Brink's Modern Internal Auditing: A Common Body of Knowledge, 8th Edition


Brink's Modern Internal Auditing, Eighth Edition

ffirs i 17 November 2015 5:45 PM

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

Brink's Modern Internal Auditing, Eighth Edition: A Common Body of Knowledge
ROBERT R. MOELLER

Cover design: Wiley

Copyright © 2016 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. The Seventh Edition was published by Wiley in 2009. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Moeller, Robert R.
Brink's modern internal auditing : a common body of knowledge / Robert R. Moeller. Eighth edition.
pages cm. (Wiley corporate F&A)
Revised edition of the author's Brink's modern internal auditing, 2009.
Includes index.
ISBN 978-1-119-01698-4 (hardback); ISBN 978-1-119-18000-5 (ePDF); ISBN 978-1-11917999-3 (ePub); ISBN 978-1-119-18001-2 (oBook)
1. Auditing, Internal. I. Title.
HF5668.25.M64 2015
657'.458 dc23
2015023640

Printed in the United States of America
10 9 8 7 6 5 4 3 2

Dedicated to my best friend and wife, Lois Moeller. Lois has been my companion and partner for over 45 years, whether we are somewhere in the world visiting an interesting historical location, attending one of Chicago's many music and theater events, gardening vegetables in the backyard, or finding the right wine and cooking the produce.

Contents

ftoc vii 17 November 2015 5:41 PM

Preface xvii

PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update
1.1 Internal Auditing History and Background
1.2 Mission of Internal Auditing
1.3 Organization of this Book 9
Note 10

Chapter 2: An Internal Audit Common Body of Knowledge 11
2.1 What Is a CBOK? Experiences from Other Professions 12
2.2 What Does an Internal Auditor Need to Know? 14
2.3 An Internal Auditing CBOK 14
2.4 Another Attempt: The IIA Research Foundation's CBOK 20
2.5 Essential Internal Audit Knowledge Areas 25
Notes 25

PART TWO: IMPORTANCE OF INTERNAL CONTROLS

Chapter 3: The COSO Internal Control Framework 29
3.1 Understanding Internal Controls 30
3.2 Revised COSO Framework Business and Operating Environment Changes 33
3.3 The Revised COSO Internal Control Framework 35
3.4 COSO Internal Control Principles 37
3.5 COSO Internal Control Components: The Control Environment 38
3.6 COSO Internal Control Components: Risk Assessment 40
3.7 COSO Internal Control Components: Internal Control Activities 45
3.8 COSO Internal Control Components: Information and Communication 49
3.9 COSO Internal Control Components: Monitoring Activities 53
3.10 The COSO Framework's Other Dimensions 57

Chapter 4: The 17 COSO Internal Control Principles 59
4.1 COSO Internal Control Framework Principles 60
4.2 Control Environment Principle 1: Integrity and Ethical Values 64
4.3 Control Environment Principle 2: Role of the Board of Directors 65
4.4 Control Environment Principle 3: Authority and Responsibility Needs 66
4.5 Control Environment Principle 4: Commitment to a Competent Workforce 67
4.6 Control Environment Principle 5: Holding People Accountable 68
4.7 Risk Assessment Principle 6: Specifying Appropriate Objectives 68
4.8 Risk Assessment Principle 7: Identifying and Analyzing Risks 69
4.9 Risk Assessment Principle 8: Evaluating Fraud Risks 71
4.10 Risk Assessment Principle 9: Identifying Changes Affecting Internal Controls 72
4.11 Control Activities Principle 10: Selecting Control Activities That Mitigate Risks 73
4.12 Control Activities Principle 11: Selecting and Developing Technology Controls 74
4.13 Control Activities Principle 12: Policies and Procedures 75
4.14 Information and Communication Principle 13: Using Relevant, Quality Information 78
4.15 Information and Communication Principle 14: Internal Communications 81
4.16 Information and Communication Principle 15: External Communications 82
4.17 Monitoring Principle 16: Internal Control Evaluations 83
4.18 Monitoring Principle 17: Communicating Internal Control Deficiencies 84
Note 85

Chapter 5: Sarbanes‐Oxley (SOx) and Beyond
5.1 Key Sarbanes‐Oxley Act (SOx) Elements 86
5.2 Performing Section 404 Reviews under AS5 107
5.3 AS5 Rules and Internal Audit 118
5.4 Impact of the Sarbanes‐Oxley Act 120
Notes 121

Chapter 6: COBIT and Other ISACA Guidance 123
6.1 Introduction to COBIT 124
6.2 COBIT Framework 126
6.3 Principle 1: Meeting Stakeholder Needs 128
6.4 Principle 2: Covering the Enterprise End to End 129
6.5 Principle 3: A Single Integrated Framework 131
6.6 Principle 4: Enabling a Holistic Approach 132
6.7 Principle 5: Separating Governance from Management 134
6.8 Using COBIT to Assess Internal Controls 135
6.9 Mapping COBIT to COSO Internal Controls 139
Notes 139

Chapter 7: Enterprise Risk Management: COSO ERM 141
7.1 Risk Management Fundamentals 142
7.2 COSO ERM: Enterprise Risk Management 153
7.3 COSO ERM Key Elements 155
7.4 Other Dimensions of COSO ERM: Enterprise Risk Objectives 171
7.5 Entity‐Level Risks 174
7.6 Putting It All Together: Auditing Risk and COSO ERM Processes 175
Notes 178

PART THREE: PLANNING AND PERFORMING INTERNAL AUDITS

Chapter 8: Performing Effective Internal Audits 181
8.1 Initiating and Launching an Internal Audit 182
8.2 Organizing and Planning Internal Audits 183
8.3 Internal Audit Preparatory Activities 184
8.4 Starting the Internal Audit 192
8.5 Developing and Preparing Audit Programs 198
8.6 Performing the Internal Audit 205
8.7 Wrapping Up the Field Engagement Internal Audit 212
8.8 Performing an Individual Internal Audit 213

Chapter 9: Standards for the Professional Practice of Internal Auditing 215
9.1 What Is the IPPF? 216
9.2 The Internal Auditing Professional Practice Standards: A Key IPPF Component 217
9.3 Content of the IIA Standards 219
9.4 Codes of Ethics: The IIA and ISACA 228
9.5 Internal Audit Principles 230
9.6 IPPF Future Directions 232
Notes 233

Chapter 10: Testing, Assessing, and Evaluating Audit Evidence 235
10.1 Gathering Appropriate Audit Evidence 236
10.2 Audit Assessment and Evaluation Techniques 236
10.3 Internal Audit Judgmental Sampling 239
10.4 Statistical Audit Sampling: An Introduction 241
10.5 Developing a Statistical Sampling Plan 247
10.6 Audit Sampling Approaches 251
10.7 Attributes Sampling Audit Example 258
10.8 Attributes Sampling Advantages and Limitations 262
10.9 Monetary Unit Sampling 263
10.10 Other Audit Sampling Techniques 267
10.11 Making Efficient and Effective Use of Audit Sampling 269
Notes 271

Chapter 11: Continuous Auditing and Computer‐Assisted Audit Techniques 273
11.1 Implementing Continuous Assurance Auditing 274
11.2 ACL, NetSuite, BusinessObjects, and Other Continuous Assurance Systems 280
11.3 Benefits of CAA 281
11.4 Computer‐Assisted Audit Tools and Techniques 282
11.5 Determining the Need for CAATTS 284
11.6 Steps to Building Effective CAATTS 287
11.7 Importance of Using CAATTS for Audit Evidence Gathering 288
11.8 XBRL: The Internet‐Based Extensible Marking Language 290
Notes 293

Chapter 12: Control Self‐Assessments and Internal Audit Benchmarking 295
12.1 Importance of Control Self‐Assessments 296
12.2 CSA Model 296
12.3 Launching the CSA Process 297
12.4 Evaluating CSA Results 303
12.5 Benchmarking and Internal Audit 304
12.6 Better Understanding Internal Audit Activities 312
Notes 313

Chapter 13: Areas to Audit: Establishing an Audit Universe and Audit Programs 315
13.1 Defining the Scope and Objectives of the Internal Audit Universe 316
13.2 Assessing Internal Audit Capabilities and Objectives 321
13.3 Audit Universe Time and Resource Limitations 322
13.4 "Selling" an Audit Universe Concept to the Audit Committee and Management 324
13.5 Assembling Audit Programs: Audit Universe Key Components 325
13.6 Audit Universe and Program Maintenance 330

PART FOUR: ORGANIZING AND MANAGING INTERNAL AUDIT ACTIVITIES

Chapter 14: Charters and Building the Internal Audit Function 335
14.1 Establishing an Internal Audit Function 336
14.2 Audit Committee and Management Authorization of an Audit Charter 337
14.3 Establishing an Internal Audit Function 338
Notes 345

Chapter 15: Managing the Internal Audit Universe and Key Competencies 347
15.1 Auditing in the Weeds: Problems with Reviews of Nonmainstream Audit Areas 348
15.2 Importance of an Audit Universe Schedule: What Is Right or Wrong 351
15.3 Importance of Internal Audit Key Competencies 352
15.4 Importance of Internal Audit Risk Management 353
15.5 Internal Auditor Interview Skills 354
15.6 Internal Audit Analytical and Testing Skills Competencies 354
15.7 Internal Auditor Documentation Skills 357
15.8 Recommending Results and Corrective Actions 360
15.9 Internal Auditor Negotiation Skills 361
15.10 An Internal Auditor Commitment to Learning 363
15.11 Importance of Internal Auditor Core Competencies 363

Chapter 16: Planning Audits and Understanding Project Management 365
16.1 The Project Management Process 366
16.2 PMBOK: The Project Management Book of Knowledge 368
16.3 PMBOK Program and Portfolio Management 375
16.4 Planning an Internal Audit 378
16.5 Understanding the Environment: Planning and Launching an Internal Audit 379
16.6 Audit Planning: Documenting and Understanding the Internal Control Environment 381
16.7 Performing Appropriate Internal Audit Procedures and Wrapping Up the Audit 383
16.8 Project Management Best Practices and Internal Audit 386
Note 387

Chapter 17: Documenting Audit Results through Process Modeling and Workpapers 389
17.1 Internal Audit Documentation Requirements 390
17.2 Process Modeling for Internal Auditors 391
17.3 Internal Audit Workpapers 396
17.4 Workpaper Document Organization 401
17.5 Workpaper Preparation Techniques 405
17.6 Internal Audit Document Records Management 408
17.7 Importance of Internal Audit Documentation 410
Notes 410

Chapter 18: Reporting Internal Audit Results 411
18.1 The Audit Report Framework 412
18.2 Purposes and Types of Internal Audit Reports 413
18.3 Published Audit Reports 415
18.4 Alternative Audit Report Formats 425

About the Author

Robert R. Moeller, CPA, CISA, CISSP, PMP, was first introduced to internal auditing when he had a new engineering degree, had completed his U.S. Army service, and was working at the then major computer manufacturer Sperry UNIVAC, while also attempting to learn more about managerial accounting. That was in 1975. Out of curiosity, Moeller enrolled in an evening class on internal auditing at the University of Minnesota taught by Leon Radde, one of the pioneers of the internal audit profession. Moeller was fascinated by this introduction to internal audit processes and soon joined a team to help create an IT internal audit function at Sperry. After several years as a lead on the Sperry internal audit team, Moeller relocated to the Chicago area, where he launched IT internal audit functions for several major corporations and also got involved with the Chicago IIA chapter. He gained CPA credentials, earned an MBA at the University of Chicago, and became national director of IT auditing for Grant Thornton. He subsequently joined Sears Roebuck, back in the days when Sears was a major retailer that owned Allstate Insurance, Discover Card, and major financial and real estate operations. Moeller launched Sears' first corporate IT internal audit function and went on to become Sears' internal audit director; he also reengineered the corporation's internal control processes and launched its corporate ethics function. Since leaving Sears, Moeller has been involved with a wide range of audit, internal control, IT governance, and project management processes. A frequently published author and speaker, he provides insights into many of the issues and concerns impacting internal audit, enterprise governance, and risk and compliance processes.

Brink's Modern Internal Auditing: A Common Body of Knowledge, Eighth Edition. By Robert R. Moeller. Copyright © 2016 by John Wiley & Sons, Inc.
babout 795 17 November 2015 7:56 PM

Index

bindex 797 18 November 2015 9:52 PM

2014 revised COSO framework: See COSO internal control framework
Association of Certified Fraud Examiners (ACFE), 666
Administrative files: workpaper document organization, 402
AICPA fraud standards: AU-C, Section 240, 655; public accounting's role in fraud detection, 659
American Society for Quality (ASQ): ASQ Quality Audit Division (QAD), 718; CQA requirements, 699; quality assurance auditing, 717; quality audit process steps, 726; Six Sigma and Lean techniques, 746
Analytical skills: internal audit key competencies, 355
Application control process areas: Section 404 compliance reviews, 115
Application controls: See COSO internal control framework
Application input and output audit tests: performing applications controls reviews, 548
Application input components: internal control processes, 525
Application programs: IT application components, 528
Application walk-through reviews: internal audit procedures, 536
Applications testing objectives: performing applications controls reviews, 555
Areas to audit: assessing internal audit capabilities, 321; audit program formats, 329; audit universe concepts, 315; internal audit "best evidence" classifications, 330
AS5 auditing rules: internal audit SOx processes, 118; Section 404 compliance reviews, 109
ASQ Quality Audit Division (QAD): See American Society for Quality (ASQ)
Assessing internal audit capabilities: areas to audit, 321
Association of certified fraud examiners: See Fraud detection and prevention
Attributes sampling: evaluating attributes sampling results, 258; statistical sampling plans, 257; testing, assessing, and evaluating audit evidence, 252
AU-C, section 240: See AICPA fraud standards
Auditable entities identification: See Audit universe concepts
Audit alternative testing approaches: internal audit processes, 356
Audit and consulting best practices: consulting engagement letters, 711; developing an internal audit consulting strategy, 708
Audit charter designations: launching an internal audit internal consulting capability, 706
Audit committee and management audit charter authorizations: building the internal audit function, 337; internal audit charters, 338
Audit committee financial expert: internal audit processes, 617; SOx requirements, 617
Audit committee governance rules: See SOx Title III: corporate responsibility
Audit committee responsibilities: chief audit executive appointment, 619; codes of conduct, 625; internal audit charter approval, 620; internal audit plans and budget approval, 621; internal audit processes, 619; whistleblower programs, 625
Audit committees: audit committee organization, 611, 613; authorizing, 612; board resolution example, 612; charters, 613; Microsoft Corporation 2007 audit committee charter, 615
Audit evidence gathering: computer-assisted audit techniques (CAATTs), 289; performing effective internal audits, 204
Audit findings elements: preliminary audit findings, 210
Auditing enterprise ethics functions: internal audit processes, 649
Auditing applications under development: performing applications controls reviews, 549
Auditing big data internal controls: internal audit procedures, 518
Auditing business continuity plans: internal audit procedures, 604; internal audit review points, 599; IT audit processes, 588
Auditing COSO ERM: internal audit procedures, 177
Auditing IT general controls: small IT business systems, 449
Auditing IT infrastructure management: ITIL® best practices, 482
Auditing IT security and privacy: IT audit processes, 576
Auditing Six Sigma processes: internal audit procedures, 757
Audit planning documentation: See Project Management Book of Knowledge (PMBOK)
Audit plans: performing effective internal audits, 187
Audit procedure files: workpaper document organization, 402
Audit programs: areas to audit, 329; audit universe concepts, 325, 330; internal audit preparatory activities, 199; internal audit processes, 326
Audit quality control standards: See PCAOB standard AS3
Audit report: audit report findings, 419; interim memo audit reports, 426; key elements, 419; questionnaire-type audit reports, 426; reporting internal audit results, 412, 417, 429
Audit sampling: computerized sampling software, 270; monetary unit sampling, 263; testing, assessing, and evaluating audit evidence, 236
Audit universe concepts: areas to audit, 315; auditable entities identification, 319; audit programs, 325; audit program maintenance, 330; control objectives identification, 321; potential problems, 351; SOx section 404 internal control reviews, 323
Audit workpapers retention: PCAOB standard AS3, 90; SOx requirements, 90
Authorizing the audit committee, 612
Availability management: ITIL service delivery, 481
Basic support principles: 2014 revised COSO framework, 33
Bayesian sampling: testing, assessing, and evaluating audit evidence, 268
BCP client-server readiness review: See Business continuity planning (BCP)
BCP deliverables: See Business continuity planning (BCP)
BCP enterprise training: See Business continuity planning (BCP)
Benchmarking: See Internal audit processes
Benefits of internal audit quality assurance reviews: IIA international standards, 728
Best evidence classifications: See Internal audit processes
Big data analytics: compliance monitoring life cycle, 515
Big data governance, risk, and compliance issues: internal control processes, 509
Big data internal audit procedures: identifying higher-criticality applications, 514
Big data internal control issues: processes, 510
Big data management security issues: internal audit procedures, 513
Black belt body of knowledge: Six Sigma leadership roles, 751
Board audit committee communications: internal audit processes, 609, 612
Board of directors role: COSO internal control principles, 64
Brink, Victor Z.
Building the internal audit function: audit committee and management audit charter authorizations, 337; definition of internal auditing, 336; internal audit management responsibilities, 340; internal audit manager position description, 340; IT systems auditor basic knowledge requirements, 343
Business continuity planning (BCP): BCP client-server readiness review, 595; BCP deliverables, 597; desktop and laptop systems BCP processes, 596; desktop, laptop, and handheld applications, 294; emergency response plans, 291; service level agreements (SLAs), 603; steps to building a BCP, 590
Business continuity planning risk management: business impact analysis, 598; internal audit processes, 589
Business fraud examples: fraud detection and prevention, 654
Business impact analysis: business continuity planning risk management, 598
Business unit-level risks: operations risk management objectives, 175
BYOD legal actions: See Internal control security risks
BYOD risk tolerances: See Internal control processes
BYOD security policy elements: See Internal control processes
CAATT internal audit procedures: See Internal audit processes
Capacity management: ITIL service delivery, 479
Cause and effect diagram: internal audit internal consulting practices, 712
CBOK concentration areas: internal audit CBOK summary, 790
CBOK for the modern internal auditor: CBOK for the modern internal auditor, 782; IIARF CBOK approaches, 781
CBOK high-level understanding: COBIT concepts and processes, 16
CBOK knowledge requirements: COSO internal control framework, 29; International Standards for the Professional Practice of Internal Auditing (IPPF), 215; internal audit CBOK summary, 790; planning and performing internal audits, 16; SOx knowledge and understanding, 16
CBOK requirements: foundations of internal auditing, 782; GRC (governance, risk, and compliance) issues, 788; impact of IT on internal auditors, 786; importance of internal controls, 783; internal auditor professional requirements, 788; organizing and managing internal audit activities, 785; planning and performing internal audits, 784; professional convergence requirements, 788
CCSA requirements: other CIA certifications, 688
Certified Information Systems Auditor (CISA): CISA examination domain areas, 695; CISA requirements, 694
Certified internal auditor requirements: internal auditor professional certifications, 330
Certified quality auditor (CQA) requirements, 330
CFE requirements: other CISA certifications, 697
CFSA requirements: other CIA certifications, 691
CGAP requirements: other CIA certifications, 690
CGEIT requirements: other CISA certifications, 695
Change management: ITIL service support, 472
Checklist format audit program: developing and preparing audit programs, 203; internal audit processes, 328
Chief audit executive (CAE): establishing an internal audit function, 338; internal audit responsibilities, 339
Chief audit executive appointment: audit committee responsibilities, 619; significant findings audit committee report, 624
CIA examination summary: CIA requirements, 685
CIA requirements: CIA examination summary, 685; internal auditor professional certifications, 684
CISA examination domain areas: Certified Information Systems Auditor (CISA), 695
CISA requirements: Certified Information Systems Auditor (CISA), 694; other CISA certifications, 696–697
Classifications of quality audits: quality assurance auditing, 719
Client-server budgeting system: performing applications controls reviews, 546
Client-server continuity planning: internal audit procedures, 293
Client-server system configuration: small IT business systems characteristics, 446
Client-server systems general IT controls: information systems operations, 441
Cluster selection audit sample selection: statistical sampling plans, 251
COBIT concepts and processes: CBOK high-level understanding, 16
COBIT enabler types: COBIT standards and framework, 133
COBIT framework: COBIT principle 1: meeting stakeholder needs, 128; COBIT principle 2: covering the enterprise end to end, 129; COBIT principle 3: a single integrated framework, 131; COBIT principle 4: enabling a holistic approach, 133; COBIT principle 5: separating governance from management, 135
COBIT goal and IT objective mapping: COBIT standards and framework, 138
COBIT goals and metrics: COBIT standards and framework, 132
COBIT principle 1: meeting stakeholder needs: See COBIT framework
COBIT principle 2: covering the enterprise end to end: See COBIT framework
COBIT principle 3: a single integrated framework: See COBIT framework
COBIT principle 4: enabling a holistic approach: See COBIT framework
COBIT principle 5: separating governance from management: See COBIT framework
COBIT process reference model: COBIT standards and framework, 136
COBIT standards and framework: COBIT enabler types, 133; COBIT goal and IT objective mapping, 138; COBIT goals and metrics, 132; COBIT process reference model, 136; ISACA, 124; principles of internal controls, 125
Code of conduct topics: code violations and corrective actions, 641; enterprise ethics issues, 639
Code of ethics, 61: adherence, 61
Code of ethics topics: COSO internal control principles, 62
Code violations and corrective actions: code of conduct topics, 641; code violations and corrective actions, 63
Codes of conduct: audit committee responsibilities, 625
Commitment to competence: COSO internal control principles, 65
Committee of sponsoring organizations (COSO): internal control fundamentals, 30; internal controls definition, 30
Common body of knowledge (CBOK): definition of internal auditing, 11; internal audit requirements, 11; internal controls, 15; knowledge area concepts, 13; significance of internal auditing
Communicating internal audit results: internal audit performance standards, 227
Communicating internal control deficiencies: COSO internal control principles, 83
Communication problems: published audit reports, 433
Compliance monitoring life cycle: big data analytics, 515
Computer-assisted audit techniques (CAATTs): audit evidence gathering, 289; equity funding fraud, 282; internal audit processes, 273
Computerized sampling software: audit sampling, 270
Configuration management: ITIL service support, 470
Consulting engagement letters: audit and consulting best practices, 711
Continuity management: ITIL service delivery, 482
Continuous assurance auditing: internal audit processes, 273; testing, assessing, and evaluating audit evidence, 275
Continuous monitoring: internal audit processes, 276
Control activities to mitigate risks: See COSO internal control principles
Control activity policies and procedures: See COSO internal control principles
Control environment: COSO internal control framework, 38; tone at the top, 40
Control objectives identification: audit universe concepts, 321
Control self-assessment (CSA) reviews: internal audit quality assurance review procedures, 732
Control self-assessments (CSAs): internal audit processes, 295
Corporate responsibility for financial reports: SOx section 302, 96
COSO Enterprise Risk Management (ERM), 141, 153, 155, 163: control activities, 167; framework, 153; information and communication, 169; internal environment component, 157; key elements, 155; monitoring, 170; objective setting, 159; operations risk management objectives, 172; risk response elements, 165
COSO internal control principles: code of ethics topics, 62; integrity and ethical values, 60
COSO internal control components: COSO reporting perspective, 58; monitoring activities, 53
COSO internal control framework: 2014 revised COSO framework, 30; application controls, 47; CBOK knowledge requirements, 29; changes and concepts, 32; control environment, 38; COSO internal controls pyramid view, 31; information and communication processes, 49; internal control activities, 45, 46; internal control fundamentals, 30; internal control principles, 37; ISO standards, 776; monitoring activities, 55; revised COSO framework, 35; risk assessment, 40, 41; risk identification and analysis, 41; SOx legal compliance, 34; SOx requirements, 29; transaction controls, 46
COSO internal control principles: 17 COSO principles, 60; board of directors role, 64; commitment to competence, 65; communicating internal control deficiencies, 83; control activities to mitigate risks, 72; control activity policies and procedures, 74; evaluating fraud risks, 69; fraud risk assessments, 70; holding people accountable, 67; identifying changes affecting internal controls, 71; information from relevant sources, 76; internal communications, 78; methods of internal communication, 80; selecting technology controls, 73
COSO internal controls pyramid view: See COSO internal control framework
COSO monitoring activities: See COSO internal control framework
COSO reporting perspective: See COSO internal control components
COSO risk assessment: risk response strategies, 44; types of enterprise business risks, 43
Costs and pricing internal audit review steps: ITIL service delivery, 479
CQA requirements: ASQ internal audit certifications, 699; certified quality auditor (CQA), 720
CRMA requirements: other CIA certifications, 693
CRSIC requirements: other CISA certifications, 697
CSA processes: facilitated CSA reviews, 300; internal audit quality assurance, 297; questionnaire-based CSA reviews, 302
Cybersecurity internal audit concerns: IT network security fundamentals, 561
Cybersecurity internal controls audit procedures: internal audit processes, 578
Data profiling privacy issues: Gramm-Leach-Bliley Act (GLBA), 570
Data security concepts: IT passwords, 563
Data variety and complexity issues: internal control processes, 506
Define-Measure-Analyze-Improve-Control (DMAIC) model: Six Sigma concepts, 747
Definition of internal auditing: building the internal audit function, 336; common body of knowledge (CBOK), 11; internal auditing; internal auditing's mission statement; Institute of Internal Auditors (IIA); mission of internal auditing; self-assessment functions
Deming PDCA cycle: quality assurance auditing, 724
Desktop and laptop systems BCP processes: business continuity planning (BCP), 596
Desktop, laptop, and handheld applications: business continuity planning (BCP), 294
Developing an internal audit consulting strategy: audit and consulting best practices, 708; internal audit internal consulting practices, 704
Developing and preparing audit programs: checklist format audit program, 203; petty cash audit program, 202
Disaster recovery planning: internal audit key responsibilities, 586
DMAIC model: See Six Sigma concepts
DMAIC procedures: See Six Sigma concepts
Document records management: internal audit workpapers, 409
Document standards review processes: documenting audit results, 409
Documentation best practices: internal audit processes, 359
Documentation skills: internal audit key competencies, 357
Documenting audit results: document standards review processes, 409; input/output process flowcharts, 394; internal audit documentation requirements, 390; process modeling and workpapers, 390; tick marks, 406; workflow description process flowchart, 394; workpaper auditor tick marks examples, 406; workpaper point sheets, 404
Documenting field survey results: internal audit field surveys, 198
Documenting key processes: internal audit workflow processes, 393
Due professional care: internal audit attribute standards, 221
Duties and responsibilities of ASQ quality auditors: quality assurance auditing, 719
DYOD internal audit issues: internal control processes, 486
Early internal auditor responsibilities: history and background of internal auditing
Elements of GRC governance: GRC concepts, 674
Elements of the negotiating process: internal audit processes, 362
Emergency response plans: business continuity planning (BCP), 291
Engagement planning: internal audit performance standards, 224
Enterprise BYOD environments: internal audit procedures, 487
Enterprise codes of conduct: enterprise governance processes, 637
Enterprise compliance processes: ethics risk environment, 634
Enterprise content management internal controls: internal control processes, 517
Enterprise content management overview: internal control processes, 519
Enterprise content management review procedures: internal audit procedures, 520
Enterprise ethics functions: ethics attitude survey questions, 636; stakeholder ethics attitude surveys, 635
Enterprise ethics issues: code of conduct topics, 639; internal audit processes, 630
Enterprise governance processes: enterprise codes of conduct, 637; ethics risk environment, 633; hotline functions, 643; mission statements, 632; whistleblower call centers, 648; whistleblower programs, 643
Enterprise internal audit consulting standards: IPPF professional standards, 702
Enterprise risk: enterprise risk types, 146
Enterprise risk management, 141, 142, 163
Enterprise risk types, 146
Enterprise social media policy: internal control processes, 500; social media computing risks, 501
Entity-level risks: risks encompassing the entire organization, 174
e-Office documentation best practices: internal audit processes, 358
Equity funding fraud
computer-assisted audit techniques (CAATTs), 282 ERM control activities COSO ERM key elements, 167 ERM objective setting COSO ERM, 159 Establishing an internal audit function chief audit executive (CAE), 338 internal audit charters, 338 role of the CAE, 338 Ethics attitude survey questions enterprise ethics functions, 636 Ethics risk environment enterprise compliance processes, 634 enterprise governance processes, 633 Evaluating attributes sampling results attributes sampling procedures, 258 Evaluating fraud risks COSO internal control principles, 69 Facebook social media example, 494 Facilitated CSA reviews CSA processes, 300 Failed internal audit research approaches IIARF 2007 CBOK study, 21 Federal whistleblower rules, 644 Files and databases IT application components, 527 Financial officer codes of ethics section 404: management’s assessment of internal controls, 102 Financial management for IT services ITIL service delivery, 477 Foundations of internal auditing CBOK requirements, 782 Fraud detection and prevention Association of Certified Fraud Examiners (ACFE), 666 business fraud examples, 654 internal auditor responsibilities, 664 red flags, 658 Fraud investigations internal audit processes, 665 Fraud review objectives internal audit processes, 666 18 November 2015 9:52 PM 802 ◾  Index Fraud risk assessments COSO internal control principles, 70 Fraudulent financial reporting Treadway Commission Report, 660 General controls IT infrastructure internal controls reviews, 440 General controls internal audit objectives large IT general controls preliminary survey, 457 small business IT systems, 453 General controls reviews of IT operations IT systems general controls, 461 Global Audit Information Network (GAIN) implementing benchmarking, 305 Governance, risk, and compliance (GRC) GRC risk management strategies, 676 internal audit processes, 672 Gramm-Leach-Bliley Act (GLBA) data profiling privacy issues, 570 GRC concepts elements of GRC governance, 674 internal 
control processes, 673 GRC practices and principles internal control processes, 679 GRC Risk Management Strategies governance, risk, and compliance (GRC), 676 GRC—governance, risk, and compliance—issues CBOK requirements, 788 Health Insurance Portability and Accountability Act (HIPAA) IT systems privacy concerns, 570 History and background of internal auditing early internal auditor responsibilities, Institute of Internal Auditors (IIA), internal auditing, Victor Z Brink, Holding people accountable COSO internal control principles, 67 Hotline functions enterprise governance processes, 643 Identify higher-criticality applications big data internal audit procedures, 514 Identifying changes affecting internal controls COSO internal control principles, 71 IIA code of ethics intentional standards for the professional practice of internal auditing (IPPF), 229 IIA F CBOK documentation approaches internal auditor CBOK, 20 IIA GAIN benchmarking questionnaire internal audit processes, 308 IIA international standards benefits of internal audit quality assurance reviews, 728 IIA standards for detecting and investigating fraud, 663 internal audit quality assurance reviews, 727 IIA standards for detecting and investigating fraud IIA international standards, 663 IIARF 2007 CBOK study failed internal audit research approaches, 21 IIARF 2015 CBOK planned analysis planned IIARF CBOK study, 23 IIARF prior CBOK approaches CBOK for the modern internal auditor, 781 bindex  802 Impact of IT on internal auditors CBOK requirements, 786 Implementing benchmarking Global Audit Information Network (GAIN), 305 Implementing consulting recommendations internal audit internal consulting practices, 713 Importance of internal controls CBOK requirements, 783 Incident management ITIL service support, 466 Information and communication COSO ERM, 169 Information and communication processes COSO internal control framework, 49 internal communications, 52 relevant information, 50 Information from relevant 
sources COSO internal control principles, 76 Information systems audit specialists internal audit organizations, 342 Information systems operations client-server systems general IT controls, 441 IT systems general controls, 440 Information technology fraud prevention processes internal audit processes, 667 Inherent risk risk management fundamentals, 163 Input/Output Process Flowcharts documenting audit results, 394 Institute of Internal Auditors (IIA) definition of internal auditing, history and background of internal auditing, Integrity and ethical values COSO internal control principles, 60 Intentional Standards for the Professional Practice of Internal Auditing (IPPF) CBOK knowledge requirements, 215 IIA code of ethics, 229 internal audit attribute standards, 220 internal auditor code of ethics, 229 internal audit performance standards, 223 internal audit IPPF principles, 232 IPPF required and recommended elements, 217 performing effective internal audits, 214 red book standards, 218 Interim memo audit reports audit report formats, 426 Internal audit requirements common body of knowledge (CBOK), 11 Internal audit “best evidence” classifications areas to audit, 330 Internal audit attribute standards due professional care, 221 intentional standards for the professional practice of internal auditing (IPPF), 220 quality assurance programs, 222 Internal audit BCP review procedures IT audit processes, 292 Internal audit benchmarking internal audit processes, 305 Internal audit CBOK summary CBOK concentration areas, 790 CBOK knowledge requirements, 790 Internal audit charter approval audit committee responsibilities, 620 18 November 2015 9:52 PM Index  ◾     803 Internal audit charters audit committee authorizations, 338 establishing an internal audit function, 338 internal audit processes, 335 performing effective internal audits, 186 Internal audit communications published audit reports, 433 Internal audit data center reviews IT systems general controls, 460 Internal 
audit department privacy and security internal audit processes, 581 workpaper security, 582 Internal audit documentation best practices internal audit key competencies, 359 Internal audit documentation requirements documenting audit results, 390 process modeling for internal auditors, 391 Internal audit engagement letters internal audit field surveys, 194 Internal audit essential knowledge areas internal auditor CBOK, 25 Internal audit field surveys documenting field survey results, 198 internal audit engagement letters, 194 internal audit preparatory activities, 195 Internal audit fieldwork monitoring internal audit fieldwork, 209 performing effective internal audits, 206 preliminary audit findings, 208 Internal audit fraud detection signs red flags, 657 Internal audit GRC approaches a internal audit processes, 672 Internal audit health check assessment internal audit processes, 618 Internal audit internal consulting practices cause ­and ­effect diagram, 712 developing an internal audit consulting strategy, 704 implementing consulting recommendations, 713 Internal audit interview skills internal audit key competencies, 354 Internal audit IPPF principles intentional standards for the professional practice of internal auditing (IPPF), 232 Internal audit key competencies analytical skills, 355 documentation skills, 357 internal audit documentation best practices, 359 internal audit interview skills, 354 internal auditor commitments to learning, 363 internal audit processes, 352 negotiation skills, 361 testing skills competencies, 356 Internal audit key responsibilities disaster recovery planning, 586 Internal audit manager position description building the internal audit function, 340 Internal audit organization planning internal audits, 183 Internal audit organizations information systems audit specialists, 342 internal auditor staff-level position description, 342 Internal audit performance standards communicating internal audit results, 227 engagement planning, 
224 bindex  803 intentional standards for the professional practice of internal auditing (IPPF), 223 managing the internal audit activity, 223 performing an internal audit engagement., 226 Internal audit plans and budgets approval audit committee responsibilities, 621 Internal audit preliminary surveys internal audit preparatory activities, 190 Internal audit preparatory activities audit programs, 199 internal audit field surveys, 195 internal audit preliminary surveys, 190 planning internal audits, 185 Internal audit principles ISACA code of professional ethics, 231 Internal audit procedures application walk-through reviews, 536 auditing big data internal controls, 518 auditing business continuity plans, 604 auditing COSO ERM, 177 auditing Six Sigma processes, 757 big data management security issues, 513 client-server continuity planning, 293 enterprise BYOD environments, 487 enterprise content management review procedures, 520 international auditing standards, 777 IT application controls, 524 IT application review control objectives, 540 ITIL® con­figuration management, 472 object-oriented programming (OOP concepts, 530 performing applications controls reviews, 534 preimplementation review objectives, 551 purchased software internal controls audit checklist, 532 review of a Six Sigma program, 759 Six Sigma and Lean techniques, 756 social media internal audit issues, 492, 504 Internal audit process: summarized steps performing effective internal audits, 214 Internal audit processes audit alternative testing approaches, 356 audit committee financial expert, 617 audit committee responsibilities, 619 audit program formats, 326 audit universe schedule potential problems, 351 auditing enterprise ethics functions, 649 benchmarking, 295 best evidence classifications, 330 board audit committee communications, 609, 612 business continuity planning risk management, 589 CAATT internal audit procedures, 283 checklist-format audit programs, 328 computer-assisted audit 
techniques (CAATTs), 273 continuous assurance auditing, 273 continuous monitoring, 276 control self-assessments (CSAs), 295 cybersecurity internal controls audit procedures, 578 documentation best practices, 359 elements of the negotiating process, 362 enterprise ethics issues, 630 e-Office documentation best practices, 358 fraud investigations, 665 fraud review objectives, 666 governance, risk, and compliance (GRC), 672 IIA GAIN benchmarking questionnaire, 308 information technology fraud prevention processes, 667 18 November 2015 9:52 PM 804 ◾  Index Internal audit processes (continued ) internal audit benchmarking, 305 internal audit charters, 335 internal audit department privacy and security, 581 internal audit GRC approaches, 672 internal audit health check assessment, 618 internal audit key competencies, 352 internal audit quality assurance reviews, 727 internal audit quality review steps, 738 internal audit report objectives, 413 internal audit report privacy, 584 internal audit workpaper security best practices, 583 project management, 366 quality assurance reviews of the internal audit function, 727 quality review engagement memo, 736 reporting audit results, 360 reporting internal audit results, 411 reporting the results of an internal audit quality assurance review, 741 reviews of compliance activities, 678 section 404 compliance reviews, 110 Six Sigma and Lean techniques, 746 SOx whistleblower, 646 understanding and recognizing fraud, 655 Internal audit project management Project Management Institute’s Project Management Body of Knowledge (PMBOK), 365 Internal audit quality assurance CSA processes, 297 Internal audit quality assurance review procedures control self-assessment (CSA) reviews, 732 QA reviews of individual completed audits, 739 quality assurance auditing, 731 quality assurance review approaches, 734 Internal audit quality assurance reviews IIA international standards, 727 internal audit processes, 727 quality assurance auditing, 730 
Internal audit quality review steps internal audit processes, 738 Internal audit report objectives internal audit processes, 413 reporting internal audit results, 423 Internal audit report privacy internal audit processes, 584 Internal audit responsibilities chief audit executive (CAE), 339 Internal audit review points auditing business continuity processes, 599 Internal audit risk management managing the internal audit universe, 353 Internal audit SOx processes AS5 auditing rules, 118 Internal audit workflow processes documenting key processes, 393 Internal audit workpaper security best practices internal audit processes, 583 Internal audit workpapers document records management, 409 process modeling, 396 travel audit workpaper example, 404 workpaper objectives, 397 workpaper preparation techniques, 405 workpaper review processes, 407 bindex  804 Internal auditing definition of internal auditing, history and background of internal auditing, Internal auditing motto Progress through Sharing, 11 Internal auditing’s mission statement definition of internal auditing, Internal Standards for the Professional Practice of Internal Auditing (IPPF), IPPF, Internal auditor CBOK IIA Research Foundations’s CBOK documentation approaches, 20 internal audit essential knowledge areas, 25 Internal Standards for the Professional Practice of Internal Auditing (IPPF), 16 objectives of this book, 14 Internal auditor code of ethics Intentional Standards for the Professional Practice of Internal Auditing (IPPF), 229 Internal auditor commitments to learning internal audit key competencies, 363 Internal auditor professional certifications certified internal auditor requirements, 684 CIA requirements, 684 value of CIA specialty certifications, 693 Internal auditor professional requirements CBOK requirements, 788 Internal auditor responsibilities fraud detection and prevention, 664 Internal auditor staff-level position description internal audit organizations, 342 Internal communications COSO 
internal control principles, 78 information and communication processes, 52 International Organization for Standardization (ISO), 762 Internal control activities COSO internal control framework, 45, 46 transaction control activities, 48 Internal control components internal control principles, 33 Internal control concerns small IT business systems characteristics, 449 Internal control evaluations monitoring COSO internal controls, 83 Internal control fundamentals committee of sponsoring organizations (COSO), 30 COSO internal control framework, 30 major components of internal control, 33 Internal control principles COSO internal control framework, 37 internal control components, 33 three components of internal control, 33 Internal control processes application input components, 525 big data governance, risk, and compliance issues, 509 big data internal control issues, 510 BYOD risk tolerances, 488 BYOD security policy elements, 488 data variety and complexity, 506 DYOD internal audit issues, 486 enterprise content management internal controls, 517 enterprise content management overview, 519 enterprise social media policy, 500 18 November 2015 9:52 PM Index  ◾     805 IT application components, 524 IT application output components, 533 GRC concepts, 673 GRC practices and principles, 679 Internal control security risks BYOD legal actions, 489 IT social engineering security risk methods, 569 NIST cybersecurity framework, 573 NIST implementation steps, 575 NIST tiers of cybersecurity maturity, 573 social engineering IT risks, 568 Internal controls common body of knowledge (CBOK), 15 Internal controls changes and concepts 2014 revised COSO framework, 32 Internal controls definition committee of sponsoring organizations (COSO), 30 Internal environment component See COSO Enterprise Risk Management (ERM) Internal Standards for the Professional Practice of Internal Auditing (IPPF) internal auditing’s mission statement, internal auditor CBOK, 16 International auditing 
standards internal audit procedures, 777 Interval selection audit sample selection statistical sampling plans, 250 IPPF internal auditing’s mission statement, mission statements, IPPF professional standards enterprise internal audit consulting standards, 702 IPPF required and recommended elements Intentional Standards for the Professional Practice of Internal Auditing (IPPF), 217 ISACA COBIT standards and framework, 124 ISACA code of professional ethics internal audit principles, 231 ISO international organization for standardization, 762 ISO standards overview, 764 worldwide internal audit standards, 762 ISO 2000 service quality management, 771 ISO 27002 ISO IT security standards, 768 ISO 27002 IT security standards, 768 IT security technique requirements, 770 ISO 38500 IT governance standard, 772 ISO 38500 model IT governance standard, 774 objectives, 772 ISO 9000 standards quality assurance auditing, 723 ISO 9001 quality management systems ISO standards, 765 quality management system processes, 767 ISO certification processes ISO standards, 764 ISO documentation hierarchy, 768 ISO standards COSO internal control framework, 776 bindex  805 ISO certification processes, 764 ISO documentation hierarchy, 768 ISO 9001 quality management systems, 765 ISO 38500 objectives, 772 ISO standards overview ISO, 764 IT application audit test procedures reviewing application management controls, 543 IT application components application programs, 528 files and databases, 527 internal control processes, 524 IT application development review guidelines, 531 IT application controls internal audit procedures, 524 IT application development review guidelines IT application components, 531 IT application output components internal control processes, 533 IT application review control objectives internal audit procedures, 540 IT audit processes auditing business continuity processes, 588 auditing IT security and privacy, 576 internal audit BCP review procedures, 292 IT control hierarchy 
selecting technology controls, 73 IT disaster recovery plans IT security processes, 585 IT governance standard ISO 38500, 772, 774 IT infrastructure internal control reviews general controls, 440 IT network security fundamentals cybersecurity internal audit concerns, 561 IT security threats, 561 password logon process, 564 system firewall controls, 566 viruses and malicious program code, 565 IT passwords data security concepts, 563 IT security processes IT disaster recovery plans, 585 IT security technique requirements ISO 27002, 770 IT security threats IT network security fundamentals, 561 IT systems privacy concerns, 570 target corporation security breach, 562 IT social engineering security risk methods internal control security risks, 569 IT systems auditor basic knowledge requirements building the internal audit function, 343 IT systems general controls general controls reviews of IT operations, 461 information systems operations, 440 internal audit data center reviews, 460 ITIL® service support IT infrastructure best practices, 465 large IT systems, 454 large IT systems general controls review objectives, 462 legacy systems, 453 mainframe legacy system controls, 455 operating systems software, 458 small IT business systems characteristics, 444 18 November 2015 9:52 PM 806 ◾  Index IT systems privacy concerns IT security threats, 570 Health Insurance Portability and Accountability Act (HIPAA), 570 PCI DSS goals and requirements, 580 ITIL framework ITIL® best practices, 466 service delivery best practices, 475 ITIL service delivery availability management, 481 capacity management, 479 continuity management, 482 costs and pricing internal audit review steps, 479 financial management for IT services, 477 service level management, 475 ITIL service support configuration management, 470 change management, 472 incident management, 466 problem management, 469 release management, 474 ITIL® best practices auditing IT infrastructure management, 482 ITIL framework, 466 
ITIL® con­figuration management internal audit procedures, 472 ITIL® service support IT infrastructure best practices IT systems general controls, 465 Johnson & Johnson tylenol crisis mission statements, 632 Judgmental sampling testing, assessing, and evaluating audit evidence, 239 Knowledge area concepts common body of knowledge (CBOK), 13 Large IT general controls preliminary survey general controls internal audit objectives, 457 Large IT systems general controls, 454 legacy systems, 454 Large IT systems general controls review objectives IT systems general controls, 462 Launching an enterprise Six Sigma project quality assurance processes, 752 Launching an internal audit internal consulting capability audit charter designations, 706 strategic decisions, 705 Lean Six Sigma concepts, 754 Legacy systems IT systems general controls, 453 large IT systems, 454 Legal and regulatory compliance risk objectives risk management fundamentals, 173 LinkedIn social media example, 497 Mainframe legacy system controls IT systems general controls, 455 Major components of internal control internal control fundamentals, 33 bindex  806 Managing the internal audit activity internal audit performance standards, 223 Managing the internal audit universe internal audit risk management, 353 Methods of internal communication COSO internal control principles, 80 Microsoft Corporation 2007 Audit Committee Charter Audit Committee Organization, 615 Mission of internal auditing definition of internal auditing, Mission statements enterprise governance processes, 632 IPPF, Johnson & Johnson Tylenol Crisis, 632 Monetary unit sampling audit sampling, 263 testing, assessing, and evaluating audit evidence, 264 Monitoring activities COSO internal control components, 53 Monitoring COSO internal controls internal control evaluations, 83 Monitoring internal audit fieldwork internal audit fieldwork, 209 Multistage sampling testing, assessing, and evaluating audit evidence, 267 Negotiation skills internal 
audit key competencies, 361 NIST cybersecurity framework internal control security risks, 573 NIST implementation steps internal control security risks, 575 NIST tiers of cybersecurity maturity internal control security risks, 573 Object-oriented programming (OOP concepts internal audit procedures, 530 Objectives of this book internal auditor CBOK, 14 Online Privacy and E-Commerce Issues radio frequency identification (RFID) Privacy issues, 570 Operating systems software IT systems general controls, 458 Operations IT internal controls small IT business systems characteristics, 447 Operations risk management objectives business unit–level risks, 175 COSO ERM key elements, 172 Opt-out rights U.S Federal Privacy Protection Laws, 572 Organizing and managing internal audit activities CBOK requirements, 785 Other CIA certifications CCSA requirements, 688 CFSA requirements, 691 CGAP requirements, 690 CRMA requirements, 693 QIAL requirements, 693 Other CISA certifications CFE requirements, 697 CGEIT requirements, 695 CISM requirements, 696 CISSP requirements, 697 CRSIC requirements, 697 18 November 2015 9:52 PM Index  ◾     807 Pareto Chart Example quality assurance auditing, 722 Password logon process IT network security fundamentals, 564 PCAOB public accounting firm registration Public Company Accounting Oversight Board (PCAOB), 88 PCAOB standard AS3 audit quality control standards, 90 audit workpapers retention, 90 PCI DSS fundamentals U.S Federal Privacy Protection Laws, 579 PCI DSS goals and requirements IT systems privacy concerns, 580 Performing an internal audit engagement internal audit performance standards, 226 Performing applications controls reviews application input and output audit tests, 548 applications testing objectives, 555 auditing applications under development, 549 client-server budgeting system, 546 internal audit procedures, 534 preimplementation review requirements definition checklist, 554 testing audit control objectives, 541 tests of 
compliance, 548 Performing appropriate internal audit procedures project management institutes PMBOK processes, 383 Performing effective internal audits audit evidence, 204 audit plans, 187 intentional standards for the professional practice of internal auditing (IPPF), 214 internal audit charters, 186 internal audit fieldwork, 206 internal audit process: summarized steps, 214 Permanent files workpaper document organization, 401 Petty cash audit program developing and preparing audit programs, 202 Planned IIARF CBOK study IIARF 2015 CBOK study, 23 Planning an internal audit Project Management Book of Knowledge (PMBOK), 378 Planning and performing internal audits CBOK knowledge requirements, 16 CBOK requirements, 784 Planning audits project management, 366 workpaper standards, 398 Planning internal audits internal audit organization, 183 internal audit preparatory activities, 185 PMBOK process steps Project Management Book of Knowledge (PMBOK), 369 PMBOK program and portfolio management Project Management Book of Knowledge (PMBOK), 375, 377 PMBOK project management plan project management institutes PMBOK processes, 374 PMI definition of a project Project Management Institute (PMI), 367 project, program, and portfolio management interactions, 376 bindex  807 PMI risk management components Project Management Book of Knowledge (PMBOK), 369 PMI risk management data flow Project Management Book of Knowledge (PMBOK), 369 Preimplementation review objectives internal audit procedures, 551 Preimplementation review requirements definition checklist performing applications controls reviews, 554 Preliminary audit findings audit findings elements, 210 internal audit fieldwork, 208 Preliminary findings point sheet wrapping up an internal audit, 385 Principles of internal controls COBIT standards and framework, 125 Probability and uncertainty risk assessment analysis, 148 Problem management ITIL service support, 469 Process modeling internal audit workpapers, 396 Process modeling 
and workpapers documenting audit results, 390 process modeling hierarchy, 392 Process modeling for internal auditors internal audit documentation requirements, 391 Process modeling hierarchy process modeling and workpapers, 392 Professional convergence requirements CBOK requirements, 788 Progress through Sharing internal auditing motto, 11 Project management See also Project Management Institute (PMI); Project Management Book of Knowledge (PMBOK) internal audit processes, 366 planning audits, 366 Project Management Book of Knowledge (PMBOK) audit planning documentation, 381 best practices, 386 internal audit project management, 365 planning an internal audit, 378 PMBOK process steps, 369 PMI risk management components, 369 PMI risk management data flow, 369 PMBOK program and portfolio management, 375, 377 project management best practices, 386 project, program, and portfolio management relationships, 378 Project Management Institute (PMI) definition of a project, 367 institutes PMBOK processes, 367 Project Management Institutes PMBOK processes performing appropriate internal audit procedures, 383 PMBOK project management plan, 374 Project Management Institute (PMI), 367 Project, program, and portfolio management interactions PMI definition of a project, 376 Project, program, and portfolio management relationships Project Management Book of Knowledge (PMBOK), 378 Public accounting’s role in fraud detection AICPA fraud standards, 659 18 November 2015 9:52 PM 808 ◾  Index Public Company Accounting Oversight Board (PCAOB) PCAOB public accounting firm registration, 88 Sarbanes Oxley Act (SOx), 88 Published audit reports communication problems, 433 internal audit communications, 433 reporting internal audit results, 415 Purchased software internal controls audit checklist internal audit procedures, 532 QA reviews of individual completed audits internal audit quality assurance review procedures, 739 QIAL requirements other CIA certifications, 693 Quality assurance 
auditing American Society for Quality (ASQ), 717 ASQ standards, 717 classifications of quality audits, 719 Deming PDCA cycle, 724 duties and responsibilities of ASQ quality auditors, 719 internal audit quality assurance review elements, 730 internal audit quality assurance review procedures, 731 ISO 9000 standards, 723 Pareto chart example, 722 types of quality audits, 721 Quality assurance processes launching an enterprise Six Sigma project, 752 Six Sigma concepts, 747 Quality assurance programs internal audit attribute standards, 222 Quality assurance review approaches internal audit quality assurance review procedures, 734 Quality assurance reviews of the internal audit function internal audit processes, 727 Quality audit process steps ASQ standards, 726 Quality management system processes ISO 9001 quality management systems, 767 Quality review engagement memo internal audit processes, 736 Quantitative risk analysis risk management fundamentals, 150 risk monitoring, 152 risk ranking expected costs, 152 Questionnaire-based CSA reviews CSA processes, 302 Questionnaire-type audit reports audit report formats, 426 Radio frequency identification (RFID) privacy issues online privacy and e-commerce issues, 570 Random number audit sample selection statistical sampling plans, 248 Recommended sample sizes section 404 compliance reviews, 116 Red book standards Intentional Standards for the Professional Practice of Internal Auditing (IPPF), 218 Red flags fraud detection and prevention, 658 internal audit fraud detection signs, 657 Release management ITIL service support, 474 bindex  808 Relevant information information and communication processes, 50 Replicated sampling testing, assessing, and evaluating audit evidence, 268 Reporting audit results internal audit processes, 360 Reporting internal audit results audit report framework, 412 audit report key elements, 417 audit report negative and positive statement examples, 425 audit report preparation steps, 429 internal 
    audit processes, 411
    internal audit report objectives, 423
    published audit reports, 415
Reporting the results of an internal audit quality assurance review
    internal audit processes, 741
Residual risk
    risk management fundamentals, 164
Review of a Six Sigma program
    internal audit procedures, 759
Reviewing application management controls
    IT application audit test procedures, 543
    vendor-supplied software, 531
Reviews of compliance activities
    internal audit processes, 678
Revised COSO framework
    COSO internal control framework, 35
Risk appetite map
    risk management fundamentals, 159
Risk assessment
    COSO internal control framework, 40
Risk assessment analysis
    probability and uncertainty, 148
    risk management fundamentals, 148
Risk assessment principles
    COSO internal control framework, 41
Risk encompassing the entire organization
    entity-level risks, 174
Risk identification
    risk management process steps, 144
Risk identification and analysis
    COSO internal control framework, 41
Risk management fundamentals
    enterprise risk management, 142
    inherent risk, 163
    legal and regulatory compliance risk objectives, 173
    quantitative risk analysis, 150
    residual risk, 164
    risk appetite map, 159
    risk assessment analysis, 148
    risk objective setting components, 161
    risk ranking, 149
Risk management process steps
    risk identification, 144
Risk monitoring
    quantitative risk analysis, 152
Risk objective setting components
    risk management fundamentals, 161
Risk ranking
    risk management fundamentals, 149
Risk ranking expected costs
    quantitative risk analysis, 152
Risk response elements
    COSO ERM, 165
Risk response strategies
    COSO risk assessment, 44
Role of the CAE
    establishing an internal audit function, 338
Sarbanes Oxley Act (SOx)
    Public Company Accounting Oversight Board (PCAOB), 88
    Sarbanes Oxley Act key provisions, 87
Sarbanes Oxley Act key provisions
    Sarbanes Oxley Act (SOx), 87
    Section 404: Management’s Assessment of Internal Controls, 102
    SOx Title II: Auditor Independence, 92
    SOx Title III: Corporate Responsibility, 95
    SOx Title IV: Enhanced Financial Disclosures, 100
    Title V: Analyst Conflicts of Interest, 104
    Title XI: Corporate Fraud Accountability, 107
Section 302 Officer Certification
    SOx Title III: Corporate Responsibility, 96
Section 404 Compliance Reviews
    application control process areas, 115
    AS5 auditing rules, 109
    internal audit processes, 110
    recommended sample sizes, 116
Section 404: Management’s Assessment of Internal Controls
    financial officer codes of ethics, 102
    Sarbanes Oxley Act key provisions, 102
Selecting technology controls
    COSO internal control principles, 73
    IT control hierarchy, 73
Self-assessment functions
    definition of internal auditing,
Service delivery best practices
    ITIL framework, 475
Service level agreements (SLAs)
    business continuity planning (BCP), 603
    service level management, 476
Service level management
    ITIL service delivery, 475
    service level agreements (SLAs), 476
Service quality management
    ISO 2000, 771
Seventeen COSO principles
    COSO internal control principles, 60
Significance of internal auditing
    common body of knowledge (CBOK),
Significant findings audit committee report
    chief audit executive appointment, 624
SIPOC analysis
    Six Sigma concepts, 753
Six Sigma concepts
    define-measure-analyze-improve-control model, 747
    DMAIC model, 747
    DMAIC procedures, 756
    Lean Six Sigma, 754
    quality assurance processes, 747
    SIPOC analysis, 753
    Six Sigma deployment and process goal, 749
    supplier-inputs-process-outputs-customer (SIPOC) charts, 754
Six Sigma and Lean techniques
    ASQ quality assurance processes, 746
    internal audit procedures, 756
    internal audit processes, 746
Six Sigma deployment and process goal
    Six Sigma concepts, 749
Six Sigma leadership roles
    Black Belt Body of Knowledge, 751
Small business IT systems auditing
    IT general controls, 449
    general controls internal audit objectives, 453
Small business IT systems characteristics
    client-server system configuration, 446
    internal control concerns, 449
    IT systems general controls, 444
    operations IT internal controls, 447
    system program library controls, 451
Social engineering IT risks
    internal control security risks, 568
Social media computing risks
    enterprise social media policy, 501
Social media example
    Facebook, 494
    LinkedIn, 497
    Twitter, 498
Social media internal audit issues
    internal audit procedures, 492, 504
SOx knowledge and understanding
    CBOK knowledge requirements, 16
SOx legal compliance
    See COSO internal control framework
SOx requirements
    COSO internal control framework, 29
SOx requirements
    audit committee financial expert, 617
    audit workpapers retention, 90
SOx Section 302
    corporate responsibility for financial reports, 96
SOx Section 404 internal control reviews
    audit universe concepts, 323
SOx Title II: Auditor Independence
    Sarbanes Oxley Act key provisions, 92
SOx Title III: Corporate Responsibility
    audit committee governance rules, 95
    Sarbanes Oxley Act key provisions, 95
    Section 302 officer certification, 96
SOx Title IV: Enhanced Financial Disclosures
    Sarbanes Oxley Act key provisions, 100
SOx whistleblower
    internal audit processes, 646
Stakeholder ethics attitude surveys
    enterprise ethics functions, 635
Standard deviations
    statistical audit sampling measures, 244
Statistical audit sampling
    testing, assessing, and evaluating audit evidence, 241
Statistical audit sampling measures
    standard deviations, 244
Statistical sampling
    testing, assessing, and evaluating audit evidence, 238
Statistical sampling plans
    attributes sampling size examples, 257
    cluster selection audit sample selection, 251
    interval selection audit sample selection, 250
    random number audit sample selection, 248
    stratified selection audit sample selection, 250
    testing, assessing, and evaluating audit evidence, 247
Steps to building a BCP
    BCP enterprise training, 602
    business continuity planning (BCP), 590
Strategic decisions
    launching an internal audit internal consulting capability, 705
Stratified selection audit sample selection
    statistical sampling plans, 250
Supplier-inputs-process-outputs-customer (SIPOC) charts
    Six Sigma concepts, 754
System firewall controls
    IT network security fundamentals, 566
System program library controls
    small IT business systems characteristics, 451
Target corporation security breach
    IT security threats, 562
Testing audit control objectives
    performing applications controls reviews, 541
Testing skills competencies
    internal audit key competencies, 356
Testing, assessing, and evaluating audit evidence
    attributes sampling procedures, 252
    audit sampling, 236
    Bayesian sampling, 268
    continuous assurance auditing, 275
    judgmental sampling, 239
    monetary unit sampling, 264
    multistage sampling, 267
    replicated sampling, 268
    statistical audit sampling, 241
    statistical sampling, 238
    statistical sampling plans, 247
    XBRL extensible marking language, 291
    XBRL interoperability concepts, 291
Tests of compliance
    performing applications controls reviews, 548
Three components of internal control
    internal control principles, 33
Tick marks
    documenting audit results, 406
Title V: analyst conflicts of interest
    Sarbanes Oxley Act key provisions, 104
Title XI: corporate fraud accountability
    Sarbanes Oxley Act key provisions, 107
Tone at the top
    control environment, 40
Transaction control activities
    internal control activities, 48
Transaction controls
    COSO internal control framework, 46
Travel audit workpaper example
    internal audit workpapers, 404
Treadway commission report
    fraudulent financial reporting, 660
Twitter
    social media example, 498
Types of enterprise business risks
    COSO risk assessment, 43
Types of quality audits
    quality assurance auditing, 721
U.S. Federal Privacy Protection Laws
    opt-out rights, 572
    PCI DSS fundamentals, 579
Understanding and recognizing fraud
    internal audit processes, 655
Value of CIA specialty certifications
    internal auditor professional certifications, 693
Vendor-supplied software
    reviewing application management controls, 531
Viruses and malicious program code
    IT network security fundamentals, 565
Whistleblower call centers
    enterprise governance processes, 648
Whistleblower programs
    audit committee responsibilities, 625
    enterprise governance processes, 643
Workflow description process flowchart
    documenting audit results, 394
Workpaper auditor tick marks examples
    documenting audit results, 406
Workpaper document organization
    administrative files, 402
    audit procedure files, 402
    permanent files, 401
    workpaper formats, 400
Workpaper formats
    workpaper document organization, 400
Workpaper objectives
    internal audit workpapers, 397
Workpaper point sheets
    documenting audit results, 404
Workpaper preparation techniques
    internal audit workpapers, 405
Workpaper review processes
    internal audit workpapers, 407
Workpaper security
    internal audit department privacy and security, 582
Workpaper standards
    planning audits, 398
Worldwide internal audit standards
    ISO, 762
Wrapping up an internal audit
    preliminary findings point sheet, 385
XBRL interoperability concepts
    testing, assessing, and evaluating audit evidence, 291
XBRL extensible marking language
    testing, assessing, and evaluating audit evidence, 291

Posted: 02/03/2020, 12:22
