Guides

The following 237 items are listed by date.

July 27, 2009
Glossary of Sarbanes-Oxley Section 404 Key Terms
This glossary contains frequently used terms related to the Sarbanes-Oxley Section 404 compliance process. This document includes terms such as: assertions, control gap, ICFR risk, and segregation of duties.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, PCAOB, Section 404 - Internal Control Reporting, COSO, Segregation of Duties
March 30, 2009
Global Technology Audit Guide (GTAG) 12: Auditing IT Projects
Whether IT projects are developed in house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputation damage. Early involvement by internal auditors can help ensure positive results. Auditing IT Projects from The IIA provides an overview of techniques for effectively engaging with project teams and management to assess IT project risks.
CONTENT AREA: Guides
TOPICS: Technology, IT Controls, Internal Audit, Audit Planning, IT Audit, Project Management
February 23, 2009
SOX Control Writing and Testing of Operating Effectiveness Guidance
The purpose of this document is to provide guidance when documenting controls by category and testing the operating effectiveness of these controls.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Internal Controls, IT Controls, Section 404 - Internal Control Reporting, Process-Level Control
December 8, 2008
SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment, Sarbanes-Oxley Act, Internal Controls, Project Management, Risk Management & Assessment, GRC
October 27, 2008
Oil & Gas Dictionary
This dictionary of industry specific terms is an excellent resource for those working with the Oil and Gas industry.
CONTENT AREA: Guides
TOPICS: Energy & Utilities Industry
September 15, 2008
SOX Testing Methodology Example
This is a SOX Testing Methodology that highlights several aspects of SOX testing including scope, approach and population.
CONTENT AREA: Guides
TOPICS: Internal Audit, Audit Testing, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting
August 25, 2008
Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan
As technology becomes more integral to the organization’s operations and activities, a major challenge for internal auditors is how to best approach a company-wide assessment of IT risks and controls within the scope of their overall assurance and consulting services. As pointed out in this GTAG, auditors need to understand the organization’s IT environment; the applications and computer operations that are part of the IT infrastructure; how IT applications and operations are managed; and how IT applications and operations link back to the organization.
CONTENT AREA: Guides
TOPICS: Technology, IT Controls, Internal Audit, Audit Planning, IT Audit, Risk Management & Assessment, GRC
August 11, 2008
Global Technology Audit Guide (GTAG) 10: Business Continuity Management
The objective of this GTAG is to provide insight into what BCM means to an organization, how to build a business case, and identify common risks and requirements. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's BCM processes. This guide will also help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
CONTENT AREA: Guides
TOPICS: Business Continuity Management, Disaster Recovery, Internal Audit, Cross Border & Non-US Issues
December 24, 2007
Control Gap Remediation Methodology Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring that there is a remediation plan in place to address control gaps and that remediation progress is monitored. This presentation serves as a guide to train SOX-project teams in identifying control gaps and implementing a remediation action plan.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Internal Controls, Section 404 - Internal Control Reporting, Performance Management/Measurement, Process-Level Control
December 10, 2007
Global Technology Audit Guide (GTAG) 9: Identity and Access Management
The objective of this GTAG is to provide insight into what IAM means to an organization and to recommend internal audit areas for investigation. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.
CONTENT AREA: Guides
TOPICS: Cross Border & Non-US Issues, Information Technology, IT Audit, IT Controls, Security, Access Control Systems & Methodology
October 29, 2007
Sarbanes-Oxley Section 404 – Guidance for Documenting Test Results
This guide outlines steps to complete when documenting SOX Section 404 test results. The steps specifically describe how to set up a standard process for referencing work papers, documenting test results, documenting control remediation, and filing work papers. These steps should be modified to reflect each organization’s Section 404 testing process.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Internal Controls, Project Management, Section 404 - Internal Control Reporting, Training & Development
July 30, 2007
Global Technology Audit Guide (GTAG) 8: Auditing Application Controls
This edition of the Global Technology Audit Guide from The IIA provides Chief Audit Executives with information on the role of internal auditors regarding application controls, and how to perform a risk assessment. This guide also includes a list of common application controls, a sample audit plan, and application control review tools.
CONTENT AREA: Guides
TOPICS: Cross Border & Non-US Issues, Technology, IT Audit, IT Controls, Software Tools, Security, Application Development Security, Segregation of Duties
July 30, 2007
Risk Assessment Process - Facilitation Tips
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.
CONTENT AREA: Guides
TOPICS: Internal Audit, Risk Management & Assessment, Enterprise Risk Management, Self-Assessment, Training & Development, GRC
July 23, 2007
Using the New SEC and PCAOB Guidance to Make Section 404 Compliance More Cost-Effective
The purpose of this guide is to provide a brief overview and update related to the May 2007 SEC guidance and PCAOB standard (AS5). The presentation primarily focuses on what companies can do to lead a more cost-effective Sarbanes-Oxley effort. This presentation explores eight key decisions along the Section 404 compliance process which management needs to consider with the objective of aligning the company’s and auditor’s application of a top-down, risk-based approach and maximizing the cost-effectiveness of the process.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, External Auditor, Internal Controls, PCAOB, Reporting/Disclosure, Section 404 - Internal Control Reporting
June 18, 2007
Glossary of Inventory-Related Terms
This glossary contains frequently used terms related to the inventory process. This document includes terms such as: activity-based costing, cycle counting, inventory roll-forward, and work order.
CONTENT AREA: Guides
TOPICS: Financial Reporting, Materials Management & Inventory, Consumer Products & Retail Industry, Distribution Industry
April 30, 2007
Glossary of Commonly Used Acronyms and Terms
This glossary contains frequently used terms related to financial reporting, internal audit, corporate governance, technology, and risk management processes. This document has been updated with terms such as: accrual accounting, accrued expense, accrued income, accrued interest, balance sheet, cash basis, income statement, and statement of cash flow.
CONTENT AREA: Guides
TOPICS: Accounting/Finance, Financial Reporting, Internal Audit, Internal Audit Administration, Sarbanes-Oxley Act, Section 302 - Executive Certifications, Section 404 - Internal Control Reporting
April 2, 2007
Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing
This edition of the Global Technology Audit Guide from The IIA provides the chief audit executive (CAE), internal auditors, and management with information on the types of IT outsourcing activities, the IT outsourcing lifecycle, and how outsourcing activities should be managed by implementing well-defined plans that are supported by a companywide risk, control, compliance, and governance framework.
CONTENT AREA: Guides
TOPICS: Business Continuity Management, Cross Border & Non-US Issues, Technology, Outsourcing/Co-sourcing/Shared Services, Privacy, Security
March 12, 2007
A Guide for Documenting Processes and Controls for Sarbanes-Oxley
This guide is designed to help establish consistent Sarbanes-Oxley documentation standards throughout an organization. It discusses documentation types to use, how to document risks and controls, and follow-up procedures to take after the documentation process is complete.
CONTENT AREA: Guides
TOPICS: Compliance, Internal Controls, Project Management, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, GRC
February 26, 2007
Sarbanes-Oxley Roles and Responsibilities Guide
The purpose of this guide is to describe example roles and responsibilities the various team members involved in Sarbanes-Oxley (SOX) compliance can take on during the project. Roles and responsibilities are described for: process/control owners, risk control specialists, the Project Management Office (PMO), and the Internal Controls Steering Committee (ICSC).
CONTENT AREA: Guides
TOPICS: Compliance, Internal Controls, Sarbanes-Oxley Act, Training & Development, GRC
February 12, 2007
Remediation Efforts and Needs – SOX Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring control deficiencies are accurately communicated to appropriate personnel and properly tracked. This presentation serves as a guide to train SOX project teams in identifying and communicating deficiencies noted during the testing process.
CONTENT AREA: Guides
TOPICS: External Auditor, Internal Controls, Project Management, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting
February 5, 2007
Sarbanes-Oxley Section 404: Report Testing Methodology
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams in testing reports that are used during the financial reporting process. Note: Testing individual reports is a relatively inefficient manual process and should only be used if General Computer Controls and/or End User Computing Controls do not provide adequate assurance over reports.
CONTENT AREA: Guides
TOPICS: Compliance, IT Controls, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, GRC
January 1, 2007
Excel in Managing Spreadsheet Risk Presentation
Control over spreadsheets associated with the financial reporting process is an increasing concern for companies. These spreadsheets have achieved an increasingly high profile within regulatory compliance. This presentation serves as a guide to train SOX project teams in testing Section 404 spreadsheet controls and utilizing a spreadsheet control framework.
CONTENT AREA: Guides
TOPICS: Compliance, Internal Controls, IT Controls, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, Training & Development, GRC
December 11, 2006
Information Security: Design, Implementation, Measurement, and Compliance
Tim Layton's new book, Information Security, is a practical guide to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context. Here's Chapter 13, Access Control.
CONTENT AREA: Guides
TOPICS: Access Control Systems & Methodology, Technology, IT Controls, IT Infrastructure, Security
November 27, 2006
Sarbanes-Oxley 404 Compliance Project Testing Guidelines and Documentation Standards Presentation
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by Internal Audit to lessen the work required by the external auditor.
CONTENT AREA: Guides
TOPICS: Financial Reporting, Internal Controls, Project Management, Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, Training & Development, Entity-Level Control
October 30, 2006
Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities
This sixth GTAG was developed to help chief audit executives pose the correct questions to their IT security staff when assessing their vulnerability management processes. The guide recommends specific management practices to help achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.
CONTENT AREA: Guides
TOPICS: Risk Management & Assessment, Security, Security Management Practices, Cross Border & Non-US Issues, GRC
June 12, 2006
Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks
This fifth GTAG is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Cross Border & Non-US Issues, Privacy, Risk Management & Assessment, IT Audit, GRC
April 24, 2006
TCM Audit Principles (“TCM Audit Top 10”)
This “TCM Audit Top 10” represents guiding principles that should be applied to Technology Change Management (TCM) Audits.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, IT Audit, Change Management, Segregation of Duties
March 27, 2006
Global Technology Audit Guide (GTAG) 4: Management of IT Auditing
This fourth GTAG is designed for CAE and internal audit management personnel who are responsible for overseeing IT audits. The focus of this guide is on providing specific recommendations that a CAE can implement immediately, and to help sort through the strategic issues regarding planning, performing, and reporting on IT audits. Consideration is given to the fundamentals as well as emerging issues.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, IT Audit, Cross Border & Non-US Issues
March 27, 2006
Ten Best Practices for Enterprise Intrusion Prevention
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution enables you to circumvent the need for analysis to be done before action can be taken to protect the system. In addition, it prevents attacks from doing damage to your operating system, applications and data. This checklist helps you choose the right type of solution for your organization.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Security, Operations Security
March 20, 2006
Cash Management, Treasury, and Banking Glossary
This glossary contains terms frequently used in cash management, treasury, and banking.
CONTENT AREA: Guides
TOPICS: Cash & Treasury, Financial Services Industry
February 20, 2006
Example IT Control Metrics to Be Considered by Audit Committees
The IT security control metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization’s information security program over time. This guide provides two lists of metrics: The first for board members, and the second to help management implement the information security goals and policies established by the board.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Security, Best Practices, IT Controls, Audit Committee & Board, Security Management Practices
February 13, 2006
Compliance Frameworks
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. This document identifies the most commonly used frameworks.
CONTENT AREA: Guides
TOPICS: Corporate Governance, COSO, Cross Border & Non-US Issues, Technology, IT Controls, European Union, United Kingdom, Canada, GRC
February 13, 2006
Implementation of a Change Management Policy Presentation
Identifying changes in internal controls is important in streamlining the SOX compliance process, specifically 302 and 404 certifications. When identifying changes in internal controls, it is important to have a change management policy for process owners to follow. This presentation serves as a guide in implementing an internal control change management policy. It addresses the types of changes to manage in this process, documentation requirements, and key tools and reports.
CONTENT AREA: Guides
TOPICS: Compliance, Corporate Governance, Sarbanes-Oxley Act, Internal Controls, Project Management, Section 404 - Internal Control Reporting, Change Management, GRC
February 6, 2006
Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting
This presentation provides a summary of the control approaches for each of the 26 principles that COSO identified in its exposure draft – “Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting.” For each principle, this document offers approaches smaller companies can take to achieve the primary objective. Example approaches include leading by example, fraud risk assessments, and setting accountability.
CONTENT AREA: Guides
TOPICS: Compliance, Corporate Governance, COSO, Risk Management & Assessment, Sarbanes-Oxley Act, Audit Committee & Board, Internal Controls, Entity-Level Control, GRC
January 16, 2006
How to Standardize Documentation for Internal Controls
As your Sarbanes-Oxley project moves towards a process approach, it is important to standardize the documentation of internal controls. The presentation serves as a guide in achieving standardization. It addresses what to document, how to do it, and to what extent. In addition, this presentation is a useful tool when training employees on documentation standards.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Internal Controls, Project Management, Section 404 - Internal Control Reporting
January 9, 2006
Auditing Network Security – Common Findings
This multi-part guide details the steps required to ensure that your network is secure. This fifth and final part identifies typical findings resulting from a review or audit of network security.
CONTENT AREA: Guides
TOPICS: Technology, Security, Internet/Intranet, IT Audit, Network & Internet Security, Wireless
January 2, 2006
Auditing Network Security – Assessment Resources
This multi-part guide details the steps required to ensure that your network is secure. This fourth part identifies web sites and tools that are likely to provide useful resources.
CONTENT AREA: Guides
TOPICS: Technology, Security, Network & Internet Security, IT Audit, Internet/Intranet, Wireless
December 19, 2005
Auditing Network Security – Review Methodologies
This multi-part guide details the steps required to ensure that your network is secure. This third part discusses the various methodologies involved in the review/audit process.
CONTENT AREA: Guides
TOPICS: Technology, Internet/Intranet, IT Audit, Security, Wireless, Network & Internet Security
December 12, 2005
Auditing Network Security – Defining the Scope
This multi-part guide details the steps required to ensure that your network is secure. This second part of five provides more detail regarding determining what should be included in a review or audit.
CONTENT AREA: Guides
TOPICS: Technology, Security, Wireless, IT Audit, Internet/Intranet, Network & Internet Security
December 5, 2005
Auditing Network Security – Securing a Network
This multi-part guide details the steps required to ensure that your network is secure. This first part discusses the overall approach to reviewing/auditing the existing security.
CONTENT AREA: Guides
TOPICS: Technology, Security, IT Audit, Internet/Intranet, Wireless, Network & Internet Security
November 14, 2005
Using Risk Management Frameworks
This presentation defines and describes various types of internal controls. Then it reviews control frameworks including COSO, COSO ERM, and COBIT. Finally, it describes the elements and implementation of an enterprise risk management solution.
CONTENT AREA: Guides
TOPICS: COSO, Enterprise Risk Management, Internal Controls, Entity-Level Control, GRC
November 7, 2005
Audit Committee Briefing – Internal Audit Standards: Why They Matter
Commonly, and in best-practice organizations, internal auditing has a direct reporting line to the audit committee. This publication explains how internal audit activities that adhere to the Standards and Code of Ethics can help audit committees comply with their own charters and regulatory responsibilities. In addition, this briefing provides guidelines for the relationship between audit committees and internal auditors.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Sarbanes-Oxley Act, Audit Committee & Board, Audit Reporting, Internal Audit Administration, GRC
October 17, 2005
Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
This third Global Technology Audit Guide from The Institute of Internal Auditors helps identify what must be done to make effective use of technology in support of continuous auditing, and highlights areas that require further attention. By following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Internal Controls, COSO, Enterprise Risk Management, Software Tools, Cross Border & Non-US Issues, Continuous Auditing, GRC
October 10, 2005
Typical Steps in an Internal Audit Quality Assessment
Although an external quality assessment of the internal audit function needs to be tailored to each organization, the reviews typically include the steps outlined in this guide.
CONTENT AREA: Guides
TOPICS: Internal Audit, Compliance, Internal Audit Administration, Audit Committee & Board, Audit Reporting, Internal Controls, Quality Assessment Review, GRC
September 26, 2005
Internal Audit Key Performance Indicators
With the passage of SOX, audit committees and management are responsible for implementing an effective risk monitoring process. This involves identifying and performing ongoing monitoring of key performance indicators. To help audit committees and management facilitate this process, The Institute of Internal Auditors – UK and Ireland published this guidance on key performance indicators to monitor.
CONTENT AREA: Guides
TOPICS: Internal Audit, Sarbanes-Oxley Act, Performance Management/Measurement, Benchmarking, Audit Committee & Board, Internal Audit Administration, External Auditor, Risk Management & Assessment, GRC
August 29, 2005
Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence to the marketplace. This checklist provides a list of various fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.
CONTENT AREA: Guides
TOPICS: Internal Audit, Sarbanes-Oxley Act, Fraud, Ethics, Financial Reporting, Audit Testing
August 22, 2005
Top Ten Practical Tips for Surviving and Thriving with the Sarbanes-Oxley Act
Recent guidance from the SEC and PCAOB brought forth key points to consider in your SOX approach. In addition, lessons learned from accelerated filers provide insight into challenges and successes for ongoing SOX compliance. This presentation offers ten tips for surviving SOX along with steps to execute each tip to move towards a successful compliance process.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Compliance, Internal Controls, Audit Committee & Board, IT Controls, Project Management, GRC
July 18, 2005
Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success
This guide published by The IIA helps internal auditors ask the right questions of the IT organization to assess its change management capability. It is designed to help you quickly assess the overall level of process risk and determine whether a more detailed process review may be necessary. The guide provides risk indicators of poor change management, and field-tested metrics to assess the health of the change management process. It includes top five steps to reduce IT change risks and an IT change management audit program.
CONTENT AREA: Guides
TOPICS: Technology, COSO, Risk Management & Assessment, IT Controls, Cross Border & Non-US Issues, Change Management, GRC
July 11, 2005
Control Objectives and Activities for a Generic Business Enterprise
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for business activities identified in the ‘Value Chain’ model of a generic business enterprise. The activities are sub-divided into different levels, depending on their positions in the model.
CONTENT AREA: Guides
TOPICS: COSO, Internal Controls, Risk Management & Assessment, Entity-Level Control, GRC
July 4, 2005
GLB Suggested Audit Approach
This Gramm-Leach-Bliley compliance approach generally segments into the following phases: requirements identification, risk analysis, assessment of current environment, gap analysis, recommendations for improvement and implementation. This methodology can be used in an iterative fashion or tailored to each company’s unique compliance requirements.
CONTENT AREA: Guides
TOPICS: Internal Audit, Compliance, Risk Management & Assessment, Laws & Regulations, Financial Services Industry, IT Audit, GRC
June 27, 2005
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope-determination process, resources, and timing of testing. In addition, it discusses the importance of this integration process and offers concrete ideas for integrating the compliance process.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Compliance, Self-Assessment, Section 302 - Executive Certifications, Section 404 - Internal Control Reporting, Internal Controls, Reporting/Disclosure, Entity-Level Control, GRC
May 31, 2005
The Combined Code of Corporate Governance (Turnbull Report) - UK
The Combined Code of Corporate Governance challenged directors of listed companies to raise their game on business risk management. To help companies respond, in 1999 the Internal Control Working Party of the Institute of Chartered Accountants in England and Wales (ICAEW), chaired by Nigel Turnbull, published Internal Control: Guidance for Directors on the Combined Code ("the Turnbull report"). The Turnbull guidance was updated in October 2005.
CONTENT AREA: Guides
TOPICS: Accounting Organizations, Internal Audit, Compliance, Cross Border & Non-US Issues, Accounting/Finance, United Kingdom, GRC
April 25, 2005
Global Technology Audit Guide (GTAG) 1: Understanding IT Controls
This document explains IT controls and audit practice in a format that allows Chief Audit Executives to understand and communicate the need for strong IT controls. Use this guide as a foundation to assess or build your organization’s framework and audit practices for IT business control, compliance, and assurance.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Sarbanes-Oxley Act, Security, Risk Management & Assessment, COSO, Laws & Regulations, IT Controls, Security Management Practices, Cross Border & Non-US Issues, GRC
April 25, 2005
SOX Auditor Walkthrough Presentation - Guide
In an SOX review, external auditors are required to perform at least one walkthrough for each significant transaction class at the company. This training presentation was created to help prepare company personnel for audit walkthroughs and to provide tips and suggestions. The presentation covers questions to expect from the auditor and example responses to these questions by different company departments.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Compliance, External Auditor, IT Controls, Internal Controls, GRC
February 28, 2005
Best Practices in Ethics Hotlines: A framework for creating an effective anonymous reporting program
For many years, companies have been using hotlines to detect theft and fraud with great success. But until recently, some companies still considered them a luxury rather than a necessity. With the introduction of the Sarbanes-Oxley Act, lawmakers have further validated the need for this reporting mechanism. This paper by The Network, Inc. discusses best practice techniques for developing an effective ethics hotline program by examining three critical stages: planning a successful hotline program, communicating to stakeholders about the hotline, and reacting to hotline tips.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Ethics, Whistleblower/Complaint Reporting, Fraud, GRC
December 13, 2004
One Christmas present you can do without — make sure Santa fraud stays away this holiday season!
Employees tend to have their eyes off the ball during the holiday season. Festive spirit and the extended holiday period provide an opportunity for fraudsters to strike. This article developed by Protiviti’s fraud experts in the U.K. provides 24 tips for a fraud free holiday.
CONTENT AREA: Guides
TOPICS: Fraud
December 13, 2004
Sarbanes-Oxley Walkthrough Guidance for General IT Controls
Process walkthroughs are an important part of Sarbanes-Oxley compliance projects. They provide the opportunity to validate the steps necessary to complete a process and view the control environment of a process. This presentation describes the goal of performing a process walkthrough and steps to take during the walkthrough process.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Sarbanes-Oxley Act, Internal Controls, IT Controls, GRC
November 22, 2004
QUALCOMM, Inc. – 2004 Form 10K – Includes Section 404 Internal Control Report
Many subscribers have been waiting to see what a Section 404 internal control report and the accompanying auditor attestation look like. The wait is over. QUALCOMM, Inc. is a company involved in developing Code Division Multiple Access (CDMA), which is one of the three technologies instrumental in digital wireless communication networks. With a September year-end, QUALCOMM has elected to early adopt Section 404. The company has incorporated the Section 404 reporting requirements in its 2004 10-K. Protiviti’s Jim DeLoach directs readers to some of the important items in the 10-K.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Section 404 - Internal Control Reporting, Reporting/Disclosure
November 1, 2004
Ten Best Practices for Internal Audit Reporting
Despite the tools and technologies we have today for audit tracking and reporting, internal audit teams are still confronted with the challenge of figuring out what to say and how to say it. The purpose of this guide is to help teams effectively communicate with their clients and build stronger customer relationships through proper internal audit reporting.
CONTENT AREA: Guides
TOPICS: Best Practices, Internal Audit, Internal Audit Administration
October 25, 2004
Safeguard Your Contract Negotiation
This guide from SoftResources has helpful information and best practices for the software contract review and negotiation process. The primer provides an overview of contract types, components of a maintenance agreement, tips for addressing implementation and training services and a suggested contract review process.
CONTENT AREA: Guides
TOPICS: Enterprise Risk Management, GRC
September 27, 2004
IT Control Best Practices, Part 2 – Application Specific
This is Part 2 of a document created to identify leading practices for auditing IT controls. The presentation addresses risk objectives and control points, and notes recommended parameters and minimum settings for Windows 2000 and Sun Solaris as well as several email, network and database applications.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Internal Controls, Security, Application Development Security, IT Audit, IT Controls, IT Infrastructure, Software Tools
September 27, 2004
The Changing Role of the Internal Auditor
This presentation describes the development of internal auditing and the new forces and legislation impacting the profession. It describes today as the "age of continuous auditing" and looks toward the possibilities for the internal auditor of the future. This insider’s view was presented at the National Convention of Beta Alpha Psi – an international student organization that promotes the study and practice of accounting, finance and information systems.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
September 20, 2004
Payroll Compliance Auditing
Because the payroll function is governed by numerous and complex laws and regulations at both federal and state levels, traditional annual financial cycle reviews do not even come close to covering the major risks in this fundamental and vital area. Noncompliance with requirements, however, can have far-reaching implications under the Federal Sentencing Guidelines and Sarbanes-Oxley Act as well as significant financial consequences from penalties, back-pay awards and additional tax assessments. This article highlights some of the critical areas that internal audit should consider reviewing for compliance.
CONTENT AREA: Guides
TOPICS: Internal Audit, Laws & Regulations, Taxation, Compliance, Payroll, Audit Testing, GRC
September 9, 2004
IT Controls Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
CONTENT AREA: Guides
TOPICS: Best Practices, Internal Audit, Internal Controls, IT Audit, IT Controls, IT Infrastructure, Operations Security, Sarbanes-Oxley Act, Security, Software Tools, Technology, Change Management
September 3, 2004
Training Presentation: An Overview of COSO Internal Control - Integrated Framework
This COSO training presentation from Protiviti provides an introduction to the Internal Control -- Integrated Framework, including the definition of internal control, the three objectives and five components of the framework, entity and activity level assessments, and limitations on internal control.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, COSO, Enterprise Risk Management, Internal Controls, Entity-Level Control, GRC
August 26, 2004
Common Fraud Scenarios
This document provides illustrations of different types of frauds and how such frauds could be perpetrated -- including fraudulent financial reporting, misappropriation of assets, improper expenditures, and tax fraud. The purpose is to assist those responsible for conducting a fraud risk assessment in accordance with the requirements of Section 404 of Sarbanes-Oxley Act.
CONTENT AREA: Guides
TOPICS: Ethics, Fraud, Sarbanes-Oxley Act
August 16, 2004
Ann's Advice for Auditors
These articles and tools have been contributed by Ann Butera, the President of The Whole Person Project, a New York-based organizational development consulting firm. Butera provides monthly training materials for auditors on KnowledgeLeader.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
August 16, 2004
Overcoming the Common Misconceptions about Internal Audit
In this column, Ann describes a fraud situation that illustrates what happens when management’s and the auditor’s roles are fundamentally misunderstood and executed poorly. She then clarifies the definition and role of internal audit and explains elements of a risk management education program to help organizations overcome myths surrounding the role of internal audit.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
August 13, 2004
Sarbanes-Oxley and ITIL
This presentation discusses the importance of IT in relation to the Sarbanes-Oxley Act (SOA), and provides insights into how the best practice guidelines for service management described in the IT Infrastructure Library (ITIL) can help.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Internal Controls, Sarbanes-Oxley Act, IT Infrastructure, IT Controls
July 16, 2004
Process Documentation Narrative and Flow Chart Guide
This guide describes techniques for documenting processes and includes a checklist for developing process maps and incorporating risk and controls information within a process map. There is also a process map example.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Audit Reporting
July 5, 2004
Is Your Company’s Control Environment Sarbanes Compliant?
Ann breaks down the significant components of the PCAOB’s Audit Standard No. 2 and provides practical insight on monitoring the control environment and developing a corporate culture with effective controls. She includes a short list of questions to help you assess your organization’s control environment.
CONTENT AREA: Guides
TOPICS: Corporate Governance, COSO, Internal Audit, Sarbanes-Oxley Act, Compliance, Internal Controls, Entity-Level Control, GRC
May 24, 2004
Assessing Organizational Culture – The Company’s Control Environment
When the Committee of Sponsoring Organizations (COSO) published the Integrated Framework of Control in 1992, this model underscored the importance of organizational culture in the establishment of sound internal control practices. In this column, Ann looks at organizational culture and describes four cultural prototypes, along with eight areas to focus on during an audit to diagnose an organizational culture.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
April 12, 2004
Overcoming the Three Challenges of Audit Leadership
In today’s competitive business climate auditors at all levels need to display leadership skills within their organization, not just within the audit department. These skills are essential if auditors are to produce valued results and bring about the desired change within their organization’s internal control system and environment. In this month’s column, Ann describes three leadership challenges that face auditors, and offers advice on how to overcome them.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
March 18, 2004
Control Objectives and Activities: Process Product Costs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Product Costs.’
CONTENT AREA: Guides
TOPICS: Best Practices, Cost Management, COSO, Internal Controls
March 11, 2004
Control Objectives and Activities: Process Payroll
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Payroll’, one of the sub-activities of Manage Finance.
CONTENT AREA: Guides
TOPICS: Best Practices, COSO, Internal Controls, Payroll
March 8, 2004
Redefining The Role of Internal Audit in a Post Sarbanes World
In this month’s column, Ann discusses whether and how the internal auditor’s role will be permanently changed by their company’s Sarbanes-Oxley initiatives. She says that while the internal audit mission will not change, the manifestation of the mission – the specific services and activities performed by the department – may change. She analyzes some of the factors that will affect change and the new internal audit responsibilities that will likely result. This is a moment of great opportunity for internal audit.
CONTENT AREA: Guides
TOPICS: Internal Audit, Sarbanes-Oxley Act, Internal Audit Administration, Project Management
March 5, 2004
Control Objectives and Activities: Process Benefits and Retiree Information
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Benefits and Retiree Information’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Best Practices, Compliance, COSO, Internal Controls, Human Resources, Compensation & Benefits, GRC
February 26, 2004
Control Objectives and Activities: Process Fixed Assets, Analyze and Reconcile
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Fixed Assets, Analyze and Reconcile’, one of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Best Practices, COSO, Internal Controls, Fixed Assets
February 26, 2004
E-commerce Security Best Practice Guidelines
These guidelines describe a number of best practices related to E-commerce security. In each case, the risk of not implementing the practice is identified.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Security, E-Business, Internet/Intranet, IT Infrastructure, Operations Security
February 24, 2004
Control Objectives and Activities - Plan & Provide Administrative Services
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities relating to Planning and Providing Administrative Services.
CONTENT AREA: Guides
TOPICS: COSO, Internal Audit, Internal Controls, Internal Audit Administration, Entity-Level Control
February 20, 2004
Control Objectives and Activities: Process Funds
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Best Practices, COSO, Internal Controls, Cash & Treasury
February 20, 2004
Firewall Security Best Practice Guidelines
These guidelines describe a number of best practices related to firewall security. In each case, the risk of not implementing the practice is identified.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Security, Internet/Intranet, IT Infrastructure, Telecommunications, Network & Internet Security, Communications Industry
February 13, 2004
Control Objectives and Activities: Process Accounts Payable and Accounts Receivable
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Accounts Payable’ and ‘Process Accounts Receivable’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Best Practices, COSO, Internal Controls, Accounts Receivable, Purchasing & Accounts Payable
January 30, 2004
Control Objectives and Activities: Process Tax Compliance and Provide Financial and Management Reporting
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Process Tax Compliance’ and ‘Provide Financial and Management Reporting’, two of the sub-activities of Manage Finance, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: COSO, Internal Controls, Risk Management & Assessment, Taxation, GRC
January 30, 2004
Network Security Best Practice Guidelines
These guidelines describe a number of best practices related to network security. In each case, the risk of not implementing the practice is identified.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Security, Telecommunications, Network & Internet Security, Communications Industry
January 23, 2004
Control Objectives and Activities: Manage Risks and Manage Legal Affairs
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for ‘Manage Risks’ and ‘Manage Legal Affairs’, two of the sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Technology, Internal Controls, Laws & Regulations, Risk Management & Assessment, GRC
January 16, 2004
Control Objectives and Activities: Manage Information Technology
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage Information Technology activities. This is a sub-activity of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Technology, Internal Controls, Security, IT Controls, Operations Security, Entity-Level Control, GRC
January 9, 2004
Control Objectives and Activities: Manage the Enterprise, and Manage External Resources
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Manage the Enterprise and Manage External Relations Activities, two of the sub-activities of Administration, which is the fourth of the primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: COSO, Internal Controls, Entity-Level Control
January 5, 2004
COSO Element – Risk Assessment: A Presentation
Risk assessment is one of the five components of the COSO Internal Control Framework. This presentation was developed as part of a training seminar on COSO. It defines risk assessment and then walks through concepts from objective setting to risk identification, risk analysis, and risk assessment evaluation.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Enterprise Risk Management, Internal Controls, Risk Management & Assessment, GRC
January 5, 2004
Process Mapping – The Updated Form of Flowcharting
This is a detailed 'How To' guide for process mapping. Ann describes how to use this powerful tool in Sarbanes-Oxley Section 404 compliance. Process mapping is a key documentation approach that can help all personnel to develop a common understanding of controls. Examples of different control and process maps are included in the appendices.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Controls, Performance Management/Measurement, Risk Management & Assessment, Sarbanes-Oxley Act, Training & Development, Accounting/Finance, Project Management, GRC
December 18, 2003
Control Objectives and Activities - Human Resource Management
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Human Resources Management Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Best Practices, Compliance, COSO, Internal Controls, Human Resources, GRC
December 11, 2003
Control Objectives and Activities: Technology Development
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Technology Development Activities, one of the four primary generic ‘infrastructure’ activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Technology, Internal Controls, GRC
December 11, 2003
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Risk Management & Assessment, Sarbanes-Oxley Act, Audit Committee & Board, Enterprise Risk Management, Financial Reporting, Project Management, Section 404 - Internal Control Reporting, GRC
December 5, 2003
Control Objectives and Activities: Procurement
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities related to Procurement Activities. These are sub-activities of Administration, which is one of the four generic infrastructure activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Internal Controls, Purchasing & Accounts Payable, GRC
December 5, 2003
Money Laundering Red Flags
One of the keys to being able to identify money laundering is understanding the sorts of actions and patterns of transactions - the red flags - that may indicate illegal behavior. The following is a sample list of red flags that may be applicable to different types of transaction activity and businesses.
CONTENT AREA: Guides
TOPICS: Fraud, Financial Services Industry
November 26, 2003
Control Objectives and Activities: Service
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Service Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: COSO, Internal Controls, Customer Fulfillment & Support
November 20, 2003
Control Objectives and Activities - Marketing and Sales
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Marketing and Sales Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: COSO, Internal Controls, Sales Process & Marketing
November 14, 2003
Control Objectives and Activities: Outbound Logistics
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Outbound Logistics Activities, one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: COSO, Internal Controls, Supply Chain, Materials Management & Inventory
November 5, 2003
Control Objectives and Activities: Operations
This COSO-based guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities for Operations, the second of the five primary generic business activity areas identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Internal Controls, Materials Management & Inventory, Supply Chain, GRC
October 30, 2003
Control Objectives and Activities: Inbound Logistics
This COSO-based guide provides a list of control objectives, potential risks, and points-of-control for inbound logistics activities – one of the five primary generic business activities identified in the ‘Value Chain’ model of a business enterprise.
CONTENT AREA: Guides
TOPICS: Compliance, COSO, Internal Controls, Supply Chain, Materials Management & Inventory, GRC
October 30, 2003
SOA and NYSE Web Disclosure Guidelines
Several Sarbanes-Oxley and related SEC/NYSE mandates require posting of governance information to a corporate website for public access. This guide will highlight a few key areas auditors and financial reporting professionals should be aware of concerning web posting and summarize a few key elements of dealing with entity postings.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Ethics, Laws & Regulations, Sarbanes-Oxley Act, Compliance, Financial Reporting, Reporting/Disclosure, GRC
October 22, 2003
Audit Sampling: A Practice Guide
An understanding of audit sampling techniques can help an audit professional properly select test sample sizes and develop a conclusion for various audit tasks. This guide describes basic sampling concepts, provides guidance on developing a sampling plan, and reviews the common approaches of audit sampling.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Controls, Training & Development, Internal Audit Administration
October 22, 2003
IT Risks in the Context of Sarbanes-Oxley 404 Compliance
This online seminar, broadcast Wednesday, October 15, 2003, addressed IT risks in the context of Section 404 of the Sarbanes-Oxley Act of 2002. The associated presentation includes additional materials related to general IT process risks and controls, and IT risks and controls at the process level.
CONTENT AREA: Guides
TOPICS: Sarbanes-Oxley Act, Technology, IT Controls, Section 404 - Internal Control Reporting
October 13, 2003
Time is Running Out for Sarbanes Section 404 Compliance: Overcoming the Organizational Challenges
If your organization has not started Sarbanes-Oxley compliance efforts, then Ann’s eight practical tips for overcoming common challenges are a must-read. This month’s column supplies advice for any enterprise on dealing with the organizational challenges that these projects present. Executive sponsorship, accountability, and a dedicated communications infrastructure are key.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Sarbanes-Oxley Act, Training & Development, Compliance, Project Management, Section 404 - Internal Control Reporting, GRC
October 2, 2003
Sarbanes-Oxley Public Disclosure Summary
This presentation summarizes public disclosure requirements for Sarbanes-Oxley by section including basic descriptions, rule status or effective date, and related required disclosures. Some applicable SEC Release disclosure items are also included.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Ethics, Laws & Regulations, Sarbanes-Oxley Act, Financial Reporting, GRC
September 15, 2003
Complaint Procedure for Accounting and Auditing
Section 301 of the Sarbanes-Oxley Act requires Audit Committees to create a complaint procedure related to accounting, internal controls, or audit matters, and stipulates several required attributes of a complaint handling procedure. This guide assists with the process of developing a complaint procedure.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Fraud, Internal Audit, Sarbanes-Oxley Act, Audit Committee & Board, Whistleblower/Complaint Reporting, GRC
September 2, 2003
Facilitation Techniques: Handling Difficult People
This guide reviews six roles that hinder a group's progress and impact the group's process. It also looks at methods a facilitator can use to overcome these problems.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration, Self-Assessment
August 13, 2003
Sarbanes-Oxley: Strategies for Complying with the Final Section 404 Rules
This presentation provides an overview of the final SOA Section 404 rules. It also discusses what companies are doing to comply and why, the options for compliance and the related pros and cons, and why companies should undertake compliance activities now despite the extended deadline provided by the SEC.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Laws & Regulations, Risk Management & Assessment, Sarbanes-Oxley Act, Enterprise Risk Management, Financial Reporting, Section 404 - Internal Control Reporting, GRC
August 8, 2003
COSO Framework Description
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This guide provides a brief description of the COSO framework.
CONTENT AREA: Guides
TOPICS: Corporate Governance, COSO, Laws & Regulations, Risk Management & Assessment, Financial Reporting, Entity-Level Control, GRC
August 8, 2003
COSO Internal Control Framework Overview Presentation
This presentation explains the key parts of the COSO Internal Control Framework, in particular the objectives and components of COSO. It also defines and explains ‘internal control,’ ‘internal control deficiency,’ and ‘material weakness’ based on COSO.
CONTENT AREA: Guides
TOPICS: Corporate Governance, COSO, Laws & Regulations, Risk Management & Assessment, Financial Reporting, Entity-Level Control, GRC
August 4, 2003
Lessons from the School of Hard Knocks - Six Ways to Overcome Management Resistance to Sarbanes-Oxley Section 404 Compliance
Ann presents a third Sarbanes-Oxley article to assist project teams. She recently led Sarbanes-Oxley 404 compliance training sessions for line managers and analyzes the factors that can make the compliance process work smoothly. She suggests six success factors for overcoming line management resistance to the compliance process.
CONTENT AREA: Guides
TOPICS: Best Practices, Corporate Governance, Enterprise Risk Management, Internal Audit, Risk Management & Assessment, Sarbanes-Oxley Act, Training & Development, Project Management, Section 404 - Internal Control Reporting, GRC
August 4, 2003
Overview of the OIG Compliance Program Guidance For Pharmaceutical Manufacturers
This guidance applies to companies that develop, manufacture, market, and sell pharmaceutical drugs or biological products, and is intended to assist these companies in implementing internal controls to ensure compliance with applicable laws and requirements of the federal health care program. This summary outlines the seven elements of an effective compliance program.
CONTENT AREA: Guides
TOPICS: Fraud, Internal Controls, Laws & Regulations, Healthcare & Pharmaceuticals Industry
July 31, 2003
Information Systems Security Organization Planning Guide
This guide is intended to help companies prepare recommendations for the structure of an information systems security organization, including functional requirements and responsibilities, and staffing options to fulfill those responsibilities. The guide includes an outline of functional responsibilities, staffing options, and comments on the impact of training and other costs.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Security, Human Resources, IT Infrastructure, Security Management Practices
July 28, 2003
Developing an Effective Code of Conduct
As many organizations already understand, a formal, written code of conduct is critical in order to transform ethical behavior into something more tangible for employees. Such a code is now a requirement for public companies, as mandated by the Sarbanes-Oxley Act and by the listing requirements of major stock exchanges. Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. This article describes the elements of a successful code and lists ethics warning signs to watch for.
CONTENT AREA: Guides
TOPICS: Best Practices, Corporate Governance, Ethics, Internal Audit, GRC
July 21, 2003
Refining the Plan for Sarbanes-Oxley Attestation Compliance
Ann provides practical advice in light of the SEC’s final rules regarding SOA issued on June 6, 2003. She comments on the scope of the attestation process, selecting a framework, and using consultative resources to assist through the compliance process.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Enterprise Risk Management, Internal Audit, Risk Management & Assessment, Sarbanes-Oxley Act, Training & Development, Compliance, Project Management, GRC
June 30, 2003
An Approach to Managed Care Rebate and Wholesaler Chargeback Audits for Pharmaceutical Companies
Because the base price of pharmaceutical products is established by regulation, the pharmaceutical industry has had to offer a number of creative incentives to customers in order to obtain market share and build a loyal customer base. Many manufacturers use rebate and chargeback programs - which often have complex contracts and provisions. The purpose of this article is to provide an overview of pharmaceutical rebate and chargeback programs, and to describe recommended processes, steps and considerations for auditing these contracts. The author, David Ross, is the chair of Protiviti’s national Healthcare and Life Sciences industry taskforce.
CONTENT AREA: Guides
TOPICS: Internal Audit, Healthcare & Pharmaceuticals Industry
June 16, 2003
Wireless Networking Glossary
This short glossary contains terms frequently used to describe wireless networking.
CONTENT AREA: Guides
TOPICS: Technology, Wireless
June 5, 2003
HIPAA Gap Analysis Summary
This guide contains tables summarizing the different HIPAA security standards, and illustrates the different types of security policies that apply to each. The tables can be used to determine what security policies are needed within your organization to adequately address and comply with HIPAA regulations.
CONTENT AREA: Guides
TOPICS: Technology, Laws & Regulations, Risk Management & Assessment, Security, Healthcare & Pharmaceuticals Industry, Security Management Practices, GRC
May 26, 2003
Making Sarbanes-Oxley Compliance Easier
Considering the importance of strong governance to all organizations and the complexity of related Sarbanes-Oxley compliance efforts, Ann’s practical advice is both timely and helpful. First, Ann points out several factors that differentiate organizations’ readiness for SOA compliance: culture, industry, and internal control infrastructure. Next, Ann describes practical actions that will ease compliance implementation programs.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Enterprise Risk Management, Internal Audit, Risk Management & Assessment, Sarbanes-Oxley Act, Training & Development, Project Management, GRC
May 23, 2003
Assessing Risks and Internal Controls: A Training Presentation for Process Owners
As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. This presentation was developed to help with this training activity.
CONTENT AREA: Guides
TOPICS: Corporate Governance, COSO, Enterprise Risk Management, Internal Controls, Risk Management & Assessment, Sarbanes-Oxley Act, Internal Audit, Project Management, Entity-Level Control, GRC
May 15, 2003
Internal Audit Reporting: Impact and Clarity: Guide and Example
Effective Internal Audit reports and communications are a critical aspect of the audit process. Strong reporting is more than just appearance, and should be a reflection of the audit approach, performance, and organizational governance objectives. This guide provides practical advice for audit reporting, and includes an example report to the Audit Committee.
CONTENT AREA: Guides
TOPICS: Internal Audit, Audit Committee & Board, Audit Reporting, Internal Audit Administration
May 1, 2003
Ethics Program Best Practices
An effective ethics program serves as a basis for policy making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics program.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Ethics, Best Practices, GRC
April 28, 2003
Achieving Effective Board Performance
In this month's column, Ann describes the hallmarks of effective Boards of Directors. She provides a list of six specific actions that internal auditors can take to promote increased board effectiveness.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Performance Management/Measurement, Sarbanes-Oxley Act, Audit Committee & Board, GRC
April 25, 2003
Sarbanes-Oxley Section 404 Committees: A Guide
This guide describes the composition, function and operating style of an SOA Section 404 Compliance Steering Committee, and the interrelationship between a Steering Committee and a Disclosure Committee. It addresses the scope, membership, and interaction of these committees.
CONTENT AREA: Guides
TOPICS: Internal Audit, Sarbanes-Oxley Act, Audit Committee & Board, Section 404 - Internal Control Reporting
April 10, 2003
Finance Function Resource Assessment Guide
Internal auditors can use this guide to help perform and document a resource assessment of the company’s financial functions. The purpose of such a review is to assess these functions from a people, process, and technology perspective in performance of their "business as usual" job functions.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Internal Controls, Risk Management & Assessment, Financial Reporting, Human Resources, Self-Assessment, Project Management, Accounting/Finance, Process-Level Control, GRC
April 4, 2003
Security Awareness Program Components
This guide discusses some components that should be included in a security awareness program, including policies, communication methods, and topics for ongoing communications with systems users.
CONTENT AREA: Guides
TOPICS: Technology, Security, Security Management Practices
March 27, 2003
Internal Audit’s Role: A Summary for the Board of Directors - Guide
This summary presents an overview of the role of the Internal Audit department to the Board of Directors. It informs the Board about the definition of internal audit and internal control, and briefly describes what auditors do and who is involved in the work. This example also includes a brief overview of the projects on which the audit department intends to focus.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Audit Committee & Board, Internal Audit Administration, GRC
March 27, 2003
Wireless Security Policies: Overlooked Issues
Corporate security policies must be in place to address the unique risks of wireless technologies. The following guide contains a list of commonly overlooked issues in organizational security policies.
CONTENT AREA: Guides
TOPICS: Technology, Security, Security Management Practices, Network & Internet Security, Wireless
March 24, 2003
Ways to Promote Positive Change in Your Audit Department
In this month's column, Ann details seven actions to take to promote change within your audit department. Before internal audit can effectively promote change in their organization, they need to be able to embrace it for themselves. Ann describes common behavioral attributes of auditors that are helpful in understanding how and why some auditors resist change.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration, Self-Assessment
March 21, 2003
Travel Safety Guidelines
When planning a business trip there are some basic steps that will help to avoid travel risks and prepare for threatening situations. This guide contains suggestions for travel planning and personal safety, and links to related resources.
CONTENT AREA: Guides
TOPICS: Internal Audit, Security, Human Resources, Cross Border & Non-US Issues
March 18, 2003
British Standard 7799 (ISO 17799)
BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.
CONTENT AREA: Guides
TOPICS: Technology, Security, Compliance, Cross Border & Non-US Issues, IT Infrastructure, Operations Security, Security Management Practices, United Kingdom, GRC
March 6, 2003
Wireless Security: Best Practices
This guide provides recommendations for wireless security best practices in the areas of: Policies and Procedures; Network Architecture; Device Configuration; and Assessment.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Security, IT Infrastructure, Network & Internet Security, Wireless
February 27, 2003
Wireless Discovery Tools: A Guide
This guide is intended to help with the selection of hardware and software tools to be used during wireless network penetration tests, or in other tests of wireless network security issues.
CONTENT AREA: Guides
TOPICS: Technology, Security, IT Infrastructure, Software Tools, Network & Internet Security, Wireless
February 24, 2003
Six Actions for Better Time Estimates
Ann provides practical advice on the importance of time management, how to avoid common audit time-estimating pitfalls, and six actions to be taken for effective (and constantly improving) estimates. Following these six guidelines will assist all levels of audit personnel to be more effective professionals -- and may improve audit cycles.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Human Resources, Internal Audit Administration, Audit Planning
January 27, 2003
Four Tactics for Making New Year Resolutions that Get Results
New Year’s resolutions, especially those regarding our own professional development, have a tendency to fade. Ann presents some practical advice and concrete professional development examples that will assist an internal auditor in becoming a more action-oriented and valued professional. These include four ways to make solid resolutions and stick to them.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Controls, Training & Development, Internal Audit Administration
December 23, 2002
Business Continuity Management Standards - A Side-by-Side Comparison
An increasing number of regulations and standards apply to Business Continuity Management. After studying and comparing the various BCM guidelines, Protiviti has identified common themes and best practices that will help in the implementation of a successful BCM process. This guide is our list of BCM standards and the associated agencies that advocate each best practice.
CONTENT AREA: Guides
TOPICS: Best Practices, Business Continuity Management, Technology, Risk Management & Assessment, Security, GRC
December 23, 2002
Solid Techniques for Assessing "Soft Controls"
Ann describes the recognition and importance of "soft controls" in the internal control environment. She advises that an organizational assessment can be used as a tool to assess soft controls and the organization's culture. Five tactics for performing organizational climate assessments are included in her column this month. These techniques can be incorporated into audit planning to help you get better insights about the culture of an area under review.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Controls, Internal Audit Administration
November 18, 2002
Effective Policy Management in an Age of Corporate Crisis
Policy Management describes the activities necessary to document a company's rules, illustrate how specific situations should be handled, and communicate this information to employees. While this may appear to be a basic concept, management, audit committees, and auditors are waking up to the fact that their companies have been operating in spite of a significant lack of clear company policies. This white paper describes the 10 Steps to Effective Policy Management.
CONTENT AREA: Guides
TOPICS: Internal Controls, Risk Management & Assessment, GRC
November 4, 2002
Governance Guidelines
Proposed New York Stock Exchange rules will require listed companies to adopt formal Governance Guidelines within six months after the SEC approves the proposed rules. Since the general topic of Governance Guidelines may be somewhat unfamiliar to many people, the law firm of O’Melveny & Myers LLP prepared and contributed these frequently asked questions.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Sarbanes-Oxley Act, GRC
October 31, 2002
Rigorous Business Impact Analysis Using Facilitated Methods
This presentation describes a particular methodology for conducting a Business Impact Analysis (BIA). The BIA is the careful study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations.
CONTENT AREA: Guides
TOPICS: Business Continuity Management, Technology, Risk Management & Assessment, GRC
October 28, 2002
Auditing a New Process? Techniques to Help You Decide Where Controls Should Be
In this column Ann provides some practical advice to consider when approaching an area to be audited that may be unfamiliar. In fact, principles such as "follow the money", "focus on high risk", and "locate evidence" are worthwhile during any audit -- particularly if audit tests have raised unanswered questions. Ann also offers some additional shortcuts to deciding where controls should be.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Controls, Training & Development, Internal Audit Administration
October 28, 2002
Tips for hiring a Chief Audit Executive
The IIA believes in and promotes the CAE’s role in providing advice, counsel, and opinions regarding the organization’s efficiency and effectiveness in risk management, corporate governance, and internal control. This article from Tone at the Top, published by the Institute of Internal Auditors, outlines the role of the chief audit executive, the qualifications one should have, personal skills, and the selection process.
CONTENT AREA: Guides
TOPICS: Best Practices, Internal Audit, Human Resources
September 30, 2002
The Need for Leadership in Internal Audit
In today’s competitive business climate, in which pressure to hit the numbers drives organizational behavior and priorities, auditors at every level need to display leadership skills within their organization, not just within the audit department, if they are to produce valued results and bring about the desired change within their organization’s internal control system and environment.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
August 19, 2002
COSO Implementation: A Risk-Based Approach
This presentation links the Protiviti Risk Model to the COSO framework, and can be used by companies who are implementing COSO concepts.
CONTENT AREA: Guides
TOPICS: Accounting Organizations, COSO, Accounting/Finance
August 16, 2002
Self Assessment: Three Levels of Activities
Self Assessments are performed by company personnel/process owners who are held accountable for executing, monitoring and improving the business process in question.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
August 13, 2002
Managing Customer Service: Good Practice
This list is a summary of good practices and suggestions for managing customer service, based on personal experience and observation.
CONTENT AREA: Guides
TOPICS: Customer Satisfaction, Customer Fulfillment & Support, Best Practices
April 16, 2002
Cost Management Primer
This guide provides an overview of Activity-Based Management (ABM), a useful but sometimes overlooked cost management technique that allows companies to determine not only accurate costs, but also the costs of alternative actions.
CONTENT AREA: Guides
TOPICS: Cost Management, Best Practices
April 3, 2002
Checklist for Planning Audits
Audit planning is one of the most critical steps in the audit process, if not the most critical. Whether or not you formally draft and submit the results of your planning efforts, make it a point to follow a consistent approach during this phase of the audit. You will find that the time spent planning will save you time during the rest of the audit.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
April 1, 2002
Techniques for Planning Audits More Efficiently
Audit planning is one of the most critical steps in the audit process, if not the most critical. Whether or not you formally draft and submit the results of your planning efforts, make it a point to follow a consistent approach during this phase of the audit. You will find that the time spent planning will save you time during the rest of the audit. Included with this month’s column is a checklist for audit planning.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
March 6, 2002
Travel Safety Guidelines: International
Business travelers can use this guide both before and during an international trip. The safety tips are broken into sections: Before you go, At the airport/train station, Hotel safety, Upon arrival, Getting around town, Personal conduct, and Security contact information.
CONTENT AREA: Guides
TOPICS: Cross Border & Non-US Issues, Internal Audit, Internal Controls, Internal Audit Administration
March 1, 2002
Techniques for Developing High Impact Presentations
Although accomplished speakers make it look easy and effortless, the ability to present is a skill that requires a great deal of preparation and practice. Therefore, if you really want to become a more proficient speaker, seek every opportunity you can to make a presentation.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
February 11, 2002
Audit Committee Activities and Schedule
The audit committee is a committee of the board of directors. This guide describes the general and as-needed activities of an audit committee and provides a schedule of activities that should be addressed in quarterly meetings.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Internal Audit, Audit Committee & Board, Internal Audit Administration, Audit Planning, GRC
February 11, 2002
Fraud: Internal Audit's Role in Detection and Prevention
This presentation discusses the fundamentals of fraud and the role of internal audit in detection and prevention of fraud.
CONTENT AREA: Guides
TOPICS: Fraud, Ethics, Internal Audit, Training & Development
February 1, 2002
Unleashing Creativity in Your Audits
Creative thinking during audits is more important now than ever before. Your internal clients want cost-effective and efficient controls as they race to reduce operating costs and improve net operating income. Tap your creativity and you will be able to meet this challenge.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
January 1, 2002
Deliver Effective Audit Results Using Project Management Techniques
The four essential project management techniques outlined in this guide will help internal auditors to complete their audits and advisory services more easily, within budget, while still focusing on the issues that matter.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
December 13, 2001
Data Processing Control: Guide to Effective Practices
This guide provides descriptions of effective data processing control practices. It includes major control areas from design principles to file controls to trouble symptoms, and lists specific practices and their descriptions under each area.
CONTENT AREA: Guides
TOPICS: Technology
December 1, 2001
Techniques for Overcoming Client Objections
While objections sound like negatives, they are actually disguised buying signals. Objections are your customer's way of opening up to you and really getting to the bottom of what is needed in a suitable corrective action plan. By encouraging the customer to voice such objections, you can quickly assess your customer's whole package of needs, and turn each objection into a benefit your findings and recommendations can offer.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
November 20, 2001
Facilitation Techniques: Building agreements amongst meeting participants
This guide shows how successful facilitators find that consensus is more easily accomplished through a series of tiny agreements along the way on what to do and how to do it.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration, Self-Assessment
November 20, 2001
Facilitation Techniques: Creating facilitated meeting process awareness
As a facilitator of a meeting, it is important to make your participants aware of your process, that is, how you are going to achieve the purpose of your meeting. Use this guide to create process awareness during your meeting.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 20, 2001
Facilitation Techniques: Generating ideas through brainstorming
This guide suggests alternative methods you can use to conduct a group brainstorming session.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration, Self-Assessment
November 20, 2001
Facilitation Techniques: Managing meeting discussion flow
Use this guide when facilitating discussions, to help you keep all participants working on the same content and using the same processes at the same time.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 20, 2001
Facilitation Techniques: Meeting purpose statement
This guide will help you to develop an effective meeting purpose statement, in order to gain commitment from your participants in a facilitated workshop.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration, Self-Assessment
October 19, 2001
Financial Ratio Analysis Guide
This guide describes several types of ratios and calculations that can be used in conjunction with Ratio Analytical Techniques.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Accounting/Finance, Audit Testing
October 2, 2001
Data Collection Interviewing Techniques
This guide provides techniques for organizing and planning interviews, setting a good interview climate and posing questions, and collecting and verifying accurate information. It also suggests 'red flags' to watch out for, and special guidelines for telephone interviews.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Human Resources, Internal Audit Administration
September 6, 2001
Unhealthy Organizations: Fifty More Signs
This is the second of two guides, each of which identifies fifty signs of an unhealthy organization. These guides can be used to help identify and understand symptoms of deeper organizational problems.
CONTENT AREA: Guides
TOPICS: Internal Controls, Risk Management & Assessment, GRC
August 30, 2001
Protecting Intellectual Property Assets: Guidelines
These guidelines present some considerations for internal auditors looking to evaluate, review and protect IP assets.
CONTENT AREA: Guides
TOPICS: Intellectual Property
August 30, 2001
Unhealthy Organizations: Fifty Signs
This guide identifies fifty general signs of an unhealthy organization. The guide can be used to understand where future problems may arise.
CONTENT AREA: Guides
TOPICS: Internal Controls, Risk Management & Assessment, GRC
July 20, 2001
Analytical Review for Internal Auditors
This review is a guide to four major types of analytical tools and their methods: trend analysis, benchmarking, ratio analysis, and modeling.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Audit Testing, Internal Audit Administration
July 10, 2001
Internal Controls and Shareholder Value
An effective system of internal controls forms one of the keystones necessary to building, maintaining and improving shareholder value. This presentation can be used as a training piece describing what internal controls are, why they are important, and how they relate to shareholder or stakeholder value.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Risk Management & Assessment, Training & Development, GRC
July 3, 2001
Laptop Computer Security: Loss Prevention Techniques
Good laptop security policies and policy education will not only reduce the expense of replacing computers, but will help to protect valuable intellectual assets as well. This guide can be used to assist in the development of loss prevention and security policies, and associated monitoring activities.
CONTENT AREA: Guides
TOPICS: Technology, Security, Fixed Assets, Physical Security
May 2, 2001
Initial Public Offerings: A Guide
This guide summarizes the rules and procedures essential to the process of public ownership through the initial public offering (IPO). It is intended to guide you through the necessary research and analysis.
CONTENT AREA: Guides
TOPICS: Accounting/Finance, Financial Reporting
April 12, 2001
AICPA/CICA SysTrust
This guide provides a high-level overview of SysTrust, an assurance service designed to increase the comfort of management, customers, and business partners with the systems that support a business or a particular activity.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Risk Management & Assessment, Security, Compliance, Internal Audit Administration, IT Infrastructure, Security Management Practices, GRC
April 12, 2001
Generally Accepted Systems Security Principles (GASSP)
This guide provides an overview of the Generally Accepted Systems Security Principles (GASSP), which comprise a comprehensive hierarchy of guidance for security of information and supporting technology.
CONTENT AREA: Guides
TOPICS: Corporate Governance, Technology, Security, IT Infrastructure, Security Architecture & Models, GRC
April 12, 2001
Managing Security of Information: Guidelines
This guidance from the International Federation of Accountants (IFAC) identifies core principles of information security and an implementation approach.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Risk Management & Assessment, Security, Accounting Organizations, IT Infrastructure, Security Management Practices, Australia, GRC
April 12, 2001
Security of Information Systems: OECD Guidelines
These guidelines provide a foundation from which countries and the private sector, acting singly and in concert, may construct a framework for security of information systems.
CONTENT AREA: Guides
TOPICS: Technology, Risk Management & Assessment, Security, IT Infrastructure, Laws & Regulations, Security Management Practices, GRC
March 21, 2001
Business Plan Preparation Guide
This is a comprehensive guide to preparing a business plan. With useful commentary, visuals, and "Ask yourself" questions, this guide will help you create a well-thought-out and attention-grabbing business plan.
CONTENT AREA: Guides
TOPICS: Accounting/Finance, Financial Services Industry, Investments & Foreign Exchange
February 1, 2001
Employee Retention Program Customization Guide
The ability to retain talent can dramatically impact an organization's competitive position. This presentation describes the characteristics of the 'new' workforce and some causes of employee turnover. It suggests best practice approaches and then walks through a step-by-step process for designing and implementing a retention strategy.
CONTENT AREA: Guides
TOPICS: Human Resources
January 10, 2001
Human Resources Risk Management Presentation
This short guide helps define human resources risk, and identify the major HR processes and sub-processes where risks occur.
CONTENT AREA: Guides
TOPICS: Risk Management & Assessment, Compensation & Benefits, Human Resources, GRC
January 10, 2001
Interviewing Essentials - Presentation
This guide can help audit groups develop training courses for auditors inexperienced in the art and skill of interviewing. It also provides a refresher to more experienced auditors.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
January 10, 2001
Online Banking: Services, Risks and Controls
This guide describes the background behind internet/online banking, its historical and expected growth rates, and gives definitions of many terms and products associated with the internet and online banking.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Risk Management & Assessment, Security, E-Business, Financial Services Industry, Operations Security, GRC
January 9, 2001
CAAT (Computer Assisted Auditing Technique) Tests
Computer Assisted Auditing Techniques provide a new approach to audit tests, replacing tests that would have been performed manually by the internal audit team.
CONTENT AREA: Guides
TOPICS: Fraud, Technology, Internal Audit, Risk Management & Assessment, Audit Testing, Internal Audit Administration, Software Tools, Segregation of Duties, Continuous Auditing, GRC
January 9, 2001
Common Frauds: By Business Process
This guide identifies common forms of fraud that can occur in most companies.
CONTENT AREA: Guides
TOPICS: Fraud, Accounting/Finance, Accounts Receivable, Cash & Treasury, Human Resources, Supply Chain, Materials Management & Inventory, Payroll, Purchasing & Accounts Payable
January 5, 2001
IT Review Discussion Guidelines for an IA Quality Assurance Review
This guide can be used by a Quality Assurance Review (QAR) team as a guide to reviewing overall Internal Audit coverage for IT.
CONTENT AREA: Guides
TOPICS: Best Practices, Technology, Internal Audit, IT Audit, Quality Assessment Review
January 2, 2001
Work Program Guide: Sample Audit Administration Steps
This guide contains sample work program steps for the administration of a typical audit.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
January 2, 2001
Work Program Guide: Sample Audit Fieldwork Steps
This guide contains sample work program steps for a typical audit.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
December 22, 2000
Turnbull Report - A Best Practices Guide
Publication of the Internal Control Working Party's recommendations on the Combined Code ('Turnbull Report') presents businesses with an opportunity. For the first time, the link between risk management and improved business performance is being acknowledged by governance regulations.
CONTENT AREA: Guides
TOPICS: Best Practices, Corporate Governance, Risk Management & Assessment, Financial Reporting, United Kingdom, GRC
December 19, 2000
Budgeting Best Practice Presentation
This presentation goes through one of business' most time-consuming financial processes, budgeting. It describes at a high level the best practice steps that most companies should consider implementing in the budgeting process, with the goal of linking it to corporate strategy.
CONTENT AREA: Guides
TOPICS: Budgeting
December 15, 2000
Fraud Prevention/Detection: Top Ten Tips for Audit Committees
This guide contains a list of the top ten fraud prevention tips.
CONTENT AREA: Guides
TOPICS: Fraud, Internal Audit, Audit Committee & Board
December 14, 2000
Cooking the Books: Common Schemes, Warning Signs, and Methods
"Cooking the books" may occur at one or multiple points throughout a company's information flow. A solid grasp of how data from business is captured will improve the internal audit team's ability to recognize the schemes, warning signs, and methods identified in this guide.
CONTENT AREA: Guides
TOPICS: Fraud, Internal Audit, Accounting/Finance
December 4, 2000
Business Continuity Practitioners - Standards of Competence
This guide specifies the ten certification standards for business continuity practitioners as defined by the Business Continuity Institute (BCI).
CONTENT AREA: Guides
TOPICS: Business Continuity Management, Technology, IT Infrastructure
December 4, 2000
IT Related Business Risks: Definitions
This guide contains definitions of specific business risks that relate to IT.
CONTENT AREA: Guides
TOPICS: Technology, Risk Management & Assessment, IT Infrastructure, GRC
December 1, 2000
Performance Measures for Internal Audit
CONTENT AREA: Guides
TOPICS: Customer Satisfaction, Internal Audit, Performance Management/Measurement, Audit Planning
December 1, 2000
Process Mapping Guidelines: Flowcharting
This guide provides definitions of flowcharting symbols, specific guidelines to aid in preparing a clear, easy to read flowchart, and descriptions of useful flowchart additions.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Audit Reporting, Internal Audit Administration
November 30, 2000
Fraud Detection - Scenarios & Tests by Process
This guide provides examples of fraud, and analytical procedures used to detect them in six areas.
CONTENT AREA: Guides
TOPICS: Fraud, Internal Audit, Accounts Receivable, Audit Testing, Cash & Treasury, Materials Management & Inventory, Payroll, Purchasing & Accounts Payable
November 29, 2000
Responding to Audit Committee Responsibilities: Best Practices
This guide provides an overview of what the most common audit committee responsibilities typically encompass, together with "Best Practices" related to carrying out these responsibilities.
CONTENT AREA: Guides
TOPICS: Benchmarking, Best Practices, Corporate Governance, Internal Audit, Audit Committee & Board, Audit Planning, GRC
November 28, 2000
Comparison of Reconciliation Systems
This matrix can be used to evaluate different types of account reconciliation systems, based on their functionality and based on some best practice criteria.
CONTENT AREA: Guides
TOPICS: Accounting/Finance
November 21, 2000
Facilitated Sessions: The Participant's Roles
This guide describes the role of the facilitator, co-facilitator and content expert in a risk self assessment session.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 21, 2000
Self Assessment: Beginning and Beyond
This guide shows how to get started with self assessment, and includes suggestions for other advanced uses of this approach.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 16, 2000
Self Assessment Agenda Guide: Why+What+How+When
All self assessment meetings have four common elements. This tool describes these elements and how they can be combined to create an effective agenda for a self assessment meeting.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 16, 2000
Self Assessment Meeting Technologies
This guide presents two types of computer-based techniques which are helpful in conducting self assessment meetings.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 15, 2000
Multiple Risk Assessment Meetings: Results Analysis Guide
A guide to combining the results of multiple self-assessment meetings for a process owner into easily-accessed and understandable information.
CONTENT AREA: Guides
TOPICS: Internal Audit, Risk Management & Assessment, Self-Assessment, GRC
November 15, 2000
Self Assessment Questionnaires: Guide to Development
This guide provides a framework for developing a self assessment questionnaire.
CONTENT AREA: Guides
TOPICS: Internal Audit, Risk Management & Assessment, Self-Assessment, GRC
November 14, 2000
Computer Voting Methods Guidelines
This guide discusses some types of votes and issues to consider when using automated voting techniques.
CONTENT AREA: Guides
TOPICS: Internal Audit, Self-Assessment
November 13, 2000
Audit Exit Meeting Guidelines
These guidelines contain helpful hints and ideas for conducting a smooth and effective exit meeting.
CONTENT AREA: Guides
TOPICS: Internal Audit, Audit Reporting, Internal Audit Administration
November 13, 2000
Internal Audit Report Writing Guidelines
These guidelines provide suggestions on the internal audit report writing process, including suggestions about format, content, and style.
CONTENT AREA: Guides
TOPICS: Internal Audit, Audit Reporting, Internal Audit Administration
November 13, 2000
Interviewing to Understand a Process
This guide provides an auditor with a starting point for generating and customizing interview questions to aid in understanding a process.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
November 9, 2000
Audit Tests: Types, Advantages, & Disadvantages
This guide compares fifteen types of tests that can be used to analyze a process during an internal audit assignment.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Audit Testing, Internal Audit Administration
November 6, 2000
Information Security: Ten Myths
Commonly held but incorrect beliefs about information security.
CONTENT AREA: Guides
TOPICS: Technology, Security, Security Management Practices
November 6, 2000
Transactional Flowchart: Guidelines and Examples
Use this guide to create a Transactional Flowchart, which depicts all the activities in a process from beginning to end.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Audit Reporting, Internal Audit Administration
November 6, 2000
Treasury Settlement Best Practices
This guide lists select best practices for activities surrounding treasury settlement within a financial services institution.
CONTENT AREA: Guides
TOPICS: Benchmarking, Best Practices, Cash & Treasury, Financial Services Industry
November 4, 2000
Network Security Attacks: Guide to Reducing Exposure
There is no way to totally prevent all security-related exposures, but there are ways to monitor and quickly respond to these events to reduce the exposures. This guide summarizes some steps that companies should take to assess how well prepared their organization is to address these issues.
CONTENT AREA: Guides
TOPICS: Technology, Risk Management & Assessment, Security, Telecommunications, Network & Internet Security, Communications Industry, GRC
November 4, 2000
Performance Measures: Guide to Do's and Don'ts
This guide identifies twelve common problems with individual or group performance measures. During a review of performance measures, this guide can alert an internal auditor to potential problems to watch out for.
CONTENT AREA: Guides
TOPICS: Performance Management/Measurement
November 4, 2000
Physical Security Audit for Information Systems: Guidelines
This guide suggests controls for the physical security of information technology and systems related to information processing.
CONTENT AREA: Guides
TOPICS: Technology, Internal Audit, Security, Fixed Assets, IT Audit, Physical Security
November 4, 2000
Presentation Pointers Guide
This guide provides tips that help the internal auditor give a smooth, professional oral presentation. The tips cover planning, speaking style and use of visual aids.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
November 4, 2000
Prioritizing Using the N/3 Technique
This guide describes N/3, a technique that can be used during a meeting to prioritize a list of brainstormed ideas. Participants choose their top three ideas, placing equal weight on each item. When the votes are tallied, a rank order is established based on the number of votes received.
CONTENT AREA: Guides
TOPICS: Internal Audit, Risk Management & Assessment, Training & Development, Internal Audit Administration, Self-Assessment, GRC
November 4, 2000
Process Description Chart: Guide and Example
A Process Description Chart summarizes, classifies and measures activities within a process to determine their value. This guide shows how to complete one.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Audit Reporting, Internal Audit Administration
November 4, 2000
Process Overview Form: Guide and Example
This form summarizes vital information about a process: mission, inputs, outputs, departments involved and performance measures. This guide contains instructions for using the form.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Audit Reporting, Internal Audit Administration
November 4, 2000
Procurement Card Programs: Guide to Internal Control
This guide describes how, by implementing an effective internal control structure, a procurement card program can serve its intended use without creating unmitigated risks, thereby increasing operating efficiency and cost savings for the company.
CONTENT AREA: Guides
TOPICS: Purchasing & Accounts Payable
November 4, 2000
Recruiting Tips for Internal Auditors
This guide contains suggestions that can help with finding and retaining good internal audit candidates, despite a labor market that has made the recruitment of internal auditors more challenging.
CONTENT AREA: Guides
TOPICS: Internal Audit, Human Resources, Internal Audit Administration
November 4, 2000
Risk Considerations Checklist
This checklist draws attention to 17 factors that should be considered prior to assessing risk at the process level.
CONTENT AREA: Guides
TOPICS: Internal Audit, Risk Management & Assessment, Internal Audit Administration, GRC
November 4, 2000
Stop/Start/Continue Technique: Guide to Use
Stop/Start/Continue is a technique for generating ideas, solving problems, and negotiating behavior changes between two groups, individuals, or departments.
CONTENT AREA: Guides
TOPICS: Internal Audit, Internal Audit Administration
November 4, 2000
SWOT Analysis Guide
A SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is a structured group technique useful in identifying the internal and external forces that drive an organization's competitive position in the market. This guide describes how to perform a SWOT analysis.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Internal Audit Administration, Self-Assessment
November 2, 2000
Prioritizing Using the Nominal Group Technique
This guide describes the nominal group technique, which can be used during a group meeting or brainstorming session. It allows a group to rank a list of options or ideas in order of importance.
CONTENT AREA: Guides
TOPICS: Internal Audit, Risk Management & Assessment, Training & Development, Internal Audit Administration, Self-Assessment, GRC
October 31, 2000
Interview Guidelines
This guide helps an interviewer to prepare for, conduct, and document an interview. Although the example questions are tailored to internal audit, this tool applies to all types of interviews.
CONTENT AREA: Guides
TOPICS: Internal Audit, Training & Development, Internal Audit Administration
October 31, 2000
Organizational Performance Measurement Presentation
This presentation outlines some objectives for and benefits of measuring organizational performance, and includes performance measurement examples from seven companies.
CONTENT AREA: Guides
TOPICS: Benchmarking, Corporate Governance, Performance Management/Measurement, Best Practices, GRC
October 30, 2000
Common Frauds: Insider, Outsider, and Frauds for the Company
This guide identifies various types of fraud committed by insiders, outsiders, and management.
CONTENT AREA: Guides
TOPICS: Fraud
October 30, 2000
Fraud Detection - Guidelines and Techniques
This guide identifies ways that fraud can be committed from an accounting, operations, and IT internal controls perspective, and includes examples of fraud detection techniques using Data Analysis, Trend Analysis, and Proportional Analysis.
CONTENT AREA: Guides
TOPICS: Ethics, Fraud, Technology, Internal Audit, Audit Testing, Software Tools
October 30, 2000
Fraud Detection: Red Flags
This guide lists opportunity red flags, personal characteristic red flags, and situational pressure red flags of possible fraudulent activity.
CONTENT AREA: Guides
TOPICS: Fraud, Segregation of Duties
October 30, 2000
Fraud Indicators Detectable through Data Analysis
This guide lists data tests and data comparisons which can be run for common business processes to reveal anomalies that may indicate fraud or control problems.
CONTENT AREA: Guides
TOPICS: Fraud, Technology, Internal Audit, Accounts Receivable, Audit Testing, Cash & Treasury, Payroll, Purchasing & Accounts Payable, Software Tools
October 30, 2000
Fraud Indicators: Financial Performance
This guide identifies some of the red flags within an entity's financial performance that indicate the potential existence of embezzlement, financial statement fraud, and other illegal acts (e.g., bribery, kickbacks, price-fixing, bid-rigging and tax evasion).
CONTENT AREA: Guides
TOPICS: Ethics, Fraud, Internal Audit, Performance Management/Measurement, Taxation, Audit Testing
October 30, 2000
Internal Audit Competency Model and Assessment Guide
This guide suggests competency objectives for internal auditors at junior, intermediate, and senior levels. The competency model sets expectations about the types and levels of skills that all internal auditors within a department are expected to possess.
CONTENT AREA: Guides
TOPICS: Internal Audit, Performance Management/Measurement, Training & Development, Human Resources, Internal Audit Administration
October 30, 2000
Performance Measurement Process Development Guide
This guide describes eight steps to consider when putting a performance measurement process into place.
CONTENT AREA: Guides
TOPICS: Performance Management/Measurement
October 30, 2000
Quality Assurance Review (QAR) Information Gathering Guide
This guide identifies a comprehensive list of information that should be gathered during a Quality Assurance Review (QAR). The information will be used in conjunction with the insights gathered during QAR interviews to provide the QAR team with a clear picture of internal audit operations.
CONTENT AREA: Guides
TOPICS: Internal Audit, Audit Reporting, Quality Assessment Review
October 28, 2000
Audit Tracking Options
Many internal audit departments find it helpful to track audit findings within a spreadsheet or database. A well-organized, easily updated database can significantly reduce the time it takes to track audit findings and follow up with the individuals responsible for taking action.
CONTENT AREA: Guides
TOPICS: Internal Audit, Audit Reporting, Internal Audit Administration
October 28, 2000
Business Continuity Planning: Guide
This presentation is a guide to various types of business continuity planning, including the objectives of and approaches to BCP. It discusses the variety of objectives that organizations may have for BCP, and then links these objectives to different planning approaches that can be used.
CONTENT AREA: Guides
TOPICS: Business Continuity Management, Technology, IT Infrastructure
October 28, 2000
Business Continuity Planning: Ten Common Mistakes
With increasing reliance on electronic markets, companies are becoming more and more concerned about business continuity planning (BCP). This guide identifies ten common BCP mistakes.
CONTENT AREA: Guides
TOPICS: Business Continuity Management, Technology, IT Infrastructure
October 28, 2000
Cost Benefit Analysis Methods
This guide outlines various methods of performing a cost-benefit analysis of solutions to issues/gaps.
CONTENT AREA: Guides
TOPICS: Cost Management, Internal Audit, Training & Development, Audit Reporting, Internal Audit Administration