Brink’s Modern Internal Auditing
Brink’s Modern Internal Auditing
A Common Body of Knowledge
Seventh Edition
ROBERT R. MOELLER
John Wiley & Sons, Inc.
Copyright © 2009 John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Moeller, Robert R.
Brink’s modern internal auditing : a common body of knowledge / Robert Moeller. – 7th ed.
p. cm.
Includes index.
ISBN 978-0-470-29303-4 (cloth: alk. paper)
1. Auditing, Internal. I. Title.
HF5668.25.B74 2009
657 .458–dc22
2008048335
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
Contents

Preface
About the Author

PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

CHAPTER 1 Foundations of Internal Auditing
  1.1 Internal Auditing History and Background
  1.2 Organization of This Book
  Note

CHAPTER 2 Internal Audit’s Common Body of Knowledge
  2.1 What Is a CBOK?: Experiences from Other Professions
  2.2 Institute of Internal Auditor’s Research Foundation CBOK
  2.3 What Does an Internal Auditor Need to Know?
  2.4 Modern Internal Auditing’s CBOK Going Forward
  Notes

PART TWO: IMPORTANCE OF INTERNAL CONTROLS

CHAPTER 3 Internal Control Framework: The COSO Standard
  3.1 Importance of Effective Internal Controls
  3.2 Internal Controls Standards: Background
    (a) Internal Control Definitions: Foreign Corrupt Practices Act of 1977
    (b) FCPA Aftermath: What Happened?
  3.3 Events Leading to the Treadway Commission
    (a) Earlier AICPA Standards: SAS No. 55
    (b) Treadway Committee Report
  3.4 COSO Internal Control Framework
    (a) Control Environment
    (b) Risk Assessment
    (c) Control Activities
    (d) Communications and Information
    (e) Monitoring
  3.5 Other Dimensions of the COSO Internal Controls Framework
  3.6 Internal Audit CBOK Needs
  Notes

CHAPTER 4 Sarbanes-Oxley and Beyond
  4.1 Key Sarbanes-Oxley Act Elements
    (a) Title I: Public Company Accounting Oversight Board
    (b) Title II: Auditor Independence
    (c) SOx Title III: Corporate Responsibility
    (d) Title IV: Enhanced Financial Disclosures
    (e) Title V: Analyst Conflicts of Interest
    (f) Titles VI through X: Fraud Accountability and White-Collar Crime
    (g) Title XI: Corporate Fraud Accountability
  4.2 Performing Section 404 Reviews under AS 5
    (a) Section 404 Internal Controls Assessments Today
    (b) Launching the Section 404 Compliance Review
  4.3 AS 5 Rules and Internal Audit
  4.4 Impact of the Sarbanes-Oxley Act
  Notes

CHAPTER 5 Another Internal Controls Framework: CobiT
  5.1 Introduction to CobiT
  5.2 CobiT Framework
    (a) CobiT Cube Components: IT Resources
    (b) CobiT Cube Components
  5.3 Using CobiT to Assess Internal Controls
    (a) Planning and Enterprise
    (b) Acquisition and Implementation
    (c) Delivery and Support
    (d) Monitoring and Evaluation
  5.4 Using CobiT in a SOx Environment
  5.5 CobiT Assurance Framework Guidance
  5.6 CobiT in

CHAPTER 6 Risk Management: COSO ERM
  6.1 Risk Management Fundamentals
    (a) Risk Identification
    (b) Key Risk Assessments
    (c) Quantitative Risk Analysis
  6.2 COSO ERM: Enterprise Risk Management
  6.3 COSO ERM Key Elements
    (a) Internal Environment Component
    (b) Objective Setting
    (c) Event Identification
    (d) Risk Assessment
    (e) Risk Response
    (f) Control Activities
    (g) Information and Communication
    (h) Monitoring
  6.4 Other Dimensions of COSO ERM: Enterprise Risk Objectives
    (a) Operations Risk Management Objectives
    (b) Reporting Risk Management Objectives
    (c) Legal and Regulatory Compliance Risk Objectives
  6.5 Entity-Level Risks
    (a) Risks Encompassing the Entire Organization
    (b) Business Unit–Level Risks
  6.6 Putting It All Together
  6.7 Auditing Risk and COSO ERM Processes
  6.8 Risk Management and COSO ERM in

PART THREE: PLANNING AND PERFORMING INTERNAL AUDITS

CHAPTER 7 Performing Effective Internal
  Organizing and Planning Internal Audits
  Internal Audit Preparatory Activities
    (a) Determine the Audit Objectives
    (b) Audit Scheduling and Time Estimates
    (c) Preliminary Surveys
  7.3 Starting the Internal Audit
    (a) Internal Audit Field Survey
    (b) Documenting the Internal Audit Field Survey
    (c) Field Survey Auditor Conclusions
  7.4 Developing and Preparing Audit Programs
    (a) Audit Program Formats and Their Preparation
    (b) Types of Audit Evidence
  7.5 Performing the Internal Audit
    (a) Internal Audit Fieldwork Initial Procedures
    (b) Audit Fieldwork Technical Assistance
    (c) Audit Management Fieldwork Monitoring
    (d) Potential Audit Findings
    (e) Audit Program and Schedule Modifications
    (f) Reporting Preliminary Audit Findings to Management
  7.6 Wrapping Up the Field Engagement Internal Audit
  7.7 Performing an Individual Internal Audit

CHAPTER 8 Standards for the Professional Practice of Internal Auditing
  8.1 Internal Auditing Professional Practice Standards
    (a) Background of the IIA Standards
    (b) IIA’s Current Standards: What Has Changed
    (c) 2009 New Internal Audit Standards
  8.2 Content of the IIA Standards
    (a) Internal Audit Attribute Standards
    (b) Internal Audit Performance Standards
  8.3 Codes of Ethics: The IIA and ISACA
  Notes

CHAPTER 9 Testing, Assessing, and Evaluating Audit Evidence
  Gathering Appropriate Audit Evidence
  Audit Assessment and Evaluation Techniques
  Internal Audit Judgmental Sampling
  Statistical Sampling: An Introduction
    (a) Statistical Sampling Concepts
    (b) Developing a Statistical Sampling Plan
    (c) Audit Sampling Approaches
  9.5 Monetary Unit Sampling
    (a) Selecting the Monetary Unit Sample: An Example
    (b) Performing the Monetary Unit Sampling Test
    (c) Evaluating Monetary Unit Sample Results
    (d) Monetary Unit Sampling Advantages and Limitations
  9.6 Variables and Stratified Variables Sampling
  9.7 Other Audit Sampling Techniques
    (a) Multistage Sampling
    (b) Replicated Sampling
    (c) Bayesian Sampling
  9.8 Making Efficient and Effective Use of Audit Sampling
  Notes

CHAPTER 10 Audit Programs and Establishing the Audit Universe
  10.1 Defining the Scope and Objectives of the Internal Audit Universe
  10.2 Assessing Internal Audit Capabilities and Objectives
  10.3 Audit Universe Time and Resource Limitations
  10.4 “Selling” the Audit Universe to the Audit Committee and Management
  10.5 Assembling Audit Programs: Audit Universe Key Components
    (a) Audit Program Formats and Their Preparation
    (b) Types of Program Audit Evidence
  10.6 Audit Universe and Program

CHAPTER 11 Control Self-Assessments and Benchmarking
  11.1 Importance of Control Self-Assessments
  11.2 CSA Model
  11.3 Launching the CSA Process
    (a) Performing the Facilitated CSA Review
    (b) Performing the Questionnaire-Based CSA Review
    (c) Performing the Management-Produced Analysis CSA Review
  11.4 Evaluating CSA Results
  11.5 Benchmarking and Internal Audit
    (a) Implementing Benchmarking to Improve Processes
    (b) Benchmarking and the IIA’s GAIN Initiative
  11.6 Better Understanding Internal Audit Activities
  Notes

PART FOUR: ORGANIZING AND MANAGING INTERNAL AUDITOR ACTIVITIES

CHAPTER 12 Internal Audit Charters and Building the Internal Audit Function
  12.1 Establishing an Internal Audit Function
  12.2 Audit Charter: Audit Committee and Management Authority
  12.3 Building the Internal Audit Staff
    (a) Role of the CAE
    (b) Internal Audit Management Responsibilities
    (c) Internal Audit Staff Responsibilities
    (d) Information Systems Audit Specialists
    (e) Other Internal Auditor Specialists
  12.4 Internal Audit Department Organization Approaches
    (a) Centralized versus Decentralized Internal Audit Organization Structures
    (b) Organizing the Internal Audit Function
  12.5 Internal Audit Policies and Procedures
  12.6 Professional Development: Building a Strong Internal Audit

CHAPTER 13 Internal Audit Key
  Importance of Internal Audit Key Competencies
  Internal Auditor Interview Skills
  Analytical Skills
  Testing and Analysis Skills
  Internal Auditor Documentation Skills
  Recommending Results and Corrective Actions
  Internal Auditor Communication Skills
  Internal Auditor Negotiation Skills
  13.9 Internal Auditor Commitment to Learning
  13.10 Importance of Internal Auditor Core Competencies

CHAPTER 14 Understanding Project Management
  Project Management Processes
    (a) Project Management Book of Knowledge
    (b) Developing a Project Management Plan
  14.2 PMBOK Program and Portfolio Management
  14.3 Organizational Process Maturity Model
  14.4 Using Project Management for Effective Internal Audit Plans
  Project Management Best Practices and Internal Audit
  Notes

CHAPTER 15 Planning and Performing Internal Audits
  15.1 tanding the Environment: Launching an Internal Audit
  Documenting and Understanding the Internal Controls Environment
  Performing Appropriate Internal Audit Procedures
  Wrapping Up the Internal Audit
  Performing Internal Audits

CHAPTER 16 Documenting Results through Process Modeling and Workpapers
  16.1 Internal Audit Documentation Requirements
  16.2 Process Modeling for Internal Auditors
    (a) Understanding the Process Modeling Hierarchy
    (b) Describing and Documenting Key Processes
    (c) Process Modeling and the Internal Auditor
  16.3 Internal Audit Workpapers
    (a) Workpaper Standards
    (b) Workpaper Formats
    (c) Workpaper Document Organization
    (d) Workpaper Preparation Techniques
    (e) Workpaper Review Processes
  16.4 Internal Audit Document Records Management
  16.5 Importance of Internal Audit

CHAPTER 17 Reporting Internal Audit Results
  17.1 Purposes and Types of Internal Audit Reports
  17.2 Published Audit Reports
    (a) Approaches to Published Audit Reports
    (b) Elements of an Audit Report Finding
    (c) Balanced Audit Report Presentation Guidelines
    (d) Alternative Audit Report Formats
  17.3 Internal Audit Reporting Cycle
    (a) Draft Audit Reports
    (b) Audit Reports: Follow-Up and Summary
    (c) Audit Report and Workpaper Retention
  17.4 Effective Internal Audit Communications Opportunities
  17.5 Audit Reports and Understanding the People in Internal Auditing

PART FIVE: IMPACT OF INFORMATION TECHNOLOGY ON INTERNAL AUDITING

CHAPTER 18 IT General Controls and ITIL Best
  Importance of IT General Controls
  Client-Server and Smaller Systems’ General IT Controls
    (a) General Controls for Small Business Systems
    (b) Smaller Systems’ IT Operations Internal Controls
    (c) Auditing IT General Controls for Smaller IT Systems
  Components and Controls of Mainframe and Legacy Systems
    (a) Characteristics of Larger IT Systems
    (b) Classic Mainframe or Legacy Computer Systems
    (c) Operating Systems Software
  Legacy System General Controls Reviews
  ITIL Service Support and Delivery Infrastructure Best Practices
    (a) ITIL Service Support Incident Management
    (b) Service Support Problem Management
  Service Delivery Best Practices
    (a) Service Delivery Service-Level Management
    (b) Service Delivery Financial Management for IT Services
    (c) Service Delivery Capacity Management
    (d) Service Delivery Availability Management
    (e) Service Delivery Continuity Management
  18.7 Auditing IT Infrastructure Management
  18.8 Internal Auditor CBOK Needs for IT General

CHAPTER 19 Reviewing and Assessing IT Application Controls
  19.1 IT Application Control Components
    (a) Application Input Components
    (b) Application Programs
    (c) IT Application Output Components
  19.2 Selecting Applications for Internal Audit Reviews
  19.3 Preliminary Steps to Performing Applications Controls Reviews
    (a) Conducting an Application Walk-Through
    (b) Developing Application Control Objectives
  19.4 Completing the IT Application’s Controls Audit
    (a) Clarifying and Testing Audit Internal Control Objectives
    (b) Completing the Application Controls Review
  19.5 Application Review Example: Client-Server Budgeting System
    (a) Reviewing Capital Budgeting System Documentation
    (b) Identifying Capital Budgeting Application Key Controls
    (c) Performing Application Tests of Compliance
  19.6 Auditing Applications under Development
    (a) Objectives and Obstacles of Preimplementation Auditing
    (b) Preimplementation Review Objectives
    (c) Preimplementation Review Problems
    (d) Preimplementation Review Procedures
  19.7 Importance of Reviewing IT Application Controls
  Notes

CHAPTER 20 Cybersecurity and Privacy
  IT Network Security Fundamentals
    (a) Security of Data
    (b) Importance of IT Passwords
    (c) Viruses and Malicious Program Code
    (d) Phishing and Other Identity Threats
    (e) IT System Firewalls
    (f) Other Computer Security Issues
  20.2 IT Systems Privacy Concerns
    (a) Data Profiling Privacy Issues
    (b) Online Privacy and E-Commerce Issues
    (c) Radio Frequency Identification
    (d) Absence of U.S. Federal Privacy Protection Laws
  20.3 Auditing IT Security and Privacy
  20.4 Security and Privacy in the Internal Audit Department
    (a) Security and Control for Auditor Computers
    (b) Workpaper Security
    (c) Audit Reports and Privacy
    (d) Internal Audit Security and Privacy Standards and Training
  20.5 PCI-DSS Fundamentals
  20.6 Internal Audit’s Privacy and Cybersecurity Roles
  Notes

CHAPTER 21 Computer-Assisted Audit Tools and Techniques
  21.1 Understanding Computer-Assisted Audit Tools and Techniques
  21.2 Determining the Need for CAATTs
  21.3 CAATT Software Tools
    (a) Types of CAATTs: Generalized Audit Software
    (b) Report Generators Languages
    (c) Desktop and Laptop CAATTs
    (d) Test Data or Test Deck Approaches
    (e) Specialized Audit Test and Analysis Software
    (f) Embedded Audit Procedures
  21.4 Selecting Appropriate CAATT Processes
  21.5 Steps to Building Effective CAATTs
  21.6 Using CAATTs for Audit Evidence

CHAPTER 22 Business Continuity Planning and IT Disaster Recovery
  22.1 IT Disaster and Business Continuity Planning Today
  22.2 Auditing Business Continuity Planning Processes
    (a) Internal Auditor Centralized Data Center BCP Reviews
    (b) Client-Server Continuity Planning Internal Audit Procedures
    (c) Continuity Planning for Desktop and Laptop Applications
  22.3 Building the IT Business Continuity Plan
    (a) Risks, Business Impact Analysis, and the Impact of Potential Emergencies
    (b) Preparing for Possible Contingencies
    (c) Disaster Recovery: Handling the Emergency
    (d) Business Continuity Plan Enterprise Training
  22.4 Business Continuity Planning and Service-Level Agreements
  22.5 Newer Business Continuity Plan Technologies: Data Mirroring Techniques
  22.6 Auditing Business Continuity Plans
  22.7 Business Continuity Planning Going

PART SIX: INTERNAL AUDIT AND ENTERPRISE GOVERNANCE

CHAPTER 23 Board Audit Committee Communications
  23.1 Role of the Audit Committee
  23.2 Audit Committee Organization and Charters
  23.3 Audit Committee’s Financial Expert and Internal Audit
  23.4 Audit Committee Responsibilities for Internal Audit
    (a) Appointment of the Chief Audit Executive
    (b) Approval of Internal Audit Charter
    (c) Approval of Internal Audit Plans and Budgets
    (d) Audit Committee Review and Action on Significant Audit Findings
  23.5 Audit Committee and Its External Auditors
  23.6 Whistleblower Programs and Codes of Conduct
  23.7 Other Audit Committee Roles

CHAPTER 24 Ethics and Whistleblower Programs
  24.1 Enterprise Ethics, Compliance, and Governance
    (a) Ethics First Steps: Developing a Mission Statement
    (b) Understanding the Ethics Risk Environment
    (c) Summarizing Ethics Survey Results: Do We Have a Problem?
  24.2 Enterprise Codes of Conduct
    (a) Code of Conduct Contents: What Should Be the Code’s Message?
    (b) Communications to Stakeholders and Assuring Compliance
    (c) Code Violations and Corrective Actions
    (d) Keeping the Code of Conduct Current
  24.3 Whistleblower and Hotline Functions
    (a) Federal Whistleblower Rules
    (b) SOx Whistleblower Rules and Internal Audit
    (c) Launching an Enterprise Help or Hotline Function
  24.4 Auditing the Enterprise’s Ethics Functions
  24.5 Improving Corporate Governance Practices
  Notes

CHAPTER 25 Fraud Detection and
  Understanding and Recognizing Fraud
  Red Flags: Fraud Detection Signs for Internal Auditors
  Public Accounting’s Role in Fraud Detection
  IIA Standards for Detecting and Investigating Fraud
  Fraud Investigations for Internal Auditors
  Information Technology Fraud Prevention Processes
  Fraud Detection and the Internal Auditor
  Notes

CHAPTER 26 HIPAA, GLBA, and Other Compliance Requirements
  26.1 HIPAA: Healthcare and Much More
    (a) HIPAA Patient Record Privacy Rules
    (b) Cryptography, PKI, and HIPAA Security Requirements
    (c) HIPAA Security Administrative Procedures
    (d) Technical Security Services and Mechanisms
    (e) Going Forward: HIPAA and E-Commerce
  26.2 Gramm-Leach-Bliley Act Internal Audit Rules
    (a) GLBA Financial Privacy Rules
    (b) GLBA Safeguards Rule
    (c) GLBA Pretexting Provisions
  26.3 Other Personal Privacy and Security Legislative Requirements

PART SEVEN: THE PROFESSIONAL INTERNAL AUDITOR

CHAPTER 27 Professional Certifications: CIA, CISA, and More
  27.1 Certified Internal Auditor Responsibilities and Requirements
    (a) The CIA Examination
    (b) Maintaining Your CIA Certification
  27.2 Beyond the CIA: Other IIA Certifications
    (a) CCSA® Requirements
    (b) CGAP® Requirements
    (c) CFSA® Requirements
    (d) Importance of the CIA Specialty Certification Examinations
  27.3 Certified Information Systems Auditor (CISA) Requirements
  27.4 Certified Information Security Manager® Certification
  27.5 Certified Fraud Examiner
  27.6 CISSP Information Systems Security Professional Certification
  27.7 ASQ Internal Audit Certifications
  27.8 Other Internal Auditor Certificati

CHAPTER 28