Financial Statement Risk Assessment Approach – Qualitative and Quantitative Considerations Guide
This guide outlines the financial statement risk assessment process that is used to prioritize the financial elements and processes for Sarbanes-Oxley Section 404 purposes.

GTAG 17: Auditing IT Governance
This GTAG provides internal auditors, in both the public and private sectors, with the knowledge necessary to fulfill their responsibilities in providing assurance and consulting services for IT governance. The guidance covers the different aspects of governance that should be in place to ensure IT supports the organization’s strategies and objectives, and discusses red flags to look for that might signal this is not the case.

GTAG 2: Change and Patch Management Controls, 2nd Edition
Every “IT risk” creates some degree of business risk, making it important for chief audit executives (CAEs) to thoroughly understand IT change and patch management issues. This GTAG discusses these issues in a language that allows CAEs to build confidence in their knowledge of the area and add value to the conversation when communicating with senior management, the board and IT management.

GTAG 1: IT Risk and Controls, 2nd Edition
This GTAG helps chief audit executives (CAEs) and their teams keep pace with the ever-changing and sometimes complex world of IT. It provides an overview of IT-related risks and controls, written in a reader-friendly style for business executives rather than in highly technical language. Both senior management and the audit committee expect the internal audit activity to provide assurance around all important risks.

Ann's Advice for Auditors
These articles and tools have been contributed by Ann Butera, the President of The Whole Person Project, a New York-based organizational development consulting firm. Butera provides monthly training materials for auditors on KnowledgeLeader.

Checklist for Planning Audits
Audit planning is one of the most critical steps in the audit process, if not the most critical. Whether or not you formally draft and submit the results of your planning efforts, make it a point to follow a consistent approach during this phase of the audit. You will find that the time spent planning will save you time during the rest of the audit.

GTAG 16: Data Analysis Technologies
Because all organizations are impacted by IT in various forms, it is nearly impossible to conduct an effective audit without using technology. This guide aims to help CAEs understand how to move beyond the tried and true methods of manual auditing toward improved data analysis using technology.

ERM Summary Approach – Guide
Identifying, understanding and evaluating the organization’s most significant risk areas will set the foundation for a robust ERM program. This guide outlines an approach to building ERM capabilities that includes the following components: planning, facilitated risk discussion, risk analysis, external verification, management review and gap assessment.

International Internal Auditing Standards
The Standards represent the basic principles of the practice of internal audit. They are intended to provide a framework for internal audit activities, establish the basis for evaluation of internal audit performance, and foster improved organizational processes and operations. The Standards consist of Attribute Standards, Performance Standards, and Implementation Standards and are part of the IIA’s Professional Practices Framework.

Information Asset Classification Guide
The purpose of the information asset classification process is to ensure assets are identified, properly classified and protected throughout their lifecycles. The five-phase approach to classification involves: management education, implementation strategy, employee education, implementation and maintenance.

Process and Activity-Level Controls Assessment Guide
This document summarizes the steps needed to assess controls at the process or activity level. The steps include selecting priority elements, understanding the processes, sourcing risks, documenting key controls, assessing control design, validating control operation and reporting.

Visio Formatting Tips – Guide
This guide is a step-by-step document for creating process maps using Microsoft Visio. It starts by explaining how to get started with Visio, basic flowchart shapes, setting favorite stencils, creating backgrounds on new and existing pages, and how to align, distribute and format various shapes in Visio.

Process Map Fundamentals – Guide
This presentation addresses how to prepare a process map. It starts with the definition of a process map and then covers detailed steps to create and format this type of document using the Microsoft Visio tool.

An Effective Way to Conduct a Risk Assessment - Guide
There are many ways to conduct a risk assessment. For example, companies may conduct interviews or surveys of key personnel, review key documents, conduct facilitated workshops, perform targeted reviews, or utilize any combination of these options. This guide describes various options to conduct an effective risk assessment.

Global Technology Audit Guide (GTAG) 15: Information Security Governance
Information is a significant component of most organizations’ competitive strategy either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. This guide will provide a thought process to assist the chief audit executive in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organization’s ISG activity delivers the correct behaviors, practices, and execution of information security.

Global Technology Audit Guide (GTAG) 14: Auditing User-developed Applications
Almost every organization uses some form of user-developed applications (UDA) because they can be more easily developed, are less costly to produce, and can typically be changed with relative ease versus programs and reports developed by IT personnel. However, once end users are given freedom to extract, manipulate, summarize, and analyze their UDA data without assistance from IT personnel, end users inherit risks once controlled by IT. These risks include data integrity, availability, and confidentiality. Because management relies on UDAs, which can be a significant part of financial reporting and operational processes, as well as related decision making, the internal auditor must determine and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate.

ERM Concepts, Process and Objectives – Guide
This presentation defines risk management (what it is, and what it is not). It also outlines a five-part risk management framework: Establish the Context, Identify Risks, Analyze Risks, Evaluate Risks, Treat Risks.

Enterprise Risk Management Education and Awareness Presentation - Guide
The presentation focuses on enterprise risk management (ERM) and how to begin educating an organization on this concept.

Risks in Cloud Based Services: A Primer - Guide
This presentation serves as a guide on cloud computing, providing an overview and various intricacies involved with this process. The benefits, levels, models, obstacles, opportunity and risks are discussed in detail to help the user obtain a clear picture on cloud computing.

Human Resources Glossary of Terms
This glossary contains frequently used terms related to Human Resources and its functions.

ITIL Glossary Terms & Acronyms
ITIL® is a consistent and comprehensive documentation of best practice for IT Service Management. This guide provides definitions to commonly used ITIL acronyms and terms.

Work Papers Guidance - You are as Good as your Work Papers
Work papers are documents produced during an audit engagement. These papers are formally referred to as audit documentation or sometimes as the audit file. This document serves as a guide to organizing manual audit work papers.

Global Technology Audit Guide (GTAG) 13: Fraud Prevention and Detection in an Automated World
As technology advances, so do schemes to commit fraud. Therefore, technology can be used not only to perpetrate fraud, but also to prevent and detect it. Using technology to implement real-time fraud prevention and detection programs will enable organizations to reduce the cost of fraud by shortening the time between when a fraud is committed and when it is detected. Considering this, it is crucial that auditors stay ahead of fraudsters in their knowledge of technology and available tools. This GTAG focuses on IT-related fraud risks and risk assessments and how the use of technology can help internal auditors and other key stakeholders within the organization address fraud and fraud risks.

Controls Self-Assessment Program Overview - Training Presentation
Self-assessment is a recognized best practice and has been applied to risks and controls for many years. When systematically applied across the organization at the entity and process levels, self-assessment is a pre-determined approach whereby individuals self-review or self-audit the controls for which they are responsible and communicate the results to appropriate management. The intent of this training document is to assist control owners, process owners and internal audit with implementing and executing the self-assessment process focused on IT controls.

Glossary of Sarbanes-Oxley Section 404 Key Terms
This glossary contains frequently used terms related to the Sarbanes-Oxley Section 404 compliance process. This document includes terms such as: assertions, control gap, ICFR risk, and segregation of duties.

Global Technology Audit Guide (GTAG) 12: Auditing IT Projects
Whether IT projects are developed in-house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputation damage. Early involvement by internal auditors can help ensure positive results. Auditing IT Projects from The IIA provides an overview of techniques for effectively engaging with project teams and management to assess IT project risks.

SOX Control Writing and Testing of Operating Effectiveness Guidance
The purpose of this document is to provide guidance when documenting controls by category and testing the operating effectiveness of these controls.

SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.

Oil & Gas Dictionary
This dictionary of industry specific terms is an excellent resource for those working with the Oil and Gas industry.

SOX Testing Methodology Example
This is a SOX Testing Methodology that highlights several aspects of SOX testing including scope, approach and population.

Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan
As technology becomes more integral to the organization’s operations and activities, a major challenge for internal auditors is how to best approach a company-wide assessment of IT risks and controls within the scope of their overall assurance and consulting services. As pointed out in this GTAG, auditors need to understand the organization’s IT environment; the applications and computer operations that are part of the IT infrastructure; how IT applications and operations are managed; and how IT applications and operations link back to the organization.

Global Technology Audit Guide (GTAG) 10: Business Continuity Management
The objective of this GTAG is to provide insight into what BCM means to an organization, how to build a business case, and identify common risks and requirements. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's BCM processes. This guide will also help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Control Gap Remediation Methodology Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring that there is a remediation plan in place to address control gaps and that remediation progress is monitored. This presentation serves as a guide to train SOX-project teams in identifying control gaps and implementing a remediation action plan.

Global Technology Audit Guide (GTAG) 9: Identity and Access Management
The objective of this GTAG is to provide insight into what IAM means to an organization and to recommend internal audit areas for investigation. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.

Sarbanes-Oxley Section 404 – Guidance for Documenting Test Results
This guide outlines steps to complete when documenting SOX Section 404 test results. The steps specifically describe how to set up a standard process for referencing work papers, documenting test results, documenting control remediation, and filing work papers. These steps should be modified to reflect each organization’s Section 404 testing process.

Global Technology Audit Guide (GTAG) 8: Auditing Application Controls
This edition of the Global Technology Audit Guide from The IIA provides Chief Audit Executives with information on the role of internal auditors regarding application controls, and how to perform a risk assessment. This guide also includes a list of common application controls, a sample audit plan, and application control review tools.

Risk Assessment Process - Facilitation Tips
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.

Using the New SEC and PCAOB Guidance to Make Section 404 Compliance More Cost-Effective
The purpose of this guide is to provide a brief overview and update related to the May 2007 SEC guidance and PCAOB standard (AS5). The presentation primarily focuses on what companies can do to lead a more cost-effective Sarbanes-Oxley effort. This presentation explores eight key decisions along the Section 404 compliance process which management needs to consider with the objective of aligning the company’s and auditor’s application of a top-down, risk-based approach and maximizing the cost-effectiveness of the process.

Glossary of Inventory-Related Terms
This glossary contains frequently used terms related to the inventory process. This document includes terms such as: activity-based costing, cycle counting, inventory roll-forward, and work order.

Glossary of Commonly Used Acronyms and Terms
This glossary contains frequently used terms related to financial reporting, internal audit, corporate governance, technology, and risk management processes. This document has been updated with terms such as: accrual accounting, accrued expense, accrued income, accrued interest, balance sheet, cash basis, income statement, and statement of cash flow.

Global Technology Audit Guide 7 - Information Technology Outsourcing
This edition of the Global Technology Audit Guide from The IIA provides the chief audit executive (CAE), internal auditors, and management with information on the types of IT outsourcing activities, the IT outsourcing lifecycle, and how outsourcing activities should be managed by implementing well-defined plans that are supported by a companywide risk, control, compliance, and governance framework.

A Guide for Documenting Processes and Controls for Sarbanes-Oxley
This guide is designed to help establish consistent Sarbanes-Oxley documentation standards throughout an organization. It discusses documentation types to use, how to document risks and controls, and follow-up procedures to take after the documentation process is complete.

Sarbanes-Oxley Roles and Responsibilities Guide
The purpose of this guide is to describe example roles and responsibilities the various team members involved in Sarbanes-Oxley (SOX) compliance can take on during the project. Roles and responsibilities are described for: process/control owners, risk control specialists, the Project Management Office (PMO), and the Internal Controls Steering Committee (ICSC).

Remediation Efforts and Needs – SOX Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring control deficiencies are accurately communicated to appropriate personnel and properly tracked. This presentation serves as a guide to train SOX project teams in identifying and communicating deficiencies noted during the testing process.

Sarbanes-Oxley Section 404: Report Testing Methodology
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams in testing reports that are used during the financial reporting process. Note: Testing individual reports is a relatively inefficient manual process and should only be used if General Computer Controls and/or End User Computing Controls do not provide adequate assurance over reports.

Excel in Managing Spreadsheet Risk Presentation
Control over spreadsheets associated with the financial reporting process is an increasing concern for companies. These spreadsheets have achieved an increasingly high profile within regulatory compliance. This presentation serves as a guide to train SOX project teams in testing Section 404 spreadsheet controls and utilizing a spreadsheet control framework.

Information Security: Design, Implementation, Measurement, and Compliance
Tim Layton's new book, Information Security, is a practical guide to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context. Here's Chapter 13, Access Control.

Sarbanes-Oxley 404 Compliance Project Testing Guidelines and Documentation Standards Presentation
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by Internal Audit to lessen the work required by the external auditor.

Global Technology Audit Guide: Managing and Auditing Privacy Risks
This fifth GTAG is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks.

TCM Audit Principles
This “TCM Audit Top 10” represents guiding principles that should be applied to Technology Change Management (TCM) Audits.

Global Technology Audit Guide 4: Management of IT Auditing
This fourth GTAG is designed for CAE and internal audit management personnel who are responsible for overseeing IT audits. The focus of this guide is on providing specific recommendations that a CAE can implement immediately, and to help sort through the strategic issues regarding planning, performing, and reporting on IT audits. Consideration is given to the fundamentals as well as emerging issues.

Ten Best Practices for Enterprise Intrusion Prevention
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution enables you to circumvent the need for analysis to be done before action can be taken to protect the system. In addition, it prevents attacks from doing damage to your operating system, applications and data. This checklist helps you choose the right type of solution for your organization.

Cash Management, Treasury, and Banking Glossary
This glossary contains terms frequently used in cash management, treasury, and banking.

Example IT Control Metrics to Be Considered by Audit Committees
The IT security control metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization’s information security program over time. This guide provides two lists of metrics: the first for board members, and the second to help management implement the information security goals and policies established by the board.

Implementation of a Change Management Policy Presentation
Identifying changes in internal controls is important in streamlining the SOX compliance process, specifically 302 and 404 certifications. When identifying changes in internal controls, it is important to have a change management policy for process owners to follow. This presentation serves as a guide in implementing an internal control change management policy. It addresses the types of changes to manage in this process, documentation requirements, and key tools and reports.

Compliance Frameworks
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. This document identifies the most commonly used frameworks.

COSO Guidance for Small Public Companies
This presentation provides a summary of the control approaches for each of the 26 principles that COSO identified in its exposure draft – “Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting.” For each principle, this document offers approaches smaller companies can take to achieve the primary objective. Example approaches include leading by example, fraud risk assessments, and setting accountability.

How to Standardize Documentation for Internal Controls
As your Sarbanes-Oxley project moves towards a process approach, it is important to standardize the documentation of internal controls. The presentation serves as a guide in achieving standardization. It addresses what to document, how to do it, and to what extent. In addition, this presentation is a useful tool when training employees on documentation standards.

Auditing Network Security – Common Findings
This multi-part guide details the steps required to ensure that your network is secure. This fifth and final part identifies typical findings resulting from a review or audit of network security.

Auditing Network Security – Assessment Resources
This multi-part guide details the steps required to ensure that your network is secure. This fourth part identifies web sites and tools that are likely to provide useful resources.

Auditing Network Security – Review Methodologies
This multi-part guide details the steps required to ensure that your network is secure. This third part discusses the various methodologies involved in the review/audit process.

Auditing Network Security - Part 2
This multi-part guide details the steps required to ensure that your network is secure. This second part of five provides more detail regarding determining what should be included in a review or audit.

Auditing Network Security – Securing a Network
This multi-part guide details the steps required to ensure that your network is secure. This first part discusses the overall approach to reviewing/auditing the existing security.

Using Risk Management Frameworks
This presentation defines and describes various types of internal controls. Then it reviews control frameworks including COSO, COSO ERM, and COBIT. Finally, it describes the elements and implementation of an enterprise risk management solution.

Audit Committee Briefing – Internal Audit Standards
Commonly, and in best-practice organizations, internal auditing has a direct reporting line to the audit committee. This publication explains how internal audit activities that adhere to the Standards and Code of Ethics can help audit committees comply with their own charters and regulatory responsibilities. In addition, this briefing provides guidelines for the relationship between audit committees and internal auditors.

Global Technology Audit Guide 3 - Continuous Auditing
This third Global Technology Audit Guide from The Institute of Internal Auditors helps identify what must be done to make effective use of technology in support of continuous auditing, and highlights areas that require further attention. By following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments.

Internal Audit Key Performance Indicators
With the passage of SOX, audit committees and management are responsible for implementing an effective risk monitoring process. This involves identifying and performing ongoing monitoring of key performance indicators. To help audit committees and management facilitate this process, The Institute of Internal Auditors – UK and Ireland published this guidance on key performance indicators to monitor.

Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence to the marketplace. This checklist provides a list of various different fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.

Top Ten Practical Tips for Surviving and Thriving with SOX
Recent guidance from the SEC and PCAOB brought forth key points to consider in your SOX approach. In addition, lessons learned from accelerated filers provide insight into challenges and successes for ongoing SOX compliance. This presentation offers ten tips for surviving SOX along with steps to execute each tip to move towards a successful compliance process.

Control Objectives and Activities for a Generic Business Enterprise
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for business activities identified in the ‘Value Chain’ model of a generic business enterprise. The activities are sub-divided into different levels, depending on their positions in the model.

GLB Suggested Audit Approach
This Gramm-Leach-Bliley compliance approach generally segments into the following phases: requirements identification, risk analysis, assessment of current environment, gap analysis, recommendations for improvement and implementation. This methodology can be used in an iterative fashion or tailored to each company’s unique compliance requirements.

The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope determination process, resources, and timing of testing. In addition, it discusses the importance of this integration process and offers concrete ideas for integrating the compliance process.

Internal Control: Guidance for Directors on the Combined Code
The Combined Code of Corporate Governance challenged directors of listed companies to raise their game on business risk management. To help companies respond, in 1999 the Institute of Chartered Accountants in England and Wales (ICAEW) Internal Control Working Party, chaired by Nigel Turnbull, published Internal Control: Guidance for Directors on the Combined Code ("the Turnbull report"). The Turnbull guidance was updated in October 2005.

SOX Auditor Walkthrough Presentation - Guide
In a SOX review, external auditors are required to perform at least one walkthrough for each significant transaction class at the company. This training presentation was created to help prepare company personnel for audit walkthroughs and to provide tips and suggestions. The presentation covers questions to expect from the auditor and example responses to these questions by different company departments.

Best Practices in Ethics Hotlines
For many years, companies have been using hotlines to detect theft and fraud with great success. But until recently, some companies still considered them a luxury rather than a necessity. With the introduction of the Sarbanes-Oxley Act, lawmakers have further validated the need for this reporting mechanism. This paper by The Network, Inc. discusses best practice techniques for developing an effective ethics hotline program by examining three critical stages: planning a successful hotline program, communicating to stakeholders about the hotline, and reacting to hotline tips.

Sarbanes-Oxley Walkthrough Guidance for General IT Controls
Process walkthroughs are an important part of Sarbanes-Oxley compliance projects. They provide the opportunity to validate the steps necessary to complete a process and view the control environment of a process. This presentation describes the goal of performing a process walkthrough and steps to take during the walkthrough process.

Make sure Santa fraud stays away this holiday season!
Employees tend to have their eyes off the ball during the holiday season. Festive spirit and the extended holiday period provide an opportunity for fraudsters to strike. This article developed by Protiviti’s fraud experts in the U.K. provides 24 tips for a fraud free holiday.

Qualcomm Inc. – 2004 Form 10K
Many subscribers have been waiting to see what a Section 404 internal control report and the accompanying auditor attestation look like. The wait is over. QUALCOMM, Inc. is a company involved in developing Code Division Multiple Access (CDMA), which is one of the three technologies instrumental in digital wireless communication networks. With a September year-end, QUALCOMM has elected to early adopt Section 404. The company has incorporated the Section 404 reporting requirements in its 2004 10-K. Protiviti’s Jim DeLoach directs readers to some of the important items in the 10-K.

Ten Best Practices for Internal Audit Reporting
Despite the tools and technologies we have today for audit tracking and reporting, internal audit teams are still confronted with the challenge of figuring out what to say and how to say it. The purpose of this guide is to help teams effectively communicate with their clients and build stronger customer relationships through proper internal audit reporting.

Safeguard Your Contract Negotiation
This guide from SoftResources has helpful information and best practices for the software contract review and negotiation process. The primer provides an overview of contract types, components of a maintenance agreement, tips for addressing implementation and training services and a suggested contract review process.

IT Control Best Practices, Part 2 – Application Specific
This is Part 2 of a document created to identify leading practices for auditing IT controls. The presentation addresses risk objectives and control points, and notes recommended parameters and minimum settings for Windows 2000 and Sun Solaris as well as several email, network and database applications.

The Changing Role of the Internal Auditor
This presentation describes the development of internal auditing and the new forces and legislation impacting the profession. It describes today as the "age of continuous auditing" and looks toward the possibilities for the internal auditor of the future. This insider’s view was presented at the National Convention of Beta Alpha Psi – an international student organization that promotes the study and practice of accounting, finance and information systems.

Payroll Compliance Auditing
Because the payroll function is governed by numerous and complex laws and regulations at both federal and state levels, traditional annual financial cycle reviews do not even come close to covering the major risks in this fundamental and vital area. Noncompliance with requirements, however, can have far-reaching implications under the Federal Sentencing Guidelines and Sarbanes-Oxley Act as well as significant financial consequences from penalties, back-pay awards and additional tax assessments. This article highlights some of the critical areas that internal audit should consider reviewing for compliance.

IT Control Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.

An Overview of COSO
This COSO training presentation from Protiviti provides an introduction to the Internal Control -- Integrated Framework, including the definition of internal control, the three objectives and five components of the framework, entity and activity level assessments, and limitations on internal control.

Common Fraud Scenarios
This document provides illustrations of different types of frauds and how such frauds could be perpetrated -- including fraudulent financial reporting, misappropriation of assets, improper expenditures, and tax fraud. The purpose is to assist those responsible for conducting a fraud risk assessment in accordance with the requirements of Section 404 of the Sarbanes-Oxley Act.

Overcoming the Common Misconceptions about Internal AuditIn this column, Ann describes a fraud situation that illustrates what happens when management and the auditor’s roles are fundamentally misunderstood and executed poorly. She then clarifies the definition and role of internal audit and explains elements of a risk management education program to help organizations overcome myths surrounding the role of internal audit.
Sarbanes-Oxley and ITILThis presentation discusses the importance of IT in relation to the Sarbanes-Oxley Act (SOA), and provides insights into how the best practice guidelines for service management described in the IT Infrastructure Library (ITIL) can help.
Process Documentation Narrative and Flow Chart GuideThis guide describes techniques for documenting processes and includes a checklist for developing process maps and incorporating risk and controls information within a process map. There is also a process map example.
Is Your Company’s Control Environment Sarbanes Compliant?Ann breaks down the significant components of the PCAOB’s Audit Standard No. 2 and provides practical insight on monitoring the control environment and developing a corporate culture with effective controls. She includes a short list of questions to help you assess your organization’s control environment.
Assessing Organizational Culture – When the Committee of Sponsoring Organizations (COSO) published the Integrated Framework of Control in 1992, this model underscored the importance of organizational culture in the establishment of sound internal control practices. In this column, Ann looks at organizational culture and describes four cultural prototypes, along with eight areas to focus on during an audit to diagnose an organizational culture.
Overcoming the Three Challenges of Audit LeadershipIn today’s competitive business climate auditors at all levels need to display leadership skills within their organization, not just within the audit department. These skills are essential if auditors are to produce valued results and bring about the desired change within their organization’s internal control system and environment. In this month’s column, Ann describes three leadership challenges that face auditors, and offers advice on how to overcome them.
Control Objectives and Activities Process Product CostsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Product Costs.’
Control Objectives and Activities Process PayrollThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Payroll’, one of the sub-activities of Manage Finance.
Redefining The Role of Internal Audit in a Post Sarbanes WorldIn this month’s column, Ann discusses whether and how the internal auditor’s role will be permanently changed by their company’s Sarbanes-Oxley initiatives. She says that while the internal audit mission will not change, the manifestation of the mission – the specific services and activities performed by the department – may change. She analyzes some of the factors that will affect change and the new internal audit responsibilities that will likely result. This is a moment of great opportunity for internal audit.
Control Objectives and Activities: Process BenefitsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Benefits and Retiree Information’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
E-commerce Security Best Practice GuidelinesThese guidelines describe a number of best practices related to E-commerce security. In each case, the risk of not implementing the practice is identified.
Process Fixed Assets, Analyze and ReconcileThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Fixed Assets, Analyze and Reconcile’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Plan & Provide Admin SvcsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities relating to Planning and Providing Administrative Services.
Firewall Security Best Practice GuidelinesThese guidelines describe a number of best practices related to firewall security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities: Process FundsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Process AP and ARThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Network Security Best Practice GuidelinesThese guidelines describe a number of best practices related to network security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities:This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Tax Compliance’ and ‘Provide Financial and Management Reporting’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage Risks & Legal AffairsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Manage Risks’ and ‘Manage Legal Affairs’, two of the sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage ITThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage Information Technology activities. This is a sub-activity of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage the EnterpriseThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage the Enterprise and Manage External Relations Activities, two of the sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Process Mapping – The Updated Form of FlowchartingThis is a detailed 'How To' guide for process mapping. Ann describes how to use this powerful tool in Sarbanes-Oxley Section 404 compliance. Process mapping is a key documentation approach that can help all personnel to develop a common understanding of controls. Examples of different control and process maps are included in the appendices.
COSO Element – Risk Assessment: A Presentation Risk assessment is one of the five components of the COSO Internal Control Framework. This presentation was developed as part of a training seminar on COSO. It defines risk assessment and then walks through concepts from objective setting to risk identification, risk analysis, and risk assessment evaluation.
Control Objectives and Activities - Human Resource ManagementThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Human Resources Management Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Facilitating SOA Compliance Using CommitteesFollowing the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
Control Objectives and Activities: Technology DevelopmentThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Technology Development Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: ProcurementThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities related to Procurement Activities. These are sub-activities of Administration, which is one of the four generic infrastructure activities identified in the ‘Value Chain’ model of a business enterprise.
Money Laundering Red FlagsOne of the keys to being able to identify money laundering is understanding the sorts of actions and patterns of transactions - the red flags - that may indicate illegal behavior. The following is a sample list of red flags that may be applicable to different types of transaction activity and businesses.
Control Objectives and Activities: ServiceThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Service Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities - Marketing and SalesThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Marketing and Sales Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Outbound LogisticsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Outbound Logistics Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: OperationsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Operations, the second of the five primary generic business activity areas identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Inbound LogisticsThis COSO-based guide provides a list of control objectives, potential risks, and points-of-control for inbound logistics activities – one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
SOA and NYSE Web Disclosure GuidelinesSeveral Sarbanes-Oxley and related SEC/NYSE mandates require posting of governance information to a corporate website for public access. This guide will highlight a few key areas auditors and financial reporting professionals should be aware of concerning web posting and summarize a few key elements of dealing with entity postings.
IT Risks in the Context of SOA 404 ComplianceThis online seminar, broadcast Wednesday, October 15, 2003 addressed IT risks in the context of Section 404 of the Sarbanes-Oxley Act of 2002. The associated presentation includes additional materials related to general IT process risks and controls, and IT risks and controls at the process level.
Audit Sampling: A Practice GuideAn understanding of audit sampling techniques can help an audit professional properly select test sample sizes and develop a conclusion for various audit tasks. This guide describes basic sampling concepts, provides guidance on developing a sampling plan, and reviews the common approaches of audit sampling.
Time is Running Out for Sarbanes Section 404 Compliance:If your organization has not started Sarbanes-Oxley compliance efforts, then Ann’s eight practical tips for overcoming common challenges are a must-read. This month’s column supplies advice for any enterprise on dealing with the organizational challenges that these projects present. Executive sponsorship, accountability, and a dedicated communications infrastructure are key.
Sarbanes-Oxley Public Disclosure SummaryThis presentation summarizes public disclosure requirements for Sarbanes-Oxley by section including basic descriptions, rule status or effective date, and related required disclosures. Some applicable SEC Release disclosure items are also included.
Complaint Procedure for Accounting and Auditing Section 301 of the Sarbanes-Oxley Act requires Audit Committees to create a complaint procedure related to accounting, internal controls, or audit matters, and stipulates several required attributes of a complaint handling procedure. This guide assists with the process of developing a complaint procedure.
Facilitation Techniques: Handling Difficult PeopleThis guide reviews six roles that hinder a group's progress and impact the group's process. It also looks at methods a facilitator can use to overcome these problems.
Sarbanes-Oxley: Strategies for Complying with Section 404This presentation provides an overview of the final SOA Section 404 rules. It also discusses what companies are doing to comply and why, the options for compliance and the related pros and cons, and why companies should undertake compliance activities now despite the extended deadline provided by the SEC.
COSO Framework DescriptionIn 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This guide provides a brief description of the COSO framework.
COSO Overview PresentationThis presentation explains the key parts of the COSO Internal Control Framework, in particular the objectives and components of COSO. It also defines and explains ‘internal control,’ ‘internal control deficiency,’ and ‘material weakness’ based on COSO.
Overview of the OIG Compliance Program GuidanceThis guidance applies to companies that develop, manufacture, market, and sell pharmaceutical drugs or biological products, and is intended to assist these companies in implementing internal controls to ensure compliance with applicable laws and requirements of the federal health care program. This summary outlines the seven elements of an effective compliance program.
Lessons from the School of Hard KnocksAnn presents a third Sarbanes-Oxley article to assist project teams. She recently led Sarbanes-Oxley 404 compliance training sessions for line managers and analyzes the factors that can make the compliance process work smoothly. She suggests six success factors for overcoming line management resistance to the compliance process.
Information Systems Security Organization Planning GuideThis guide is intended to help companies prepare recommendations for the structure of an information systems security organization, including functional requirements and responsibilities, and staffing options to fulfill those responsibilities. The guide includes an outline of functional responsibilities, staffing options, and comments on the impact of training and other costs.
Developing an Effective Code of ConductAs many organizations already understand, a formal, written code of conduct is critical in order to transform ethical behavior into something more tangible for employees. Such a code is now a requirement for public companies, as mandated by the Sarbanes-Oxley Act and by the listing requirements of major stock exchanges. Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. This article describes the elements of a successful code and lists ethics warning signs to watch for.
Refining the Plan for SOA Attestation ComplianceAnn provides practical advice in light of the SEC’s final rules regarding SOA issued on June 6, 2003. She comments on the scope of the attestation process, selecting a framework, and using consultative resources to assist through the compliance process.
Managed Care Rebate and Wholesaler Chargeback AuditsBecause the base price of pharmaceutical products is established by regulation, the pharmaceutical industry has had to offer a number of creative incentives to customers in order to obtain market share and build a loyal customer base. Many manufacturers use rebate and chargeback programs - which often have complex contracts and provisions. The purpose of this article is to provide an overview of pharmaceutical rebate and chargeback programs, and to describe recommended processes, steps and considerations for auditing these contracts. The author, David Ross, is the chair of Protiviti’s national Healthcare and Life Sciences industry taskforce.
Wireless Networking GlossaryThis short glossary contains terms frequently used to describe wireless networking.
HIPAA Gap Analysis SummaryThis guide contains tables summarizing the different HIPAA security standards, and illustrates the different types of security policies that apply to each. The tables can be used to determine what security policies are needed within your organization to adequately address and comply with HIPAA regulations.
Making Sarbanes-Oxley Compliance EasierConsidering the importance of strong governance to all organizations and the complexity of related Sarbanes-Oxley compliance efforts, Ann’s practical advice is both timely and helpful. First, Ann points out several factors that differentiate organizations’ readiness for SOA compliance: culture, industry, and internal control infrastructure. Next, Ann describes practical actions that will ease compliance implementation programs.
Assessing Risks and Internal Controls: A Training PresentationAs part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. This presentation was developed to help with this training activity.
Internal Audit Reporting: Impact and Clarity: Guide and ExampleEffective Internal Audit reports and communications are a critical aspect of the audit process. Strong reporting is more than just appearance, and should be a reflection of the audit approach, performance, and organizational governance objectives. This guide provides practical advice for audit reporting, and includes an example report to the Audit Committee.
Ethics Program Best PracticesAn effective ethics program serves as a basis for policy making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics program.
Achieving Effective Board PerformanceIn this month's column, Ann describes the hallmarks of effective Boards of Directors. She provides a list of six specific actions that internal auditors can take to promote increased board effectiveness.
Sarbanes-Oxley Section 404 Committees: A Guide This guide describes the composition, function and operating style of an SOA Section 404 Compliance Steering Committee, and the interrelationship between a Steering Committee and a Disclosure Committee. It addresses the scope, membership, and interaction of these committees.
Finance Function Resource Assessment GuideInternal auditors can use this guide to help perform and document a resource assessment of the company’s financial functions. The purpose of such a review is to assess these functions from a people, process, and technology perspective in performance of their "business as usual" job functions.
Security Awareness Program ComponentsThis guide discusses some components that should be included in a security awareness program, including policies, communication methods, and topics for ongoing communications with systems users.
Internal Audit’s Role: A Summary for the Board of Directors - GuideThis summary presents an overview of the role of the Internal Audit department to the Board of Directors. It informs the Board about the definition of internal audit and internal control, and briefly describes what auditors do and who is involved in the work. This example also includes a brief overview of the projects on which the audit department intends to focus.
Wireless Security Policies: Overlooked IssuesCorporate security policies must be in place to address the unique risks of wireless technologies. The following guide contains a list of commonly overlooked issues in organizational security policies.
Ways to Promote Positive Change in Your Audit DepartmentIn this month's column, Ann details seven actions to take to promote change within your audit department. Before internal audit can effectively promote change in their organization, they need to be able to embrace it for themselves. Ann describes common behavioral attributes of auditors that are helpful in understanding how and why some auditors resist change.
Travel Safety GuidelinesWhen planning a business trip there are some basic steps that will help to avoid travel risks and prepare for threatening situations. This guide contains suggestions for travel planning and personal safety, and links to related resources.
British Standard 7799 (ISO 17799)BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.
Wireless Security: Best PracticesThis guide provides recommendations for wireless security best practices in the areas of: Policies and Procedures; Network Architecture; Device Configuration; and Assessment.
Wireless Discovery Tools: A GuideThis guide is intended to help with the selection of hardware and software tools to be used during wireless network penetration tests, or in other tests of wireless network security issues.
Six Actions for Better Time EstimatesAnn provides practical advice on the importance of time management, how to avoid common audit time estimating pitfalls, and six actions to be taken for effective (and constantly improving) estimation. Following these six guidelines will assist all levels of audit personnel to be more effective professionals -- and may improve audit cycles.
Four Tactics for Making New Year Resolutions that Get ResultsNew Year’s resolutions, especially those regarding our own professional development, have a tendency to fade. Ann presents some practical advice and concrete professional development examples that will assist an internal auditor in becoming a more action-oriented and valued professional. These include four ways to make solid resolutions and stick to them.
Business Continuity Management Standards - A Side-by-Side ComparisonAn increasing number of regulations and standards apply to Business Continuity Management. After studying and comparing the various BCM guidelines, Protiviti has identified common themes and best practices that will help in the implementation of a successful BCM process. This guide is our list of BCM standards and the associated agencies that advocate each best practice.
Effective Policy Management in an Age of Corporate CrisisPolicy Management describes the activities necessary to document a company's rules, illustrate how specific situations should be handled, and communicate this information to employees. While this may appear to be a basic concept, management, audit committees, and auditors are waking up to the fact that their companies have been operating in spite of a significant lack of clear company policies. This white paper describes the 10 Steps to Effective Policy Management.
Governance GuidelinesProposed New York Stock Exchange rules will require listed companies to adopt formal Governance Guidelines within six months after the SEC approves the proposed rules. Since the general topic of Governance Guidelines may be somewhat unfamiliar to many people, the law firm of O’Melveny & Myers LLP prepared and contributed these frequently asked questions.
Rigorous Business Impact Analysis Using Facilitated MethodsThis presentation describes a particular methodology for conducting a Business Impact Analysis (BIA). The BIA is the careful study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations.
Ann's Advice for Auditors: Auditing a New Process? In this column Ann provides some practical advice to consider when approaching an area to be audited that may be unfamiliar. In fact, principles such as follow the money, focus on high risk, and locate evidence are worthwhile during any audit -- particularly if audit tests have raised unanswered questions. Ann also offers some additional ‘short cuts’ to deciding where controls should be.
Tips for hiring a Chief Audit Executive The IIA believes in and promotes the CAE’s role in providing advice, counsel, and opinions regarding the organization’s efficiency and effectiveness in risk management, corporate governance, and internal control. This article from Tone at the Top, published by the Institute of Internal Auditors, outlines the role of the chief audit executive, the qualifications one should have, personal skills, and the selection process.
COSO Implementation: A Risk-Based ApproachThis presentation links the Protiviti Risk Model to the COSO framework, and can be used by companies who are implementing COSO concepts.
Self Assessment: Three Levels of ActivitiesSelf Assessments are performed by company personnel/process owners who are held accountable for executing, monitoring and improving the business process in question.
Managing Customer Service: Good PracticesThis list is a summary of good practices and suggestions for managing customer service, based on personal experience and observation.
Cost Management PrimerThis guide provides an overview of Activity-Based Management (ABM), a useful but sometimes overlooked cost management technique that allows companies to determine not only accurate costs, but also the costs of alternative actions.
Travel Safety Guidelines: InternationalBusiness travelers can use this guide both before and during an international trip. The safety tips are broken into sections: Before you go, At the airport/train station, Hotel safety, Upon arrival, Getting around town, Personal conduct, and Security contact information.
Audit Committee Activities and ScheduleThe audit committee is a committee of the board of directors. This guide describes the general and as-needed activities of an audit committee and provides a schedule of activities that should be addressed in quarterly meetings.
Fraud: Internal Audit's Role in Detection and PreventionThis presentation discusses the fundamentals of fraud and the role of internal audit in detection and prevention of fraud.
Unleashing Creativity in Your AuditsCreative thinking during audits is more important now than ever before. Your internal clients want cost-effective and efficient controls as they race to reduce operating costs and improve net operating income. Tap your creativity and you will be able to meet this challenge.
Data Processing Control: Guide to Effective PracticesThis guide provides descriptions of effective data processing control practices. It includes major control areas from design principles to file controls to trouble symptoms, and lists specific practices and their descriptions under each area.
Techniques for Overcoming Client ObjectionsWhile objections sound like negatives, they are actually disguised buying signals. Objections are your customer's way of opening up to you and really getting to the bottom of what is needed in a suitable corrective action plan. By encouraging the customer to voice such objections, you can quickly assess your customer's whole package of needs, and turn each objection into a benefit your findings and recommendations can offer.
Facilitation Techniques: Generating ideas through brainstormingThis guide suggests alternative methods you can use to conduct a group brainstorming session.
Facilitation Techniques: Managing meeting discussion flowUse this guide when facilitating discussions, to help you keep all participants working on the same content and using the same processes at the same time.
Facilitation Techniques: Building Agreements This guide shows how successful facilitators find that consensus is more easily accomplished through a series of tiny agreements along the way on what to do and how to do it.
Facilitation Techniques: Creating process awarenessAs a facilitator of a meeting, it is important to make your participants aware of your process, that is, how you are going to achieve the purpose of your meeting. Use this guide to create process awareness during your meeting.
Facilitation Techniques: Meeting purpose statementThis guide will help you to develop an effective meeting purpose statement, in order to gain commitment from your participants in a facilitated workshop.
Financial Ratio Analysis GuideThis guide describes several types of ratios and calculations that can be used in conjunction with Ratio Analytical Techniques.
Data Collection Interviewing TechniquesThis guide provides techniques for organizing and planning interviews, setting a good interview climate and posing questions, and collecting and verifying accurate information. It also suggests 'red flags' to watch out for, and special guidelines for telephone interviews.
Unhealthy Organizations: Fifty More SignsThis is the second of two guides, each of which identifies fifty signs of an unhealthy organization. These guides can be used to help identify and understand symptoms of deeper organizational problems.
Protecting Intellectual Property Assets: GuidelinesThese guidelines present some considerations for internal auditors looking to evaluate, review and protect IP assets.
Unhealthy Organizations: Fifty SignsThis guide identifies fifty general signs of an unhealthy organization. The guide can be used to understand where future problems may arise.
Analytical Review for Internal AuditorsThis review is a guide to four major types of analytical tools and their methods: trend analysis, benchmarking, ratio analysis, and modeling.
Internal Controls and Shareholder ValueAn effective system of internal controls forms one of the keystones necessary to building, maintaining and improving shareholder value. This presentation can be used as a training piece describing what internal controls are, why they are important, and how they relate to shareholder or stakeholder value.
Laptop Computer Security: Loss Prevention TechniquesGood laptop security policies and policy education will not only reduce the expense of replacing computers, but will help to protect valuable intellectual assets as well. This guide can be used to assist in the development of loss prevention and security policies, and associated monitoring activities.
Initial Public Offerings: A GuideThis guide summarizes the rules and procedures essential to the process of public ownership though the initial public offering (IPO). It is intended to guide you though the necessary research and analysis.
Generally Accepted Systems Security Principles (GASSP)This guide provides an overview of the Generally Accepted Systems Security Principles (GASSP), which comprise a comprehensive hierarchy of guidance for security of information and supporting technology.
AICPA/CICA SysTrustThis guide provides a high-level overview of SysTrust, an assurance service designed to increase the comfort of management, customers, and business partners with the systems that support a business or a particular activity.
Managing Security of Information: GuidelinesThis guidance from the International Federation of Accountants (IFAC) identifies core principles of information security and an implementation approach.
Security of Information Systems: OECD Guidelines. These guidelines provide a foundation from which countries and the private sector, acting singly and in concert, may construct a framework for the security of information systems.
Business Plan Preparation Guide. This is a comprehensive guide to preparing a business plan. With useful commentary, visuals, and "Ask yourself" questions, this guide will help you create a well-thought-out and attention-grabbing business plan.
Employee Retention Program Customization Guide. The ability to retain talent can dramatically impact an organization's competitive position. This presentation describes the characteristics of the 'new' workforce and some causes of employee turnover. It suggests best practice approaches and then walks through a step-by-step process for designing and implementing a retention strategy.
Online Banking: Services, Risks, and Controls. This guide describes the background behind internet/online banking, its historical and expected growth rates, and gives definitions of many terms and products associated with the internet and online banking.
Interviewing Essentials Guide. This guide can help audit groups develop training courses for auditors inexperienced in the art and skill of interviewing. It also provides a refresher for more experienced auditors.
Human Resources Risk Management Guide. This short guide helps define human resources risk and identify the major HR processes and sub-processes where risks occur.
Common Frauds: By Business Process. This guide identifies common forms of fraud that can occur in most companies.
CAAT (Computer Assisted Auditing Technique) Tests. Computer-assisted auditing techniques provide a new approach to audit tests, replacing tests that would otherwise have been performed manually by the internal audit team.
IT Review Discussion Guidelines for an IA QAR. This guide can be used by a Quality Assurance Review (QAR) team as a guide to reviewing overall internal audit coverage of IT.
Work Program Guide: Sample Audit Administration Steps. This guide contains sample work program steps for the administration of a typical audit.
Work Program Guide: Sample Audit Fieldwork Steps. This guide contains sample work program steps for the fieldwork of a typical audit.
Turnbull Report - A Best Practices Guide. Publication of the Internal Control Working Party's recommendations on the Combined Code (the 'Turnbull Report') presents businesses with an opportunity. For the first time, the link between risk management and improved business performance is being acknowledged by governance regulations.
Budgeting Best Practice Presentation. This presentation goes through one of business's most time-consuming financial processes: budgeting. It describes at a high level the best practice steps that most companies should consider implementing in the budgeting process, with the goal of linking it to corporate strategy.
Fraud Prevention/Detection: Top Ten Tips for Audit Committees. This guide contains a list of the top ten fraud prevention tips for audit committees.
Cooking the Books: Common Schemes, Warning Signs, and Methods. "Cooking the books" may occur at one or multiple points throughout a company's information flow. A solid grasp of how business data is captured will improve the internal audit team's ability to recognize the schemes, warning signs, and methods identified in this guide.
Business Continuity Practitioners: Standards of Competence. This guide specifies the ten certification standards for business continuity practitioners as defined by the Business Continuity Institute (BCI).
IT Related Business Risks: Definitions. This guide contains definitions of specific business risks that relate to IT.
Process Mapping Guidelines: Flowcharting. This guide provides definitions of flowcharting symbols, specific guidelines to aid in preparing a clear, easy-to-read flowchart, and descriptions of useful flowchart additions.
Fraud Detection - Scenarios & Tests by Process. This guide provides examples of fraud, and the analytical procedures used to detect them, in six areas.
Responding to Audit Committee Responsibilities: Best Practices. This guide provides an overview of the most common audit committee responsibilities, together with best practices for carrying them out.
Comparison of Reconciliation Systems. This matrix can be used to evaluate different types of account reconciliation systems based on their functionality and on best practice criteria.
Self Assessment: Beginning and Beyond. This guide shows how to get started with self assessment and includes suggestions for other, more advanced uses of this approach.
Facilitated Sessions: The Participants' Roles. This guide describes the roles of the facilitator, co-facilitator and content expert in a risk self assessment session.
Self Assessment Meeting Technologies. This guide presents two types of computer-based techniques that are helpful in conducting self assessment meetings.
Self Assessment Agenda Guide: Why, What, How, When. All self assessment meetings have four common elements. This tool describes these elements and how they can be combined to create an effective agenda for a self assessment meeting.
Self Assessment Questionnaires: Guide to Development. This guide provides a framework for developing a self assessment questionnaire.
Multiple Risk Assessment Meetings: Results Analysis Guide. This guide shows how to combine the results of multiple self-assessment meetings for a process owner into easily accessed, understandable information.
Computer Voting Methods Guidelines. This guide discusses some types of votes and the issues to consider when using automated voting techniques.
Interviewing to Understand a Process. This guide provides an auditor with a starting point for generating and customizing interview questions to aid in understanding a process.
Internal Audit Report Writing Guidelines. These guidelines provide suggestions on the internal audit report writing process, including suggestions about format, content, and style.
Audit Exit Meeting Guidelines. These guidelines contain helpful hints and ideas for conducting a smooth and effective exit meeting.
Audit Tests: Types, Advantages, & Disadvantages. This guide compares fifteen types of tests that can be used to analyze a process during an internal audit assignment.
Information Security: Ten Myths. This guide lists ten commonly held but incorrect beliefs about information security.
Treasury Settlement Best Practices. This guide lists select best practices for activities surrounding treasury settlement within a financial services institution.
Transactional Flowchart: Guidelines & Examples. Use this guide to create a transactional flowchart, which depicts all the activities in a process from beginning to end.
Prioritizing Using the N/3 Technique. This guide describes N/3, a technique that can be used during a meeting to prioritize a list of brainstormed ideas. Participants choose their top three ideas, placing equal weight on each item. When the votes are tallied, a rank order is established based on the number of votes received.
Procurement Card Programs: Guide to Internal Controls. This guide describes how, with an effective internal control structure in place, a procurement card program can serve its intended purpose without creating unmitigated risks, thereby increasing operating efficiency and cost savings for the company.
Performance Measures: Guide to Do's and Don'ts. This guide identifies twelve common problems with individual or group performance measures. During a review of performance measures, this guide can alert an internal auditor to potential problems to watch for.
Presentation Pointers Guide. This guide provides tips that help the internal auditor give a smooth, professional oral presentation. The tips cover planning, speaking style and the use of visual aids.
Physical Security Audit for Information Systems: Guidelines. This guide suggests controls for the physical security of information technology and the systems related to information processing.
SWOT Analysis Guide. A SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is a structured group technique useful in identifying the internal and external forces that drive an organization's competitive position in the market. This guide describes how to perform a SWOT analysis.
Stop/Start/Continue Technique: Guide to Use. Stop/Start/Continue is a technique for generating ideas, solving problems, and negotiating behavior changes between two groups, individuals, or departments.
Risk Considerations Checklist. This checklist draws attention to 17 factors that should be considered prior to assessing risk at the process level.
Network Security Attacks: Guide to Reducing Exposure. There is no way to totally prevent all security-related exposures, but there are ways to monitor and quickly respond to these events to reduce the exposures. This guide summarizes some steps that companies should take to assess how well prepared their organization is to address these issues.
Process Overview Form: Guide and Example. This form summarizes vital information about a process: mission, inputs, outputs, departments involved and performance measures. This guide contains instructions for using the form.
Process Description Chart: Guide and Example. A process description chart summarizes, classifies and measures activities within a process to determine their value. This guide shows how to complete one.
Recruiting Tips for Internal Auditors. This guide contains suggestions that can help with finding and retaining good internal audit candidates, despite a labor market that has made the recruitment of internal auditors more challenging.
Prioritizing Using the Nominal Group Technique. This guide describes the nominal group technique, which can be used during a group meeting or brainstorming session. It allows a group to rank a list of options or ideas in order of importance.
Interview Guidelines. This guide helps an interviewer prepare for, conduct, and document an interview. Although the example questions are tailored to internal audit, this tool applies to all types of interviews.
Organizational Performance Measurement Presentation. This presentation outlines some objectives for and benefits of measuring organizational performance, and includes performance measurement examples from seven companies.
Internal Audit Competency Model and Assessment Guide. This guide suggests competency objectives for internal auditors at junior, intermediate, and senior levels. The competency model sets expectations about the types and levels of skills that all internal auditors within a department are expected to possess.
Fraud Detection: Red Flags. This guide lists opportunity red flags, personal characteristic red flags, and situational pressure red flags of possible fraudulent activity.
Fraud Indicators: Financial Performance. This guide identifies some of the red flags within an entity's financial performance that indicate the potential existence of embezzlement, financial statement fraud, and other illegal acts (e.g., bribery, kickbacks, price-fixing, bid-rigging and tax evasion).
Common Frauds: Insider, Outsider, and Frauds for the Company. This guide identifies various types of fraud committed by insiders, outsiders, and management.
Fraud Indicators Detectable Through Data Analysis. This guide lists data tests and data comparisons that can be run for common business processes to reveal anomalies that may indicate fraud or control problems.
Fraud Detection: Guidelines and Techniques. This guide identifies ways that fraud can be committed from an accounting, operations, and IT internal controls perspective, and includes examples of fraud detection techniques using data analysis, trend analysis, and proportional analysis.
Performance Measurement Process Development Guide. This guide describes eight steps to consider when putting a performance measurement process into place.
Quality Assurance Review (QAR) Information Gathering Guide. This guide identifies a comprehensive list of information that should be gathered during a Quality Assurance Review (QAR). The information will be used in conjunction with the insights gathered during QAR interviews to provide the QAR team with a clear picture of internal audit operations.
Audit Tracking Options. Many internal audit departments find it helpful to track audit findings within a spreadsheet or database. A well-organized, easily updated database can significantly reduce the time it takes to track audit findings and follow up with the individuals responsible for taking action.
Business Continuity Planning: Ten Common Mistakes. With increasing reliance on electronic markets, companies are becoming more and more concerned about business continuity planning (BCP). This guide identifies ten common BCP mistakes.
Cost Benefit Analysis Methods. This guide outlines various methods of performing a cost-benefit analysis of solutions to issues and gaps.
Business Continuity Planning: Guide. This presentation is a guide to various types of business continuity planning, including the objectives of and approaches to BCP. It discusses the variety of objectives that organizations may have for BCP, and then links these objectives to the different planning approaches that can be used.