The Operational Auditing Handbook
The Operational Auditing Handbook: Auditing Business and IT Processes

About the Book

Table of Contents:
  • Preface
  • Acknowledgements

Part I Understanding Operational Auditing
  • 1 Approaches to Operational Auditing: Definitions of “Operational Auditing”; Scope; Audit Approach to Operational Audits; Resourcing the Internal Audit of Technical Activities; Productivity and Performance Measurement Systems; Value for Money (VFM) Auditing; Benchmarking
  • 2 Business Processes: Introduction; An Audit Universe of Business Processes; Self Assessment of Business Processes; A Hybrid Audit Universe; Reasons For Process Weaknesses; Identifying the Processes of an Organisation; Why Adopt a “Cycle” or “Process” Approach to Internal Control Design and Review?; Business Processes in the Standard Audit Programme Guides; The Hallmarks of a Good Business Process; Academic Cycles in a University
  • 3 Developing Operational Review Programmes For Managerial and Audit Use: Scope; Practical Use of SAPGs; Format of SAPGs; Risk in Operational Auditing
  • 4 Governance Processes: Introduction; Internal Control Processes being Part of Risk Management Processes; Risk Management Processes being Part of Governance Processes; Objectives of Governance, Risk Management and Control Processes; The COSO View of Objectives; Should there be a Single Set of Objectives?; The Internal Governance Processes; The Board and External Aspects of Corporate Governance; The Board’s Assurance Vacuum; Risk and Control Issues for Internal Governance Processes; Risk and Control Issues for the Board; Risk and Control Issues for External Governance Processes
  • 5 Risk Management Processes: Introduction; Objectives of Risk Management; Essential Components of Effective Risk Management; The Scope of Internal Audit’s Role in Risk Management; Tools for Risk Management; The Risk Matrix; Risk Registers; Risk Management Challenges; Control Issues for Risk Management Processes
  • 6 Internal Control Processes: Introduction; Paradigm 1: COSO on Internal Control; Paradigm 2: Turnbull on Internal Control; Paradigm 3: COCO on Internal Control; Paradigm 4: A Systems/Cybernetics Model of Internal Control; Paradigm 5: Control by Division with Supervision; Paradigm 6: Control by Category; The Objectives of Internal Control; Determining Whether Internal Control is Effective; Control Cost-Effectiveness Considerations; Issues for Internal Control Processes
  • 7 Review of the Control Environment: Introduction; Control Objectives for a Review of the Control Environment; Risk and Control Issues for a Review of the Control Environment; Fraud
  • 8 Reviewing Internal Control Over Financial Reporting—The Sarbanes-Oxley Approach: Introduction; Costs and Benefits; 2007 SOX-LITE; Revised Definitions of “Significant Deficiency” and “Material Weakness”; Using a Recognised Internal Control Framework for the Assessment; Risk and Control Issues for the Sarbanes-Oxley s. 302 and s. 404 Compliance Process
  • 9 Business/Management Techniques and Their Impact On Control and Audit: Introduction; Business Process Re-Engineering; Total Quality Management; Delayering; Empowerment; Outsourcing; Just-In-Time Management (JIT)
  • 10 Control Self Assessment: Introduction; Survey and Workshop Approaches to CSA; Selecting Workshop Participants; Where to Apply CSA; CSA Roles for Management and for Internal Audit; Avoiding Line Management Disillusionment; Encouragement from the Top; Facilitating CSA Workshops, and Training for CSA; Anonymous Voting Systems; Comparing CSA with Internal Audit; Control Self Assessment as Reassurance for Internal Audit; A Hybrid Approach—Integrating Internal Auditing Engagements with CSA Workshops; Workshop Formats; Utilising CoCo in CSA; Readings; Control Self Assessment
  • 11 Evaluating the Internal Audit Activity: Introduction; Ongoing Monitoring; Periodic Internal Reviews; External Reviews; Common Weaknesses Noted by Quality Assurance Reviews; Internal Audit Maturity Models; Effective Measuring of Internal Auditing’s Contribution to the Enterprise’s Profitability; Control Objectives for the Internal Audit Activity

Part II Auditing Key Functions
  • 12 Auditing the Finance and Accounting Functions: Introduction; System/Function Components of the Financial and Accounting Environment; Control Objectives and Risk and Control Issues; Treasury; Payroll; Accounts Payable; Accounts Receivable; General Ledger/Management Accounts; Fixed Assets (and Capital Charges); Budgeting and Monitoring; Bank Accounts and Banking Arrangements; Sales Tax (VAT) Accounting; Taxation; Inventories; Product/Project Accounting; Petty Cash and Expenses; Financial Information and Reporting; Investments
  • 13 Auditing Subsidiaries, Remote Operating Units and Joint Ventures: Introduction; Fact Finding; High Level Review Programme; Joint Ventures
  • 14 Auditing Contracts and the Purchasing Function: Introduction; Control Objectives and Risk and Control Issues; Contracting; Contract Management Environment; Assessing the Viability and Competence of Contractors; Maintaining an Approved List of Contractors; Tendering Procedures; Contracting and Tendering Documentation; Selection and Letting of Contracts; Performance Monitoring; Valuing Work for Interim Payments; Contractor’s Final Account; Review of Project Outturn and Performance
  • 15 Auditing Operations and Resource Management: Introduction; System/Function Components of a Production/Manufacturing Environment; Control Objectives and Risk and Control Issues; Planning and Production Control; Facilities, Plant and Equipment; Personnel; Materials and Energy; Quality Control; Safety; Environmental Issues; Law and Regulatory Compliance; Maintenance
  • 16 Auditing Marketing and Sales: Introduction; System/Function Components of the Marketing and Sales Functions; General Comments; Control Objectives and Risk and Control Issues; Product Development; Market Research; Promotion and Advertising; Pricing and Discount Policies; Sales Management; Sales Performance and Monitoring; Distributors; Relationship with the Parent Company; Agents; Order Processing; Warranty Arrangements; Maintenance and Servicing; Spare Parts and Supply
  • 17 Auditing Distribution: Introduction; System/Function Components of Distribution; Control Objectives and Risk and Control Issues; Distribution, Transport and Logistics; Distributors; Stock Control; Warehousing and Storage
  • 18 Auditing Human Resources: Introduction; System/Function Components of the Personnel Function; Control Objectives and Risk and Control Issues; Human Resources Department; Recruitment; Manpower and Succession Planning; Staff Training and Development; Welfare; Performance-Related Compensation, Pension Schemes (and other Benefits); Health Insurance; Staff Appraisal and Disciplinary Matters; Health and Safety; Labour Relations; Company Vehicles
  • 19 Auditing Research and Development: Introduction; System/Function Components of Research and Development; Control Objectives and Risk and Control Issues; Product Development; Project Appraisal and Monitoring; Plant and Equipment; Development Project Management; Legal and Regulatory Issues
  • 20 Auditing Security: Introduction; Control Objectives and Risk and Control Issues; Security; Health and Safety; Insurance
  • 21 Auditing Environmental Responsibility: Introduction; Environmental Auditing; The Emergence of Environmental Concerns; EMAS—The European Eco-Management and Audit Scheme; Linking Environmental Issues to Corporate Strategy and Securing Benefits; Environmental Assessment and Auditing System Considerations; The Role of Internal Audit; Example Programme

Part III Auditing Information Technology
  • 22 Auditing Information Technology: Introduction; Introduction to Recognised Standards Related to Information Technology and Related Topics; System/Function Components of Information Technology and Management; Control Objectives and Risk and Control Issues
  • 23 IT Strategic Planning
  • 24 IT Organisation
  • 25 IT Policy Framework
  • 26 Information Asset Register
  • 27 Capacity Management
  • 28 Information Management (IM)
  • 29 Records Management (RM)
  • 30 Knowledge Management (KM)
  • 31 IT Sites and Infrastructure (Including Physical Security)
  • 32 Processing Operations
  • 33 Back-Up and Media Management
  • 34 Removable Media
  • 35 System and Operating Software (Including Patch Management)
  • 36 System Access Control (Logical Security)
  • 37 Personal Computers (Including Laptops and PDAs)
  • 38 Remote Working
  • 39 Email
  • 40 Internet Usage
  • 41 Software Maintenance (Including Change Management)
  • 42 Networks
  • 43 Databases
  • 44 Data Protection
  • 45 Freedom of Information
  • 46 Data Transfer and Sharing (Standards and Protocol)
  • 47 Legal Responsibilities
  • 48 Facilities Management
  • 49 System Development
  • 50 Software Selection
  • 51 Contingency Planning
  • 52 Human Resources Information Security
  • 53 Monitoring and Logging
  • 54 Information Security Incidents
  • 55 Data Retention and Disposal
  • 56 Electronic Data Interchange (EDI)
  • 57 Viruses
  • 58 User Support
  • 59 Bacs
  • 60 Spreadsheet Design and Good Practice
  • 61 IT Health Checks
  • 62 IT Accounting

Appendices and back matter
  • Appendix 1 Index to SAPGs on the Companion Website
  • Appendix 2 Standard Audit Programme Guides
  • Appendix 3 International Data Protection Legislation
  • Appendix 4 International Freedom of Information Legislation
  • Appendix 5 Information Management Definitions
  • Appendix 6 IT and Information Management Policies
  • Bibliography
  • Index

About the Authors:
Andrew Chambers is Professor of Internal Auditing at London South Bank University and professor emeritus of Cass Business School, London. He runs Management Audit LLP specializing in auditing and corporate governance work, and is a member of the international Internal Auditing Standards Board. Graham Rand specialises in IT auditing, risk management and operational review. His career, in the UK and overseas, has featured involvement in a range of organisations, principally in the electrical retail, financial services and public sectors. Much of his current consultancy is on Information Management, Records Management, IT Security and providing support on the development of Risk Management and Information Security environments.




Product Details
  • ISBN-13: 9780470662113
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Edition: Revised edition
  • No of Pages: 904
  • ISBN-10: 0470662115
  • Publisher Date: 05 Dec 2011
  • Binding: Digital (delivered electronically)
  • Language: English
  • Sub Title: Auditing Business and IT Processes

