Internal Audit Handbook
Management with the SAP®-Audit Roadmap

Henning Kagermann, William Kinney, Karlheinz Küting, Claus-Peter Weber (Eds.)

In cooperation with: Corinna Boecker, Julia Busch, Oliver Bussiek, Margaret H. Christ, Petra Eckes, Markus Falk, Penelope Sue Greenberg, Bernhard Reichert, Manfred Wolf

Translated from German by: Ziggie Keil

Professor Dr. Henning Kagermann, SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
Professor Dr. Karlheinz Küting, Institut für Wirtschaftsprüfung, Universität des Saarlandes, Campus Gebäude B4, 66123 Saarbrücken, Germany
Professor William Kinney, Ph.D., McCombs School of Business, University of Texas at Austin, University Station B6400, Austin, Texas 78712, USA
Professor Dr. Claus-Peter Weber, Institut für Wirtschaftsprüfung, Universität des Saarlandes, Campus Gebäude B4, 66123 Saarbrücken, Germany

ISBN 978-3-540-70886-5
e-ISBN 978-3-540-70887-2
DOI 10.1007/978-3-540-70887-2
Library of Congress Control Number: 2007937939

© 2008 Springer-Verlag Berlin Heidelberg

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

SAP®, SAP NetWeaver®, ABAP-4® and other SAP products and services mentioned in this text as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. SAP AG is neither the author nor the publisher of this book and is not responsible for its content. COBIT® (Control Objectives for Information and related
Technology) is a registered trademark of the ITGI. The ITGI is neither the author nor the publisher of this book and is not responsible for its content. Excel®, Internet Explorer®, Microsoft®, PowerPoint®, Windows® and Word® are registered trademarks of Microsoft Corporation in the USA and/or other countries. Microsoft Corporation or Microsoft GmbH are neither the authors nor the publishers of this book and are not responsible for its content. All other names of products and services are trademarks of the respective companies. COSO IC Cube, Copyright © 1992 and COSO ERM Cube, Copyright © 2001 by the Committee of Sponsoring Organizations of the Treadway Commission. Reproduced with permission from the AICPA acting as authorized copyright administrator for COSO.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Cover design: WMX Design GmbH, Heidelberg
Printed on acid-free paper
springer.com

Preamble by the Institute of Internal Auditors

It’s plain and simple: Internal auditing is anything but plain and simple. It is a rapidly changing profession with high standards. Internal auditing is unique to the organization and culture in which it is performed, and requires an in-depth understanding of that organization’s culture, policies, and procedures. Today’s professional internal auditors more closely resemble coaches and educators than did their predecessors. They watch for efficiencies, economies, and effectiveness and make recommendations for improvement when they find gaps. Internal auditors assess risks—financial, operational, strategic, compliance-oriented, and reputation-related—to ensure an organization’s system of control is strong. They evaluate processes and determine what’s working and what’s not. And internal auditors’ main job function is to help management and
the board to meet goals and objectives.

Such a broad and dynamic profession requires its members to be ever watchful for new and better ways of doing things. The Institute of Internal Auditors (IIA) and The IIA Research Foundation are both committed to enhancing the professionalism of internal audit practitioners and elevating the profession all around the world. This includes expanding the proficiency and performance of internal auditors, as well as building broad awareness of the value the internal audit activity brings to an organization and its myriad stakeholders.

Clearly, this handbook is consistent with these two goals. It sets the stage by defining internal auditing, relating to the International Standards for the Professional Practice of Internal Auditing, and describing recognized frameworks for internal control and risk management. It explores internal audit methodology and provides helpful information on scope, integration, analysis, and quality. Written for management, board members, chief audit executives, and staff internal auditors, the concepts presented on the pages that follow put the complexities of internal auditing into language that is understandable and relevant.

Trish Harris
Director, Communications
The Institute of Internal Auditors, Inc.

Foreword

Everything starts with an idea, and this book is no exception. At first, the various thoughts and discussions were focused on the original intention to “merely” create a job introduction for new Internal Audit employees. This plan has since evolved into a comprehensive, up-to-date presentation of the tasks and challenges facing Internal Audit, in a format and on a scale hitherto unrivalled in the market.

There are very few units in the company that have been subject to such a major change process in recent years as Internal Audit. This applies irrespective of company size as corporations adapt to developments in information technology, corporate governance, legal requirements, and global best practices. For large
corporations, the change process typically involves restructuring, expanding, and internationalizing the existing department, while smaller and medium-sized companies face the challenges associated with setting up such a department for the first time. For this reason, we have not produced this book with a specific audience or sector in mind. Rather, we have tried to present the idea of Internal Audit so comprehensively that readers can get from it the information they require for their particular situations.

The target audience of this handbook could not be more varied, and we hope that a large cross-section of managers and employees from Internal Audit, compliance, risk, and corporate management will benefit from reading it. Apart from the auditors themselves, this book should also appeal to those who have contact with Internal Audit within or outside their own company, with the aim of giving them insight into the tasks and responsibilities of this department. In this context, it is our particular concern to eradicate, once and for all, the outdated notion of internal auditors as controlling box checkers, not much loved by the rest of the company, and instead to present the highly varied, interesting, and increasingly international range of tasks of Internal Audit as a navigator in the company. Finally, we hope this book will make an important contribution to teaching (internal) auditing at universities.

The introductory information provided in Section A gives a comprehensive overview of the principles of internal auditing. It places audit work in the overall context and deals with organizational issues as well as the practice of audit and consulting work. Section B describes the Audit Roadmap, the process model of Internal Audit at SAP. The chapters in Section C provide fictitious, practice-based examples of how Internal Audit at SAP AG deals with selected audit topics. Section D revisits some focus areas and special topics for a more detailed discussion. The summarizing key points
at the beginning of each chapter are to give readers a concise overview of the topics dealt with in the chapter. The same applies to the enclosed CD containing templates to put specific elements of theory into practice. With the Hints and Tips at the end of most chapters we hope to provide useful impulses for practical audit work.

As mentioned earlier, this handbook is intended to satisfy a variety of users with different information requirements. Nevertheless, the information generally makes reference to examples from the organizational structure of SAP AG and its internal audit service provider GIAS (Global Internal Audit Services), although in specific cases we depart from company-specific names and structures to make the information more generally accessible. With regard to SAP-specific terminology and situations, e.g., the organizational position of Internal Audit under the CEO or reference to SAP AG’s local subsidiaries, we ask readers to apply the information provided to their personal situations as required. This also holds for adjustments resulting from certain company forms and the application to other legal forms of information relating to the German Aktiengesellschaft (stock corporation).

This guide incorporates the latest status of discussion, although we have to bear in mind that the whole topic is subject to constant development. Some issues of the future have already been touched upon, but will require further development and consolidation. It remains to be seen how changes will shape the future of Internal Audit.

As the scale of work suggests, this book could not have been published without the dedicated efforts of a large team of people, who worked hard over the past few months to help this project succeed. We would like to say a special thank you to Margaret Christ, Penelope Sue Greenberg, and Bernhard Reichert for their dedication in revising and editing the English translation of this handbook, which first appeared in German as Handbuch der Revision. Thanks also
to Ziggie Keil for translating the work into English. We would also like to acknowledge the original authors of the German edition: Corinna Boecker, Julia Busch, Petra Eckes, Oliver Bussiek, Markus Falk, and Manfred Wolf. We also wish to thank Christine Benner for her organizational work, for producing numerous graphics, and for looking after the CD design. A word of thanks also to Dorothee Brechtel and Adelheid Röben, who read and reread each chapter with tireless dedication, contributing to factual and linguistic quality assurance and making many valuable suggestions.

We are also grateful to the following Internal Audit employees of SAP AG for their work on specific chapters: Julio M. Arevalo, Thorsten Caspari, Önder Güngör, Miang Ngee Lau, Christian Müller, Mark Scavillo, Maria Eliana Testolin, Zoltan Vagvoelgyi, and Kai Zobel. Other departments of SAP AG also gave us plentiful support by reading the text and providing critical feedback. Thanks also to the employees from Global Communications, Corporate Legal, Corporate Financial Reporting, Global Risk Management, Global Compliance, HR Business Partner, Project Management Office Finance & Administration, Corporate Controlling, Controlling, and Global Purchase Organization of SAP AG, and the Office of the CFO. We would like to thank Dr. Matthias Heiden for coordinating the reviews and for making many valuable suggestions.

The staff of Springer-Verlag, especially Dr. Werner A. Müller and Ruth Milewski, deserve our thanks for the excellent and smooth cooperation. We also wish to sincerely thank Trish Harris, Director of Communications at the Institute of Internal Auditors, for agreeing to write a preamble to this handbook.

We would be delighted if this new handbook enjoyed a positive reception in both corporate practice and at universities. We look forward to your critical feedback and suggestions for improvement, which we will incorporate in our next edition. Please e-mail any comments to audithandbook@sap.com.

Walldorf,
Austin, and Saarbrücken, August 2007

Henning Kagermann, Karlheinz Küting, William Kinney, Claus-Peter Weber

Note to Users

This internal audit handbook has been written for different target audiences and therefore addresses different interest groups. It is comprised of five sections and includes a CD with examples and templates. Read in its entirety, the handbook is a complete guide to a modern internal audit department. However, depending on your personal knowledge and available time, you may prefer to approach the content selectively. To this end, each chapter starts with Key Points, which provide a concise overview of the topics discussed within the chapter. The Hints and Tips at the end of most chapters are to provide helpful suggestions for day-to-day audit work. The following table shows the contents that each section of the guide covers and lists possible target groups.

Section A
  Target groups: All interested parties, especially general managers, Boards of Directors, managers and specialized employees of Internal Audit
Section B
  Contents: Description of the SAP® Audit Roadmap
  Target groups: Internal Audit managers and employees
Section C
  Contents: Operational aspects of audit execution
  Target groups: Internal Audit employees and operational managers
Section D
  Contents: Applied specialist knowledge
  Target groups: Audit employees and interested parties with a high level of professional knowledge or expertise
Section E
  Contents: Conclusion
  Target groups: All

The included CD provides a visual depiction of the Audit Roadmap at SAP, which is dealt with extensively in Section B of the guide. The content of the CD is presented in two different modes. With the “View” function, you can display selected topics from Section B, including the different templates used. With the “Edit document” mode, users can complete templates by entering their own details and then save them to their own hard disks for subsequent use. For this reason, the CD is particularly valuable for practical audit work.

Finally, this handbook is intended for use by internal audit departments from around the world. However, when describing
Internal Audit and corporate governance in general, we focus on U.S. rules and regulations. In addition, in the chapters that specifically address SAP practices, we refer to the two-tiered Board system which is standard in Germany. This two-tiered Board comprises an Executive Board, which consists of the managing directors, and a Supervisory Board, which consists of shareholder representatives and employee representatives. However, wherever it seems expedient we refer to either the “Board of Directors” or only the “Board”.

Contents

Preamble by the Institute of Internal Auditors
Foreword
Note to Users
List of Abbreviations
List of Figures

A Conceptual Basis of Internal Audit

1 Nature and Content of Audits
  1.1 General Definition of Audit
  1.2 Definition of Internal Audit
  1.3 Regulatory and Organizational Framework

2 Internal Audit: Meeting Today’s Needs
  2.1 The Dynamics of the Operating Environment
  2.2 Reorientation of the Requirements Profile
  2.3 Formulating the General Audit Objectives and Ways of Implementing Them
  2.4 The Charter as Audit Mandate
    2.4.1 Purpose of the Charter
    2.4.2 Main Contents of the Charter
      2.4.2.1 Tasks of Internal Audit at SAP
      2.4.2.2 Organizational Foundation
    2.4.3 The Charter as Part of Internal Audit’s Definition Process
  2.5 Implementing the Audit Mandate
    2.5.1 Internal Audit as an Independent Audit Body for the Whole Company
    2.5.2 Internal Audit as a Component of Corporate Governance
    2.5.3 Internal Audit as a Service Unit
    2.5.4 Trend toward Audit Management as a Corporate Management Instrument
    2.5.5 Internal Audit as a Profit Center Organization
  2.6 Internal Audit and the Requirements of SOX
  2.7 Value Added by Internal Audit at SAP

3 Framework of Internal Audit at SAP
  3.1 SAP’s Global Audit Approach in the Shape of Global Internal Audit Services (GIAS)
  3.2 Structure of the GIAS Code of Conduct
  3.3 The GIAS Code of Conduct in Detail
  3.4 Examples Illustrating the Effectiveness of the Code of Conduct

4 Organizational Structure of GIAS
  4.1 Organizational Status within SAP
  4.2 Organizational Structure and Responsibilities within GIAS
  4.3 Structure and Tasks of the Regional GIAS Teams
  4.4 Structure and Organization of the Audit Teams
  4.5 Employee Profiles in GIAS
  4.6 Career Paths and Development Potential
  4.7 The Structure of Timesheets in Internal Audit

5 Fundamental Principles of the GIAS Approach
  5.1 Employee Profiles and their Interaction in the Audit Process
  5.2 Attributes of the Process-Based Approach
  5.3 Definition of Audit Content
  5.4 GIAS Target Group Structure
  5.5 Structure and Content of the Audit Universe
  5.6 Audit Challenges in the Global Corporate Environment
    5.6.1 Basis of an International Orientation
    5.6.2 Overview of Global Challenges
  5.7 GIAS Integration Model
  5.8 Identifying Audit-Relevant Facts

6 Audit Methods
  6.1 Content Determinants and Formal Determinants
  6.2 Audit Field Structure
    6.2.1 Introduction
    6.2.2 Management Audit
    6.2.3 Operational Audit
    6.2.4 Financial Audit
    6.2.5 IT Audit
    6.2.6 Fraud Audit
    6.2.7 Business Audit
  6.3 Audit Approaches
  6.4 Audit Categories
  6.5 Audit Types
  6.6 Audit Cycle
  6.7 Cost/Benefit Analysis

7 Other Services
  7.1 Introduction