This page contains many of the guides that are available on KnowledgeLeader. These guides are all provided in downloadable versions so they can be repurposed for use in your organization.
Glossary of Sarbanes-Oxley Section 404 Key Terms
This glossary contains frequently used terms related to the Sarbanes-Oxley Section 404 compliance process. This document includes terms such as: assertions, control gap, ICFR risk, and segregation of duties.
Global Technology Audit Guide (GTAG) 12: Auditing IT Projects
Whether IT projects are developed in house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputation damage. Early involvement by internal auditors can help ensure positive results. Auditing IT Projects from The IIA provides an overview of techniques for effectively engaging with project teams and management to assess IT project risks.
SOX Control Writing and Testing of Operating Effectiveness Guidance
The purpose of this document is to provide guidance when documenting controls by category and testing the operating effectiveness of these controls.
SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.
Oil & Gas Dictionary
This dictionary of industry specific terms is an excellent resource for those working with the Oil and Gas industry.
SOX Testing Methodology Example
This is a SOX Testing Methodology that highlights several aspects of SOX testing including scope, approach and population.
Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan
As technology becomes more integral to the organization’s operations and activities, a major challenge for internal auditors is how to best approach a company-wide assessment of IT risks and controls within the scope of their overall assurance and consulting services. As pointed out in this GTAG, auditors need to understand the organization’s IT environment; the applications and computer operations that are part of the IT infrastructure; how IT applications and operations are managed; and how IT applications and operations link back to the organization.
Global Technology Audit Guide (GTAG) 10: Business Continuity Management
The objective of this GTAG is to provide insight into what BCM means to an organization, how to build a business case, and identify common risks and requirements. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's BCM processes. This guide will also help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
Global Technology Audit Guide (GTAG) 9: Identity and Access Management
The objective of this GTAG is to provide insight into what IAM means to an organization and to recommend internal audit areas for investigation. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.
Global Technology Audit Guide (GTAG) 8: Auditing Application Controls
This edition of the Global Technology Audit Guide from The IIA provides Chief Audit Executives with information on the role of internal auditors regarding application controls, and how to perform a risk assessment. This guide also includes a list of common application controls, a sample audit plan, and application control review tools.
Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing
This edition of the Global Technology Audit Guide from The IIA provides the chief audit executive (CAE), internal auditors, and management with information on the types of IT outsourcing activities, the IT outsourcing lifecycle, and how outsourcing activities should be managed by implementing well-defined plans that are supported by a companywide risk, control, compliance, and governance framework.
Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities
This sixth GTAG was developed to help chief audit executives pose the correct questions to their IT security staff when assessing their vulnerability management processes. The guide recommends specific management practices to help achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.
Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks
This fifth GTAG is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks.
Global Technology Audit Guide (GTAG) 4: Management of IT Auditing
This fourth GTAG is designed for CAEs and internal audit management personnel who are responsible for overseeing IT audits. The focus of this guide is on providing specific recommendations that a CAE can implement immediately, and on helping sort through the strategic issues regarding planning, performing, and reporting on IT audits. Consideration is given to the fundamentals as well as emerging issues.
Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
This third Global Technology Audit Guide from The Institute of Internal Auditors helps identify what must be done to make effective use of technology in support of continuous auditing, and highlights areas that require further attention. By following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments.
Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success
This guide published by The IIA helps internal auditors ask the right questions of the IT organization to assess its change management capability. It is designed to help you quickly assess the overall level of process risk and determine whether a more detailed process review may be necessary. The guide provides risk indicators of poor change management, and field-tested metrics to assess the health of the change management process. It includes top five steps to reduce IT change risks and an IT change management audit program.
Global Technology Audit Guide (GTAG) 1: Understanding IT Controls
This document explains IT controls and audit practice in a format that allows Chief Audit Executives to understand and communicate the need for strong IT controls. Use this guide as a foundation to assess or build your organization’s framework and audit practices for IT business control, compliance, and assurance.
Control Gap Remediation Methodology Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring that there is a remediation plan in place to address control gaps and that remediation progress is monitored. This presentation serves as a guide to train SOX-project teams in identifying control gaps and implementing a remediation action plan.
Sarbanes-Oxley Section 404 – Guidance for Documenting Test Results
This guide outlines steps to complete when documenting SOX Section 404 test results. The steps specifically describe how to set up a standard process for referencing work papers, documenting test results, documenting control remediation, and filing work papers. These steps should be modified to reflect each organization’s Section 404 testing process.
Risk Assessment Process - Facilitation Tips
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.
Using the New SEC and PCAOB Guidance to Make Section 404 Compliance More Cost-Effective
The purpose of this guide is to provide a brief overview and update related to the May 2007 SEC guidance and PCAOB standard (AS5). The presentation primarily focuses on what companies can do to lead a more cost-effective Sarbanes-Oxley effort. This presentation explores eight key decisions along the Section 404 compliance process which management needs to consider with the objective of aligning the company’s and auditor’s application of a top-down, risk-based approach and maximizing the cost-effectiveness of the process.
Glossary of Inventory-Related Terms
This glossary contains frequently used terms related to the inventory process. This document includes terms such as: activity-based costing, cycle counting, inventory roll-forward, and work order.
Glossary of Commonly Used Acronyms and Terms
This glossary contains frequently used terms related to financial reporting, internal audit, corporate governance, technology, and risk management processes. This document has been updated with terms such as: accrual accounting, accrued expense, accrued income, accrued interest, balance sheet, cash basis, income statement, and statement of cash flow.
A Guide for Documenting Processes and Controls for Sarbanes-Oxley
This guide is designed to help establish consistent Sarbanes-Oxley documentation standards throughout an organization. It discusses documentation types to use, how to document risks and controls, and follow-up procedures to take after the documentation process is complete.
Sarbanes-Oxley Roles and Responsibilities Guide
The purpose of this guide is to describe example roles and responsibilities the various team members involved in Sarbanes-Oxley (SOX) compliance can take on during the project. Roles and responsibilities are described for: process/control owners, risk control specialists, the Project Management Office (PMO), and the Internal Controls Steering Committee (ICSC).
Remediation Efforts and Needs – SOX Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring control deficiencies are accurately communicated to appropriate personnel and properly tracked. This presentation serves as a guide to train SOX project teams in identifying and communicating deficiencies noted during the testing process.
Sarbanes-Oxley Section 404: Report Testing Methodology
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams in testing reports that are used during the financial reporting process. Note: Testing individual reports is a relatively inefficient manual process and should only be used if General Computer Controls and/or End User Computing Controls do not provide adequate assurance over reports.
Excel in Managing Spreadsheet Risk Presentation
Control over spreadsheets associated with the financial reporting process is an increasing concern for companies. These spreadsheets have achieved an increasingly high profile within regulatory compliance. This presentation serves as a guide to train SOX project teams in testing Section 404 spreadsheet controls and utilizing a spreadsheet control framework.
Information Security: Design, Implementation, Measurement, and Compliance
Tim Layton's new book, Information Security, is a practical guide to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context. Here's Chapter 13, Access Control.
Sarbanes-Oxley 404 Compliance Project Testing Guidelines and Documentation Standards Presentation
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by Internal Audit to lessen the work required by the external auditor.
TCM Audit Principles (“TCM Audit Top 10”)
This “TCM Audit Top 10” represents guiding principles that should be applied to Technology Change Management (TCM) Audits.
Ten Best Practices for Enterprise Intrusion Prevention
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution can block an attack without requiring manual analysis before action is taken to protect the system, and it prevents attacks from damaging your operating system, applications and data. This checklist helps you choose the right type of solution for your organization.
Cash Management, Treasury, and Banking Glossary
This glossary contains terms frequently used in cash management, treasury, and banking.
Example IT Control Metrics to Be Considered by Audit Committees
These IT security control metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization’s information security program over time. This guide provides two lists of metrics: the first for board members, and the second for management, to help implement the information security goals and policies established by the board.
Compliance Frameworks
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. This document identifies the most commonly used frameworks.
Implementation of a Change Management Policy Presentation
Identifying changes in internal controls is important in streamlining the SOX compliance process, specifically 302 and 404 certifications. When identifying changes in internal controls, it is important to have a change management policy for process owners to follow. This presentation serves as a guide in implementing an internal control change management policy. It addresses the types of changes to manage in this process, documentation requirements, and key tools and reports.
Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting
This presentation provides a summary of the control approaches for each of the 26 principles that COSO identified in its exposure draft – “Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting.” For each principle, this document offers approaches smaller companies can take to achieve the primary objective. Example approaches include leading by example, fraud risk assessments, and setting accountability.
How to Standardize Documentation for Internal Controls
As your Sarbanes-Oxley project moves towards a process approach, it is important to standardize the documentation of internal controls. This presentation serves as a guide to achieving standardization. It addresses what to document, how to do it, and to what extent. In addition, this presentation is a useful tool when training employees on documentation standards.
Auditing Network Security – Common Findings
This multi-part guide details the steps required to ensure that your network is secure. This fifth and final part identifies typical findings resulting from a review or audit of network security.
Auditing Network Security – Assessment Resources
This multi-part guide details the steps required to ensure that your network is secure. This fourth part identifies web sites and tools that are likely to provide useful resources.
Auditing Network Security – Review Methodologies
This multi-part guide details the steps required to ensure that your network is secure. This third part discusses the various methodologies involved in the review/audit process.
Auditing Network Security - Defining the Scope
This multi-part guide details the steps required to ensure that your network is secure. This second part of five provides more detail regarding determining what should be included in a review or audit.
Auditing Network Security – Securing a Network
This multi-part guide details the steps required to ensure that your network is secure. This first part discusses the overall approach to reviewing/auditing the existing security.
Using Risk Management Frameworks
This presentation defines and describes various types of internal controls. Then it reviews control frameworks including COSO, COSO ERM, and COBIT. Finally, it describes the elements and implementation of an enterprise risk management solution.
Audit Committee Briefing – Internal Audit Standards: Why They Matter
Commonly, and in best-practice organizations, internal auditing has a direct reporting line to the audit committee. This publication explains how internal audit activities that adhere to the Standards and Code of Ethics can help audit committees comply with their own charters and regulatory responsibilities. In addition, this briefing provides guidelines for the relationship between audit committees and internal auditors.
Typical Steps in an Internal Audit Quality Assessment
Although an external quality assessment of the internal audit function needs to be tailored to each organization, the reviews typically include the steps outlined in this guide.
Internal Audit Key Performance Indicators
With the passage of SOX, audit committees and management are responsible for implementing an effective risk monitoring process. This involves identifying and performing ongoing monitoring of key performance indicators. To help audit committees and management facilitate this process, The Institute of Internal Auditors – UK and Ireland published this guidance on key performance indicators to monitor.
Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence in the marketplace. This checklist provides a list of various fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.
Top Ten Practical Tips for Surviving and Thriving with the Sarbanes-Oxley Act
Recent guidance from the SEC and PCAOB brought forth key points to consider in your SOX approach. In addition, lessons learned from accelerated filers provide insight into challenges and successes for ongoing SOX compliance. This presentation offers ten tips for surviving SOX along with steps to execute each tip to move towards a successful compliance process.
Control Objectives and Activities for a Generic Business Enterprise
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for business activities identified in the ‘Value Chain’ model of a generic business enterprise. The activities are sub-divided into different levels, depending on their positions in the model.
GLB Suggested Audit Approach
This Gramm-Leach-Bliley compliance approach is generally organized into the following phases: requirements identification, risk analysis, assessment of the current environment, gap analysis, recommendations for improvement, and implementation. This methodology can be used in an iterative fashion or tailored to each company’s unique compliance requirements.
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope-determination process, resources, and timing of testing. In addition, it discusses the importance of this integration and offers concrete ideas for integrating the compliance process.
The Combined Code of Corporate Governance (Turnbull Report) - UK
The Combined Code of Corporate Governance challenged directors of listed companies to raise their game on business risk management. To help companies respond, in 1999 the Institute of Chartered Accountants in England and Wales (ICAEW) Internal Control Working Party, chaired by Nigel Turnbull, published Internal Control: Guidance for Directors on the Combined Code ("the Turnbull report"). The Turnbull guidance was updated in October 2005.
SOX Auditor Walkthrough Presentation - Guide
In a SOX review, external auditors are required to perform at least one walkthrough for each significant transaction class at the company. This training presentation was created to help prepare company personnel for audit walkthroughs and to provide tips and suggestions. The presentation covers questions to expect from the auditor and example responses to these questions by different company departments.
Best Practices in Ethics Hotlines: A framework for creating an effective anonymous reporting program
For many years, companies have been using hotlines to detect theft and fraud with great success. But until recently, some companies still considered them a luxury rather than a necessity. With the introduction of the Sarbanes-Oxley Act, lawmakers have further validated the need for this reporting mechanism. This paper by The Network, Inc. discusses best practice techniques for developing an effective ethics hotline program by examining three critical stages: planning a successful hotline program, communicating to stakeholders about the hotline, and reacting to hotline tips.
Sarbanes-Oxley Walkthrough Guidance for General IT Controls
Process walkthroughs are an important part of Sarbanes-Oxley compliance projects. They provide the opportunity to validate the steps necessary to complete a process and view the control environment of a process. This presentation describes the goal of performing a process walkthrough and steps to take during the walkthrough process.
QUALCOMM, Inc. – 2004 Form 10K – Includes Section 404 Internal Control Report
Many subscribers have been waiting to see what a Section 404 internal control report and the accompanying auditor attestation look like. The wait is over. QUALCOMM, Inc. is a company involved in developing Code Division Multiple Access (CDMA), which is one of the three technologies instrumental in digital wireless communication networks. With a September year-end, QUALCOMM has elected to early adopt Section 404. The company has incorporated the Section 404 reporting requirements in its 2004 10-K. Protiviti’s Jim DeLoach directs readers to some of the important items in the 10-K.
Ten Best Practices for Internal Audit Reporting
Despite the tools and technologies we have today for audit tracking and reporting, internal audit teams are still confronted with the challenge of figuring out what to say and how to say it. The purpose of this guide is to help teams effectively communicate with their clients and build stronger customer relationships through proper internal audit reporting.
Safeguard Your Contract Negotiation
This guide from SoftResources has helpful information and best practices for the software contract review and negotiation process. The primer provides an overview of contract types, components of a maintenance agreement, tips for addressing implementation and training services and a suggested contract review process.
IT Control Best Practices, Part 2 – Application Specific
This is Part 2 of a document created to identify leading practices for auditing IT controls. The presentation addresses risk objectives and control points, and notes recommended parameters and minimum settings for Windows 2000 and Sun Solaris as well as several email, network and database applications.
The Changing Role of the Internal Auditor
This presentation describes the development of internal auditing and the new forces and legislation impacting the profession. It describes today as the "age of continuous auditing" and looks toward the possibilities for the internal auditor of the future. This insider’s view was presented at the National Convention of Beta Alpha Psi – an international student organization that promotes the study and practice of accounting, finance and information systems.
IT Controls Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
Training Presentation: An Overview of COSO Internal Control - Integrated Framework
This COSO training presentation from Protiviti provides an introduction to the Internal Control -- Integrated Framework, including the definition of internal control, the three objectives and five components of the framework, entity and activity level assessments, and limitations on internal control.
Common Fraud Scenarios
This document provides illustrations of different types of frauds and how such frauds could be perpetrated -- including fraudulent financial reporting, misappropriation of assets, improper expenditures, and tax fraud. The purpose is to assist those responsible for conducting a fraud risk assessment in accordance with the requirements of Section 404 of Sarbanes-Oxley Act.
Ann's Advice for Auditors
These articles and tools have been contributed by Ann Butera, the President of The Whole Person Project, a New York-based organizational development consulting firm. Butera provides monthly training materials for auditors on KnowledgeLeader.
Overcoming the Common Misconceptions about Internal Audit
In this column, Ann describes a fraud situation that illustrates what happens when management’s and the auditor’s roles are fundamentally misunderstood and executed poorly. She then clarifies the definition and role of internal audit and explains elements of a risk management education program to help organizations overcome myths surrounding the role of internal audit.
Sarbanes-Oxley and ITIL
This presentation discusses the importance of IT in relation to the Sarbanes-Oxley Act (SOA), and provides insights into how the best practice guidelines for service management described in the IT Infrastructure Library (ITIL) can help.
Process Documentation Narrative and Flow Chart Guide
This guide describes techniques for documenting processes and includes a checklist for developing process maps and incorporating risk and controls information within a process map. There is also a process map example.
Is Your Company’s Control Environment Sarbanes Compliant?
Ann breaks down the significant components of the PCAOB’s Auditing Standard No. 2 and provides practical insight on monitoring the control environment and developing a corporate culture with effective controls. She includes a short list of questions to help you assess your organization’s control environment.
Assessing Organizational Culture – The Company’s Control Environment
When the Committee of Sponsoring Organizations (COSO) published Internal Control - Integrated Framework in 1992, this model underscored the importance of organizational culture in the establishment of sound internal control practices. In this column, Ann looks at organizational culture and describes four cultural prototypes, along with eight areas to focus on during an audit to diagnose an organizational culture.
Overcoming the Three Challenges of Audit Leadership
In today’s competitive business climate auditors at all levels need to display leadership skills within their organization, not just within the audit department. These skills are essential if auditors are to produce valued results and bring about the desired change within their organization’s internal control system and environment. In this month’s column, Ann describes three leadership challenges that face auditors, and offers advice on how to overcome them.
Control Objectives and Activities Process Product Costs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Product Costs.’
Control Objectives and Activities: Process Payroll
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Payroll’, one of the sub-activities of Manage Finance.
Redefining The Role of Internal Audit in a Post Sarbanes World
In this month’s column, Ann discusses whether and how the internal auditor’s role will be permanently changed by their company’s Sarbanes-Oxley initiatives. She says that while the internal audit mission will not change, the manifestation of the mission – the specific services and activities performed by the department – may change. She analyzes some of the factors that will affect change and the new internal audit responsibilities that will likely result. This is a moment of great opportunity for internal audit.
Control Objectives and Activities: Process Benefits and Retiree Information
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Benefits and Retiree Information’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Process Fixed Assets, Analyze and Reconcile
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Fixed Assets, Analyze and Reconcile’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
E-commerce Security Best Practice Guidelines
These guidelines describe a number of best practices related to E-commerce security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities - Plan & Provide Administrative Services
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities relating to Planning and Providing Administrative Services.
Control Objectives and Activities: Process Funds
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Firewall Security Best Practice Guidelines
These guidelines describe a number of best practices related to firewall security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities: Process Accounts Payable and Accounts Receivable
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Process Tax Compliance and Provide Financial and Management Reporting
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Tax Compliance’ and ‘Provide Financial and Management Reporting’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Network Security Best Practice Guidelines
These guidelines describe a number of best practices related to network security. In each case, the risk of not implementing the practice is identified.
Control Objectives and Activities: Manage Risks and Manage Legal Affairs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Manage Risks’ and ‘Manage Legal Affairs’, two of the sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage Information Technology
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage Information Technology activities. This is a sub-activity of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Manage the Enterprise, and Manage External Resources
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage the Enterprise and Manage External Relations Activities, two of the sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
COSO Element – Risk Assessment: A Presentation
Risk assessment is one of the five components of the COSO Internal Control Framework. This presentation was developed as part of a training seminar on COSO. It defines risk assessment and then walks through concepts from objective setting to risk identification, risk analysis, and risk assessment evaluation.
Process Mapping – The Updated Form of Flowcharting
This is a detailed 'How To' guide for process mapping. Ann describes how to use this powerful tool in Sarbanes-Oxley Section 404 compliance. Process mapping is a key documentation approach that can help all personnel to develop a common understanding of controls. Examples of different control and process maps are included in the appendices.
Control Objectives and Activities - Human Resource Management
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Human Resources Management Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Technology Development
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Technology Development Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a “Disclosure Committee” and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
Control Objectives and Activities: Procurement
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities related to Procurement Activities. These are sub-activities of Administration, which is one of the four generic infrastructure activities identified in the ‘Value Chain’ model of a business enterprise.
Money Laundering Red Flags
One of the keys to being able to identify money laundering is understanding the sorts of actions and patterns of transactions - the red flags - that may indicate illegal behavior. The following is a sample list of red flags that may be applicable to different types of transaction activity and businesses.
Control Objectives and Activities: Service
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Service Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities - Marketing and Sales
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Marketing and Sales Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Outbound Logistics
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Outbound Logistics Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Operations
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Operations, the second of the five primary generic business activity areas identified in the ‘Value Chain’ model of a business enterprise.
Control Objectives and Activities: Inbound Logistics
This COSO-based guide provides a list of control objectives, potential risks, and points-of-control for inbound logistics activities – one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
SOA and NYSE Web Disclosure Guidelines
Several Sarbanes-Oxley and related SEC/NYSE mandates require posting of governance information to a corporate website for public access. This guide will highlight a few key areas auditors and financial reporting professionals should be aware of concerning web posting and summarize a few key elements of dealing with entity postings.
Audit Sampling: A Practice Guide
An understanding of audit sampling techniques can help an audit professional properly select test sample sizes and develop a conclusion for various audit tasks. This guide describes basic sampling concepts, provides guidance on developing a sampling plan, and reviews the common approaches of audit sampling.
IT Risks in the Context of Sarbanes-Oxley 404 Compliance
This online seminar, broadcast Wednesday, October 15, 2003, addressed IT risks in the context of Section 404 of the Sarbanes-Oxley Act of 2002. The associated presentation includes additional materials related to general IT process risks and controls, and IT risks and controls at the process level.
Time is Running Out for Sarbanes Section 404 Compliance: Overcoming the Organizational Challenges
If your organization has not started Sarbanes-Oxley compliance efforts, then Ann’s eight practical tips for overcoming common challenges are a must-read. This month’s column supplies advice for any enterprise on dealing with the organizational challenges that these projects present. Executive sponsorship, accountability, and a dedicated communications infrastructure are key.
Sarbanes-Oxley Public Disclosure Summary
This presentation summarizes public disclosure requirements for Sarbanes-Oxley by section including basic descriptions, rule status or effective date, and related required disclosures. Some applicable SEC Release disclosure items are also included.
Complaint Procedure for Accounting and Auditing
Section 301 of the Sarbanes-Oxley Act requires Audit Committees to create a complaint procedure related to accounting, internal controls, or audit matters, and stipulates several required attributes of a complaint handling procedure. This guide assists with the process of developing a complaint procedure.
The Role of Internal Audit in a Post-Sarbanes World
According to Ann, Sarbanes has made managers involved in the financial reporting process much more aware of the risks and the need for viable, functioning controls over this process. It has also served to highlight the importance of the internal auditor's role within the organization. The challenge for internal auditors in a post-Sarbanes environment will be finding the time to enhance their skill base to keep up with the new demand for their skills. She provides a list of 16 key professional competencies for internal auditors.
Facilitation Techniques: Handling Difficult People
This guide reviews six roles that hinder a group's progress and impact the group's process. It also looks at methods a facilitator can use to overcome these problems.
Sarbanes-Oxley: Strategies for Complying with the Final Section 404 Rules
This presentation provides an overview of the final SOA Section 404 rules. It also discusses what companies are doing to comply and why, the options for compliance and the related pros and cons, and why companies should undertake compliance activities now despite the extended deadline provided by the SEC.
COSO Framework Description
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This guide provides a brief description of the COSO framework.
COSO Internal Control Framework Overview Presentation
This presentation explains the key parts of the COSO Internal Control Framework, in particular the objectives and components of COSO. It also defines and explains ‘internal control,’ ‘internal control deficiency,’ and ‘material weakness’ based on COSO.
Lessons from the School of Hard Knocks - Six Ways to Overcome Management Resistance to Sarbanes-Oxley Section 404 Compliance
Ann presents a third Sarbanes-Oxley article to assist project teams. She recently led Sarbanes-Oxley 404 compliance training sessions for line managers and analyzes the factors that can make the compliance process work smoothly. She suggests six success factors for overcoming line management resistance to the compliance process.
Overview of the OIG Compliance Program Guidance For Pharmaceutical Manufacturers
This guidance applies to companies that develop, manufacture, market, and sell pharmaceutical drugs or biological products, and is intended to assist these companies in implementing internal controls to ensure compliance with applicable laws and requirements of the federal health care program. This summary outlines the seven elements of an effective compliance program.
Information Systems Security Organization Planning Guide
This guide is intended to help companies prepare recommendations for the structure of an information systems security organization, including functional requirements and responsibilities, and staffing options to fulfill those responsibilities. The guide includes an outline of functional responsibilities, staffing options, and comments on the impact of training and other costs.
Developing an Effective Code of Conduct
As many organizations already understand, a formal, written code of conduct is critical in order to transform ethical behavior into something more tangible for employees. Such a code is now a requirement for public companies, as mandated by the Sarbanes-Oxley Act and by the listing requirements of major stock exchanges. Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. This article describes the elements of a successful code and lists ethics warning signs to watch for.
Refining the Plan for Sarbanes-Oxley Attestation Compliance
Ann provides practical advice in light of the SEC’s final rules regarding SOA issued on June 6, 2003. She comments on the scope of the attestation process, selecting a framework, and using consultative resources to assist through the compliance process.
An Approach to Managed Care Rebate and Wholesaler Chargeback Audits for Pharmaceutical Companies
Because the base price of pharmaceutical products is established by regulation, the pharmaceutical industry has had to offer a number of creative incentives to customers in order to obtain market share and build a loyal customer base. Many manufacturers use rebate and chargeback programs - which often have complex contracts and provisions. The purpose of this article is to provide an overview of pharmaceutical rebate and chargeback programs, and to describe recommended processes, steps and considerations for auditing these contracts. The author, David Ross, is the chair of Protiviti’s national Healthcare and Life Sciences industry taskforce.
Wireless Networking Glossary
This short glossary contains terms frequently used to describe wireless networking.
HIPAA Gap Analysis Summary
This guide contains tables summarizing the different HIPAA security standards, and illustrates the different types of security policies that apply to each. The tables can be used to determine what security policies are needed within your organization to adequately address and comply with HIPAA regulations.
Making Sarbanes-Oxley Compliance Easier
Considering the importance of strong governance to all organizations and the complexity of related Sarbanes-Oxley compliance efforts, Ann’s practical advice is both timely and helpful. First, Ann points out several factors that differentiate organizations’ readiness for SOA compliance: culture, industry, and internal control infrastructure. Next, Ann describes practical actions that will ease compliance implementation programs.
Assessing Risks and Internal Controls: A Training Presentation for Process Owners
As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. This presentation was developed to help with this training activity.
Internal Audit Reporting: Impact and Clarity: Guide and Example
Effective Internal Audit reports and communications are a critical aspect of the audit process. Strong reporting is more than just appearance, and should be a reflection of the audit approach, performance, and organizational governance objectives. This guide provides practical advice for audit reporting, and includes an example report to the Audit Committee.
Ethics Program Best Practices
An effective ethics program serves as a basis for policy making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics program.
Achieving Effective Board Performance
In this month's column, Ann describes the hallmarks of effective Boards of Directors. She provides a list of six specific actions that internal auditors can take to promote increased board effectiveness.
Sarbanes-Oxley Section 404 Committees: A Guide
This guide describes the composition, function and operating style of an SOA Section 404 Compliance Steering Committee, and the interrelationship between a Steering Committee and a Disclosure Committee. It addresses the scope, membership, and interaction of these committees.
Finance Function Resource Assessment Guide
Internal auditors can use this guide to help perform and document a resource assessment of the company’s financial functions. The purpose of such a review is to assess these functions from a people, process, and technology perspective in performance of their "business as usual" job functions.
Security Awareness Program Components
This guide discusses some components that should be included in a security awareness program, including policies, communication methods, and topics for ongoing communications with systems users.
Internal Audit’s Role: A Summary for the Board of Directors - Guide
This summary presents an overview of the role of the Internal Audit department to the Board of Directors. It informs the Board about the definition of internal audit and internal control, and briefly describes what auditors do and who is involved in the work. This example also includes a brief overview of the projects on which the audit department intends to focus.
Wireless Security Policies: Overlooked Issues
Corporate security policies must be in place to address the unique risks of wireless technologies. The following guide contains a list of commonly overlooked issues in organizational security policies.
Ways to Promote Positive Change in Your Audit Department
In this month's column, Ann details seven actions to take to promote change within your audit department. Before internal audit can effectively promote change in their organization, they need to be able to embrace it for themselves. Ann describes common behavioral attributes of auditors that are helpful in understanding how and why some auditors resist change.
Travel Safety Guidelines
When planning a business trip there are some basic steps that will help to avoid travel risks and prepare for threatening situations. This guide contains suggestions for travel planning and personal safety, and links to related resources.
British Standard 7799 (ISO 17799)
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.
Wireless Security: Best Practices
This guide provides recommendations for wireless security best practices in the areas of: Policies and Procedures; Network Architecture; Device Configuration; and Assessment.
Wireless Discovery Tools: A Guide
This guide is intended to help with the selection of hardware and software tools to be used during wireless network penetration tests, or in other tests of wireless network security issues.
Six Actions for Better Time Estimates
Ann provides practical advice on the importance of time management, how to avoid common audit time-estimating pitfalls, and six actions to be taken for effective (and constantly improving) estimates. Following these six guidelines will assist all levels of audit personnel to be more effective professionals, and may improve audit cycles.
Four Tactics for Making New Year Resolutions that Get Results
New Year’s resolutions, especially those regarding our own professional development, have a tendency to fade. Ann presents some practical advice and concrete professional development examples that will assist an internal auditor in becoming a more action-oriented and valued professional. These include four ways to make solid resolutions and stick to them.