Financial Statement Risk Assessment Approach – Qualitative and Quantitative Considerations Guide
This guide outlines the financial statement risk assessment process that is used to prioritize the financial elements and processes for Sarbanes-Oxley Section 404 purposes.
GTAG 17: Auditing IT Governance
This GTAG provides internal auditors, in both the public and private sectors, with the knowledge necessary to fulfill their responsibilities in providing assurance and consulting services for IT governance. The guidance covers the different aspects of governance that should be in place to ensure IT supports the organization’s strategies and objectives, and discusses red flags to look for that might signal this is not the case.
GTAG 2: Change and Patch Management Controls, 2nd Edition
Every “IT risk” creates some degree of business risk, making it important for chief audit executives (CAE) to thoroughly understand IT change and patch management issues. This GTAG discusses these issues in a language that allows CAEs to build confidence in their knowledge of the area and add value to the conversation when communicating with senior management, the board and IT management.
GTAG 1: IT Risk and Controls, 2nd Edition
This GTAG helps chief audit executives (CAE) and their teams keep pace with the ever-changing and sometimes complex world of IT. By providing an overview of IT-related risks and controls written in a reader-friendly style for business executives, rather than the highly technical language, both senior management and the audit committee have an expectation that the internal audit activity will provide assurance around all important risks.
Ann's Advice for Auditors
These articles and tools have been contributed by Ann Butera, the President of The Whole Person Project, a New York-based organizational development consulting firm. Butera provides monthly training materials for auditors on KnowledgeLeader.
Checklist for Planning Audits
Audit planning is one - if not the most - critical step in the audit process. Whether you formally draft and submit the results of your planning efforts, make it a point to follow a consistent approach during this phase of the audit. You will find that the time spent planning will save you time during the rest of the audit.
GTAG 16: Data Analysis Technologies
Because all organizations are impacted by IT in various forms, it is nearly impossible to conduct an effective audit without using technology. This guide aims to help CAEs understand how to move beyond the tried and true methods of manual auditing toward improved data analysis using technology.
ERM Summary Approach – Guide
Identifying, understanding and evaluating the organization’s most significant risk areas will set the foundation for a robust ERM program. This guide outlines an approach to building ERM capabilities that includes the following components: planning, facilitated risk discussion, risk analysis, external verification, management review and gap assessment.
International Internal Auditing Standards
The Standards represent the basic principles of the practice of internal audit. They are intended to provide a framework for internal audit activities, establish the basis for evaluation of internal audit performance, and foster improved organizational processes and operations. The Standards consist of Attribute Standards, Performance Standards, and Implementation Standards and are part of the IIA’s Professional Practices Framework.
Information Asset Classification Guide
The purpose of the information asset classification process is to ensure assets are identified, properly classified and protected throughout their lifecycles. The five phased approach to classification involves: management education, implementation strategy, employee education, implementation and maintenance.
Process and Activity-Level Controls Assessment Guide
The document summarizes the steps needed to assess controls at the process or activity-level. The steps include selecting priority elements, understanding the processes, sourcing risks, documenting key controls, assessing control design, validating control operation and reporting.
Visio Formatting Tips – Guide
This guide is a step-by-step document to create process maps using Microsoft Visio. It starts with explaining how to get started with Visio, basic flowchart shapes, setting favorite stencils, creating backgrounds on new pages as well as to existing ones and how to align, distribute and format various shapes in Visio.
Process Map Fundamentals – Guide
"This presentation addresses how to prepare a process map. It starts with the definition of a process map and then covers detailed steps to create and format this type of document using the Microsoft Visio tool.
An Effective Way to Conduct a Risk Assessment - Guide
There are many ways to conduct a risk assessment. For example, companies may conduct interviews or surveys of key personnel, review key documents, conduct facilitated workshops, perform targeted reviews, or utilize any combination of these options. This guide describes various options to conduct an effective risk assessment.
Global Technology Audit Guide (GTAG) 15: Information Security Governance
Information is a significant component of most organizations’ competitive strategy either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. This guide will provide a thought process to assist the chief audit executive in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organization’s ISG activity delivers the correct behaviors, practices, and execution of information security.
Global Technology Audit Guide (GTAG) 14: Auditing User-developed Applications
Almost every organization uses some form of user-developed applications (UDA) because they can be more easily developed, are less costly to produce, and can typically be changed with relative ease versus programs and reports developed by IT personnel. However, once end users are given freedom to extract, manipulate, summarize, and analyze their UDA data without assistance from IT personnel, end users inherit risks once controlled by IT. These risks include data integrity, availability, and confidentiality. Because management relies on UDAs, which can be a significant part of financial reporting and operational processes, as well as related decision making; the internal auditor must determine and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate.
ERM Concepts, Process and Objectives – Guide
This presentation defines risk management (what it is, and what it is not). It also outlines a five-part risk management framework: Establish the Context, Identify Risks, Anaylze Risks, Evaluate Risks, Treat Risks.
Enterprise Risk Management Education and Awareness Presentation - Guide
The presentation focuses on enterprise risk management (ERM) and how to begin educating an organization on this concept.
Risks in Cloud Based Services: A Primer - Guide
This presentation serves as a guide on cloud computing, providing an overview and various intricacies involved with this process. The benefits, levels, models, obstacles, opportunity and risks are discussed in detail to help the user obtain a clear picture on cloud computing.
Human Resources Glossary of Terms
This glossary contains frequently used terms related to Human Resources and its functions.
ITIL Glossary Terms & Acronyms
ITIL® is a consistent and comprehensive documentation of best practice for IT Service Management. This guide provides definitions to commonly used ITIL acronyms and terms.
Work Papers Guidance - You are as Good as your Work Papers
Work papers are documents produced during an audit engagement. These papers are formally referred to as audit documentation or sometimes as the audit file. The documents serve as a guide to organizing manual audit work papers.
Global Technology Audit Guide (GTAG) 13: Fraud Prevention and Detection in an Automated World
As technology advances, so do schemes to commit fraud. Therefore, technology can be used not only to perpetrate fraud, but also to prevent and detect it. Using technology to implement real-time fraud prevention and detection programs will enable organizations to reduce the cost of fraud by lessening the time from which a fraud is committed to the time it is detected. Considering this, it is crucial that auditors stay ahead of fraudsters in their knowledge of technology and available tools. This GTAG focuses on IT-related fraud risks and risk assessments and how the use of technology can help internal auditors and other key stakeholders within the organization address fraud and fraud risks.
Controls Self-Assessment Program Overview - Training Presentation
Self-assessment is a recognized best practice and has been applied to risks and controls for many years. When systematically applied across the organization at the entity and process levels, self-assessment is a pre-determined approach whereby individuals self-review or self-audit the controls for which they are responsible and communicate the results to appropriate management. The intent of this training document is to assist control owners, process owners and internal audit with implementing and executing the self-assessment process focused on IT controls.
Glossary of Sarbanes-Oxley Section 404 Key Terms
This glossary contains frequently used terms related to the Sarbanes-Oxley Section 404 compliance process. This document includes terms such as: assertions, control gap, ICFR risk, and segregation of duties.
Global Technology Audit Guide (GTAG) 12: Auditing IT Projects
Whether IT projects are developed in house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputation damage. Early involvement by internal auditors can help ensure positive results. Auditing IT Projects from The IIA provides an overview of techniques for effectively engaging with project teams and management to assess IT project risks.
SOX Control Writing and Testing of Operating Effectiveness Guidance
The purpose of this document is to provide guidance when documenting controls by category and testing the operating effectiveness of these controls.
SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.
Oil & Gas Dictionary
This dictionary of industry specific terms is an excellent resource for those working with the Oil and Gas industry.
SOX Testing Methodology Example
This is a SOX Testing Methodology that highlights several aspects of SOX testing including scope, approach and population.
Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan
As technology becomes more integral to the organization’s operations and activities, a major challenge for internal auditors is how to best approach a company-wide assessment of IT risks and controls within the scope of their overall assurance and consulting services. As pointed out in this GTAG, auditors need to understand the organization’s IT environment; the applications and computer operations that are part of the IT infrastructure; how IT applications and operations are managed; and how IT applications and operations link back to the organization.
Global Technology Audit Guide (GTAG) 10: Business Continuity Management
The objective of this GTAG is to provide insight into what BCM means to an organization, how to build a business case, and identify common risks and requirements. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's BCM processes. This guide will also help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
Control Gap Remediation Methodology Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring that there is a remediation plan in place to address control gaps and that remediation progress is monitored. This presentation serves as a guide to train SOX-project teams in identifying control gaps and implementing a remediation action plan.
Global Technology Audit Guide (GTAG) 9: Identity and Access Management
The objective of this GTAG is to provide insight into what IAM means to an organization and to recommend internal audit areas for investigation. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.
Sarbanes-Oxley Section 404 – Guidance for Documenting Test Results
This guide outlines steps to complete when documenting SOX Section 404 test results. The steps specifically describe how to set-up a standard process for referencing work papers, documenting test results, documenting control remediation, and filing work papers. These steps should be modified to reflect each organization’s Section 404 testing process.
Global Technology Audit Guide (GTAG) 8: Auditing Application Controls
This edition of the Global Technology Audit Guide from The IIA provides Chief Audit Executives with information on the role of internal auditors regarding application controls, and how to perform a risk assessment. This guide also includes a list of common application controls, a sample audit plan, and application control review tools.
Risk Assessment Process - Facilitation Tips
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.
Using the New SEC and PCAOB Guidance to Make Section 404 Compliance More Cost-Effective
The purpose of this guide is to provide a brief overview and update related to the May 2007 SEC guidance and PCAOB standard (AS5). The presentation primarily focuses on what companies can do to lead a more cost-effective Sarbanes-Oxley effort. This presentation explores eight key decisions along the Section 404 compliance process which management needs to consider with the objective of aligning the company’s and auditor’s application of a top-down, risk-based approach and maximizing the cost-effectiveness of the process.
Glossary of Inventory-Related Terms
This glossary contains frequently used terms related to the inventory process. This document includes terms such as: activity-based costing, cycle counting, inventory roll-forward, and work order.
Glossary of Commonly Used Acronyms and Terms
This glossary contains frequently used terms related to financial reporting, internal audit, corporate governance, technology, and risk management processes. This document has been updated with terms such as: accrual accounting, accrued expense, accrued income, accrued interest, balance sheet, cash basis, income statement, and statement of cash flow.
Global Technology Audit Guide 7 - Information Technology Outsourcing
This edition of the Global Technology Audit Guide from The IIA provides the chief audit executive (CAE), internal auditors, and management with information on the types of IT outsourcing activities, the IT outsourcing lifecycle, and how outsourcing activities should be managed by implementing well-defined plans that are supported by a companywide risk, control, compliance, and governance framework.
A Guide for Documenting Processes and Controls for Sarbanes-Oxley
This guide is designed to help establish consistent Sarbanes-Oxley documentation standards throughout an organization. It discusses documentation types to use, how to document risks and controls, and follow-up procedures to take after the documentation process is complete.
Sarbanes-Oxley Roles and Responsibilities Guide
The purpose of this guide is to describe example roles and responsibilities the various team members involved in Sarbanes-Oxley (SOX) compliance can take on during the project. Roles and responsibilities are described for: process/control owners, risk control specialists, the Project Management Office (PMO), and the Internal Controls Steering Committee (ICSC).
Remediation Efforts and Needs – SOX Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring control deficiencies are accurately communicated to appropriate personnel and properly tracked. This presentation serves as a guide to train SOX project teams in identifying and communicating deficiencies noted during the testing process.
Sarbanes-Oxley Section 404: Report Testing Methodology
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams in testing reports that are used during the financial reporting process. Note: Testing individual reports is a relatively inefficient manual process and should only be used if General Computer Controls and/or End User Computing Controls do not provide adequate assurance over reports.
Excel in Managing Spreadsheet Risk Presentation
Control over spreadsheets associated with the financial reporting process is an increasing concern for companies. These spreadsheets have achieved an increasingly high profile within regulatory compliance. This presentation serves as a guide to train SOX project teams in testing Section 404 spreadsheet controls and utilizing a spreadsheet control framework.
Information Security: Design, Implementation, Measurement, and Compliance
Tim Layton's new book, Information Security, is a practical guide to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context. Here's Chapter 13, Access Control.
Sarbanes-Oxley 404 Compliance Project Testing Guidelines and Documentation Standards Presentation
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by Internal Audit to lessen the work required by the external auditor.
Global Technology Audit Guide: Managing and Auditing Privacy Risks
This fifth GTAG is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks.
TCM Audit Principles
This “TCM Audit Top 10” represents guiding principles that should be applied to Technology Change Management (TCM) Audits.
Global Technology Audit Guide 4: Management of IT Auditing
This fourth GTAG is designed for CAE and internal audit management personnel who are responsible for overseeing IT audits. The focus of this guide is on providing specific recommendations that a CAE can implement immediately, and to help sort through the strategic issues regarding planning, performing, and reporting on IT audits. Consideration is given to the fundamentals as well as emerging issues.
Ten Best Practices for Enterprise Intrusion Prevention
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution enables you to circumvent the need for analysis to be done before action can be taken to protect the system. In addition, it prevents attacks from doing damage to your operating system, applications and data. This checklist helps you choose the right type of solution for your organization.
Cash Management, Treasury, and Banking Glossary
This glossary contains terms frequently used in cash management, treasury, and banking.
Example IT Control Metrics to Be Considered by Audit Committees
The IT security control metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization’s information security program over time. This guide provides two lists of metrics: The first for board members, and the second to help management implement the information security goals and policies established by the board.
Implementation of a Change Management Policy Presentation
Identifying changes in internal controls is important in streamlining the SOX compliance process, specifically 302 and 404 certifications. When identifying changes in internal controls, it is important to have a change management policy for process owners to follow. This presentation serves as a guide in implementing an internal control change management policy. It addresses the types of changes to manage in this process, documentation requirements, and key tools and reports.
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. This document identifies the most commonly used frameworks.
COSO Guidance for Small Public Companies
This presentation provides a summary of the control approaches for each of the 26 principles that COSO identified in its exposure draft – “Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting.” For each principle, this document offers approaches smaller companies can take to achieve the primary objective. Example approaches include leading by example, fraud risk assessments, and setting accountability.
How to Standardize Documentation for Internal Controls
As your Sarbanes-Oxley project moves towards a process approach, it is important to standardize the documentation of internal controls. The presentation serves as a guide in achieving standardization. It addresses what to document, how to do it, and to what extent. In addition, this presentation is a useful too when training employees on documentation standards.
Auditing Network Security – Common Findings
This multi-part guide details the steps required to ensure that your network is secure. This fifth and final part identifies typical findings resulting from a review or audit of network security.
Auditing Network Security – Assessment Resources
This multi-part guide details the steps required to ensure that your network is secure. This fourth part identifies web sites and tools that are likely to provide useful resources.
Auditing Network Security – Review Methodologies
This multi-part guide details the steps required to ensure that your network is secure. This third part discusses the various methodologies involved in the review/audit process.
Auditing Network Security - Part 2
This multi-part guide details the steps required to ensure that your network is secure. This second part of five provides more detail regarding determining what should be included in a review or audit.
Auditing Network Security – Securing a Network
This multi-part guide details the steps required to ensure that your network is secure. This first part discusses the overall approach to reviewing/auditing the existing security.
Using Risk Management Frameworks
This presentation defines and describes various types of internal controls. Then it reviews control frameworks including COSO, COSO ERM, and COBIT. Finally, it describes the elements and implementation of an enterprise risk management solution.
Audit Committee Briefing – Internal Audit Standards:
Commonly, and in best-practice organizations, internal auditing has a direct reporting line to the audit committee. This publication explains how internal audit activities that adhere to the Standards and Code of Ethics can help audit committees comply with their own charters and regulatory responsibilities. In addition, this briefing provides guidelines for the relationship between audit committees and internal auditors.
Global Technology Audit Guide 3 - Continuous Auditing
This third Global Technology Audit Guide from The Institute of Internal Auditors helps identify what must be done to make effective use of technology in support of continuous auditing, and highlights areas that require further attention. By following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments.
Internal Audit Key Performance Indicators
With the passage of SOX, audit committees and management are responsible for implementing an effective risk monitoring process. This involves identifying and performing ongoing monitoring of key performance indicators. To help audit committees and management facilitate this process, The Institute of Internal Auditors – UK and Ireland published this guidance on key performance indicators to monitor.
Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence to the marketplace. This checklist provides a list of various different fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.
Top Ten Practical Tips for Surviving and Thriving with SOX
Recent guidance from the SEC and PCAOB brought forth key points to consider in your SOX approach. In addition, lessons learned from accelerated filers provide insight into challenges and successes for ongoing SOX compliance. This presentation offers ten tips for surviving SOX along with steps to execute each tip to move towards a successful compliance process.
Control Objectives and Activities for a Generic Business Enterprise
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for business activities identified in the ‘Value Chain’ model of a generic business enterprise. The activities are sub-divided into different levels, depending on their positions in the model.
GLB Suggested Audit Approach
This Gramm-Leach-Bliley compliance approach generally segments into the following phases: requirements identification, risk analysis, assessment of current environment, gap analysis, recommendations for improvement and implementation. This methodology can be used in an iterative fashion or tailored to each company’s unique compliance requirements.
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Section 302 and 404. This presentation reviews the SOX scope determining process, resources, and timing of testing. In addition, it discusses the important of this integration process and offers concrete ideas for integrating the compliance process.
Internal Control: Guidance for Directors on the Combined Code
The Combined Code of Corporate Governance challenged directors of listed companies to raise their game on business risk management. To help companies respond, in 1999 the Institute of Chartered Accountants of England and Wales's (ICAEW) Internal Control Working Party chaired by Nigel Turnbull, published Internal Control: Guidance for Directors on the Combined Code ("the Turnbull report"). The Turnbull guidance was updated on October 2005.
SOX Auditor Walkthrough Presentation - Guide
In an SOX review, external auditors are required to perform at least one walkthrough for each significant transaction class at the company. This training presentation was created to help prepare company personnel for audit walkthroughs and to provide tips and suggestions. The presentation covers questions to expect from the auditor and example responses to these questions by different company departments.
Best Practices in Ethics Hotlines:
For many years, companies have been using hotlines to detect theft and fraud with great success. But until recently, some companies still considered them a luxury rather than a necessity. With the introduction of the Sarbanes-Oxley Act, lawmakers have further validated the need for this reporting mechanism. This paper by The Network, Inc. discusses best practice techniques for developing an effective ethics hotline program by examining three critical stages: planning a successful hotline program, communicating to stakeholders about the hotline, and reacting to hotline tips.
Sarbanes-Oxley Walkthrough Guidance for General IT Controls
Process walkthroughs are an important part of Sarbanes-Oxley compliance projects. They provide the opportunity to validate the steps necessary to complete a process and view the control environment of a process. This presentation describes the goal of performing a process walkthrough and steps to take during the walkthrough process.
Make sure Santa fraud stays away this holiday season!
Employees tend to have their eyes off the ball during the holiday season. Festive spirit and the extended holiday period provide an opportunity for fraudsters to strike. This article developed by Protiviti’s fraud experts in the U.K. provides 24 tips for a fraud free holiday.
Qualcomm Inc. – 2004 Form 10K
Many subscribers have been waiting to see what a Section 404 internal control report and the accompanying auditor attestation looks like. The wait is over. QUALCOMM, Inc. is a company involved in developing Code Division Multiple Access (CDMA), which is one of the three technologies instrumental in digital wireless communication networks. With a September year-end, QUALCOMM has elected to early adopt Section 404. The company has incorporated the Section 404 reporting requirements in its 2004 10-K. Protiviti’s Jim DeLoach directs readers to some of the important items the 10-K.
Ten Best Practices for Internal Audit Reporting
Despite the tools and technologies we have today for audit tracking and reporting, internal audit teams are still confronted with the challenge of figuring out what to say and how to say it. The purpose of this guide is to help teams effectively communicate with their clients and build stronger customer relationships through proper internal audit reporting.
Safeguard Your Contract Negotiation
This guide from SoftResources has helpful information and best practices for the software contract review and negotiation process. The primer provides an overview of contract types, components of a maintenance agreement, tips for addressing implementation and training services and a suggested contract review process.
IT Control Best Practices, Part 2 – Application Specific
This is Part 2 of a document created to identify leading practices for auditing IT controls. The presentation addresses risk objectives and control points, and notes recommended parameters and minimum settings for Windows 2000 and Sun Solaris as well as several email, network and database applications.
The Changing Role of the Internal Auditor
This presentation describes the development of internal auditing and the new forces and legislation impacting the profession. It describes today as the "age of continuous auditing" and looks toward the possibilities for the internal auditor of the future. This insider’s view was presented at the National Convention of Beta Alpha Psi – an international student organization that promotes the study and practice of accounting, finance and information systems.
Payroll Compliance Auditing
Because the payroll function is governed by numerous and complex laws and regulations at both federal and state levels, traditional annual financial cycle reviews do not even come close to covering the major risks in this fundamental and vital area. Noncompliance with requirements, however, can have far-reaching implications under the Federal Sentencing Guidelines and Sarbanes-Oxley Act as well as significant financial consequences from penalties, back-pay awards and additional tax assessments. This article highlights some of the critical areas that internal audit should consider reviewing for compliance.
IT Control Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
An Overview of COSO
This COSO training presentation from Protiviti provides an introduction to the Internal Control -- Integrated Framework, including the definition of internal control, the three objectives and five components of the framework, entity and activity level assessments, and limitations on internal control.
Common Fraud Scenarios
This document provides illustrations of different types of frauds and how such frauds could be perpetrated -- including fraudulent financial reporting, misappropriation of assets, improper expenditures, and tax fraud. The purpose is to assist those responsible for conducting a fraud risk assessment in accordance with the requirements of Section 404 of Sarbanes-Oxley Act.
Overcoming the Common Misconceptions about Internal Audit
In this column, Ann describes a fraud situation that illustrates what happens when management and the auditor’s roles are fundamentally misunderstood and executed poorly. She then clarifies the definition and role of internal audit and explains elements of a risk management education program to help organizations ovecome myths surrounding the role of internal audit.
Sarbanes-Oxley and ITIL
This presentation discusses the importance of IT in relation to the Sarbanes-Oxley Act (SOA), and provides insights into how the best practice guidelines for service management described in the IT Infrastructure Library (ITIL) can help.
Process Documentation Narrative and Flow Chart Guide
This guide describes techniques for documenting processes and includes a checklist for developing process maps and incorporating risk and controls information within a process map. There is also a process map example.
Is Your Company’s Control Environment Sarbanes Compliant?
Ann breaks down the significant components of the PCAOB’s Audit Standard No. 2 and provides practical insight on monitoring the control environment and developing a corporate culture with effective controls. She includes a short list of questions to help you assess your organization’s control environment.
Assessing Organizational Culture –
When the Committee of Sponsoring Organization’s (COSO) published the Integrated Framework of Control in 1992, this model underscored the importance of organizational culture in the establishment of sound internal control practices. In this column, Ann looks at organizational culture and describes four cultural prototypes, along with eight areas to focus on during an audit to diagnose an organizational culture.
Overcoming the Three Challenges of Audit Leadership
In today’s competitive business climate auditors at all levels need to display leadership skills within their organization, not just within the audit department. These skills are essential if auditors are to produce valued results and bring about the desired change within their organization’s internal control system and environment. In this month’s column, Ann describes three leadership challenges that face auditors, and offers advice on how to overcome them.
Control Objectives and Activities Process Product Costs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Product Costs.’
Control Objectives and Activities Process Payroll
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Payroll’, one of the sub-activities of Manage Finance.
Redefining The Role of Internal Audit in a Post Sarbanes World
In this month’s column, Ann discusses whether and how the internal auditor’s role will be permanently changed by their company’s Sarbanes-Oxley initiatives. She says that while the internal audit mission will not change, the manifestation of the mission – the specific services and activities performed by the department – may change. She analyzes some of the factors that will affect change and the new internal audit responsibilities that will likely result. This is a moment of great opportunity for internal audit.
Control Objectives and Activities: Process Benefits
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Benefits and Retiree Information’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
E-commerce Security Best Practice Guidelines
These guidelines describe a number of best practices related to E-commerce security. In each case, the risk of not implementing the practice is identified.
Process Fixed Assets, Analyze and Reconcile
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Fixed Assets, Analyze and Reconcile’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Plan & Provide Admin Svcs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities relating to Planning and Providing Administrative Services.
Firewall Security Best Practice Guidelines
These guidelines describe a number of best practices related to firewall security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities: Process Funds
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Process AP and AR
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Network Security Best Practice Guidelines
These guidelines describe a number of best practices related to network security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities:
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Tax Compliance’ and ‘Provide Financial and Management Reporting’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage Risks & Legal Affairs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Manage Risks’ and ‘Manage Legal Affairs’, two of sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage IT
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage Information Technology activities. This is a sub-activity of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage the Enterprise
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage the Enterprise and Manage External Relations Activities, two of sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Process Mapping – The Updated Form of Flowcharting
This is a detailed 'How To' guide for process mapping. Ann describes how to use this powerful tool in Sarbanes-Oxley Section 404 compliance. Process mapping is a key documentation approach that can help all personnel to develop a common understanding of controls. Examples of different control and process maps are included in the appendices.
COSO Element – Risk Assessment: A Presentation
Risk assessment is one of the five components of the COSO Internal Control Framework. This presentation was developed as part of a training seminar on COSO. It defines risk assessment and then walks through concepts from objective setting to risk identification, risk analysis, and risk assessment evaluation.
Control Objectives and Activities - Human Resource Management
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Human Resources Management Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
Control Objectives and Activities: Technology Development
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Technology Development Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Procurement
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities related to Procurement Activities. These are sub-activities of Administration, which is one of the four generic infrastructure activities identified in the ‘Value Chain’ model of a business enterprise.
Money Laundering Red Flags
One of the keys to being able to identify money laundering is understanding the sorts of actions and patterns of transactions - the red flags - that may indicate illegal behavior. The following is a sample list of red flags that may be applicable to different types of transaction activity and businesses.
Control Objectives and Activities: Service
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Service Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities - Marketing and Sales
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Marketing and Sales Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Outbound Logistics
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Outbound Logistics Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Operations
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Operations, the second of the five primary generic business activity areas identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Inbound Logistics
This COSO-based guide provides a list of control objectives, potential risks, and points-of-control for inbound logistics activities – one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
SOA and NYSE Web Disclosure Guidelines
Several Sarbanes-Oxley and related SEC/NYSE mandates require posting of governance information to a corporate website for public access. This guide will highlight a few key areas auditors and financial reporting professionals should be aware of concerning web posting and summarize a few key elements of dealing with entity postings.
IT Risks in the Context of SOA 404 Compliance
This online seminar, broadcast Wednesday, October 15, 2003 addressed IT risks in the context of Section 404 of the Sarbanes-Oxley Act of 2002. The associated presentation includes additional materials related to general IT process risks and controls, and IT risks and controls at the process level.
Audit Sampling: A Practice Guide
An understanding of audit sampling techniques can help an audit professional properly select test sample sizes and develop a conclusion for various audit tasks. This guide describes basic sampling concepts, provides guidance on developing a sampling plan, and reviews the common approaches of audit sampling.
Time is Running Out for Sarbanes Section 404 Compliance:
If your organization has not started Sarbanes-Oxley compliance efforts then Ann’s eight practical tips for overcoming common challenges is a must-read. This month’s column supplies advice for any enterprise on dealing with the organizational challenges that these project present. Executive sponsorship, accountability, and a dedicated communications infrastructure are key.
Sarbanes-Oxley Public Disclosure Summary
This presentation summarizes public disclosure requirements for Sarbanes-Oxley by section including basic descriptions, rule status or effective date, and related required disclosures. Some applicable SEC Release disclosure items are also included.
Complaint Procedure for Accounting and Auditing
Section 301 of the Sarbanes-Oxley Act requires Audit Committees to create a complaint procedure related to accounting, internal controls, or audit matters, and stipulates several required attributes of a complaint handling procedure. This guide assists with the process of developing a complaint procedure.
Facilitation Techniques: Handling Difficult People
This guide reviews six roles that hinder a group's progress and impact the group's process. It also looks at methods a facilitator can use to overcome these problems.
Sarbanes-Oxley: Strategies for Complying with Section 404
This presentation provides an overview of the final SOA Section 404 rules. It also discusses what companies are doing to comply and why, the options for compliance and the related pros and cons, and why companies should undertake compliance activities now despite the extended deadline provided by the SEC.
COSO Framework Description
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This guide provides a brief description of the COSO framework.
COSO Overview Presentation
This presentation explains the key parts of the COSO Internal Control Framework, in particular the objectives and components of COSO. It also defines and explains ‘internal control,’ ‘internal control deficiency,’ and ‘material weakness’ based on COSO.
Overview of the OIG Compliance Program Guidance
This guidance applies to companies that develop, manufacture, market, and sell pharmaceutical drugs or biological products, and is intended to assist these companies in implementing internal controls to ensure compliance with applicable laws and requirements of the federal health care program. This summary outlines the seven elements of an effective compliance program.
Lessons from the School of Hard Knocks
Ann presents a third Sarbanes-Oxley article to assist project teams. She recently led Sarbanes-Oxley 404 compliance training sessions for line managers and analyzes the factors that can make the compliance process work smoothly. She suggests six success factors for overcoming line management resistance to the compliance process.
Information Systems Security Organization Planning Guide
This guide is intended to help companies prepare recommendations for the structure of an information systems security organization, including functional requirements and responsibilities, and staffing options to fulfill those responsibilities. The guide includes an outline of functional responsibilities, staffing options, and comments on the impact of training and other costs.
Developing an Effective Code of Conduct
As many organizations already understand, a formal, written code of conduct is critical in order to transform ethical behavior into something more tangible for employees. Such a code is now a requirement for public companies, as mandated by the Sarbanes-Oxley Act and by the listing requirements of major stock exchanges. Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. This article describes the elements of a successful code and lists ethics warning signs to watch for.
Refining the Plan for SOA Attestation Compliance
Ann provides practical advice in light of the SEC’s final rules regarding SOA issued on June 6, 2003. She comments on the scope of the attestation process, selecting a framework, and using consultative resources to assist through the compliance process.
Managed Care Rebate and Wholesaler Chargeback Audits
Because the base price of pharmaceutical products is established by regulation, the pharmaceutical industry has had to offer a number of creative incentives to customers in order to obtain market share and build a loyal customer base. Many manufacturers use rebate and chargeback programs - which often have complex contracts and provisions. The purpose of this article is to provide an overview of pharmaceutical rebate and chargeback programs, and to describe recommended processes, steps and considerations for auditing these contracts. The author, David Ross, is the chair of Protiviti’s national Healthcare and Life Sciences industry taskforce.
Wireless Networking Glossary
This short glossary contains terms frequently used to describe wireless networking.
HIPAA Gap Analysis Summary
This guide contains tables summarizing the different HIPAA security standards, and illustrates the different types of security policies that apply to each. The tables can be used to determine what security policies are needed within your organization to adequately address and comply with HIPAA regulations.
Making Sarbanes-Oxley Compliance Easier
Considering the importance of strong governance to all organizations and the complexity of related Sarbanes-Oxley compliance efforts, Ann’s practical advice is both timely and helpful. First, Ann points out several factors that differentiate organizations’ readiness for SOA compliance: culture, industry, and internal control infrastructure. Next, Ann describes practical actions that will ease compliance implementation programs.
Assessing Risks and Internal Controls: A Training Presentation
As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. This presentation was developed to help with this training activity.
Internal Audit Reporting: Impact and Clarity: Guide and Example
Effective Internal Audit reports and communications are a critical aspect of the audit process. Strong reporting is more than just appearance, and should be a reflection of the audit approach, performance, and organizational governance objectives. This guide provides practical advice for audit reporting, and includes an example report to the Audit Committee.
Ethics Program Best Practices
An effective ethics program serves as a basis for policy making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics program.
Achieving Effective Board Performance
In this month's column, Ann describes the hallmarks of effective Boards of Directors. She provides a list of six specific actions that internal auditors can take to promote increased board effectiveness.
Sarbanes-Oxley Section 404 Committees: A Guide
This guide describes the composition, function and operating style of an SOA Section 404 Compliance Steering Committee, and the interrelationship between a Steering Committee and a Disclosure Committee. It addresses the scope, membership, and interaction of these committees.
Finance Function Resource Assessment Guide
Internal auditors can use this guide to help perform and document a resource assessment of the company’s financial functions. The purpose of such a review is to assess these functions from a people, process, and technology perspective in performance of their "business as usual" job functions.
Security Awareness Program Components
This guide discusses some components that should be included in a security awareness program, including policies, communication methods, and topics for ongoing communications with systems users.
Internal Audit’s Role: A Summary for the Board of Directors - Guide
This summary presents an overview of the role of the Internal Audit department to the Board of Directors. It informs the Board about the definition of internal audit and internal control, and briefly describes what auditors do and who is involved in the work. This example also includes a brief overview of the projects on which the audit department intends to focus.
Wireless Security Policies: Overlooked Issues
Corporate security policies must be in place to address the unique risks of wireless technologies. The following guide contains a list of commonly overlooked issues in organizational security policies.
Ways to Promote Positive Change in Your Audit Department
In this month's column, Ann details seven actions to take to promote change within your audit department. Before internal audit can effectively promote change in their organization, they need to be able to embrace it for themselves. Ann describes common behavioral attributes of auditors that are helpful in understanding how and why some auditors resist change.
Travel Safety Guidelines
When planning a business trip there are some basic steps that will help to avoid travel risks and prepare for threatening situations. This guide contains suggestions for travel planning and personal safety, and links to related resources.
British Standard 7799 (ISO 17799)
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.
Wireless Security: Best Practices
This guide provides recommendations for wireless security best practices in the areas of: Policies and Procedures; Network Architecture; Device Configuration; and Assessment.
Wireless Discovery Tools: A Guide
This guide is intended to help with the selection of hardware and software tools to be used during wireless network penetration tests, or in other tests of wireless network security issues.
Six Actions for Better Time Estimates
Ann provides practical advice on the importance of time management, how to avoid common audit time estimating pit-falls, and six actions to be taken for effective (and constantly improving) estimations. Following these six guidelines will assist all levels of audit personnel to be more effective professionals -- and may improve audit cycles.
Four Tactics for Making New Year Resolutions that Get Results
New Year’s resolutions, especially those regarding our own professional development, have a tendency to fade. Ann presents some practical advice and concrete professional development examples that will assist an internal auditor in becoming a more action oriented and valued professional. These include: Four ways to make solid resolutions and stick to them.
Business Continuity Management Standards - A Side-by-Side Comparison
An increasing number of regulations and standards apply to Business Continuity Management. After studying and comparing the various BCM guidelines, Protiviti has identified common themes and best practices that will help in the implementation of a successful BCM process. This guide is our list of BCM standards and the associated agencies that advocate each best practice.
Effective Policy Management in an Age of Corporate Crisis
Policy Management describes the activities necessary to document a company's rules, illustrate how specific situations should be handled, and communicate this information to employees. While this may appear to be a basic concept, management, audit committees, and auditors are waking up to the fact that their companies have been operating in spite of a significant lack of clear company policies. This white paper describes the 10 Steps to Effective Policy Management.
Proposed New York Stock Exchange rules will require listed companies to adopt formal Governance Guidelines within six months after the SEC approves the proposed rules. Since the general topic of Governance Guidelines may be somewhat unfamiliar to many people, the law firm of O’Melveny & Myers LLP prepared and contributed these frequently asked questions.
Rigorous Business Impact Analysis Using Facilitated Methods
This presentation describes a particular methodology for conduction a Business Impact Analysis (BIA). The BIA is the careful study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations.
Ann's Advice for Auditors: Auditing a New Process?
In this column Ann provides some practical advice to consider when approaching an area to be audited that may be unfamiliar. In fact, principles such as follow the money, focus on high risk, and locate evidence are worthwhile during any audit -- particularly if audit tests have raised unanswered questions. Ann also offers some additional ‘short cuts’ to deciding where controls should be.
Tips for hiring a Chief Audit Executive
The IIA believes in and promotes the CAE’s role in providing advice, counsel, and opinions regarding the organization’s efficiency and effectiveness in risk management, corporate governance, and internal control. This article from Tone at the Top, published by the Institute of Internal Auditors, outlines the role of the chief audit executive, the qualifications one should have, personal skills, and the selection process.
COSO Implementation: A Risk-Based Approach
This presentation links the Protiviti Risk Model to the COSO framework, and can be used by companies who are implementing COSO concepts.
Self Assessment: Three Levels of Activities
Self Assessments are performed by company personnel/process owners who are held accountable for executing, monitoring and improving the business process in question.
Managing Customer Service: Good Practices
This list is a summary of good practices and suggestions for managing customer service, based on personal experience and observation.
Cost Management Primer
This guide provides an overview of Activity-Based Management (ABM), a useful but sometimes overlooked cost management technique that allows companies to determine not only accurate costs, but also the costs of alternative actions.
Travel Safety Guidelines: International
Business travelers can use this guide both before and during an international trip. The safety tips are broken into sections: Before you go, At the airport/train station, Hotel safety, Upon arrival, Getting around town, Personal conduct, and Security contact information.
Audit Committee Activities and Schedule
The audit committee is a committee of the board of directors. This guide describes the general and as-needed activities of an audit committee and provides a schedule of activities that should be addressed in quarterly meetings.
Fraud: Internal Audit's Role in Detection and Prevention
This presentation discusses the fundamentals of fraud and the role of internal audit in detection and prevention of fraud.
Unleashing Creativity in Your Audits
Creative thinking during audits is more important now than ever before. Your internal clients want cost-effective and efficient controls as they race to reduce operating costs and improve net operating income. Tap your creativity and you will be able to meet this challenge.
Data Processing Control: Guide to Effective Practices
This guide provides descriptions of effective data processing control practices. It includes major control areas from design principles to file controls to trouble symptoms, and lists specific practices and their descriptions under each area.
Techniques for Overcoming Client Objections
While objections sound like negatives, they are actually disguised buying signals. Objections are your customer's way of opening up to you and really getting to the bottom of what is needed in a suitable corrective action plan. By encouraging the customer to voice such objections, you can quickly assess your customer's whole package of needs, and turn each objection into a benefit your findings and recommendations can offer.
Facilitation Techniques: Generating ideas through brainstorming
This guide suggests alternative methods you can use to conduct a group brainstorming session.
Facilitation Techniques: Managing meeting discussion flow
Use this guide when facilitating discussions, to help you keep all participants working on the same content and using the same processes at the same time.
Facilitation Techniques: Building Agreements
This guide shows how successful facilitators find that consensus is more easily accomplished through a series of tiny agreements along the way on what to do and how to do it.
Facilitation Techniques: Creating process awareness
As a facilitator of a meeting, it is important to make your participants aware of your process, that is, how you are going to achieve the purpose of your meeting. Use this guide to create process awareness during your meeting.
Facilitation Techniques: Meeting purpose statement
This guide will help you to develop an effective meeting purpose statement, in order to gain commitment from your participants in a facilitated workshop.
Financial Ratio Analysis Guide
This guide describes several types of ratios and calculations that can be used in conjunction with Ratio Analytical Techniques.
Data Collection Interviewing Techniques
This guide provides techniques for organizing and planning interviews, setting a good interview climate and posing questions, and collecting and verifying accurate information. It also suggests 'red flags' to watch out for, and special guidelines for telephone interviews.
Unhealthy Organizations: Fifty More Signs
This is the second of two guides, each of which identify fifty signs of an unhealthy organization. These guides can be used to help identify and understand symptoms of deeper organizational problems.
Protecting Intellectual Property Assets: Guidelines
These guidelines present some considerations for internal auditors looking to evaluate, review and protect IP assets.
Unhealthy Organizations: Fifty Signs
This guide identifies fifty general signs of an unhealthy organization. The guide can be used to understand where future problems may arise.
Analytical Review for Internal Auditors
This review is a guide to four major types of analytical tools and their methods: trend analysis, benchmarking, ratio analysis, and modeling.
Internal Controls and Shareholder Value
An effective system of internal controls forms one of the keystones necessary to building, maintaining and improving shareholder value. This presentation can be used as a training piece describing what internal controls are, why they are important, and how they relate to shareholder or stakeholder value.
Laptop Computer Security: Loss Prevention Techniques
Good laptop security policies and policy education will not only reduce the expense of replacing computers, but will help to protect valuable intellectual assets as well. This guide can be used to assist in the development of loss prevention and security policies, and associated monitoring activities.
Initial Public Offerings: A Guide
This guide summarizes the rules and procedures essential to the process of public ownership though the initial public offering (IPO). It is intended to guide you though the necessary research and analysis.
Generally Accepted Systems Security Principles (GASSP)
This guide provides an overview of the Generally Accepted Systems Security Principles (GASSP), which comprise a comprehensive hierarchy of guidance for security of information and supporting technology.
This guide provides a high-level overview of SysTrust, an assurance service designed to increase the comfort of management, customers, and business partners with the systems that support a business or a particular activity.
Managing Security of Information: Guidelines
This guidance from the International Federation of Accountants (IFAC) identifies core principles of information security and an implementation approach.
Security of Information Systems: OECD Guidelines
These guidelines provide a foundation from which countries and the private sector, acting singly and in concert, may construct a framework for security of information systems.
Business Plan Preparation Guide
This is a comprehensive guide preparing a business plan. With useful commentary, visuals, and "Ask yourself" questions, this guide will help you create a well thought out and attention grabbing business plan.
Employee Retention Program Customization Guide
The ability to retain talent can dramatically impact an organization's competitive position. This presentation describes the characteristics of the 'new' workforce and some causes of employee turnover. It suggests best practice approaches and then walks through a step-by-step process for designing and implementing a retention strategy.
Online Banking:- Services, Risks, and Controls
This guide describes the background behind internet/online banking, its historical and expected growth rates, and gives definitions of many terms and products associated with the internet and online banking.
Interviewing Essentials Guide
This guide can help audit groups develop training courses for auditors inexperienced in the art and skill of interviewing. It also provides a refresher to more experienced auditors.
Human Resources Risk Management Guide
This short guide helps define human resources risk, and identify the major HR processes and sub-processes where risks occur.
Common Frauds: By Business Process
This guide identifies common forms of fraud that can occur in most companies.
CAAT (Computer Assisted Auditing Technique) Tests
Computer Assisted Auditing Techniques provide a new approach to audit tests, replacing tests that would have been performed manually by the internal audit team.
IT Review Discussion Guidelines for an IA QAR
This guide can be used by a Quality Assurance Review (QAR) team as a guide to reviewing overall Internal Audit coverage for IT).
Work Program Guide: Sample Audit Administration Steps
This guide contains sample work program steps for the administration of a typical audit.
Work Program Guide: Sample Audit Fieldwork Steps
This guide contains sample work program steps for a typical audit.
Turnbull Report - A Best Practices Guide
Publication of the Internal Control Working Party's recommendations on the Combined Code ('Turnbull Report') presents businesses with an opportunity. For the first time, the link between risk management and improved business performance is being acknowledged by governance regulations.
Budgeting Best Practice Presentation
This presentation goes through one of business' most time consuming financial processes, budgeting. It describes at a high level the best practice steps that most companies should consider implementing in the budgeting process, with the goal of linking it to corporate strategy.
Fraud Prevention/Detection: Top Ten Tips for Audit Committees
This guide contains a list of the top ten fraud prevention tips
Cooking the Books: Common Schemes, Warning Signs, and Methods
"Cooking the books" may occur at one or multiple points throughout a company's information flow. A solid grasp of how data from business is captured will improve the internal audit team's ability to recognize the schemes, warning signs, and methods identified in this guide.
Business Continuity Practitioners: Standards of Competence
This guide specifies the ten certification standards for business continuity practitioners as defined by the Business Continuity Institute (BCI).
IT Related Business Risks: Definitions
This guide contains definitions of specific business risks that relate to IT.
Process Mapping Guidelines: Flowcharting
This guide provides definitions of flowcharting symbols, specific guidelines to aid in preparing a clear, easy to read flowchart, and descriptions of useful flowchart additions.
Fraud Detection - Scenarios & Tests by Process
This guide provides examples of fraud, and analytical procedures used to detect them in six areas.
Responding to Audit Committee Responsibilities: Best Practices
This guide provides an overview of what typically encompass the most common audit committee responsibilities, together with "Best Practices" related to carrying out these responsibilities.
Comparison of Reconciliation Systems
This matrix can be used to evaluate different types of account reconciliation systems, based on their functionality and based on some best practice criteria.
Self Assessment: Beginning and Beyond
This guide shows how to get started with self assessment, and includes suggestions for other advanced uses of this approach
Facilitated Sessions: The Participant's Roles
This guide describes the role of the facilitator, co-facilitator and content expert in a risk self assessment session.
Self Assessment Meeting Technologies
This guide presents two types of computer-based techniques which are helpful in conducting self assessment meetings.
Self Assessment Agenda Guide: Why, What, How, When
All self assessment meetings have four common elements. This tool describes these elements and how they can be combined to create an effective agenda for a self assessment meeting.
Self Assessment Questionnaires: Guide to Development
This guide provides a framework for developing a self assessment questionnaire.
Multiple Risk Assessment Meetings: Results Analysis Guide
A guide to combining the results of multiple self-assessment meetings for a process owner into easily-accessed and understandable information.
Computer Voting Methods Guidelines
This guide discusses some types of votes and issues to consider when using automated voting techniques.
Interviewing to Understand a Process
This guide provides an auditor with a starting point for generating and customizing interview questions to aid in understanding a process.
Internal Audit Report Writing Guidelines
These guidelines provide suggestions on the internal audit report writing process, including suggestions about format, content, and style.
Audit Exit Meeting Guidelines
These guidelines contain helpful hints and ideas for conducting a smooth and effective exit meeting.
Audit Tests: Types, Advantages, & Disadvantages
This guide compares fifteen types of tests that can be used to analyze a process during an internal audit assignment.
Information Security: Ten Myths
Commonly held but incorrect beliefs about information security.
Treasury Settlement Best Practices
This guide lists select best practices for activities surrounding treasury settlement within a financial services institution.
Transactional Flowchart: Guidelines & Examples
Use this guide to create a Transactional Flowchart, which depicts all the activities in a process from beginning to end.
Prioritizing Using the N/3 Technique
This guide describes N/3, a technique that can be used during a meeting to prioritize a list of brainstormed ideas. Participants choose their top three ideas, placing equal weight on each item. When the votes are tallied, a rank order is established based on the number of votes received.
Procurement Card Programs: Guide to Internal Controls
This guide describes how by implementing an effective internal control structure, a procurement card program can serve its intended use without creating unmitigated risks, thereby increasing operating efficiency and cost savings for the company.
Performance Measures: Guide to Do's and Don'ts
This guide identifies twelve common problems with individual or group performance measures. During a review of performance measures this guide can alert an internal auditor about potential problems to watch out for.
Presentation Pointers Guide
This guide provides tips that help the internal auditor give a smooth, professional oral presentation. The tips cover planning, speaking style and use of visual aids.
Physical Security Audit for Information Systems: Guidelines
This guide suggests controls for the physical security of information technology and systems related to information processing
SWOT Analysis Guide
A SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is a structured group technique useful in identifying the internal and external forces that drive an organization's competitive position in the market. This guide describes how to perform a SWOT analysis.
Stop/Start/Continue Technique: Guide to Use
Stop/Start/Continue is a technique for generating ideas, solving problems, and negotiating behavior changes between two groups, individuals, or departments.
Risk Considerations Checklist
This checklist draws attention to 17 factors that should be considered prior to assessing risk at the process level.
Network Security Attacks: Guide to Reducing Exposure
There is no way to totally prevent all security-related exposures -- but there are ways to monitor and quickly respond to these events to reduce the exposures. This guide summarizes some steps that companies should take to assess how well prepared their organization is to address these issues.
Process Overview Form: Guide and Example
This form summarizes vital information about a process: mission, inputs, outputs, departments involved and performance measures. This guide contains instructions for using the form.
Process Description Chart: Guide and Example
A Process Description Chart summarizes, classifies and measures activities within a process to determine their value. This guide shows how to complete one.
Recruiting Tips for Internal Auditors
This guide contains suggestions that can help with finding and retaining good internal audit candidates, despite a labor market that has made the recruitment of internal auditors more challenging.
Prioritizing Using the Nominal Group Technique
This guide describes the nominal group technique, which can be used during a group meeting or brainstorming session. It allows a group to rank a list of options or ideas in order of importance.
This guide helps an interviewer to prepare for, conduct, and document an interview. Although the example questions are tailored to internal audit, this tool applies to all types of interviews.
Organizational Performance Measurement Presentation
This presentation outlines some objectives for and benefits of measuring organizational performance, and includes performance measurement examples from seven companies.
Internal Audit Competency Model and Assessment Guide
This guide suggests competency objectives for internal auditors at junior, intermediate, and senior levels. The competency model sets expectations about the types and levels of skills that all internal auditors within a department are expected to possess.
Fraud Detection: Red Flags
This guide lists opportunity red flags, personal characteristic red flags, and situational pressure red flags of possible fraudulent activity.
Fraud Indicators: Financial Performance
This guide identifies some of the red flags within a entity's financial performance that indicate the potential existence of embezzlement, financial statement fraud, and other illegal acts (e.g., bribery, kickbacks, price-fixing, bid-rigging and tax evasion.)
Common Frauds: Insider, Outsider, and Frauds for the Company
This guide identifies various types of fraud committed by insiders, outsiders, and management.
Fraud Indicators Detectable Through Data Analysis
This guide lists data tests and data comparisons which can be run for common business processes to reveal anomalies that may indicate fraud or control problems.
Fraud Detection: Guidelines and Techniques
This guide identifies ways that fraud can be committed from an accounting, operations, and IT internal controls perspective, and includes examples of fraud detection techniques using Data Analysis, Trend Analysis, and Proportional Analysis.
Performance Measurement Process Development Guide
This guide describes eight steps to consider when putting a performance measurement process into place.
Quality Assurance Review (QAR) Information Gathering Guide
This guide identifies a comprehensive list of information that should be gathered during a Quality Assurance Review (QAR). The information will be used in conjunction with the insights gathered during QAR interviews to provide the QAR team with a clear picture of internal audit operations.
Audit Tracking Options
Many internal audit departments find it helpful to track audit findings within a spreadsheet or database. A well-organized, easily updated database can significantly reduce the time it takes to track audit findings and follow up with the individuals responsible for taking action.
Business Continuity Planning: Ten Common Mistakes
With increasing reliance on electronic markets companies are becoming more and more concerned about business continuity planning (BCP). This guide identifies ten common BCP mistakes.
Cost Benefit Analysis Methods
This guide outlines various methods of performing a cost-benefit analysis of solutions to issues/gaps.
Business Continuity Planning: Guide
This presentation is a guide to various types of business continuity planning, including the objectives of and approaches to BCP. It discusses the variety of objectives that organizations may have for BCP, and then links these objectives to different planning approaches that can be used.