THE INTERNAL AUDITING HANDBOOK

Third edition

K. H. Spencer Pickett

(Assisted by Jennifer M. Pickett)

A John Wiley and Sons, Ltd., Publication



  • Copyright 2010 K.H. Spencer Pickett

    Registered office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

    For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com

    The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

    All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

    Library of Congress Cataloging-in-Publication Data

    Pickett, K. H. Spencer.
    The internal auditing handbook / K.H. Spencer Pickett. 3rd ed.
    p. cm.
    Includes bibliographical references and index.
    ISBN 978-0-470-51871-7
    1. Auditing, Internal. I. Title.
    HF5668.25.P53 2010
    657.458 dc22

    2010004323

    ISBN 978-0-470-51871-7

    A catalogue record for this book is available from the British Library.

    Typeset in 9.5/12 Gill Sans Light by Laserwords Private Limited, Chennai, India.
    Printed in Great Britain by CPI Antony Rowe, Chippenham, Wiltshire.

    www.wiley.com

  • This handbook is dedicated to the memory of my mother, Joycelyn, who passed away in August 2002

  • CONTENTS

    List of Abbreviations xi
    Foreword to Second Edition xv
    Acknowledgements xvii

    1 Introduction 1
    Introduction 1
    1.1 Reasoning behind the Book 2
    1.2 The IIA Standards and Links to the Book 3
    1.3 How to Navigate around the Book 4
    1.4 The Handbook as a Development Tool 7
    1.5 The Development of Internal Auditing 7
    Summary and Conclusions 19
    References 21

    2 Corporate Governance Perspectives 23
    Introduction 23
    2.1 The Agency Concept 24
    2.2 Corporate Ethics and Accountability 29
    2.3 International Scandals and their Impact 39
    2.4 Models of Corporate Governance 47
    2.5 Putting Governance into Practice 73
    2.6 The External Audit 87
    2.7 The Audit Committee 120
    2.8 Internal Audit 136
    2.9 The Link to Risk Management and Internal Control 141
    2.10 Reporting on Internal Controls 142
    2.11 New Developments 146
    Summary and Conclusions 159
    Assignment Questions 161
    Multi-choice Questions 161
    References 168

    3 Managing Risk 173
    Introduction 173
    3.1 What Is Risk? 175
    3.2 The Risk Challenge 176
    3.3 Risk Management and Residual Risk 179
    3.4 Mitigation through Controls 182
    3.5 Risk Registers and Appetites 186
    3.6 The Risk Policy 192


    3.7 Enterprise-wide Risk Management 203
    3.8 Control Self-assessment 213
    3.9 Embedded Risk Management 218
    3.10 The Internal Audit Role in Risk Management 221
    3.11 New Developments 230
    Summary and Conclusions 236
    Assignment Questions 237
    Multi-choice Questions 238
    References 242

    4 Internal Controls 245
    Introduction 245
    4.1 Why Controls? 245
    4.2 Control Framework COSO 255
    4.3 Control Framework CoCo 264
    4.4 Other Control Models 267
    4.5 Links to Risk Management 272
    4.6 Control Mechanisms 274
    4.7 Importance of Procedures 285
    4.8 Integrating Controls 287
    4.9 The Fallacy of Perfection 289
    4.10 Internal Control Awareness Training 292
    4.11 New Developments 299
    Summary and Conclusions 301
    Assignment Questions 302
    Multi-choice Questions 303
    References 309

    5 The Internal Audit Role 311
    Introduction 311
    5.1 Why Auditing? 311
    5.2 Defining Internal Audit 313
    5.3 The Audit Charter 325
    5.4 Audit Services 334
    5.5 Independence 340
    5.6 Audit Ethics 355
    5.7 Police Officer versus Consultant 363
    5.8 Managing Expectations through Web Design 382
    5.9 Audit Competencies 386
    5.10 Training and Development 393
    5.11 New Developments 403
    Summary and Conclusions 410
    Assignment Questions 412
    Multi-choice Questions 412
    References 420

    6 Professionalism 421
    Introduction 421


    6.1 Audit Professionalism 421
    6.2 Internal Auditing Standards 429
    6.3 Due Professional Care 453
    6.4 Professional Consulting Services 457
    6.5 The Quality Concept 459
    6.6 Defining the Client 469
    6.7 Internal Review and External Review 470
    6.8 Tools and Techniques 478
    6.9 Marketing the Audit Role 483
    6.10 Continuous Improvement 491
    6.11 New Developments 494
    Summary and Conclusions 495
    Assignment Questions 497
    Multi-choice Questions 497
    References 502

    7 The Audit Approach 505
    Introduction 505
    7.1 The Systems Approach 506
    7.2 Control Risk Self-assessment (CRSA) 523
    7.3 Facilitation Skills 531
    7.4 Integrating Self-assessment and Audit 539
    7.5 Fraud Investigations 543
    7.6 Information Systems Auditing 586
    7.7 Compliance 636
    7.8 VFM, Social and Financial Audits 642
    7.9 The Consulting Approach 653
    7.10 The Right Structure 669
    7.11 New Developments 675
    Summary and Conclusions 677
    Assignment Questions 677
    Multi-choice Questions 678
    References 694

    8 Setting an Audit Strategy 697
    Introduction 697
    8.1 Risk-based Strategic Planning 698
    8.2 Resourcing the Strategy 714
    8.3 Managing Performance 722
    8.4 Dealing with Typical Problems 737
    8.5 The Audit Manual 745
    8.6 Delegating Audit Work 758
    8.7 Audit Information Systems 761
    8.8 Establishing a New Internal Audit Shop 771
    8.9 The Outsourcing Approach 778
    8.10 The Audit Planning Process 789
    8.11 New Developments 802

    Summary and Conclusions 807


    Assignment Questions 810
    Multi-choice Questions 811
    References 825

    9 Audit Field Work 827
    Introduction 827
    9.1 Planning the Audit 827
    9.2 Interviewing Skills 839
    9.3 Ascertaining the System 858
    9.4 Evaluation 864
    9.5 Testing Strategies 877
    9.6 Evidence and Working Papers 896
    9.7 Statistical Sampling 909
    9.8 Reporting Results of the Audit 920
    9.9 Formal Presentations 953
    9.10 Audit Committee Reporting 960
    9.11 New Developments 964
    Summary and Conclusions 970
    Assignment Questions 973
    Multi-choice Questions 974
    References 1006

    10 Meeting the Challenge 1009
    Introduction 1009
    10.1 The New Dimensions of Internal Auditing 1009
    10.2 The Audit Reputation 1010
    10.3 Globalization 1012
    10.4 Examples 1014
    10.5 Meeting the Challenge 1015
    Summary and Conclusions 1023
    Multi-choice Questions 1024
    References 1025

    Appendix A Induction/Orientation Programme 1027

    Appendix B CRSA Best Practice Guide 1029

    Appendix C A Poem by Professor Gerald Vinten 1033

    Appendix D Analytical Techniques by Sue Seamour 1037

    Appendix E Multi-choice Questions: Answer Guide 1041

    Index 1057

  • LIST OF ABBREVIATIONS

    AC Audit Committee
    ACCA Association of Chartered Certified Accountants
    ACR Assurance, Control and Risk
    AIB Allied Irish Bank
    AICPA American Institute of Certified Public Accountants
    AIRMIC Association of Insurance and Risk Managers
    ALARM Association of Local Authority Risk Managers
    AO Accounting Officer
    APB Auditing Practices Board
    BA Business Area
    BBC British Broadcasting Corporation
    BCCI Bank of Credit and Commerce International
    BCP Business Continuity Program
    BFS Baring Futures Singapore
    BV Book Value
    C&AG Comptroller and Auditor General
    CAAT Computer Assisted Audit Techniques
    CAE Chief Audit Executive
    CBI Confederation of British Industry
    CBOK Common Body of Knowledge
    CCAB Consultative Committee of Accountancy Bodies
    CEO Chief Executive Officer
    CFIA Competency Framework for Internal Auditors
    CFO Chief Financial Officer
    CG Corporate Governance
    CIA Chief Internal Auditor
    CICA Canadian Institute of Chartered Accountants
    CIMA Chartered Institute of Management Accountants
    CIO Chief Information Officer
    CIPFA Chartered Institute of Public Finance and Accountancy
    CISO Chief Information Security Officer
    COSO Committee of Sponsoring Organizations of the Treadway Commission
    CPA Certified Public Accountant
    CPD Continuing Professional Development
    CPE Continuing Professional Education
    CRO Chief Risk Officer
    CRSA Control and Risk Self-Assessment
    CSA Control Self-Assessment
    CSFB Credit Suisse First Boston


    CSI Computer Security Institute
    CSR Corporate Social Responsibility
    DA District Auditor
    DF Director of Finance
    DGIA Directorate General for Internal Audit
    DP Data Protection
    DR Disaster Recovery
    DRP Disaster-Recovery Program
    DTI Department of Trade and Industry
    EA External Audit
    EC European Commission
    ECIIA European Confederation of Institutes of Internal Auditing
    EFQM European Foundation Quality Model
    ERM Enterprise Risk Management
    ERM Effective Risk Management
    EU European Union
    FCO Foreign and Commonwealth Office
    FD Finance Director
    FEI Financial Executives International
    FRC Financial Reporting Council
    FRRP Financial Reporting Review Panel
    FSA Financial Services Authority
    GAAP Generally Accepted Accounting Policies
    GAIN Global Audit Information Network
    GAO Government Accountability Office
    GAP Generally Accepted Accounting Principles
    GAR Guaranteed Annuity Rate
    GRC Governance, Risk, and Control
    GSE Government-Sponsored Enterprises
    HM Her Majesty's
    HoP Head of Personnel
    HR Human Resource
    HRM Human Resource Management
    IA Internal Audit
    IC Input Control
    ICAEW Institute of Chartered Accountants in England and Wales
    ICE Internal Control Evaluation
    ICGN International Corporate Governance Network
    ICQ Internal Control Questionnaire
    IFRS International Financial Reporting Standards
    IIA Institute of Internal Auditors
    IiP Investors in People
    IMC Institute of Management Consultants
    IoD Institute of Directors
    IPPF International Professional Practices Framework
    IPSAS International Public Sector Accounting Standards
    IRC INFOSEC Research Council
    IS Information Systems


    ISO International Standards Organization
    ISS Institutional Shareholder Services
    IT Information Technology
    JDS Joint Disciplinary Scheme
    KPIs Key Performance Indicators
    KPMG Klynveld, Peat, Main and Goerdeler
    KRCM Key Risk and Control Matrix
    MIIA Advanced Diploma in Internal Audit Management
    MIS Management Information System
    MO Main Office
    MUS Monetary Unit Sampling
    NAO National Audit Office
    NDPBs Non-Departmental Public Bodies
    NED Non-Executive Director
    NHS National Health Service
    NII Nuclear Installations Inspectorate
    NYSE New York Stock Exchange
    OC Output Control
    OECD Organization for Economic Cooperation and Development
    PA Performance Appraisal
    PAC Public Accounts Committee
    PAF Public Audit Forum
    PC Processing Control
    PC Personal Computer
    PC Plans and Control
    PESTL Political, Economical, Social, Technical and Legal
    PI Performance Indicator
    PIIA Diploma in Internal Audit Practice
    PIPEDA Personal Information Protection and Electronic Documents Act
    PM Project Manager
    PPF Professional Practices Framework
    PSR Preliminary Survey Report
    PwC PricewaterhouseCoopers
    QA Quality Assurance
    QRP Quality Review Process
    RaCE Risk and Control Evaluation
    RBSA Risk-Based Systems Auditing
    SBA Systems-Based Auditing
    SBA Systems-Based Approach
    SD Systems Development
    SD Standard Deviation
    SEC Securities and Exchange Commission
    SEC Stock Exchange Commission
    SEE Social Ethical and Environmental
    SIC Statement on Internal Control
    SIMEX Singapore International Money Exchange
    SLAs Service Level Agreements
    SWOT Strengths, Weaknesses, Opportunities and Threats