Plan
    Develop a Work Program
    Allocate Resources to the Engagement
    Conduct Tests to Gather Evidence
    Evaluate Evidence Gathered and Reach Conclusions
    Develop Observations and Formulate Recommendations
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Case
    References

Chapter 14 Communicating Assurance Engagement Outcomes and Performing Follow-up Procedures
    Learning Objectives
    Engagement Communication Obligations
    Perform Observation Evaluation and Escalation Process
    Conduct Interim and Preliminary Engagement Communications
    Develop Final Engagement Communications
    Distribute Formal and Informal Final Communications
    Perform Monitoring and Follow-up
    Other Types of Engagements
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

Chapter 15 The Consulting Engagement
    Learning Objectives
    The Difference Between Assurance and Consulting Services
    Types of Consulting Services
    Selecting Consulting Engagements to Perform
    The Consulting Engagement Process
    Consulting Engagement Working Papers
    The Changing Landscape of Consulting Services
    Capabilities Needed
    Summary
    Review Questions
    Multiple-choice Questions
    Discussion Questions
    Cases
    References

GLOSSARY

APPENDICES
    Appendix A The IIA's Code of Ethics
    Appendix B The IIA's International Standards for the Professional Practice of Internal Auditing

INDEX

CONTENTS OF CD-ROM

ACL Software
IDEA Software
The IIA's Code of Ethics
The IIA's International Standards for the Professional Practice of Internal Auditing

Case Studies

Case Study 1 Auditing Entity-level Controls
    Learning Objectives
    Importance of Entity-level Controls
    Historical and Current Perspectives on Entity-level Controls
    Definitions of Different Levels of Controls
    A Framework for Determining the Impact of Entity-level Controls on Testing
    Entity-level Controls and the COSO Internal Control – Integrated Framework
    Testing Entity-level Controls
    Summary
    Case Study
        Background Information
        Scenario 1: Ethical Behavior is Good Business
        Scenario 1 Activities
        Scenario 2: Using IT to Gain a Competitive Edge
        Scenario 2 Activities
        Scenario 3: Brokerage Capability Expansion – International Online Trading
        Scenario 3 Activities (Advanced)

Case Study 2 Auditing the Compliance and Ethics Program
    Learning Objectives
    What is Compliance?
    Taking an Integrated Systems Approach to Establishing and Maintaining a Compliance and Ethics Program
    The Federal Sentencing Guidelines and the Criteria for an Effective Compliance and Ethics Program
    Roles and Responsibilities for the Compliance and Ethics Program
    Compliance and Ethics Program Maturity Assessment
    Summary
    Case Study
        Background Information
        Scenario 1: Code of Ethics and Business Conduct
        Scenario 1 Activities
        Scenario 2: Employee Opinion Survey
        Scenario 2 Activities
        Scenario 3: Compliance and Ethics Program Maturity Assessment
        Scenario 3 Activities
        Scenario 4: Test of Compliance with SHR's Gift Exchange Policy
        Scenario 4 Activities

Case Study 3 Performing a Blended Consulting Engagement
    Learning Objectives
    Performing Risk Assessments
    Performing Consulting Engagements
    Case Study
        Background Information
        Scenario 1: Risk Assessment and Consulting Processes
        Scenario 1 Activities
        Scenario 2: Retail Operations Expansion
        Scenario 2 Activities