(BQ) Part 2 of the book Brink's Modern Internal Auditing covers: internal audit charters and building the internal audit function; internal audit key competencies; planning and performing internal audits; reporting internal audit results; ...and other contents.
P1: OTA/XYZ P2: ABC c18 JWBT053-Moeller February 25, 2009 11:45 Printer Name: Hamilton

PART V
Impact of Information Technology on Internal Auditing

CHAPTER 18
IT General Controls and ITIL Best Practices

In today's world of information technology (IT) processes and computer systems, ranging from applications that control an enterprise's accounting general ledger to the all-pervasive Internet, internal auditors must have a strong understanding of IT internal control techniques. Although the lines of separation are sometimes difficult to understand, we generally can think of IT controls on two broad levels: application controls that cover a specific process, such as an accounts payable application to pay invoices from purchases, and what are called general IT controls. This latter category covers internal controls that are important for all aspects of an enterprise's IT operations; they cover more than just specific IT applications and include an enterprise's pervasive IT controls.

The concept of IT general controls goes back to the 1960s and the early days of centralized, mainframe computers. In those days, internal auditors sometimes looked for such things as an access control lock on a computer center door as a general control that covered all processes and applications operating within the centralized IT operations center. Today, we often think of the processes that cover all enterprise IT operations as the IT infrastructure. Because of the many possible variations in IT techniques today, there is really no one set of rights and wrongs that covers all IT general controls. An enterprise should implement a set of best practices that will serve as guidance for establishing its IT general controls. This chapter looks at IT general controls from an internal audit perspective and with an emphasis on IT general controls based on the worldwide recognized set of best practices called the Information Technology Infrastructure Library (ITIL). These ITIL recommended best practices outline the type of framework internal audit should consider when reviewing IT internal control risks and recommending effective IT general controls improvements.

Having a general knowledge of IT general controls should be an essential common body of knowledge (CBOK) requirement for all internal auditors. Many internal auditors believe that because they specialize in financial or operational audits, they do not need to understand general control issues. In fact, all internal auditors should have a CBOK level of understanding of IT general controls as well as of the other IT issues discussed in the chapters in this part of the volume.

18.1 Importance of IT General Controls

Internal auditors became involved with early IT audit and control procedures—then called data-processing controls—when accounting applications were first installed on early punched-card-input computer systems. Those early systems were often installed in glass-walled rooms within corporate lobbies to impress visitors with the enterprise's "sophistication." However, those same early systems were not particularly sophisticated. Internal auditors, who were then unfamiliar with data-processing technology, would "audit around the computer." That is, internal auditors might look at input control procedures and the application's outputs to check whether the inputs balanced to the output reports. In this era, there was little question about the accuracy and controls of reports produced by a computer system. Internal auditors would just focus on the inputs and outputs while going around the actual computer program processing procedures.

Things changed in the early 1970s with an extremely fast-growing California-based insurance company, Equity Funding. Some people believed the company was growing too fast. The company's external auditors decided to try a new technique and run their own audit software programs against Equity Funding's files. The result was the discovery of a massive fraud with invalid data recorded on IT application files. Under management direction, fictitious insurance policy data had been entered on computer files. Equity Funding's external auditors had previously audited around the computer system, relying on printed computer system output reports, with no supporting procedures to verify the correctness of computer programs and files.

In the aftermath of the Equity Funding affair, the American Institute of Certified Public Accountants (AICPA) and the Institute of Internal Auditors (IIA) began to emphasize the importance of audits of data-processing operations and application controls. A new professional specialty, called computer auditing, was launched. In those early days of business data processing, most computer systems were considered to be "large," and standard sets of auditor control objectives and procedures were developed for reviewing controls. Many of these objectives are still applicable today, but internal auditors must look at these IT control objectives from a somewhat different perspective when reviewing controls in a modern IT environment. The profession began to think of IT controls within specific applications and general controls surrounding all IT operations. IT general controls cover all information systems operations and include:

- Reliability of information systems processing. Good controls need to be in place over all IT systems operations. Discussed throughout this chapter, these controls often depend on the nature and management of the specific size and type of systems used.
- Integrity of data. Processes should be in place to ensure a level of integrity over all data used in various application programs. This control objective is a combination of the general operations controls discussed in this chapter as well as the specific application controls discussed in Chapter 19.
- Integrity of programs. New or revised programs should be developed in a well-controlled manner to provide accurate processing results. These integrity control issues include the overall process of application program development and are part of our discussion in the sections on ITIL best practices.
- Controls over the proper development and implementation of systems. Controls should be in place to ensure the orderly development of new and revised information systems. These control issues are discussed in Chapter 19.
- Continuity of processing. Controls should be in place to back up key systems and to recover operations in the event of an unexpected outage—what was called disaster recovery planning and is often known today as business continuity planning. These control issues are discussed in Chapter 22.

This chapter discusses general controls over in-house information systems operations ranging from client-server systems to desktop operations as well as older, larger mainframe computer systems operations. While these systems differ in size and management, all should be subject to the same general control needs. In addition to discussing general controls procedures, this chapter also discusses some related computer hardware types and characteristics. The aim of this discussion is to encourage internal auditors to ask for or look for the correct information in an information systems environment.

18.2 Client-Server and Smaller Systems' General IT Controls

Internal auditors traditionally have had problems evaluating general controls in smaller IT operations, ranging from client-server systems to enterprise desktop systems. These audit control problems arise because smaller systems are often installed with limited staffs in a more "user-friendly" type of environment, while internal auditors typically have looked for general IT controls in terms of the more traditional, larger mainframe IT environment. That is, they are looking for the strong physical security, good revision, and proper separation of duties controls that often do not exist or are only partially implemented in many smaller systems environments. This less formal approach may have been adequate when small business or desktop systems were used primarily for single-office accounting or similar low-audit-risk applications. The large capacity and capability of today's smaller systems, the growth of the Internet, and the transition to client-server computing have made these smaller systems important parts of the IT control framework.

When evaluating controls in smaller computer systems settings, internal auditors sometimes revert to the traditional, almost cookbook types of controls recommendations. That is, they recommend that desktop systems be placed in locked rooms or that a small, two-person IT development staff should be expanded to four in order to ensure proper separation of duties. While there may be situations where such controls are appropriate, often they are not applicable in small business settings. Internal audit can easily lose credibility if its control recommendations are not appropriate to the risks found in smaller settings.

Enterprises today have implemented many networks and systems to support smaller business units or specific departmental computing, or to provide IT for the entire enterprise. Despite their smaller size, these systems often represent significant general control concerns. This chapter began with a discussion of differences between general, interdependent controls and application controls in larger systems. These differences are equally applicable for smaller, Internet-based systems and client-server configuration systems. Internal auditors should understand the general controls surrounding smaller computer systems. Adequate general controls are necessary in order to rely on specific application controls.

(a) General Controls for Small Business Systems

Although some internal auditors once thought of small business computers and client-server systems as one generic IT system class (as opposed to larger, mainframe computers), technological changes have introduced significant differences in their control procedures and in related internal audit concerns. Smaller systems can be implemented in a variety of ways, depending on the system configuration and the size of the enterprise. Internal auditors should be able to recognize these differences and develop appropriate internal control procedures to review their general controls. This section discusses these general controls in terms of small business computer systems, Internet and networked systems, client-server systems controls, and the classic large systems general controls. Internal auditors may encounter all of these types of smaller computer systems in a single smaller enterprise today.

Small business computer systems provide total IT support for a smaller business function or unit; these systems also may support unit or departmental computing functions in a larger enterprise as part of its central computer systems resources. Client-server systems are often a combination of various types and sizes of interconnected computer systems and may be found in many enterprises. Process or nonbusiness systems include the numerous types of small computers used increasingly for manufacturing, distribution, and other operational control applications. Internal audit frequently finds these specialized control machines in enterprise operations.

(i) SMALL BUSINESS COMPUTER SYSTEM CONTROLS

If an IT system is located in a secure facility, has a multitask operating system, or has a relatively large application support staff, internal audit should probably consider it to be a "larger" computer system for purposes of audit planning and should review it to ensure that the system has appropriate larger-system general control procedures. While not particularly precise, this definition covers the typical major IT system. This same type of attribute-based description can be more difficult in the smaller system environment. A strict computer hardware architecture definition often does not help internal audit decide when to apply smaller-system internal control review procedures. For example, smaller desktop computers can be coupled together with attached peripheral devices to provide more computer power than many traditional mainframe machines. When reviewing controls in such an environment, internal audit should consider these linked computers to be the same as the larger, legacy mainframe systems discussed later in this chapter.

Another problem in identifying a smaller computer is that they often look like larger processors. For example, IBM's System i was first implemented in 1988 as a small business computer called the AS/400. This product line and the individual machine capacities have been expanded many times; many of these systems effectively operate as classic mainframe systems.

Smaller systems, which once were known as minicomputers, have been used for business applications since about the late 1960s. They are a product of the increased miniaturization of electronic components as well as of different approaches used by computer engineers. Because they were relatively inexpensive and easy to use, and did not require elaborate power or air-conditioning support, minicomputers were once used by many smaller business enterprises as well as for specialized IT applications. Long before the introduction of today's desktop systems, minicomputers brought IT capabilities to enterprises that could not afford the large investments required by classic mainframe systems.

Today's desktop or laptop systems have had a rapid growth curve. Starting with hobbyists building their own microcomputers using newly available integrated circuit chips in the mid-1970s, things really got started in the late 1970s when Apple Computer Corporation was formed and produced the Apple II microcomputer. Although many initially viewed the machine as a curious toy, a spreadsheet software package, VisiCalc, introduced about a year later, made the Apple II a serious tool for business decision making. Several years later, in the early 1980s, IBM introduced its personal computer and legitimized the microcomputer as a serious business-processing tool. Today, many machines are said to be "IBM compatible" even though IBM only has its name on some products and no longer manufactures them.

Today, personal computers, often connected into networks, are used for many business IT applications. Often they are the only computer system resource for a smaller enterprise, and have replaced smaller "mainframe" systems. They may also be used for specialized departmental computing, even though an enterprise may also have a larger, mainframe computer capability. In particular, these specialized computers are used for such applications as research laboratory or manufacturing process control rather than for pure business IT. These same machines may be used for some business-processing applications in addition to their intended specialized purposes. Ever-increasing speed and capacity have done much to promote the use of these server systems. When the first Apple II was released, it had an internal memory of 42k, or 42,000 memory locations. By the mid-1990s, by contrast, off-the-shelf machines typically came with 32 million memory locations, or 32 mg. Today, they have much larger capabilities by virtually every measure, whether processing speed, the ability to run multiple tasks, or their memory capacity.

These smaller business unit systems sometimes cause difficulties for internal auditors who tell their audit committees that they plan to review the general controls surrounding "all" IT enterprise systems. Clearly, this type of objective covers mainframe and freestanding divisional server systems. Such a planned objective may also cover the enterprise's departmental desktop systems, sometimes freestanding but more often connected to the Internet. However, internal audit's planned reviews often miss such systems as the specialized IT workstations in the engineering laboratory used for recording test results or the systems at the end of the distribution line that weigh packages and route them to the correct shipping dock. These IT review scope ambiguities will only get worse as embedded systems play a greater role in controlling business processes. Embedded systems are the computers that reside behind the dashboard of a car, on the control panel of a video recorder, or even in the kitchen microwave. As consumers, we press these flat-panel screens and generally do not think we are submitting computer system commands. However, embedded systems will take on greater roles in business processes as their capacities and applications increase.

Internal audit's reviews should emphasize the computer systems used for business IT purposes. To follow the preceding example, the processor at the end of the distribution line probably uses a standard set of embedded software that cannot be modified by local staff. Very possibly the software was purchased from an outside systems vendor and, after initial installation and testing, it simply works, with no programmer interaction. Such a machine generally has limited business or control risk implications and is of little or no internal auditor concern.

Internal audit often works in environments where only smaller business systems are used, particularly when enterprises are relatively small. An example would be a not-for-profit enterprise whose only IT resources are a server and desktop systems to support direct mailing and limited accounting-related applications. Internal audit should review general controls over such a server system as if it were a classic, larger enterprise system. That is, there is still a need for systems security, integrity, and backup procedures. These types of smaller business systems generally have these common characteristics:

- Limited IT staff. The small business computer system, whether a single desktop system or a series of units tied to a server, will have a very limited dedicated IT staff, if any. A desktop system to provide accounting reports for a small company may be maintained by a single person. A small business or server system may have a manager/administrator and perhaps one or two systems administrators as its total IT department. Such a small IT operation creates a control risk because it is dependent on some separate small consulting firm for much of its IT support, and functions such as backing up critical files may be ignored. However, a small staff size will not in itself create internal controls concerns. Internal audit should be able to look for compensating controls just as it does when reviewing a smaller accounting department that lacks a classic separation of duties.
- Limited programming capability. The typical small business computer system makes extensive use of purchased software packages. The enterprise's only "programming" responsibilities may be for updating the purchased software packages, maintaining systems parameter tables, and writing simple retrieval programs. If internal audit finds a larger programming staff or extensive in-house development activity, it should consider employing some of the control procedures discussed in later sections for larger systems-development functions.
- Limited environmental controls. Small business systems generally can be plugged into normal power systems and operate within a fairly wide range of temperatures. Because of these limited environmental requirements, sometimes they are installed without important, easy-to-install environmental controls, such as backup drives or electrical power surge protectors. While some small business computer installations or file servers may be housed in formal, environmentally controlled computer rooms, this is not a necessary attribute of such systems.
- Limited physical security controls. Because fewer environmental controls are needed, these systems are often installed directly in office areas. The level of auditor concern regarding physical security controls depends on the type of equipment and the applications processed. Internal audit sometimes may recommend that physical security be improved, particularly where critical applications are being processed. In many other instances, however, this lack of physical security controls should not present a significant internal control problem.
- Extensive telecommunications network. Virtually all desktop systems today are tied to the Internet. Data and applications can be easily uploaded or downloaded. In addition, materials can be downloaded through common, easy-to-use USB devices. A combination of controls and policies should be established to protect the enterprise.

These characteristics certainly do not define a smaller business computer system but merely explain some common attributes. However, they should help internal audit to decide on the control procedures to be used. As noted, when in doubt, internal audit should consider the system to be a larger, more complex one.

(ii) CLIENT-SERVER COMPUTER SYSTEMS

The term client-server first appeared in IT literature in the late 1980s. To non-IT specialists, including many internal auditors, it is one of those specialized IT terms that is often difficult to understand, let alone describe. However, client-server architecture has become a very popular IT configuration in all sizes of enterprises and systems. In a local network environment, for example, each of the workstations is a client. A centralized processor, which contains common shared files and other resources, is called the server. There may also be specialized servers for such tasks as storage management or printing. Workstation users submit requests from client machines to a server, which then provides support, or serves, that client by doing the necessary processing.

This client-server architecture, however, goes beyond just a workstation and a server. An application that queries a centralized database can be considered the client, while the database that develops the requested view of the data is the server to all workstations requesting database service. Similarly, an application program can request services from an operating system communications server. Exhibit 18.1 shows a client-server system sample configuration where a single server handles requests from multiple clients across a network. This client-server configuration, though very general, represents the typical IT system of today.

EXHIBIT 18.1 Client-Server System Configuration (diagram: client processors connected over the Internet to a storage server, an administrative server, and a print server)

(iii) NONBUSINESS SPECIALIZED PROCESSOR COMPUTER SYSTEMS

In many enterprises today, other systems can be found in areas beyond IT operations such as engineering laboratories, manufacturing control operations, marketing departments, and elsewhere. These systems may be used for process control, automated design work, statistical analysis processing, or many other applications. Some are totally dedicated to specific applications; others may be used for a variety of tasks within their assigned functions. This multitude of IT machines has come about in many enterprises because of the relatively low cost of such machines and the familiarity of many professionals with IT techniques, and because of the inability of traditional IT departments to support specialized IT needs. Although these systems are not used for traditional business information needs, such as maintaining accounts receivable records, they often support critical applications for the enterprise. For example, an engineering computer may support new product computer-aided design (CAD) work. Systems backup and integrity concerns in this environment may be as great as in the typical business IT center.

Internal audit's role in regard to specialized IT operations will vary with both management's direction and internal audit's review objectives. While some audit enterprises will have little involvement with reviews over specialized computer systems, the IT controls reviewed here often play an important role in support of internal audit's understanding of control procedures and in other operational audit activities. Before attempting any review of such a specialized computer system, internal audit should obtain a rough familiarity with the functions of that operation. For example, an internal auditor who plans to review a dedicated computer-aided design and manufacturing (CAD/CAM) computer operation needs a general understanding of the terminology, general workings, and objectives of CAD/CAM. Reviews of specialized IT systems are not recommended for the less experienced internal auditor. In order to find control analogies from normal business IT situations and translate them to specialized controls environments, an auditor must be fairly experienced in reviewing business IT computer centers, whether larger or smaller operations. Over time, internal audit will encounter more of these specialized computer operations. The creative internal auditor can make increasing contributions to management by performing operational reviews over these computer centers on a periodic basis.

(b) Smaller Systems' IT Operations Internal Controls

As discussed, internal auditors have traditionally looked for a proper separation of duties as a first procedure for evaluating IT general controls. This control, however, is also often lacking in a smaller business IT function. While good IT control objectives call for a proper separation of responsibilities between users and operators, these controls are often difficult to establish in a small department. When internal auditors first reviewed general controls in smaller IT departments and tried to apply traditional large-system control remedies, their recommendations were hard to sell to a cost-conscious management.
Standards for the Professional Practice of Internal Auditing, 688 Quality-Assurance Review of Internal Audit Review Steps, 699 Quality Review Engagement Letters, 696 Quality-Assurance Auditee Review Questions, 703 Quality-Assurance Review Approaches, 695 Internal Audit Health Check Assessment Audit Committee Responsibilities for Internal Audit, 540 Internal Audit HIPAA Requirements Procedures HIPAA: Healthcare related Rules, 592 Index Internal Audit Internal Consulting Capabilities Audit Committee Approvals, 631 Consulting Best Practices, 635 Internal Audit Key Competencies Quality Assurance Auditing (ASQ) Standards, 679 Analytical Skills, 296 Audit Committee Roles and Responsibilities, 532, 546 Audit Committees Expanded Responsibilities, 533 Audit Report Recommendations, 301 Auditing IT Security and Privacy, 472 Computer-Assisted Audit Tools and Techniques, 481 Developing Preliminary Internal Audit Plans, 323 Documenting the Internal Controls Environment, 323 Ethics and Whistleblower Programs, 549 Fraud Detection and Prevention, 571 Internal Auditor CBOK Requirements, 293 Internal Auditor Documentation, 298 Internal Auditor Interview Skills, 294 IT Application Controls, 425 Performing Applications Controls Reviews, 437 Project Management, 310 Project Management Best Practices, 319 Project Management Processes, 305 Internal Audit Management Responsibilities Establishing an Internal Audit Function, 278 Internal Audit Objective Statements Internal Audit Planning, 157 Internal Audit Objectives Internal Audit Performance Standards, 193 Internal Audit Organization Approaches Establishing an Internal Audit Function, 283 Internal Audit Performance Standards Engagement Planning, 193 Internal Audit Objectives, 193 International Standards for the Professional Practice of Internal Auditing, 191 Risk Management, 192 Internal Audit Plan and Budget Approvals Audit Committee Responsibilities for Internal Audit, 543 Audit Plan Summary for Audit Committee Review, 544 P1: OTA/XYZ 
P2: ABC ind JWBT053-Moeller March 1, 2009 13:26 Printer Name: Hamilton Index Internal Audit Planning Audit Programs, 166 Audit Scheduling and Time Estimates, 158 Determine the Audit Objectives, 157 Developing and Preparing Audit Programs, 166 Documenting the Internal Audit Field Surveys, 164 Engagement Letters, 161 Internal Audit Field Surveys, 163 Internal Audit Objective Statements, 157 Preliminary Surveys, 159 Surprise Audits, 162 Internal Audit Policies and Procedures Establishing an Internal Audit Function, 290 Internal Audit Practice Failure Observations IIARF CBOK Evaluation Results, 15 Internal Audit Preparatory Activities Performing Effective Internal Audits, 155 Internal Audit Procedures Auditing COSO ERM, 148 Auditing Six Sigma Processes, 718 BCP Client-Server Readiness Review, 514 Desktop and Laptop Systems BCP Processes, 515 Gramm-Leach-Bliley Compliance, 601 IT Business Continuity Plans, 515 Quality-Assurance Review of Internal Audit, 691 Internal Audit Procedures for a Review of a Six Sigma Program Auditing Six Sigma Processes, 720 Internal Audit Process Steps Performing an Individual Internal Audit, 181 Internal Audit Quality-Assurance Review Benefits Internal Audit Function Internal Quality-Assurance Reviews, 689 Internal Audit Quality-Assurance Review Elements Internal Audit Function Internal Quality Assurance Reviews, 689 Internal Audit Quality-Assurance Surveys Internal Audit Function Internal Quality Assurance Reviews, 702 Internal Audit Report Findings Application Controls Reviews, 426 Internal Audit Reporting Cycle Audit Report Preparation Steps, 366 Internal Audit Reports Audit Report Formats, 353 Reporting Internal Audit Results, 351 753 Internal Audit Requirements ISO 9001 on Quality Management Systems, 671 Internal Audit Responsibilities History of Internal Auditing, Internal Audit Review Focus Areas GLBA Safeguards Rule Compliance, 598 Internal Audit Review Points Auditing a Business Continuity Plan (BCP), 520 Internal Audit Roles AS 
Rules, 84 Benchmarking, 262 Performing a Benchmarking Study, 265 Performing Facilitated CSA Reviews, 257 Section 404 Compliance Reviews, 84 Service to Management, Internal Audit Roles and Responsibilities Fraud Investigations, 580 SOx Whistleblower Rules, 564 Internal Audit Rules Gramm-Leach-Bliley Act (GLBA), 595 Internal Audit Scope and Objectives Internal Audit Universe, 238 Internal Audit Self-Assessments Preliminary Surveys, 159 Internal Audit Steps ITIL Configuration Management, 412 Internal Audit Support Roles Audit Committee Financial Expert, 539 Internal Audit Tools and Techniques IIARF CBOK Evaluation Results, 16 Internal Audit Universe Auditable Activities, 238 Internal Audit Activity Plans, 238 Internal Audit Scope and Objectives, 238 Internal Audit Workpapers Documenting Internal Audit Results, 335 Internal Audit’s Privacy and Cybersecurity Roles Cybersecurity and Privacy Controls, 479 Internal Auditing History of Internal Auditing, Internal Auditing Activities (IAAs) IIARF CBOK Survey, 15 Internal Auditing Definition Modern Internal Auditing, Internal Auditing History Victor Z. Brink, Internal Auditing Origins Common Body of Knowledge (CBOK), 11 Internal Auditor CBOK Requirements Audit Committee Roles and Responsibilities, 531 Audit Sampling, 201, 233 Basic Understandings of the General Use of CAATTs, 481 Basic Understandings of the General Use of CAATTs, 503 Benchmarking, 253 CIA Examination Summary, 608 CobiT, 111 Code of Conduct Knowledge and Compliance, 550 Consulting Best Practices, 630 Control Self-Assessments, 253 COSO ERM, 114, 146 Cybersecurity Risks and Controls, 461 Developing Effective Internal Audit Recommendations, 377 Fraud Detection and Prevention, 585 Internal Audit Documentation, 349 Internal Audit Documentation Requirements, 330 Internal Audit Key Competencies, 293 IT Application Controls, 426 IT General Controls, 381, 423 Organizing and Conducting 
a CSA Process, 262 Performing Effective Internal Audits, 153 Performing Effective QA Reviews, 705 Performing the Internal Audits, 172 Planning and Performing Internal Audits, 321 Process Modeling for Internal Auditors, 329 Six Sigma Principles, 721 Understanding Current IIA Standards, 183 Understanding HIPAA or GLBA Rules, 601 Understanding of BCP Requirements, 527 Understanding of Six Sigma Processes, 709 Internal Auditor Commitment to Learning Continuing Education Requirements, 304 Internal Auditor Communication Skills, 304 Internal Auditor Communication Skills Internal Auditor Commitment to Learning, 304 Internal Auditor Communication Skills, 302 Internal Auditor Negotiation Skills, 302 Testing and Analysis Skills, 296 Internal Auditor Documentation e-Office Documentation Best Practices, 299 Internal Audit Key Competencies, 298 Internal Auditor General Understanding CBOK Needs IT Systems Privacy Concerns, 470 Internal Auditor Independence International Standards for the Professional Practice of Internal Auditing, 196 Internal Auditor Interview Skills Internal Audit Key Competencies, 294 Internal Auditor Knowledge Needs International Financial Reporting Standards (IFRS), 728 Internal Auditor Knowledge Requirements CBOK Objectives, 19 Internal Auditor Needs for a Common Body of Knowledge (CBOK) CBOK for the Modern Internal Auditor, 731 Internal Auditor Negotiation Skills Internal Auditor Communication Skills, 302 Internal Auditor Outsourcing SOx Title II: Auditor Independence, 60 Internal Auditor Steps Application Walk-Throughs, 439 Internal Audit’s Role Section 404 Compliance Reviews, 78 Internal Control Definitions COSO Internal Controls Framework, 31 Foreign Corrupt Practices Act of 1977 (FCPA), 26 Negative Assurance, 29 SAS No. 55, 30 Treadway Commission, 28 Treadway Committee Report, 31 Internal Control Evaluation Processes COSO Internal Controls Framework, 48 Internal Control Evaluations Monitoring, 34 Internal Control Structure in a Financial Statement 
Audit SAS No. 55, 30 Internal Control Testing Scope SOx Title I: Public Company Accounting Oversight Board, 58 Internal Controls COSO Definition of Internal Controls, 24 Definition of Internal Controls, 24 Internal Controls Definition Committee of Sponsoring Organizations (COSO), 23 COSO Internal Controls, 24 Internal Controls Importance COSO Internal Controls Framework, 24 Internal Controls Reviews CobiT, 96 International Accounting and Auditing Standards U.S. Securities and Exchange Commission (SEC) Rules, 724 International Financial Reporting and Auditing Standards as of January 2008 Financial Reporting Standards Convergence, 725 International Financial Reporting Standards (IFRS) Internal Auditor Knowledge Needs, 728 U.S. Securities and Exchange Commission (SEC) Rules, 723 International Organization for Standardization (ISO) Importance of ISO Standards, 663 International Standards for the Professional Practice of Internal Auditing Background of the IIA Standards, 184 Control Self-Assessments, 254 Enterprise Consulting Activities, 629 Establishing an Internal Audit Function, 274 Independent Quality Assurance Reviews, 186 Internal Audit as an Enterprise Consultant, 630 Internal Audit Attribute Standards, 188 Internal Audit Function Internal Quality Assurance Reviews, 688 Internal Audit Performance Standards, 191 Internal Auditor Independence, 196 ISO International Internal Auditing Standards, 728 New Internal Audit Standards, 187 Organizing and Planning Internal Audits, 154 Practice of Internal Auditing, 580 Quality Assurance and Improvement Programs, 190 Red Book, 183 Workpaper Standards, 338 Internet Privacy Threats IT Systems Privacy Concerns, 470 Radio Frequency Identification, 470 Interval Selection Sampling Statistical Sampling Plans, 211 ISO 15408 IT Security Evaluation Framework, 601 ISO 17799 and 27001 on IT Security ISO Standards Overview, 672 ISO 19011 Auditing 
Principles ISO 19011 on Quality Management Systems Auditing, 677 ISO 19011 on Quality Management Systems Auditing ISO 19011 Auditing Principles, 677 ISO Standards Overview, 676 ISO 20000 on Service Quality Management ISO Standards Overview, 674 ISO 27001 Internal Audit Standards Quality Auditor Duties and Responsibilities, 684 ISO 27001 on IT Security IT Security Requirements, 674 ISO 27001 on Management Commitment ISO Standards Example, 665 ISO 9000 Audit Quality Control Standards, 58 ISO 9001 on Quality Management Systems Internal Audit Requirements, 671 ISO 9001:2000 Key Elements, 671 ISO Standards Overview, 667 Quality Management System Process, 669 ISO 9001:2000 Key Elements ISO 9001 on Quality Management Systems, 671 ISO Documentation Hierarchy ISO Standards, 669 ISO International Internal Auditing Standards International Standards for the Professional Practice of Internal Auditing, 728 ISO Standards ISO Documentation Hierarchy, 669 ITIL Best Practices, 665 ISO Standards and Internal Auditors CBOK Level of General Understanding Requirements, 678 IIA GAIN Network, 678 ISO Standards Example ISO 27001 on Management Commitment, 665 ISO Standards Overview ISO 17799 and 27001 on IT Security, 672 ISO 19011 on Quality Management Systems Auditing, 676 ISO 20000 on Service Quality Management, 674 ISO 9001 on Quality Management Systems, 667 IT Assurance Framework (ITAF) CobiT, 110 IT Application Audit Test Procedures Application Controls Reviews, 445 IT Application Control Components IT Application Controls, 426 IT Application Controls Internal Audit Key Competencies, 425 Internal Auditor CBOK Requirements, 426 IT Application Control Components, 426 IT Databases, 429 IT Applications Development Reviews Application Controls Reviews, 433 IT Auditing Background Equity Funding, 382 IT Business Continuity Plans BCP Risk and Business Impact Analysis, 517 Business Criticality Outage 
Impact Analysis, 518 Internal Audit Procedures, 515 IT Control Risks Client-Server and Smaller IT Systems, 389 IT Controls Control Activities, 27 COSO Internal Controls Framework, 42 IT Databases IT Application Controls, 429 IT Disaster and Business Continuity Planning Auditing Business Continuity Plans, 526 BCP Training, 523 Client-Server and Web-Based Applications, 507 Client-Server Continuity Planning Internal Audit Procedures, 513 Continuity Planning for Desktop and Laptop Applications, 513 Disaster Recovery Emergency Handling, 522 Emergency Response Plans, 512 IT Fraud Prevention Processes Computer Forensics, 584 Fraud Detection and Prevention, 583 IT General Controls Client-Server and Smaller IT Systems, 383 Internal Auditor CBOK Requirements, 381, 423 IT Internal Control Techniques, 381 ITIL Service Support and Delivery Infrastructure Best Practices, 405 IT Governance Focus Areas CobiT, 91 IT Governance Institute (ITGI) CobiT, 90 IT Infrastructure Controls ITIL Configuration Management, 411 ITIL Service Support and Delivery Infrastructure Best Practices, 406 IT Internal Control Techniques IT General Controls, 381 IT Network Security Fundamentals Cybersecurity Risks and Controls, 462 IT Passwords, 464 IT Security Threats, 462 IT System Firewalls, 468 Malicious Program Code Types, 466 Phishing and Other Identity Threats, 467 Security of Data, 463 Viruses and Malicious Program Code, 465 IT Password Logon Exchange Processes IT Passwords, 465 IT Passwords IT Network Security Fundamentals, 464 IT Password Logon Exchange Processes, 465 IT Processes CobiT Cube Components, 95 IT Resources CobiT Cube Components, 94 IT Risks and Controls Internal Audit Attribute Standards, 189 IT Security Evaluation Framework ISO 15408, 601 IT Security Requirements ISO 27001 on IT Security, 674 IT Security Threats IT Network Security Fundamentals, 462 IT Service-Level Agreement Contents Service Level Agreements (SLAs), 416 IT System Firewalls IT Network Security Fundamentals, 468 
IT System Update Controls Auditing IT General Controls, 392 IT Systems Privacy Concerns Cybersecurity Risks and Controls, 469 Data Profiling Issues, 469 Internal Auditor General Understanding CBOK Needs, 470 Internet Privacy Threats, 470 ITIL Best Practices ISO Standards, 665 ITIL Change Management ITIL Framework, 413 ITIL Configuration Management Internal Audit Steps, 412 IT Infrastructure Controls, 411 ITIL Framework ITIL Change Management, 413 ITIL Service Delivery Availability Management, 421 ITIL Service Delivery Best Practices, 414 ITIL Service Delivery Capacity Management, 419 ITIL Service Delivery Continuity Management, 422 ITIL Service Delivery IT Financial Management, 418 ITIL Service Support Incident Management, 407 ITIL Service Support Problem Management, 409 ITIL Service Delivery Availability Management ITIL Framework, 421 ITIL Service Delivery Best Practices ITIL Framework, 414 ITIL Service Delivery Capacity Management ITIL Framework, 419 ITIL Service Delivery Continuity Management ITIL Framework, 422 ITIL Service Delivery IT Financial Management Auditing IT Costs and Pricing, 419 ITIL Framework, 418 ITIL Service Delivery Service-Level Management Service Level Agreements (SLAs), 415 ITIL Service Support and Delivery Infrastructure Best Practices IT General Controls, 405 IT Infrastructure Controls, 406 ITIL Service Support Incident Management ITIL Framework, 407 Service Level Agreements (SLAs), 407 ITIL Service Support Problem Management ITIL Framework, 409 Judgmental Sampling Audit Findings Problems, 204 Audit Sampling, 203 Key Example Company Characteristics Global Computer Products Example Company, 240 Laptop Computers Documenting Internal Audit Results, 340 Laptop-Based Internal Audit Systems Document Backup, Security, and Continuity, 348 Large System IT General Controls Objectives Auditing IT General Controls, 403 Launching a Consulting Assignment 
Consulting Best Practices, 636 Lean Six Sigma Lean Six Sigma Process Waste Example, 717 Quality Assurance Procedures, 716 Lean Six Sigma Process Waste Example Lean Six Sigma, 717 Legacy System General Controls Reviews Auditing IT General Controls, 400 Preliminary Reviews of IT General Controls, 400 Legal and Regulatory Compliance Requirements Enterprise Risk Objectives, 143 Legal and Regulatory Compliance Risk Objectives COSO ERM Framework, 143 Limitations/Problems with IIARF CBOK Survey IIARF CBOK Evaluation Results, 15 Limitations on External Auditor Services SOx Section 201, 60 SOx Title II: Auditor Independence, 60 Loss Event Data Tracking Risk Identification Processes, 134 Mainframe and Legacy Systems Auditing IT General Controls, 394 Malicious Program Code Types IT Network Security Fundamentals, 466 Management Agreements to IIARF CBOK Survey Results IIA Standards Compliance, 16 Management’s Philosophy and Operating Style Control Environment, 36 Management’s Assessment of Internal Controls SOx Title IV: Enhanced Financial Disclosures, 69 Mapping Internal Control Frameworks COSO and CobiT Relationships, 109 Mesopotamian Civilizations Foundations of Internal Auditing, Methods of Communication Communications and Information, 32 Microsoft Corporate Internal Audit CAA Approach Technology Enabled Continuous Auditing (TECA) System, 649 Microsoft Corporation’s 2007 Audit Committee Charter Audit Committee Charters, 536 Misappropriation of Assets Fraud Risk Factors, 579 Mission Statements Ethics and Whistleblower Programs, 551 Modern Internal Auditing Book Objective, Definition, IIA Definition, Monetary Unit Sampling Audit Sampling, 225 Evaluating Monetary Unit Sample Results, 228 Monetary Unit Sampling Selection Example, 226 Monetary Unit Sampling Selection Example Monetary Unit Sampling, 226 Monitoring Communications from External Parties, 47 COSO Internal Controls Framework, 32 
COSO Internal Controls Framework, 46 Internal Control Evaluations, 34 Reporting Internal Control Deficiencies, 35 Motto of The Institute of Internal Auditors Progress through Sharing, 11 Multistage Sampling Audit Sampling Approaches, 232 National Commission on Fraudulent Financial Reporting Treadway Committee, 31 Navigating the CobiT Framework CobiT, 97 Negative Assurance Internal Control Definitions, 29 New Internal Audit Standards International Standards for the Professional Practice of Internal Auditing, 187 Normal Distributions Statistical Sampling Concepts, 209 NYSE Model Audit Committee Charter Audit Committee Organization and Charters, 535 Objectives and Obstacles of Reimplementation Auditing Auditing Applications under Development, 452 Objectives of IIARF CBOK IIARF CBOK Survey, 14 Objectives of this Book Practice of Modern Internal Auditing, Object-Oriented Programming Language Concepts Computer Programming Languages, 432 Off Balance-Sheet Transactions SOx Title IV: Enhanced Financial Disclosures, 68 Online Analytical Processing (OLAP) Continuous Monitoring Processes, 658 Operating Systems Software Characteristics of Larger IT Systems, 398 Operations Risk Management Objectives COSO ERM Framework, 142 Oral or Informal Audit Reports Audit Report Formats, 365 Organization Project Management (OPM3) Project Management, 306 Organizational Process Maturity Model Project Management Processes, 315 Organizational Structure Control Environment, 36 Organizing Section 404 Compliance Review Projects Section 404 Compliance Reviews, 79 Organizing and Conducting a CSA Process Internal Auditor CBOK Requirements, 262 Organizing and Planning Internal Audits Audit Plan Project Schedule Example, 156 International Standards for the Professional Practice of Internal Auditing, 154 Origins – First Membership Chapter IIA, Institute of Internal Auditors, Pareto Chart 
Example Quality Audit Tools and Techniques, 683 Payment System Continuous Audit Monitor Continuous Monitoring Processes, 646 PCAOB Accounting Standards Authority Financial Accounting Standards Board (FASB), 59 SOx Title I: Public Company Accounting Oversight Board, 59 PCAOB Administration and Public Accounting Firm Registration SOx Title I: Public Company Accounting Oversight Board, 56 PCAOB Auditing, Quality Control, and Independence Standards SOx Title I: Public Company Accounting Oversight Board, 56 PCAOB Standard AS Workpaper Retention Rules, 57 PCAOB Standard AS Sarbanes-Oxley Act Key Provisions, 57 PCI-DSS Requirements Cybersecurity and Privacy Controls, 478 PDCA Continuous Improvement Cycle Performing ASQ Quality Audits, 686 Pension Fund Blackout Periods SOx Title III: Corporate Responsibility, 67 Performing a Benchmarking Study Internal Audit Roles, 265 Performing an Individual Internal Audit Audit Assessment and Evaluation Techniques, 200 Audit Evidence, 199 Internal Audit Process Steps, 181 Performing Applications Controls Reviews Auditing Applications under Development, 451 Automated Purchasing System Compliance Tests, 447 Developing Application Control Objectives, 442 Internal Audit Key Competencies, 437 Testing Audit Internal Control Objectives, 444 Performing ASQ Quality Audits PDCA Continuous Improvement Cycle, 686 Quality Audit Process Steps, 687 Quality Audit Tools and Techniques, 685 Performing Effective Internal Audits Internal Audit Preparatory Activities, 155 Internal Auditor CBOK Requirements, 153 Performing Effective QA Reviews Internal Auditor CBOK Requirements, 705 Performing Facilitated CSA Reviews CSA Facilitated Sessions, 258 Internal Audit Roles, 257 Performing the Internal Audits Internal Audit Fieldwork Procedures, 173 Internal Auditor CBOK Requirements, 172 Workpaper Review “Point Sheets”, 174 Permanent files Workpaper Document Organization, 341 Phishing and Other Identity Threats IT Network Security Fundamentals, 467 Planning 
and Performing Internal Audits Developing Appropriate Internal Audit Procedures, 324 Internal Auditor CBOK Requirements, 321 Walk-through Exercises, 324 Planning Internal Audit Activities Audit Focal Points, 239 PMI Standard for Program Management Program and Portfolio Management, 311 PMI’s PMBOK Definition of a CBOK, 12 PMP (Project Management Professional) Project Management, 306 Practice of Internal Auditing Fraud Detection and Prevention, 585 International Standards for the Professional Practice of Internal Auditing, 580 Practice of Modern Internal Auditing Objectives of this Book, Preliminary Audit Findings Audit Findings, 177 Preliminary Findings Point Sheets Audit Fieldwork, 328 Preliminary Reviews of IT General Controls Legacy System General Controls Reviews, 400 Preliminary Surveys Internal Audit Planning, 159 Internal Audit Self-Assessments, 159 Pro forma Financial Reports SOx Title IV: Enhanced Financial Disclosures, 68 Probability Estimates Risk Assessments, 119 Procedure Oriented Audit Programs Audit Programs, 171 Process Model Example Documenting Internal Audit Results, 331 Process Modeling and Workpapers Documenting Internal Audit Results, 329 Process Modeling for Internal Auditors Input/Output Process Flowchart, 334 Internal Auditor CBOK Requirements, 329 Work-Flow Description Process Flowcharts, 334 Process Modeling Hierarchy Documenting Internal Audit Results, 333 Professional Certifications ASQ Internal Audit Certifications, 625 Certified Fraud Examiner (CFE) Certification, 623 Certified Information Security Manager (CISM) Certification, 622 Certified Information Systems Auditor (CISA) Requirements, 619 Certified Information Systems Security Professional (CISSP) Certification, 624 Certified Internal Auditor Responsibilities and Requirements, 606 CIA Responsibilities and Requirements, 606 Program and Portfolio Management PMI Standard for Program Management, 
311 Progress through Sharing Motto of The Institute of Internal Auditors, 11 Project Management Developing a Project Management Plan, 310 Effective Internal Audit Plans, 318 Internal Audit Key Competencies, 310 Organization Project Management (OPM3), 306 PMP (Project Management Professional), 306 Project Management Book of Knowledge (PMBOK), 306 Project Management Best Practices Internal Audit Key Competencies, 319 Project Management Book of Knowledge (PMBOK) Project Management, 306 Project Management Knowledge Areas, 308 Project Management Knowledge Areas Project Management Book of Knowledge (PMBOK), 308 Project Management Processes Internal Audit Key Competencies, 305 Organizational Process Maturity Model, 315 Public Accounting Firm Prohibitions Financial Information Systems Design, 61 SOx Title II: Auditor Independence, 61 Public Accounting’s Role in Fraud Detection AICPA SAS No. 99, 577 Public Company Accounting Oversight Board (PCAOB) Sarbanes-Oxley Act (SOx), 53 Purchased Software Internal Controls Audit Checklist Application Controls Reviews, 435 Quality Assurance and Improvement Programs Internal Audit Attribute Standards, 190 International Standards for the Professional Practice of Internal Auditing, 190 Quality Assurance Auditing (ASQ) Standards Internal Audit Key Competencies, 679 Quality Auditor Duties and Responsibilities, 680 Quality Assurance Procedures Lean Six Sigma, 716 Six Sigma Background and Concepts, 708 Quality Assurance Review of Internal Audit Review Steps Internal Audit Function Internal Quality Assurance Reviews, 699 Quality Assurance Reviews Internal Audit Function, 688 Quality Audit Approaches Classifications of Quality Audits, 682 Quality Audit Process Steps IIA Internal Auditors, 687 Performing ASQ Quality Audits, 687 Quality Audit Tools and Techniques Pareto Chart Example, 683 Performing ASQ Quality Audits, 685 Quality Auditor Duties and 
Responsibilities ASQ Quality Audit Division (QAD), 680 ISO 27001 Internal Audit Standards, 684 Quality Assurance Auditing (ASQ) Standards, 680 Quality Management System Process ISO 9001 on Quality Management Systems, 669 Quality Management Techniques IIARF CBOK Evaluation Results, 16 Quality of Information Communications and Information, 29 COSO Internal Controls Framework, 44 Quality Review Engagement Letters Internal Audit Function Internal Quality Assurance Reviews, 696 Quality-Assurance Auditee Review Questions Internal Audit Function Internal Quality Assurance Reviews, 703 Quality-Assurance Auditing Future Directions for Quality-Assurance Auditing, 704 Quality-Assurance Review Approaches Internal Audit Function Internal Quality Assurance Reviews, 695 Quality-Assurance Review of Internal Audit Internal Audit Procedures, 691 Quantitative Risk Analysis Risk Management Fundamentals, 121 Questionnaire-Format Audit Reports Audit Report Formats, 366 RACI Chart Responsibilities CobiT Objectives, 99 Radio Frequency Identification Internet Privacy Threats, 470 Random Number Sample Selections Statistical Sampling Plans, 211 Reasons for Committing Fraud Definition of a Fraud, 576 Red Book International Standards for the Professional Practice of Internal Auditing, 183 Red Flags Indicating Potential Financial Fraud Fraud Detection and Prevention, 574 Reimplementation Internal Audit Reviews Application Controls Reviews, 433 Reimplementation Review Application Testing Checklist Reimplementation Review Procedures, 458 Reimplementation Review Objectives Auditing Applications under Development, 453 Reimplementation Review Problems Auditing Applications under Development, 454 Reimplementation Review Procedures Auditing Applications under Development, 455 Reimplementation Review Application Testing Checklist, 458 Reimplementation Review Requirements Definition Checklist, 456 Reimplementation Review Requirements Definition Checklist Reimplementation Review Procedures, 456 
Replicated Sampling Audit Sampling Approaches, 232 Report Generators Languages Types of CAATTs, 489 Reporting Internal Audit Results Audit Exit or Closing Conferences, 370 Effective Internal Audit Communications, 374 Internal Audit Reports, 351 Reporting Internal Control Deficiencies COSO Internal Controls Framework, 48 Monitoring, 35 Reporting Risk Management Objectives COSO ERM Framework, 143 Residual Risk Risk Assessment, 134 Reviews of IT and Cybersecurity Controls Auditing IT Security and Privacy, 472 Risk Acceptance Risk Response Strategies, 136 Risk Appetite COSO ERM Internal Environment, 128 Risk Management Fundamentals, 125 Risk Appetite Map Risk Objective Setting, 130 Risk Assessment COSO Internal Controls Framework, 39 Inherent Risk, 134 Residual Risk, 134 Risk Assessment as a Three-Step Process, 39 COSO Internal Controls Framework, 23 Risk Assessment Analysis Map Risk Assessments, 119 Risk Assessment as a Three-Step Process Risk Assessment, 39 Risk Assessment Process COSO Internal Controls Framework, 23 Risk Assessment Processes Control Activities, 26 External Factor Risks, 23 Internal Factor Risks, 23 Specific Activity-Level Risks, 24 Risk Assessments COSO Enterprise Risk Management (COSO ERM), 113 Probability Estimates, 119 Risk Assessment Analysis Map, 119 Risk Management Fundamentals, 118 Risk Avoidance Risk Response Strategies, 136 Risk Event Identification COSO ERM Internal Environment, 132 Risk Events Union Carbide in Bhopal, India, 121 Risk Identification Enterprise Risks, 117 Enterprise-Wide Strategic Risks, 117 Risk Management Fundamentals, 115 Risk Identification Processes Loss Event Data Tracking, 134 Risk Independencies Risk Management Fundamentals, 120 Risk Likelihood and Impact Mapping Risk Response Strategies, 135 Risk Management AS Key Concepts, 113 Internal Audit Performance Standards, 192 Risk Management Fundamentals COSO ERM, 114 Effective Risk 
Management Processes, 115 Quantitative Risk Analysis, 121 Risk Appetite, 125 Risk Assessments, 118 Risk Identification, 115 Risk Independencies, 120 Risk Ranking Expected Costs, 123 Risk Scoring Schedules, 120 Risk Management Philosophy COSO ERM Framework, 127 COSO ERM Internal Environment, 127 Risk Objective Setting COSO ERM Internal Environment, 130 Risk Appetite Map, 130 Risk Ranking Expected Costs Risk Management Fundamentals, 123 Risk Response Strategies Risk Acceptance, 136 Risk Avoidance, 136 Risk Likelihood and Impact Mapping, 135 Risk Scoring Schedules Risk Management Fundamentals, 120 Root Cause Analysis Service Support Problem Management Processes, 410 Sample Organization Chart Global Computer Products Example Company, 242 Sample Size Recommendations Section 404 Compliance Reviews, 83 Sampling Advantages and Limitations Attributes Sampling, 224 Sarbanes-Oxley Act (SOx) Auditing Business Continuity Planning Processes, 508 Sarbanes-Oxley Act (SOx) Requirements, 510 SOx Title XI: Corporate Fraud Accountability, 74 Public Company Accounting Oversight Board (PCAOB), 53 Sarbanes-Oxley Act Key Provisions, 55 Section 404 Compliance Reviews, 76 Section 404 Internal Controls Assessments, 75 SOx Background, 53 SOx Important Aspects, 54 SOx Title II: Auditor Independence, 60 SOx Title III: Corporate Responsibility, 62 SOx Title IV: Enhanced Financial Disclosures, 68 SOx Title V: Analyst Conflicts of Interest, 72 Sarbanes-Oxley Act (SOx) Requirements Sarbanes-Oxley Act (SOx), 510 Sarbanes-Oxley Act Key Provisions Auditing Standard No (AS 5), 57 PCAOB Standard AS 5, 57 Sarbanes-Oxley Act (SOx), 55 Workpaper Retention Rules, 57 SAS No. 55 Financial Auditing Standards, 30 Internal Control Structure in a Financial Statement Audit, 30 Internal Control Definitions, 30 SEC Audit Committee Rules Audit Committee Financial Expert Rules, 537 Audit Committee Governance, 533 Section 302 
Corporate Responsibility for Financial Reports SOx Title III: Corporate Responsibility, 63 Section 404 Compliance Reviews Basic Accounting Cycles, 76 Internal Audit Roles, 84 Internal Audit’s Role, 78 Organizing Section 404 Compliance Review Projects, 79 Recommended Sample Sizes, 83 Sarbanes-Oxley Act (SOx), 76 Selecting Key Processes for Review, 80 Transaction Flow Documentation, 81 Section 404 Internal Controls Assessments Sarbanes-Oxley Act (SOx), 75 Section 404 Reviews under AS, SOx Section 404 Internal Controls Assessments, 75 Securities Exchange Act of 1934 Controls Standards Background, 25 Security and Control for Auditor Computers Security and Privacy in the Internal Audit Department, 474 Security and Privacy in the Internal Audit Department Audit Reports and Privacy, 477 Cybersecurity Risks and Controls, 474 Security and Control for Auditor Computers, 474 Workpaper Security, 475 Workpaper Security Best Practices, 476 Security of Data IT Network Security Fundamentals, 463 Selecting and Printing Audit Samples CAATT Procedures, 487 Selecting Appropriate CAATT Processes Basic Understandings of the General Use of CAATTs, 501 Selecting Key Processes for Review Section 404 Compliance Reviews, 80 Service Level Agreements (SLAs) IT Service-Level Agreement Contents, 416 ITIL Service Delivery Service-Level Management, 415 ITIL Service Support Incident Management, 407 Service Support Problem Management Processes Root Cause Analysis, 410 Service to Management Internal Audit Roles, Service-Level Agreements (SLAs) Business Continuity Planning, 523 Significant Internal Audit Findings Audit Committee Review and Action, 545 Signing Officer Certification of Financial Reports SOx Title III: Corporate Responsibility, 63 Six Sigma Background and Concepts Baldridge National Quality Award, 708 Black Belt Body of Knowledge, 712 Implementing Six Sigma, 709 Quality Assurance Procedures, 708 Six Sigma Design-Measure-Analyze-Improve-Control (DMAIC) Model, 708 Six Sigma SIPOC Chart, 
715 Six Sigma Deployment and Process Guide Implementing Six Sigma, 710 Six Sigma Design-Measure-Analyze-Improve-Control (DMAIC) Model DMAIC Procedures for a Six Sigma Project, 715 Six Sigma Background and Concepts, 708 Six Sigma Leadership Roles and Responsibilities Implementing Six Sigma, 711 Six Sigma Principles Internal Auditor CBOK Requirements, 721 Six Sigma SIPOC Chart Six Sigma Background and Concepts, 715 Slush Funds Foreign Corrupt Practices Act of 1977 (FCPA), 27 Smaller Business IT Systems General Control Objectives, 393 SOx Audit Committee Whistleblower Rules Whistleblower and Hotline Functions, 563 SOx Background Sarbanes-Oxley Act (SOx), 53 SOx Closing Requirements Continuous Close Processes, 659 SOx Important Aspects Sarbanes-Oxley Act (SOx), 54 Whistleblower Programs, 54 SOx Requirements Audit Committee Formal Whistleblower Programs, 547 SOx Section 201 Limitations on External Auditor Services, 60 SOx Section 302 Officer Certifications SOx Title III: Corporate Responsibility, 65 SOx Section 404 Internal Controls Assessments CobiT, 108 CobiT, 90 COSO Internal Controls Framework, 76 Section 404 Reviews under AS 5, 75 SOx Title IV: Enhanced Financial Disclosures, 69 SOx Section 404 Internal Controls Tests Attributes Sampling, 216 SOx Section 404 Requirements COSO ERM Risk Event Identification, 138 SOx Title I: Public Company Accounting Oversight Board Audit Quality Control Standards, 58 Concurring Partner Approvals, 58 Inspections, Investigations, and Disciplinary Procedures, 59 Internal Control Testing Scope, 58 PCAOB Accounting Standards Authority, 59 PCAOB Administration and Public Accounting Firm Registration, 56 PCAOB Auditing, Quality Control, and Independence Standards, 56 SOx Title II: Auditor Independence Audit Committee Preapproval of Services, 61 External Audit Conflicts of Interest, 62 Internal Auditor Outsourcing, 60 Limitations on External Auditor 
Services, 60 Public Accounting Firm Prohibitions, 61 Sarbanes-Oxley Act (SOx), 60 SOx Title III: Corporate Responsibility Pension Fund Blackout Periods, 67 Sarbanes-Oxley Act (SOx), 62 Section 302 Corporate Responsibility for Financial Reports, 63 Signing Officer Certification of Financial Reports, 63 SOx Section 302 Officer Certifications, 65 SOx Title IV: Enhanced Financial Disclosures Enterprise Codes of Conduct, 71 Financial Officer Codes of Conduct, 70 Management’s Assessment of Internal Controls, 69 Off Balance-Sheet Transactions, 68 Pro forma Financial Reports, 68 Sarbanes-Oxley Act (SOx), 68 SOx Section 404 Internal Controls Assessments, 69 SOx Title V: Analyst Conflicts of Interest Sarbanes-Oxley Act (SOx), 72 SOx Title XI: Corporate Fraud Accountability Sarbanes-Oxley Act (SOx), 74 SOx Whistleblower Call Center Guidelines Ethics and Whistleblower Programs, 565 SOx Whistleblower Rules Internal Audit Roles and Responsibilities, 564 Specialized Audit Test and Analysis Software Computer-Aided Systems Engineering (CASE) Software Tools, 496 Types of CAATTs, 496 Specific Activity-Level Risks Risk Assessment Processes, 24 Standard Deviations Statistical Sampling Concepts, 207 Standards for the Professional Practice of Internal Auditing CBOK Objectives, 18 Controls Definition, 25 Statistical Sampling Concepts Audit Sampling, 205 Histograms, 207 Normal Distributions, 209 Standard Deviations, 207 Statistical Sampling Plans Audit Sampling, 210 Cluster Selection Sampling, 213 Interval Selection Sampling, 211 Random Number Sample Selections, 211 Stratified Selection Sampling, 212 Stratified Variables Sampling, 229 Strategic and Integrated Systems Communications and Information, 29 COSO Internal Controls Framework, 44 Stratified Selection Sampling Statistical Sampling Plans, 212 Stratified Variables Sampling Statistical Sampling Plans, 229 Summarizing Ethics Survey Results Ethics Environment Attitude Surveys, 556 Surprise Audits Internal Audit Planning, 162 
Switchable Hot Site Facilities BCP Contingency Strategies, 519 Systems Development Life Cycle (SDLC) Procedures CobiT Domain Areas, 95 Systems Development Methodology (SDM) Processes Application Controls Reviews, 438 Technical Security Services and Mechanisms HIPAA: Healthcare Related Rules, 594 Technology Enabled Continuous Auditing (TECA) System Microsoft Corporate Internal Audit CAA Approach, 649 Temptations that Encourage Improper Accounting Integrity and Ethical Values, 35 Test Deck Approaches Tracing User-Initiated Transactions, 494 Types of CAATTs, 492 Testing and Analysis Skills Internal Auditor Communication Skills, 296 Testing Audit Internal Control Objectives Performing Applications Controls Reviews, 444 Testing Calculations and Making Computations CAATT Procedures, 486 The Institute of Internal Auditors (IIA) Code of Ethics, 197 Tick Marks Workpaper Document Organization, 346 Tone at the Top Control Environment, 34 Tracing User-Initiated Transactions Test Deck Approaches, 494 Traditional Hot Sites BCP Contingency Strategies, 519 Transaction Flow Documentation Section 404 Compliance Reviews, 81 Treadway Commission Internal Control Definitions, 28 Treadway Committee National Commission on Fraudulent Financial Reporting, 31 Treadway Committee Report COSO Internal Control Framework, 31 Internal Control Definitions, 31 U.S. Federal Whistleblower Rules Whistleblower and Hotline Functions, 563 U.S. Securities and Exchange Commission (SEC) Rules International Accounting and Auditing Standards, 724 International Financial Reporting Standards (IFRS), 723 Understanding and Recognizing Fraud Fraud Detection and Prevention, 572 Understanding Current IIA Standards Internal Auditor CBOK Requirements, 183 Understanding HIPAA or GLBA Rules Internal Auditor CBOK Requirements, 601 Understanding of BCP Requirements Internal Auditor CBOK Requirements, 527 Understanding of Six Sigma 
Processes Internal Auditor CBOK Requirements, 709 Unethical, Illegal, or Otherwise Improper Activities COSO Internal Controls Framework, 45 Union Carbide in Bhopal, India Risk Events, 121 Variables Sampling Audit Sampling Approaches, 215 Victor Z Brink History of Internal Auditing, Internal Auditing History, Viruses and Malicious Program Code IT Network Security Fundamentals, 465 Walk-through Exercises Planning and Performing Internal Audits, 324 Whistleblower and Hotline Functions Ethics and Whistleblower Programs, 562 SOx Audit Committee Whistleblower Rules, 563 U.S Federal Whistleblower Rules, 563 Whistleblower Programs Communications and Information, 45 SOx Important Aspects, 54 Whistleblower Responsibilities Audit Committee Roles and Responsibilities, 546 Work-Flow Description Process Flowcharts Process Modeling for Internal Auditors, 334 Workpaper Auditor Tick Marks Workpaper Document Organization, 346 P1: OTA/XYZ P2: ABC ind JWBT053-Moeller March 1, 2009 13:26 Printer Name: Hamilton 766 Workpaper Cross-Referencing Workpaper Document Organization, 346 Workpaper Document Organization Administrative files, 341 Audit Procedures Files, 342 Documenting Internal Audit Results, 340 Internal Audit Document Records Management, 348 Internal Audit Documentation Requirements, 348 Permanent Files, 341 Tick Marks, 346 Workpaper Auditor Tick Marks, 346 Workpaper Cross-Referencing, 346 Workpaper Indexing and Cross-Referencing, 345 Workpaper Preparation Techniques, 345 Workpaper Supervisor Point Sheets, 344 Workpaper Indexing and Cross-Referencing Workpaper Document Organization, 345 Workpaper Objectives Documenting Internal Audit Results, 336 Workpaper Permanent Files Documenting the Internal Audit Field Surveys, 166 Workpaper Preparation Techniques Workpaper Document Organization, 345 Workpaper Review Processes, 347 Workpaper Retention Rules PCAOB Standard AS 3, 57 Sarbanes-Oxley Act Key Provisions, 57 Workpaper Review “Point Sheets” Performing the Internal Audits, 174 
Index Workpaper Review Processes CAATT Document Repositories, 349 Chief Audit Executive (CAE) Overall Workpaper Responsibility, 347 Document Backup, Security, and Continuity, 348 Document Standards and Review Processes, 348 Workpaper Preparation Techniques, 347 Workpaper Security Security and Privacy in the Internal Audit Department, 475 Workpaper Security Best Practices Security and Privacy in the Internal Audit Department, 476 Workpaper Standards Audit Bulk Files, 344 International Standards for the Professional Practice of Internal Auditing, 338 Workpaper Supervisor Point Sheets Workpaper Document Organization, 344 XBRL Defined XBRL: Internet-Based Extensible Business Reporting Language, 652 XBRL: Internet-Based Extensible Business Reporting Language Financial and Business Reporting Tools, 651 Implementing XBRL, 653 XBRL Defined, 652 ... Determine that an automated system is in place to log all computer systems activity, 20 21 22 23 24 25 26 27 including all jobs and programs run, any reruns, abnormal terminations, or operator...P1: OTA/XYZ P2: ABC c18 JWBT053-Moeller February 25 , 20 09 11:45 Printer Name: Hamilton P1: OTA/XYZ P2: ABC c18 JWBT053-Moeller February 25 , 20 09 11:45 Printer Name: Hamilton... released, it had an internal memory of 42k, or 42, 000 memory locations By the mid-1990s, by contrast, off-the-shelf machines typically came with 32 million memory locations, or 32 mg Today, they