Preface
Part One: Foundations of Modern Internal Auditing
Chapter 1 Significance of Internal Auditing in Enterprises Today: An Update
1.1 Internal Auditing History and Background
1.2 Mission of Internal Auditing
1.3 Organization of this Book
Notes
Chapter 2 An Internal Audit Common Body of Knowledge
2.1 What is a CBOK? Experiences from Other Professions
2.2 What Does an Internal Auditor Need to Know?
2.3 An Internal Auditing CBOK
2.4 Another Attempt: The Institute of Internal Auditors’ Research Foundation’s CBOK
2.5 What Does an Internal Auditor Need to Know?
Notes
Part Two: Importance of Internal Controls
Chapter 3 The COSO Internal Controls Framework
3.1 Understanding Internal Controls
3.2 Revised COSO Framework Business and Operating Environment Changes
3.3 The Revised COSO Internal Controls Framework
3.4 COSO Internal Control Principles
3.5 COSO Internal Control Components: The Control Environment
3.6 COSO Internal Control Components: Risk Assessments
3.7 COSO Internal Control Components: Internal Control Activities
3.8 COSO Internal Control Components: Information and Communication
3.9 COSO Internal Control Components: Monitoring Activities
3.10 The COSO Framework’s Other Dimensions
Chapter 4 COSO 17 Internal Control Principles
4.1 COSO Internal Control Framework Principles
4.2 COSO Control Environment Principle 1: Integrity and Ethical Values
4.3 COSO Control Environment Principle 2: Role of the Board of Directors
4.4 COSO Control Environment Principle 3: Authority & Responsibility Needs
4.5 COSO Control Environment Principle 4: Commitment to a Competent Workforce
4.6 COSO Control Environment Principle 5: Hold People Accountable
4.7 COSO Risk Assessment Principle 6: Specify Appropriate Objectives
4.8 COSO Risk Assessment Principle 7: Identify and Analyze Risks
4.9 COSO Risk Assessment Principle 8: Evaluate Fraud Risks
4.10 COSO Risk Assessment Principle 9: Identify Changes Affecting Internal Controls
4.11 COSO Control Activities Principle 10: Select Control Activities that Mitigate Risks
4.12 COSO Control Activities Principle 11: Select and Develop Technology Controls
4.13 COSO Control Activities Principle 12: Policies and Procedures
4.14 Information and Communication Principle 13: Use Relevant Quality Information
4.15 Information and Communication Principle 14: Internal Communications
4.16 Information and Communication Principle 15: External Communications
4.17 Monitoring Principle 16: Internal Control Evaluations
4.18 Monitoring Principle 17: Communicate Internal Control Deficiencies
4.19 IPPF Internal Auditor Principles
Note
Chapter 5 Sarbanes-Oxley (SOx) and Beyond
5.1 Sarbanes-Oxley Act (SOx) Key Elements or Titles
5.2 Performing Section 404 Reviews under AS5
5.3 AS5 Rules and Internal Audit
5.4 Impact of the Sarbanes-Oxley Act
Notes
Chapter 6 COBIT and other ISACA Guidance
6.1 Introduction to COBIT
6.2 COBIT Framework
6.3 COBIT Principle 1: Meeting Stakeholder Needs
6.4 COBIT Principle 2: Covering the Enterprise End to End
6.5 COBIT Principle 3: A Single Integrated Framework
6.6 COBIT Principle 4: Enabling a Holistic Approach
6.7 COBIT Principle 5: Separating Governance from Management
6.8 Using COBIT to Assess Internal Controls
6.9 Mapping COBIT to COSO Internal Controls
Notes
Chapter 7 Enterprise Risk Management: COSO ERM
7.1 Risk Management Fundamentals
7.2 COSO ERM: Enterprise Risk Management
7.3 COSO ERM Key Elements
7.4 Other Dimensions of COSO ERM: Enterprise Risk Objectives
7.5 Entity Level Risks
7.6 Putting it All Together: Auditing Risk and COSO ERM Processes
Notes
Part Three: Planning and Performing Internal Audits
Chapter 8 Performing Effective Internal Audits
8.1 Initiating and Launching an Internal Audit
8.2 Organizing and Planning Internal Audits
8.3 Internal Audit Preparatory Activities
8.4 Starting the Internal Audit
8.5 Developing and Preparing Audit Programs
8.6 Performing an Internal Audit
8.7 Wrapping up the Field Engagement Internal Audit
8.8 Performing an Individual Internal Audit
Chapter 9 Standards for the Professional Practice of Internal Auditing
9.1 What is the IPPF?
9.2 The Internal Auditing Professional Practice Standards: A Key IPPF Component
9.3 Content of the IIA Standards
9.4 Codes of Ethics: The IIA and ISACA
9.5 Internal Audit Principles
9.6 IPPF Future Directions
Notes
Chapter 10 Testing, Assessing, and Evaluating Audit Evidence
10.1 Gathering Appropriate Audit Evidence
10.2 Audit Assessment and Evaluation Techniques
10.3 Internal Audit Judgmental Sampling
10.4 Statistical Audit Sampling: An Introduction
10.5 Developing a Statistical Sampling Plan
10.6 Audit Sampling Approaches
10.7 Attribute Sampling Audit Example
10.8 Attributes Sampling Advantages and Limitations
10.9 Monetary Unit Sampling
10.10 Other Audit Sampling Techniques
10.11 Making Efficient and Effective Use of Audit Sampling
Notes
Chapter 11 Continuous Auditing and Computer Assisted Audit Techniques
11.1 Implementing Continuous Assurance Auditing
11.2 ACL, NetSuite, Business Objects, and Other Continuous Assurance Systems
11.3 Benefits of CAA
11.4 Computer Assisted Audit Tools & Techniques (CAATTs)
11.4 Determining the Need for CAATTs
11.5 Steps to Building Effective CAATTs
11.6 Importance of Using CAATTs for Audit Evidence Gathering
11.7 XBRL: The Internet-Based Extensible Marking Language
Notes
Chapter 12 Control Self-Assessments and Internal Audit Quality Assurance
12.1 Importance of Control Self-Assessments
12.2 CSA Model
12.3 Launching the CSA Process
12.4 Evaluating CSA Results
12.5 Benchmarking and Internal Audit
12.6 Better Understanding Internal Audit Activities
Notes
Chapter 13 Areas to Audit: Establishing an Audit Universe and Audit Programs
13.1 Defining the Scope and Objectives of the Internal Audit Universe
13.2 Assessing Internal Audit Capabilities and Objectives
13.3 Audit Universe Time and Resource Limitations
13.4 “Selling” an Audit Universe Concept to the Audit Committee and Management
13.5 Assembling Audit Programs: Audit Universe Key Components
13.6 Audit Universe and Program Maintenance
Part Four: Organizing and Managing Internal Audit Activities
Chapter 14 Charters and Building the Internal Audit Function
14.1 Establishing an Internal Audit Function
14.2 Audit Committee and Management Authorization of an Audit Charter
14.3 Building an Internal Audit Function
Notes
Chapter 15 Establishing an Audit Universe and Performing Internal Audits
15.1 Defining the Scope and Objectives of the Internal Audit Universe
15.2 Assessing Potential Internal Audit Review Capabilities and Objectives
15.3 Audit Universe Time and Resource Limitations
15.4 Importance of Internal Audit Key Competencies
15.5 Importance of Internal Audit Risk Management
15.6 Internal Auditor Interview Skills
15.7 Internal Audit Analytical and Testing Skills Competencies
15.8 Internal Auditor Documentation Skills
15.9 Recommending Results and Corrective Actions
15.10 Internal Auditor Negotiation Skills
15.11 An Internal Auditor Commitment to Learning
15.12 Importance of Internal Auditor Core Competencies
Chapter 16 Planning Audits and Understanding Project Management
16.1 The Project Management Process
16.2 PMBOK: The Project Management Book of Knowledge
16.3 PMBOK Program and Portfolio Management
16.4 Planning An Internal Audit
16.5 Understanding the Environment: Planning and Launching an Internal Audit
16.6 Audit Planning: Documenting and Understanding the Internal Controls Environment
16.7 Performing Appropriate Internal Audit Procedures and Wrapping up the Audit
16.8 Project Management Best Practices and Internal Audit
Note
Chapter 17 Documenting Audit Results Through Process Modeling and Workpapers
17.1 Internal Audit Documentation Requirements
17.2 Process Modeling for Internal Auditors
17.3 Internal Audit Workpapers
17.5 Workpaper Document Organization
17.6 Workpaper Preparation Techniques
17.7 Internal Audit Document Records Management
17.8 The Importance of Internal Audit Documentation
Notes
Chapter 18 Reporting Internal Audit Results
18.1 The Audit Report Framework
18.2 Purposes and Types of Internal Audit Reports
18.3 Published Audit Reports
18.4 Alternative Audit Report Formats
18.5 Internal Audit Reporting Cycle
18.6 Effective Internal Audit Communications Opportunities
18.7 Audit Reports and Understanding People in Internal Auditing
Note
Part Five: Impact of Information Systems on Internal Auditing
Chapter 19 ITIL Best Practices, the IT Infrastructure and General Controls
19.1 Importance of IT General Controls
19.2 Client-Server and Smaller Systems General IT Controls
19.3 Client-Server Computer Systems
19.4 Smaller Systems Operations Internal Controls
19.5 Auditing IT General Controls for Smaller IT Systems
19.5 Mainframe, Legacy System Components and Controls
19.6 Internal Control Reviews of Classic “Mainframe” or “Legacy” IT Systems
19.7 Legacy or Larger System General Controls Reviews
19.8 ITIL Service Support and Delivery IT Infrastructure Best Practices
19.9 Service Delivery Best Practices
19.10 Auditing IT Infrastructure Management
19.11 Internal Auditor CBOK Needs for IT General Controls
Notes
Chapter 20 BYOD Practices and Social Media Internal Audit Issues
20.1 The Growth and Impact of BYOD Personal Computing Devices
20.2 Understanding the Enterprise BYOD Environment
20.3 BYOD Security Policy Elements
20.4 Social Media Computing
20.5 Enterprise Social Media Computing Risks and Vulnerabilities
20.6 Social Media Policies
Chapter 21 Big Data and Enterprise Content Management
21.1 Big Data Overview
21.2 Big Data Governance, Risk and Compliance Issues
21.3 Big Data Management, Hadoop and Security Issues
21.4 Compliance Monitoring and Big Data Analytics
21.5 Internal Auditing in a Big Data Environment
21.6 Enterprise Content Management Internal Controls
21.7 Auditing Enterprise Content Management Processes
Notes
Chapter 22 Reviewing Application and Software Management Controls
22.1 IT Application Components
22.2 Selecting Applications for Internal Audit Reviews
22.3 Preliminary Steps to Performing Applications Controls Reviews
22.4 Completing the IT Applications Controls Audit
22.5 Application Review Example: Client-Server Budgeting System
22.6 Auditing Applications Under Development
22.7 Importance of Reviewing IT Application Controls
Notes
Chapter 23 Cybersecurity, Hacking Risks, and Privacy Controls
23.1 Hacking and IT Network Security Fundamentals
23.2 Data Security Concepts
23.3 Importance of IT Passwords
23.4 Viruses and Malicious Program Code
23.5 System Firewall Controls
23.6 Social Engineering IT Risks
23.7 IT Systems Privacy Concerns
23.8 The NIST Cybersecurity Framework
23.9 Auditing IT Security and Privacy
23.10 PCI-DSS Fundamentals
23.11 Security and Privacy in the Internal Audit Department
23.12 Internal Audit’s Privacy and Cybersecurity Roles
Chapter 24 Business Continuity and Disaster Recovery Planning
24.1 IT Disaster & Business Continuity Planning Today
24.2 Auditing Business Continuity Planning Processes
24.3 Building the IT Business Continuity Plan
24.4 Business Continuity Planning and Service Level Agreements
24.5 Auditing Business Continuity Plans
24.6 Business Continuity Planning Going Forward
Notes
Part Six: Internal Audit and Enterprise Governance
Chapter 25 Board Audit Committee Communications
25.1 Role of the Audit Committee
25.2 Audit Committee Organization and Charters
25.3 Audit Committee’s Financial Expert and Internal Audit
25.4 Audit Committee Responsibilities for Internal Audit
25.5 Audit Committee Review and Action on Significant Audit Findings
25.6 Audit Committee and its External Auditors
25.7 Whistleblower Programs and Codes of Conduct
25.8 Other Audit Committee Roles
Note
Chapter 26 Ethics and Whistleblower Programs
26.1 Enterprise Ethics, Compliance, and Governance
26.2 Ethics First Steps: Developing a Mission Statement
26.3 Understanding the Ethics Risk Environment
26.4 Summarizing Ethics Survey Results: Do We Have a Problem?
26.5 Enterprise Codes of Conduct
26.6 Whistleblower and Hotline Functions
26.7 Auditing the Enterprise’s Ethics Functions
26.8 Improving Corporate Governance Practices
Notes
Chapter 27 Fraud Detection and Prevention
27.1 Understanding and Recognizing Fraud
27.2 Red Flags: Fraud Detection Signs for Internal Auditors
27.3 Public Accounting’s Role in Fraud Detection
27.4 IIA Standards for Detecting and Investigating Fraud
27.5 Fraud Investigations for Internal Auditors
27.6 Information Technology Fraud Prevention Processes
27.7 Fraud Detection and the Internal Auditor
Notes
Chapter 28 Internal Audit GRC Approaches and Other Compliance Requirements
28.1 The Road to Effective GRC Principles
28.2 GRC Risk Management Components
28.3 GRC and Internal Audit Enterprise Compliance Issues
28.4 The Importance of Effective GRC Practices and Principles
Part Seven: The Professional Internal Auditor
Chapter 29 Professional Certifications: CIA, CISA, and More
29.1 Certified Internal Auditor Responsibilities and Requirements
29.2 Beyond the CIA: Other IIA Certifications
29.3 Importance of the CIA Specialty Certification Examinations
29.4 Certified Information Systems Auditor (CISA) Credentials
29.5 Certification in Information Systems Management (CISM)
29.6 Certification in the Governance of Enterprise IT (CGEIT)
29.7 Certification in Risk and Information Systems Control (CRISC)
29.8 Certified Fraud Examiner Certification
29.9 CISSP Information Systems Security Professional Certification
29.10 ASQ Internal Audit Certifications
29.11 Other Internal Auditor Certifications
Chapter 30 The Modern Internal Auditor as an Enterprise Consultant
30.1 Standards for Internal Audit as an Enterprise Consultant
30.2 Launching an Internal Audit Internal Consulting Capability
30.3 Ensuring an Audit and Consulting Separation of Duties
30.4 Consulting Best Practices
Part Eight: The Other Sides of Auditing: Professional Convergence
Chapter 31 Quality Assurance Auditing and ASQ Standards
31.1 Duties and Responsibilities of ASQ Quality Auditors
31.2 Role of the Quality Auditor
31.3 Performing ASQ Quality Audits
31.4 Quality Assurance Reviews of the Internal Audit Function
31.5 Launching the Internal Audit Quality Assurance Review
31.6 Reporting the Results of an Internal Audit Quality-Assurance Review
31.7 Future Directions for Quality Assurance Auditing
Chapter 32 Six Sigma and Lean Techniques for Internal Audit
32.1 Six Sigma Background and Concepts
32.2 Implementing Six Sigma
32.3 Six Sigma Leadership Roles and Responsibilities
32.4 Launching an Enterprise Six Sigma Project
32.5 Lean Six Sigma
32.6 Auditing Six Sigma Processes
32.7 Six Sigma in Internal Audit Operations
Notes
Chapter 33 ISO and Worldwide Internal Audit Standards
33.1 ISO Standards Background
33.2 ISO Standards Overview
33.3 ISO 38500 IT Governance Standard
33.4 ISO Standards and the COSO Internal Controls Framework
33.5 Internal Audit and International Auditing Standards
Notes
Chapter 34 A CBOK for the Modern Internal Auditor
34.1 Part I: Foundations of Internal Auditing CBOK Requirements
34.2 Part II: Importance of Internal Controls CBOK Requirements
34.3 Part III: Planning and Performing Internal Audit CBOK Requirements
34.4 Part IV: Organizing and Managing Internal Audit Activities CBOK Requirements
34.5 Part V: Impact of IT on Internal Auditing CBOK Requirements
34.6 Part VI: Internal Audit and Enterprise Governance CBOK Requirements
34.7 Part VII: Understanding Internal Auditor Professional CBOK Requirements
34.8 Part VIII: Internal Auditing Professional Convergence CBOK Requirements
34.9 A CBOK for the Modern Internal Auditor
Note
About the Author
Index