Brink’s Modern Internal Auditing A Common Body of Knowledge Seventh Edition ROBERT R. MOELLER @ wiley John Wiley & Sons, Inc.Copyright © 2009 John Wiley & Sons, Inc, AIL rights reserved Pulblished by John Wiley & Sons, Ine., Hoboken, New Jersey Published simultancousty in Canada, No patt of this publica form oF by any means, electronic, mechanical, photocopying, eecording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without tither the prior written pemnission of the Publisher, or authorization through payment of the appropriate pet-copy fee to the Copyright Clearance Center, Inc., 222 Royewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-696-8600, oF on the web at www.copyright.com. Requests 10 the Publisher for permission sttould be addressed to the Permissions Department, John Wiley & Sons, Inc,, 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online hutp.//ivww.wiley.com/go/permissions, tion may be reproduced, stored in 4 retrieval system, or transmitted ia sey Limit of Linbitity: Disclaimer of Warranty: While the publisher and author have used their best effoxts in preparing this book, they make no representations oF warratities with respect «0 the ‘curicy oF completeness of the contents of this book and specifically disclaim any anplied satrranties of merchantability or ness for a particular purpose, No warranty may be created or extended by sales representatives or weitten sales materials. The advice and strategies contained herein may not be suitable for your situation, You should consult with # professional where appropriate, Neither the publisher nor author stil be liable for any toss of profit or any other commercial damages, including but not limited fo special, incidental, consequential, or other damages For general information on our other produets and services, oF technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002, Wiley alse publishes its books in a print may not be available jn electronic books, varieey of electronic formats. Some content that appears in For nore intormtion about Wiley products, visit our Web site at hicpy/Awww wiley.com, Library of Congress Cataloging te-Publication Data: Moeller, Rober B. Brink’s modern intemal auuliting : common body of knowledge / Robert Moeller, ~ Tih ed pean. Includes inelex: ISBN 978-0-570.29303-4 (cloth: alk. paper) 1. Auditing, intemal. { ‘Tie, HPS668.25.874 2009 657458422 2008048535 Printed in the United Staies of AmericaContents Preface About the Author PART ONE FOUNDATIONS OF MODERN INTERNAL AUDITING CHAPTER 1 Foundations of Internal Auditing 1.1. Internal Auditing History and Background 1.2. Organization of This Book Note CHAPTER 2. Internal Audit’s Common Body of Knowledge 2.1 What Is a CBOK?: Experiences from Other Professions 2.2. Institute of Internal Auditor's Research Foundation CBOK 2.3. What Does an Internal Auditor Need to Know? 24 Modern Internal Auditing’s CBOK Going Forward Notes PART TWO IMPORTANCE OF INTERNAL CONTROLS CHAPTER 3. Intemal Control Framework: The COSO Standard 3.1 Importance of Effective Internal Controls 3.2. Internal Controls Standards: Background {a) Internal Control Definitions: Foreign Corrupt Practices Act of 1977 (b) PCPA Aftermath: What Happened? 3.3 Events Leading to the Treadway Commission (a) Earlier AIGPA Standards: SAS No. 35 (b) Treadway Committee Report 3.4 COSO Internal Control Framework (@) Control Environment (b) Risk Assessment (©) Control Activities (a) Communications and Information (e) Monitoring xix, xxv 2B 18 19 19 26 28 28 30 30 31 33 39 4a 43 46CHAPTER 4 CHAPTER 5 CHAPTER 6 3.5. Other Dimensions of the COSO Internal Controls Framework 3.6 Internal Audit CBOK Needs Notes Sarbanes-Oxley and Beyond, 4.1 Key Sarbanes-Oxley Act Elements (@) Title 1: Public Company Accounting Oversight Board (b) Tile [f; Auditor Independence (c)_ SOx Title Il: Corporate Responsibility @) Title fV: Enhanced Financial Disclosures (e) Title V: Analyst Conflicts of Interest (Titles VI through X: Fraud Accountability and White-Collar Crime (g) Title XI: Corporate Fraud Accountability 4.2. Performing Section 404 Reviews under AS 5 (a) Section 404 Internal Controls Assessments Today (b) Launching the Section 404 Compliance Review 4.3. AS 5 Rules and Internal Audit 4.4 Impact of the Sarbanes-Oxley Act Notes Another [nternal Controls Framework: CobiT Introduction to CobiT 3.2. CobiT Framework @) CobiT Cube Components: IT Resources (b) CobiT Cube Components Using CobiT to Assess Internal Controls (a) Planning and Enterprise (6) Acquisition and Implementation (©) Delivery and Support @) Monitoring and Evaluation Using CobiT in a SOx Environment biT Assurance Framework Guidance CobiT in Perspective Notes vs Risk Management: COSO ERM 6.1 Risk Management Fundamentals (a) Risk Identification (b) Key Risk Assessments ©) Quantitative Risk Analysi 6.2 COSO ERM: Enterprise Risk Management 63 COSO ERM Key Blements Gd) Internal Environment Component cb) Objective Setting (©) Event Identification o 76 89 90 92 94 4 96 8 100 102 103 lo7 ho. Wi m 113 4 5 us. mI 124 126 127 129 132Contents vii (dc) Risk Assessment (©) Risk Response (D Control Activities (g) Information and Communication ) Types of Audit Evidence VL 7.5. Performing the Internal Audit 172 (a) Internal Audit Fieldwork Initial Procediues 173 (b) Audit Fieldwork Technical Assistance 175 (© Audit Management Fieldwork Monitoring us (@)_ Potential Audit Findings 176 (e) Audit Program and Schedule Modifications 178 (Reporting Preliminary Audit Findings to Management 178 7.6 Wrapping Up the Field Engagement Intemal Audit 179 7.7 Performing an Individual Internal Audit 180 CHAPTER 8 Standards for the Professional Practice of Internal Auditing 183 8.1 Internal Auditing Professional Practice Standards 184 (a) Background of the HA Standards 184vit CHAPTER 9. CHAPTER 10 CHAPTER 11 (b) A's Current Standards: What Has Changed ©) 2009 New Internal Audit Standards Content of the 1A Standards (@)toternal Audit Attribute Stancards (b) Internal Audit Performance Standards. Codes of Ethics: The HA and ISACA Notes ‘Testing, Assessing, and Evaluating Audit Evidence 9. 92 93 9A 95 96 97 98 Gathering Appropriate Audit Evidence Audit Assessment and Evalustion Techniques Internal Audit Juclgmental Sampling Statistical Sampling: An Totroduction (a) Statistical Sampling Concepts (b) Developing a Statistical Sampling Plun () Audit Sampling Approaches Monetary Unit Sampling (a). Selecting the Monetary Unit (b) Performing the Monetary Unit Sampling Test (© Evaluating Monetary Unit Sample Results (@) Monetary Unit Sampling Advantages and Limitations Variables and Stratified Variables Sa Other Audit Sampling Technique: @) Multistage Sampling (b) Replicated Sampling (©) Bayesian Sampling Making Efficient and Effective Use of Audit Sampling Notes npling Audit Programs and Establishing the Audit Universe 104 10.2 10.3, 104 Ww.5 106 Defining the Scope and Objectives of the Internal Audit Universe Assessing Imtecnal Audlit Capabilities and Objectives Audit Universe Time and Resource Limitations Selling” the Audit Universe to the Audit Committee and Management Assembling Audit Programs: Audit Universe Key ‘Components (a) Audit Programm Formats and ‘Their Preparation (b)_ Types of Program Audit Evidence Audit Universe and Program Maintenance Control Self-Assessments and Benchmarking Ma 2 Importance of Control Self- Assessments CSA Model _ Contents 186 187 187 188 it 196, 198 199 199 200 202 204 205 210 214 225 227 228 228 29 232 232 232 233 233 236 247 248 251 252 253 2 5 Sr