
Internal Auditing: An Integrated Approach
Third edition
Richard Cascarino

Internal Auditing – An Integrated Approach 3e covers the basic concepts, philosophy and principles
underlying the practice of Internal Auditing, and the relationships between the internal auditor,
management and the external auditor.

This updated edition is recommended for students of Internal Auditing preparing for BCom, BCom Hons
and BTech examinations and for the professional CIA examination of the Institute of Internal Auditors
Inc. It is also suitable for internal and external auditors employed in internal departments or professional
practices providing outsourced internal audit or management assurance services, as well as senior
financial personnel responsible for corporate governance, risk management and internal controls. It will
also be of interest to Chartered Accountants with a specialist interest in governance and control issues.

Some new information in this edition includes:

• The changing role of Internal Audit in today’s business environment
• The Free Market and the Marxist critique of the free market system
• Corporate Morality and Ethical Management
• The “Cube” approach to risk assessment
• ERM and Internal Audit
• Auditing Business Process Cycles
• Auditing Business Environments
• Current and emerging technology issues for internal auditors.

About the author
Richard Cascarino is CEO of Richard Cascarino & Associates, a successful audit consulting and training
company based in Johannesburg, SA and Denver, USA. He has been involved in the development of
courses in Internal Auditing, IT Auditing and Governance for the School of Accountancy, University of
the Witwatersrand, Johannesburg. His books are used at universities worldwide and serve as reference
guides for Internal, IT and Forensic auditors. He is chairman of the Audit and Risk Committee of the
Department of Public Enterprises in South Africa.

www.jutaacademic.co.za


Juta Support Material
To access supplementary student and lecturer resources for this title visit the support material web page at
http://jutaacademic.co.za/support-material/detail/internal-auditing

Student Support
This book comes with the following online resources accessible from the resource page on the
Juta Academic website:
• Access to a demo version of IDEA® data analysis software
• Exam and study skills.

Help and Support


For help with accessing support material, email [email protected]
For print or electronic desk and inspection copies, email [email protected]
INTERNAL AUDITING:
An Integrated Approach

Third edition

Richard Cascarino CIA, CRMA, CFE, CISM

Internal_Auditing.indb 1 16/04/2015 11:12


Internal Auditing: An Integrated Approach
Third edition

First published 2015


First print published 2005
Second edition 2007
Reprinted January 2012
Reprinted August 2012
Reprinted March 2013
Third edition 2015

Juta and Company Ltd


PO Box 14373, Lansdowne, 7779, Cape Town, South Africa
© 2015 Juta & Company Ltd

ISBN 978 1 48511 059 0 (Print)


ISBN 978 1 48511 474 1 (WebPDF)

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or any information storage or retrieval system, without
prior permission in writing from the publisher. Subject to any applicable licensing terms and conditions in the case of
electronically supplied publications, a person may engage in fair dealing with a copy of this publication for his or her
personal or private use, or his or her research or private study. See Section 12(1)(a) of the Copyright Act 98 of 1978.

Project manager: Carlyn Bartlett-Cronje


Editor: Pat Hanekom
Cover designer: Joan Baker
Typesetter: ANdtp Services
Indexer: Adami Geldenhuys

The author and the publisher believe on the strength of due diligence exercised that this work does not contain any
material that is the subject of copyright held by another person. In the alternative, they believe that any protected
pre-existing material that may be comprised in it has been used with appropriate authority or has been used in
circumstances that make such use permissible under the law.
Contents

Preface ... xii
The Author ... xiv
Acknowledgements ... xiv

Section 1: Theory of Internal Auditing ... 1

Chapter 1: The Emerging Role of Internal Auditing ... 3
Learning objectives ... 3
In the Beginning ... 3
The Genesis of Internal Auditing ... 3
The Institute of Internal Auditors (IIA) ... 4
Internal Auditing ... 5
What is Management? ... 6
Executive Management’s Responsibility and Corporate Governance ... 7
Professionalism within the Internal Auditing Function ... 8
The Internal Audit Charter ... 8
The Relationship of Internal Audit to Other Company Activities ... 9
The Relationship of Internal Audit to the Board of Directors ... 9
The Relationship of Internal Audit to the External Auditor ... 10
The Relationship Between Internal Audit and the Audit Committee ... 10
Three Lines of Defense ... 12
The Changing Role of Internal Audit in Today’s Business Environment ... 12

Chapter 2: The IIA’s Standards for the Professional Practice of Internal Auditing ... 14
Learning objectives ... 14
Origins ... 14
New Standards for the Professional Performance of Internal Auditing ... 15
Internal Auditor Education ... 16

Chapter 3: Internal Audit Quality ... 19
Learning objectives ... 19
Quality Assurance Reviews ... 19
Performing a Quality Assurance Review ... 20
Quality Assurance Methodology ... 22

Chapter 4: Ethics Theory and Practice in the Modern World ... 23
Learning objectives ... 23
Business Ethics ... 23
Ethical Theories ... 24
A Conceptual Framework ... 25
Employee Ethics ... 26
Codes of Conduct ... 27
Corporate Ethical Practices ... 28
The Free Market and the Marxist Critique of The Free Market System ... 28
Corporate Morality ... 30
Ethical Management ... 31
Resolving Ethical Conflicts ... 31
The Role of Ethics in Distinguishing a Profession ... 33
Independence and Objectivity ... 34

Chapter 5: The Performance Objectives of Organizations ... 37
Learning objectives ... 37
The Nature of Business Organizations ... 37
Strategic Planning and Organizational Performance ... 39
Performance Objectives ... 40
Performance Measurement ... 41
Public Sector Performance Measurement ... 41
The Balanced Scorecard and Performance Measurement ... 41
Improving Performance Measurement Systems ... 44
Effectiveness, Efficiency and Economy ... 45
The Role of Performance Objectives ... 46

Chapter 6: Risk Assessment ... 47
Learning objectives ... 47
Broad Concepts of Control and Risk ... 47
The Nature of Risk ... 47
The Effect of Risk ... 48
Entity-wide Risk Identification ... 50
Techniques to Identify Risks ... 51
Risk Analysis and Internal Auditing ... 51
Conducting a Risk Assessment ... 56
The ‘Cube’ Approach to Risk Assessment ... 58
ERM and Internal Audit ... 62

Chapter 7: Control Frameworks ... 65
Learning objectives ... 65
Control Processes ... 65
COSO’s Internal Control: An Integrated Framework ... 66
Internal Controls ... 67
Systems of Internal Control ... 68
Elements of Internal Control ... 69
Control Self-assessment ... 70
Implementing CSA ... 71
Other Control Frameworks ... 73
CobIT® ... 75
Other Self-assessment Methods ... 78

Chapter 8: Audit Evidence ... 79
Learning objectives ... 79
The Nature of Audit Evidence ... 79
Reliability of Audit Evidence ... 80
Audit Evidence Procedures ... 80
Documenting the Evidence ... 83
Gathering Computerized Evidence ... 83

Section 2: The Environment of Business ... 85

Chapter 9: Communication ... 87
Learning objectives ... 87
The Elements of Communication ... 87
Communication at Work ... 89
Barriers to Communications ... 91
Overcoming the Barriers ... 92
Written Communications ... 92
Verbal and Non-verbal Communications ... 93

Chapter 10: Strategic Management ... 95
Learning objectives ... 95
The Nature of Strategic Management ... 95
Implementing Strategic Management ... 97
The Strategic Analysis of Industries ... 99
Competitive Strategies ... 102

Chapter 11: Global Business Environments ... 107
Learning objectives ... 107
Business Globalization ... 107
The History of Globalization ... 108
Problems of Globalization ... 109
Cultural Issues in Globalization ... 110
Organizational Culture ... 111
Culture and Ethics ... 112
The Nature of Industries ... 113

Chapter 12: Organizational Behavior ... 115
Learning objectives ... 115
The Organizational Behavior of Managers ... 115
Groups within Organizations ... 116
Conflict ... 119
Group Decision-making ... 120
Group Techniques ... 120

Chapter 13: Management Skills ... 121
Learning objectives ... 121
The Evolution of Management Practices ... 121
Current Management Theory ... 125
Skills Required of a Modern Manager ... 126
The Challenges of Increasing Business Uncertainty ... 126
Types of Managerial Decisions ... 127
Values and Job Satisfaction ... 128
Leadership Styles ... 128
Motivation ... 129
Work Stress ... 130
Building Staff Competencies ... 132
Performance Management ... 132

Chapter 14: Auditing Business Process Cycles ... 133
Learning objectives ... 133
Auditing Business Process Cycles ... 133
Revenue and Receivable Business Cycles ... 133
Supply Chain Management ... 134
Inventory and Production Cycles ... 135
Payroll and Human Resource Cycles ... 136
Research and Development Cycles ... 137
Contract Auditing ... 138
Auditing Corporate Strategy ... 139

Chapter 15: Negotiation Skills ... 141
Learning objectives ... 141
Negotiation ... 141
The Climate for Negotiations ... 142
Negotiating Common Ground ... 143
Power ... 143
Persuasion ... 144
Negotiating Conflict ... 144
Interviewing ... 145
Negotiating/Interviewing as a Consultant ... 147

Section 3: The Practice of Internal Auditing ... 149

Chapter 16: Types of Internal Audit ... 151
Learning objectives ... 151
Compliance Audits ... 151
Financial Audits ... 151
Performance and Operational Audits ... 152
Environmental Audits ... 152
Fraud Audits ... 153
Quality Audits ... 154
Program Results Audits ... 154
IT Audits ... 155
Application Audits ... 155
Audits of Significant Balances and Classes of Transactions ... 155
Impact on the Skill Mix ... 156

Chapter 17: The Internal Audit Process and Documentation ... 157
Learning objectives ... 157
Objectives of Audit Service Delivery ... 157
The Macroprocesses of the Internal Audit Process ... 158
The Management Process ... 160
Implementation of the Generic Audit Process ... 162
The Audit Process Structure ... 163
Audit Testing ... 166
Developing and Reporting Findings and Recommendations ... 166
Audit Evaluation ... 168

Chapter 18: Control and Performance Evaluation ... 169
Learning objectives ... 169
The Nature of Internal Controls ... 169
Internal Controls ... 169
Testing of Internal Controls ... 174

Chapter 19: Engagement Planning ... 175
Learning objectives ... 175
Engagement Planning ... 175
Planning ... 175
Unplanned Work ... 178
Project Management ... 178

Chapter 20: Audit Reporting and Follow-up ... 183
Learning objectives ... 183
Reporting ... 183
Audit Reporting ... 183
Clear Writing Techniques ... 184
Preparing to Write ... 185
The Basic Audit Report ... 185
The Executive Summary ... 185
Detailed Findings ... 186
Polishing the Report ... 186
Distributing the Report ... 186
Interim Reporting ... 187
Closing Conferences ... 187
Follow-up Reporting ... 187
Types of Follow-up Action ... 188
Audit Follow-up Policies ... 188

Chapter 21: Audit Engagement Tools, Statistics and Quantitative Methods ... 190
Learning objectives ... 190
Audit Engagement Tools, Statistics and Quantitative Methods ... 190
What is Sampling? ... 190
Why Do We Sample? ... 191
Judgmental (or Non-mathematical) Sampling ... 191
Statistical Approach ... 192
Sampling Risk ... 192
Assessing Sampling Risk ... 193
Planning a Sampling Application ... 194
Quantitative Methods ... 198
Ratio and Regression Analysis ... 200
Project Scheduling Techniques ... 200
Simulations ... 201

Section 4: Business Analysis ... 203

Chapter 22: Corporate Governance ... 205
Learning objectives ... 205
International Corporate Governance Developments ... 205
Corporate Stakeholders and Governance ... 208
Investors, qua Owners ... 209
Board Structure, Roles and Responsibilities ... 210
Board Committees ... 212
The Role of Audit Committees ... 213
External Audit ... 215
Internal Audit ... 215
A Risk-based Approach to Internal Audit ... 218
Resourcing Internal Audit ... 218
Outsourcing Internal Audit ... 219

Chapter 23: Financial Accounting and Finance ... 220
Learning objectives ... 220
Financial Reporting ... 220
Auditing the Financial Reporting Process ... 222
Appointment of External Auditor and Consultants ... 222
Audit Plans and Co-ordination with External Audit ... 224
External Auditors’ Use of the Work of Internal Audit ... 224
Internal Controls over Financial Reporting ... 226

Chapter 24: Cost and Managerial Accounting ... 227
Learning objectives ... 227
The Importance of Cost and Managerial Accounting Principles ... 227
A Value Chain for Business ... 228
The Public Sector ... 229
Cost Accounting Principles ... 230
Analyzing Costs and Evaluating Cost Management ... 234
Capital Budgeting and Cost Analysis ... 235
Quality Control Costs ... 235

Chapter 25: The Legal and Regulatory Environment ... 237
Learning objectives ... 237
The Legal and Regulatory Environment ... 237
Impact on the Internal Auditor ... 238
Identifying and Monitoring Non-compliance ... 238
Internal Audit Programs to Evaluate the Effectiveness of Controls ... 239

Section 5: Information Technology ... 241

Chapter 26: Auditing Information Technology ... 243
Learning objectives ... 243
Control and Audit of Information Technology ... 243
Some Computing Terminology ... 243
Systems of Internal Control ... 249
General Control Objectives ... 250
Program Control Objectives ... 251
Batch vs Online ... 252
Other Communication Concepts ... 253

Chapter 27: Auditing General and Application Controls ... 255
Learning objectives ... 255
The Control Environment ... 255
Computer Operations Controls ... 256
Application Controls ... 259
Systems Controls ... 260
Overall Control Objectives ... 261

Chapter 28: Auditing Systems under Development ... 263
Learning objectives ... 263
Why Do Systems Fail? ... 263
Systems Development ... 265
Micro-based Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Chapter 29: The Use of CAATs in Auditing Computerized Systems. . 274


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Computer-assisted Audit Tools and Techniques. . . . . . . . . . . . . . . . . . . . . . . . 274
CAATs Case Study. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Chapter 30: Auditing Security and Privacy. . . . . . . . . . . . . . . . . . . 279


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Auditing Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Auditing Communications Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Chapter 31: Disaster Recovery and Business Continuity Planning. 285


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Disasters: ‘Before and After’. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Business Continuity Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Business Impact Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Chapter 32: Auditing e-Commerce and the Internet . . . . . . . . . . . 294


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Changing the World . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
e-Commerce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
The Internet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

INTERNAL AUDITING: AN INTEGRATED APPROACH

Chapter 33: Current and Emerging Technology Issues for Internal Auditors . . . . . . . . . . . . 311
Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
IT Audit Approach and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
IT Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Project Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Outsourcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Cloud Computing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Smart Mobility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Social Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Advanced Persistent Threats and Targeted Cyber Attacks. . . . . . . . . . . . . . . . . 320

Section 6: Fraud and Forensic Auditing. . . . . . . . . . . . . . . . . . . . . 323


Chapter 34: Fraud Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Fraud Detection and Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
The Context of Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Red Flags for Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Personal Fraud Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Triggering Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Fraud Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Codes of Conduct. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Internal Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Chapter 35: Forensic Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . 337


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Courts and the Administration of Justice. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Forensic Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
What Constitutes Best Evidence?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Forensic Audit Department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Polygraph Testing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Chapter 36: Conducting Fraud Investigations. . . . . . . . . . . . . . . . . 343


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
What are Fraud Investigations? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Elements Required to Establish Evidence of Theft . . . . . . . . . . . . . . . . . . . . . . 343
The Power of the Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Corporate Investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Chapter 37: IT Fraud Investigation . . . . . . . . . . . . . . . . . . . . . . . . 349


Learning objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
The Exponential Growth of Computer Crime . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Classification of Computer Fraud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
The Investigation of IT Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Appendix A Internal Auditors’ Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Appendix B Sample Audit Committee Charter. . . . . . . . . . . . . . . . . . . . . . . . . 360
Appendix C Sample Internal Audit Charter . . . . . . . . . . . . . . . . . . . . . . . . . . . 362


Appendix D Working Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Appendix E General Standards of Completion. . . . . . . . . . . . . . . . . . . . . . . . . 370
Appendix F Sample Working Papers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Appendix G Sample Job Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Appendix H Sample Engagement Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Appendix I Sample Audit Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Appendix J Sample Audit Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405


Preface

The capital markets, rocked by recent corporate scandals and business failures, are demanding sound corporate governance from corporations and those charged with governance of publicly listed companies, financial services entities, large non-governmental organizations and the public sector. Investor confidence has been severely eroded by these events and the tangled web of multiple stakeholders involved. It is in this context that the role of the internal auditor has come to the fore, able to provide support to management in meeting its responsibilities for responsible, accountable and transparent governance and risk management.
To restore public confidence in the governance processes, government regulations have become more stringent, and corporate governance reports recommending changes all include requirements for greater involvement by internal audit and an enhanced role for audit committees. Auditing standards governing the external auditors have become more demanding, and legislation such as the Sarbanes-Oxley Act in the United States reaches across the world in demanding evidence of compliance from US listed companies and their affiliates anywhere in the world. The internal auditor has an important role to play in this process, whether employed by the organization or providing outsourced internal audit assurance services.
The Institute of Internal Auditors believes that organizations are best served by a
fully resourced and professionally competent internal auditing staff providing value-
added services which are critical to the efficient and effective management of an
organization.
This book addresses the area of professional competence within internal auditing
staff.
The text is designed primarily for lecturers and students of Internal Auditing at
an undergraduate and post-graduate level, intending to pursue a career in internal
auditing, as well as those with a specialist interest in governance, risk and control
issues for organizations. The basic concepts, philosophy and principles underlying
the practice of internal auditing, including the relationships between the internal
auditor, management and the external auditor are covered in the text.
In addition, the student will gain a knowledge and understanding of the nature
of an organization as well as risk management and the role of internal auditing in
managing organizational risks and understanding current developments in corporate
governance in both the public and private sectors.
The text will also prove an invaluable aid to those studying for the Certified Internal
Auditor professional qualification since it addresses the syllabus requirements of
the Institute of Internal Auditors and the Standards for the Professional Practice of
Internal Auditing and Competency Framework for Internal Auditors. Access to the
IDEA® data analysis software with the educational case study is an added bonus,
exposing students to a hands-on application of CAATs.

PREFACE

The text represents a practical integrated approach to the Institute of Internal Auditors’ recommended internal audit approach, and may be implemented within an Internal Audit Department in a cost-effective manner. Accordingly, the text may be useful as a reference manual for internal audits in practice.

The book is recommended reading for:
➤ students of Internal Auditing at universities and universities of technology preparing for BCom, BComHons and BTech examinations and for the professional CIA examination of the Institute of Internal Auditors Inc;
➤ internal and external auditors employed in internal departments or professional practices providing outsourced internal audit or management assurance services;
➤ internal auditors employed in the public sector departments and municipalities governed by the Public Finance Management Act and the more recent Municipal Finance Management Act; and
➤ senior financial personnel charged with responsibility for corporate governance, risk management and internal controls.


The Author

Richard Cascarino CIA, CRMA, CFE, CISM


Richard Cascarino is CEO of Richard Cascarino & Associates, a successful audit
consulting and training company based in Johannesburg, SA and Denver, USA. He
has been involved in the development of courses in internal auditing, IT auditing
and governance for the School of Accountancy, University of the Witwatersrand,
Johannesburg. His books are used at universities worldwide and as reference guides
for internal, IT and forensic auditors. He is chairman of the Audit and Risk Committee
of the Department of Public Enterprises in South Africa.

Acknowledgements

This textbook is the third edition of a book which was originally a dream that I had
for many years, and that Sandy van Esch had co-authored in its first edition. Without
Sandy’s encouragement there would have been no book.
There had been a demand for many years for an affordable internal auditing
textbook for students at universities and universities of technology in southern Africa
that incorporates local laws and regulations affecting the internal audit practitioner
in this region, while at the same time preparing students for the professional,
international CIA examinations. I hope that the text will go some way to address
these demands.
I wish to thank sincerely all those who contributed to the text along the way and
helped ensure that it reflects current practice, and for permissions granted to use
copyright material.
In particular my thanks go to:
➤ Margaret Cascarino and my family for their support.
➤ CaseWare International for permission to add the educational version of IDEA© as downloadable with this book.

My sincere appreciation as well to the editorial and production team at Juta Academic.

Richard Cascarino CIA, CRMA, CFE, CISM
Johannesburg, 14 November 2014

Section 1: Theory of Internal Auditing

Chapter 1: The Emerging Role of Internal Auditing

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the origins and history of internal auditing
➤ Explain the development of the internal auditing profession in South Africa
➤ Explain the emerging role of internal auditing
➤ Explain the different responsibilities of an internal auditor
➤ Define the contents of an internal audit charter

In the Beginning ...


From early times dating back to 3500 BC, extant records of various civilizations
indicate by patterns of checks and ticks that verification of records took place. In
ancient Egyptian, Greek, Chinese and Roman civilizations, rulers sought to confirm
official records by comparing two sets of such records. Presumably, this was done
by two officials working together, with one official reading from one of the record
sheets and the other checking against the other record sheet: the name ‘auditor’
derives from the Latin ‘auditus’, meaning ‘hearer’.
With the fall of the Roman Empire, auditing and control disappeared and it
was not until the Middle Ages that the growth of centralized control once again
demanded proof of the adequacy and correctness of record-keeping.

The Genesis of Internal Auditing


The profession of internal auditing, as with many other professions, has its roots in the industrial revolution of the nineteenth century. The enormous growth of the business sector found existing professionals scrambling to keep up. Specialists appeared, coping with such innovations as corporate law, banking provisions and bankruptcies. This led to the formation of a plethora of organizations and associations that over a period of time amalgamated into the British Institute of Chartered Accountants and the American Certified Public Accountants in their respective countries. The main difference, at that time, was the method of achieving professionalism within the two bodies. The American body adopted a style combining the academic and business worlds and produced professionals that were a hybrid of both. The British institute took the more traditional English path of a trade apprenticeship outside of the tertiary education system.

This situation continued into the mid-1950s, with the two institutes dominating the business world in those countries and becoming an increasingly integrated part of corporate life, to the extent that almost half of all qualified professional accountants were employed outside audit firms.
By the start of the 1940s, professional internal control evaluators were employed
and distributed throughout organizations to such an extent that the differentiation
between internal and external auditors became a meaningful concept.
The statutory role of the external auditor has remained as the attest function, confirming that the financial records of organizations have been fairly presented. The role of the internal auditor has developed over the past 70 years to one of assisting management in the discharge of their responsibilities by ensuring that the internal control structures are appropriate to a given level of risk and function, as management intended. Increasingly, internal auditors are called upon to act as internal control, risk and corporate governance consultants within organizations.

The Institute of Internal Auditors (IIA)


In 1941, the Institute of Internal Auditors Inc. was formed. Based in New York, it
was confined to America only. Its role was to provide a clearing house for ideas and
education, and generally to unite the developing profession. After World War II,
the growth in multinational corporations virtually guaranteed the spread of the IIA
to the rest of the industrialized world. The IIA was not alone in this. External audit
firms formed working agreements with other firms across national boundaries, which
eventually led to the large international partnerships we see today.
By the 1960s, the IIA had grown and flourished, becoming the acknowledged international leader of the internal auditing profession. The IIA’s motto of ‘Progress Through Sharing’ defined its role as a non-elitist coming together of like-minded individuals to offer mutual support and advancement through the propagation of knowledge.
From the IIA’s inception, it was recognized that the multidisciplinary and evolutionary nature of the business world would have to be reflected in the IIA. It had therefore to provide the umbrella beneath which individual skills and talents needed to audit the internal control mechanisms of modern business could come together as equals to share knowledge and to grow in the process.

The IIA has defined its vision as follows:


‘The IIA will be the global voice of the internal audit profession: Advocating its
value, promoting best practice, and providing exceptional service to its members’

and its mission as follows:


‘The mission of The Institute of Internal Auditors is to provide dynamic leadership for the global profession of internal auditing. Activities in support of this mission will include, but will not be limited to:
➤ advocating and promoting the value that internal audit professionals add to their organizations;
➤ providing comprehensive professional educational and development opportunities; standards and other professional practice guidance; and certification programs;
➤ researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance;
➤ educating practitioners and other relevant audiences on best practices in internal auditing; and
➤ bringing together internal auditors from all countries to share information and experiences.’1

Internal Auditing
Internal auditing has been defined by the IIA as follows:
‘Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Independence is established by the organizational and reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization’s governance, operations and information systems, in relation to:
➤ effectiveness and efficiency of operations;
➤ reliability and integrity of financial and operational information;
➤ safeguarding of assets;
➤ compliance with laws, regulations, and contracts.’ 2

Internal Auditing has traditionally been based on the paradigms of:
➤ internal control = management control;
➤ management control starts with governance;
➤ top management can control everything; and
➤ internal control is imposed from the top.

Today’s business environment indicates that a more appropriate paradigm might be that continuous improvement focuses control with owners of the process.
The role of internal audit must change to reflect this new reality. The fact that internal audit is ultimately responsible to the organization will not change; however, the owners of the process are becoming the custodians of internal control rather than traditional management structures. Internal auditors frequently become experts at describing the best design and implementation of all types of controls. However, internal auditors are not expected to equal – let alone exceed – the technical and operational expertise pertaining to the various activities of the organization. Nevertheless, they may help the responsible individuals achieve more effective results by appraising the existing controls and providing a basis for helping to improve them.
With the increased demand for sound corporate governance processes, the role of the internal audit is evolving into a more advisory role to assist management with risk identification processes and the design of appropriate controls for effective management of such risks at the various levels of the organization.

1. www.theiia.org.
2. www.theiia.org.


What is Management?
Management can be defined as the optimization of the utilization of corporate
resources through the planning, organizing, leading and controlling of the members
of any organization. It is a process of continuous improvement in which the business
itself is constantly adapting to its environment, and management is changing in the
same way.

The Management Process


The management process begins with an understanding of the organization’s business. Until this is achieved, any attempt to decide on organizational needs will be at best misleading and at worst disastrous. Once the overall objectives and environment of the business have been established, establishing the needs becomes a comparatively easy task.
The organization’s needs may be determined by identifying and examining the key activities whose effective performances can either make or break it. These key activities must themselves be monitored and therefore ambitious performance objectives must be established early in the planning process. For every performance objective, there will be a range of threats, which, if fulfilled, will either reduce the effectiveness of or totally negate the objective. These must be assessed in a formal risk assessment to determine an appropriate corporate coping strategy.
The coping or control strategies of the organization must be determined by management and appropriate controls designed to address the risks to be managed. The actual controls must be implemented and monitored and controls should exist to ensure that this happens. Controls, once implemented, must be effective in performance and periodically management must evaluate and review performance with this in mind.

Understanding an organization’s business


This is a combination of a theoretical approach using literature searches about the organization and its functions in the business press and relevant Internet sites, combined with a reading of the organization’s annual reports and other internal and external communications, in order to obtain the whole picture.
This theory will be combined with a more practical approach involving interviewing staff in order to both evaluate their understanding of the business and confirm your own understanding. Site visits to observe the operation of specific business functions will also help. An auditor may obtain further information and confirmation by comparing the current understandings to those in effect and identified during previous internal audit reviews.

Establishing needs
Once an auditor has established the overall objectives and environment of the business, he/she must decide on its overall needs. A study of the organization’s mission statement should clarify the general performance objectives. Management should have established strategic plans and objectives in order to ensure that the general performance objectives are achieved. By interviewing executive management, employees, and perhaps even customers and suppliers, the auditor can determine what the business needs to successfully accomplish the objectives.


Identifying key activities


The auditor should then identify the major products and services provided to meet the business objectives. Once again, this will involve determining the level of management’s understanding of customer needs and numbers, the competition and their probable response patterns, as well as management’s understanding of which are their own key performance areas (KPAs), ie those activities that can make or break the organization.

Establishing performance objectives


For each KPA, performance objectives must be established. This involves defining core activity targets that are both achievable and at the same time stretch the organization’s capacity. Key performance indicators will be required to measure performance. The risks and threats that could lead to non- or underachievement must be assessed, including both external and internal threats.

Deciding on control strategies


Once the full risk analysis is complete, management are in a position to decide what activities must be ensured, which risks must be managed and which transferred. This, in turn, will dictate which risks can be cost-effectively prevented, which must be detected and how any risk can be corrected.
Business risks must be prioritized, and here trade-offs will be required, since control measures are commonly contradictory, so that, for example, efficiency often has to be traded off against effectiveness.

Implementing and monitoring controls


Wishing controls into existence will not make them appear. Controls result from the
planned and thoughtful intervention of management to achieve a specific end.
For controls to be effective, they must be monitored. Monitoring may take several
forms, including self-assessment, the use of regular audits and the introduction of
continuous improvement programs. Controls must be frequently reviewed for both
their ongoing relevance and their effectiveness, and must be modified and adapted
where required.

Evaluating and reviewing performance


The auditing process is designed to determine where to audit as well as what to
audit, and may use any and all of:
➤ control strategy assessment;
➤ control adequacy and effectiveness;
➤ performance quality assessment;
➤ unit performance reporting; and
➤ follow-up.

Overall, the standards of audit performance must be set at a professional level. This normally means to a level laid down in the IIA’s Standards for the Professional Practice of Internal Auditing.

Executive Management’s Responsibility and Corporate Governance


Corporate governance can be defined as the relationship among various participants in determining the direction and performance of companies and involves:
➤ shareholders;
➤ management; and
➤ the board of directors.

Under this definition, the objectives of a corporation may be further defined as including the attainment of human satisfaction in a social structure. Efficiency and effectiveness, flexibility and continuity then form a significant part of fulfilling a corporation’s objectives.
Management then become the link between the providers of capital (owners and shareholders) and the users of capital (operational or functional management). Executive management will normally review and approve financial and operating objectives. They will also offer advice to general management, recommend board candidates and review the adequacy of internal controls.

Professionalism within the Internal Auditing Function


Internal auditing responsibilities include:
➤ reviewing the reliability and integrity of financial and operating information;
➤ reviewing operational systems to ensure compliance with policies, plans, procedures, laws and regulations;
➤ reviewing the means of safeguarding assets and verifying their existence;
➤ appraising the economy and efficiency of the use of resources; and
➤ reviewing operational effectiveness.

Internal audit can demonstrate its professionalism by adhering to the IIA’s Standards for the Professional Practice of Internal Auditing. Adherence can also assure the head of internal audit that internal audit is complying with company and departmental policies and procedures, and that fieldwork also complies with these policies and procedures. The board of directors gains assurance that the internal audit function complies with internationally accepted norms, while the independent external auditors will be satisfied that the work of internal audit can be used as audit evidence for particular aspects of their work. Internal auditors themselves also gain confidence that they are achieving quality and proficiency of output at a measurable and acceptable standard.

The Internal Audit Charter


The principle that any internal audit charter developed by an organization should
follow is embodied in the following extract from IIA Practice Advisory 1000-1:
Internal Audit Charter.
‘The purpose, authority, and responsibility of the internal audit activity should
be defined in a charter. The chief audit executive (CAE) should seek approval
of the charter by senior management as well as acceptance by the board. The
approval of the charter should be documented in the governing body minutes.
The charter should:
(a) establish the internal audit activity’s position within the organization;
(b) authorize access to records, personnel, and physical properties relevant to
the performance of engagements; and
(c) define the scope of internal audit activities.’



THE EMERGING ROLE OF INTERNAL AUDITING

Whilst internal audit charters have a common approach and structure, the details
of each individual charter must be uniquely formulated to meet the needs of a
given organization. Its function is to lay down the relationship and responsibilities
that should exist among the chief executive, the head of internal audit and the line
managers.
The chief executive should take a close interest in the drafting of the charter, since
it defines the terms of reference for the head of internal audit. Once defined, these
terms provide top management with a reliable way of measuring the reliability and
quality of internal control within an organization. They also act as a point of
reference when internal audit’s structure, plans or reports are being reviewed.
For the head of internal audit, the charter provides an essential foundation
containing the directives and objectives that must always be kept in view. These
facilitate the drafting of job specifications and descriptions, as well as internal audit
manuals and audit plans.
To the main body of organizational managers, the charter indicates the level of
authority to act delegated to the head of internal audit in reviewing each of their
systems of internal control. They will, correctly, expect to see constraints within the
body of the document that preserve their rights as decision makers.

Content
The head of internal audit usually selects the form, content and wording of the
charter. These will be influenced by internal audit standards and should encourage
best professional practice. Both the chief executive and the chairman of the audit
committee will normally sign the charter (Appendix C contains a sample internal
audit charter).

The actual content will include:
➤ a formal definition of internal audit within the organization and its key objectives;
➤ the authority under which the head of internal audit acts, including the line of
reporting, as well as rights of access to people, properties, assets and records;
and
➤ terms of reference describing in detail the role and working objectives of the
head of internal audit.

The Relationship of Internal Audit to Other Company Activities


An understanding of the relationship between internal auditing and other company
activities is needed in order to fully understand the nature of internal auditing. An
internal auditor must be detached from the normal operations of the company in
order to be truly independent and objective. Management may occasionally attempt
to assign line responsibilities to an internal auditor. In addition, an internal auditor
must not attempt to usurp the role and responsibility of management.

The Relationship of Internal Audit to the Board of Directors


In recent years, the board of directors has been playing a more active role in
corporate governance and internal control. One of the ways that boards have coped
with these increased responsibilities is through the establishment of an audit
committee. (Refer to Chapter 22 for a more detailed discussion of this.) Although
in many companies the actual role of the audit committee is still evolving, it is
intended to include maintaining an overview of the effectiveness of the system of
internal control, the completeness and integrity of the financial statements, and
the adequacy of the total audit effort. As stated, an internal auditor normally has
a dual relationship with corporate management and with the audit committee.

The Relationship of Internal Audit to the External Auditor


While the external auditor has a statutory responsibility to parties outside the client
company, the internal auditor is primarily responsible to the organization and
all of its stakeholders. Although the two groups have different objectives, there are
many common areas of concern that provide a basis for an extensive co-ordination
of effort.

The Relationship between Internal Audit and the Audit Committee


Of the many committees involved in the governance and control of organizations,
the audit committee has the most significant impact on the role and effectiveness of
the chief audit executive (CAE). Audit committees fulfill a similar function within all
organizations; however, the nature of the organization itself can prescribe a particular
emphasis in the working of the audit committee. This, in turn, affects the nature of
the relationship between the chief audit executive and the committee as a whole.
The authority of an audit committee derives from the board of directors, the rules
and regulations within the organization, and any relevant governance legislation
of the country or countries within which the organization operates and of the
market sector in which it operates. Its primary function is to assist an organization
in achieving an effective internal control structure derived directly from the tone at the top.

The Relationship with Internal Audit


A healthy relationship with the internal auditors can be fostered when the audit
committee chair ensures the keeping of open communications channels. This can
take many forms including getting to know the CAE on a personal basis, frequent
contact between meetings, and the committee chair taking an interest in, and
caring about, the internal audit activity. It is also good practice for the audit
committee chair to meet with the entire senior internal audit staff from time to
time to get to know some of the individuals who report to the CAE, and to thank
them for their efforts.
The audit committee provides internal audit with oversight, strategic direction,
accountability and enforcement where required. Part of its oversight involves ensuring
that the internal audit function is properly positioned, adequately resourced and
strongly supported, including reviewing and approving:
➤ the internal audit activity’s charter and mission statement to ensure the needs of
the organization can be met;
➤ the annual work plan to ensure all significant risk areas are being appropriately
addressed and that no inappropriate restrictions are placed on the scope of
internal audit activities;
➤ the adequacy of resources, skill levels, and budget to ensure the work plan is
achievable within the appropriate time; and
➤ the selection of internal audit projects, adequacy of performance and
appropriateness of recommendations.

The CAE needs to be up to date on appropriate governance best practices and trends
for the area within which the organization operates as well as its market sector. There
will always be a need to remain current on emerging issues and the audit committee
will seek reassurance in this area.
The audit committee also needs assurance that the internal auditors understand
the overall corporate strategy and have sufficient professional judgement to identify
all forms of risk at an early enough opportunity to facilitate management intervention
where appropriate. In order for the audit committee to be appropriately assured,
performance assessment of both the CAE and internal audit will be required.

Independence
The audit committee relies heavily on the internal audit function to provide objective
opinions, information and, when necessary, education to the audit committee while
the audit committee in turn will provide oversight and validation to the internal audit
function. In today’s environment this could include the outsourcing or co-sourcing of
all or part of the internal audit function but the audit committee should ensure that
the role of the chief audit executive remains within the organization itself.
As part of the audit committee’s responsibility for ensuring the independence
of internal audit, the audit committee is responsible for providing input into the
appointment, dismissal, evaluation, compensation, and succession planning of the
chief audit executive. This is a critical activity of the audit committee since the CAE
will, of necessity, have a high degree of interaction with the audit committee. The
committee will typically seek to ensure that candidates for a CAE position have
distinguished themselves professionally. They would normally have an advanced
degree, the appropriate professional designation, and several years’ experience in
an audit supervisory role.
The committee is also responsible for ensuring that a continuous quality
assurance (QA) program exists within internal audit and that the results are fully
disclosed to the audit committee, in order to give the audit committee assurance
that the work of the internal audit function is being conducted to internationally
accepted standards. The CAE is functionally required to ensure quality on an ongoing
basis. This may include benchmarking to develop an internal auditor scorecard for the
audit committee to use for assessing the performance of the internal audit function.
An objective and independent evaluation would, nevertheless, include such areas
as audit scope and coverage (including financial, compliance, operational, IT, and
fraud auditing), audit capabilities, independence, objectivity, supervision and project
quality control.
The Standards for the Professional Practice of Internal Auditing©3 promulgated
by the Institute of Internal Auditors require that an external Quality Assurance
Review (QAR), performed by appropriately qualified and independent reviewers and
carried out to professional standards, be conducted at least once every five years.

3. Available from the Institute of Internal Auditors – http://www.theiia.org

Three Lines of Defense


As part of the King III Report, companies are expected to report on a triple
bottom line, namely social, environmental and economic performance. This approach
recognizes the impact of the modern organization on both society and the natural
environment and the imperative for good corporate citizenship; it again shifts the
focus of internal audit to ensuring that the control structures are appropriate to
achieve such a triple bottom line.
This should not be confused with the Three Lines of Defense (LOD) model as
defined by the IIA in its 2013 Position Paper4. Under this model, management
controls and the internal control measures implemented by operational management
form the first line of defense; the risk management, financial control, quality assurance,
security, inspection and compliance functions that oversee risk under the direction of
management form the second line of defense; and independent assurance forms the
third line. Internal audit is the primary provider of this third line of defense.

The Changing Role of Internal Audit in Today’s Business Environment


Over recent years, the nature and role of the internal audit function have changed as,
indeed, the nature of business has changed. Increasing regulatory change, resulting in
higher levels of demand from governing bodies within organizations, has shifted the
focus of many internal audit functions from straightforward compliance to a wider range
of evaluation criteria. The organizational focus on enterprise-wide risk management
(ERM), including, in some instances, the expansion of the role of the audit committee
into an audit and risk committee, brings changes to the internal audit role and requires
the function to provide objective assurance to the board on the effectiveness of the
organization’s ERM activities. This moves internal audit from ensuring that key business
risks are managed appropriately within an effective internal control framework into
assisting in and evaluating such areas as:
➤ identification and prioritization of operational and strategic risks across the
business activities of the organization;
➤ identification and quantification of changing risk factors as business priorities and
initiatives change and key performance indicators change accordingly;
➤ the effectiveness of organizational processes and systems in maintaining
alignment with changing business strategies and priorities; and
➤ the use of data analytics to understand the nature and threats of the evolving
business environment.

4. Available from the Institute of Internal Auditors – The Three Lines of Defense in Effective Risk Management and Control. https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf

The traditional audit role of independent adviser on value preservation, through the
application of effective and efficient internal control structures, is extending to a role
that embraces the strategic issues driving the business and the improvement of value
creation by supporting risk management across the organization. Overall, the range
of activities performed by internal audit is increasingly trending towards an
advisory role and support for strategic initiatives.
In addition, the recognition that governance, risk and compliance (GRC)
activities are intrinsically interconnected and rely on common information sources,
technology and processes has meant that internal audit must itself develop into an
integrated discipline, leveraging its insider knowledge of organizational processes
and the business environment.
This means that internal audit has to understand comprehensively the stresses
operating on the business through the use of appropriate data analytical tools
and methodologies. Internal audit is increasingly moving towards the development of
better skilled resources in order to achieve the data analytical capabilities required.
Overall, this means that internal audit must strike a balance between its assurance
and advisory functions. Internationally, internal audit is seen to be playing a more
prominent role in strategic initiatives such as the implementation of major capital
projects and critical IT systems. The strengthening of internal controls in order to
prevent fraud and corruption continues to be an imperative, particularly given the
corporate need to reduce costs overall.
In order to maximize benefits, improved integration of internal audit with other
corporate risk interventions is required to avoid duplication of effort. In small-to-
medium sized companies, internal audit is seen to play a pivotal role within ERM and
in some cases actually administers the programs.

CHAPTER 2
The IIA’s Standards for the Professional Practice of Internal Auditing

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the history and purpose of the IIA Standards
➤ Differentiate between attribute and performance standards and explain the
role of each in achieving internal audit quality
➤ Explain the role of audit standards Practice Advisories

Origins
In 1978, the IIA introduced the Standards for the Professional Practice of Internal
Auditing to be used around the world in order to provide international consistency
and a measurement tool for audit quality assurance. These consisted of
five general and 25 specific Standards, together with numerous Statements on
Internal Auditing Standards (SIAS). The Standards are considered mandatory, while
non-mandatory Guidelines are also included.
The IIA Standards were intended to establish a yardstick for consistent measurement
of internal auditing operations. This allowed the unification of internal auditing
worldwide by improving internal audit practice; proclaiming the role, scope,
performance and objectives of internal auditing; promoting the recognition of internal
auditing as a profession; and promoting responsibility within the internal auditing
profession.
As part of its ongoing research into the evolving role of internal auditing, the IIA
undertook an extensive research project known as the Competency Framework for
Internal Auditing (CFIA). It was intended to update the common body of knowledge
(CBOK) expected from a professional internal auditor.
The CFIA included not only the competencies needed by auditors, but also how
these competencies would be assessed. Based on this research, the IIA brought
together an international group of audit professionals, the Guidance Task Force
(GTF), to formulate a guidance framework for the future.
This resulted in the Professional Practices Framework, which comprises mandatory,
advisory and practical guidance in the forms of the Standards for the
Professional Practice of Internal Auditing, Practice Advisories, and Development and
Practice Aids, respectively.
In January 2002, the IIA adopted revised standards. Included within these revisions
is the new definition of internal auditing:

‘Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.’

Mandatory
IIA Practice Advisory 1300-1: Internal Audit Quality Assurance and Improvement
Program requires the following:

‘The Chief Audit Executive (CAE) is responsible for establishing an internal audit activity
whose scope of work includes all the activities in the Standards and in The IIA’s
definition of internal auditing’ (Introduction, p. 3).

Compliance with both the IIA’s Code of Ethics (Appendix A) and the Standards is
mandatory. All mandatory statements are first promulgated for discussion by the
entire profession through the issuing of exposure drafts. The individual internal
auditor or internal audit practitioner, and an internal audit function or department
in an organization will consider compliance with the IIA Standards essential for the
delivery of professional services.

Advisory
The Guidelines were replaced with Practice Advisories representing the best
approaches to implementation of the Standards. Essentially, the Practice Advisories
are designed to assist an auditor by interpreting the Standards in a variety of internal
auditing environments. Practice Advisories will continue to be issued from time
to time, both as general aids and to meet specialized needs within a given industry,
geographic location or audit speciality.
An example of these requirements is contained in IIA Practice Advisory 1210-1:
Proficiency, which requires the following of an internal auditor:

‘Proficiency in applying internal audit standards, procedures, and techniques is required
in performing engagements. Proficiency means the ability to apply knowledge to
situations likely to be encountered and to deal with them without extensive recourse to
technical research and assistance.’

Aids
The IIA has also developed or endorsed Development and Practice Aids. These
include educational products, research studies, seminars, conferences and other
aids related to the professional practice of internal auditing. These are not intended
to be either compulsory, as are the Standards, or advisory, as are the Practice
Advisories. They are intended solely to assist in the development of internal audit
staff by introducing them to techniques and processes developed by a variety of
experts in their fields.

New Standards for the Professional Practice of Internal Auditing

The individual Standards themselves have been regrouped and redefined into attribute,
performance and implementation Standards.


Attribute Standards
These address the attributes of organizations and individuals performing internal
audit services, and apply to all internal audit services.

Performance Standards
These describe the nature of internal audit services provided and give quality criteria
against which the performance of these services can be measured.

Implementation Standards
These prescribe standards applicable in specific types of engagements in a variety
of industries, as well as specialist areas of service delivery.
The Standards for the Professional Practice of Internal Auditing, together with a list
of the current Practice Advisories, are downloadable (see Appendix A).

Internal Auditor Education


A variety of educational qualifications are available in southern Africa. These range
from degrees at BCom, BCom (Hons) and BTech level to diploma courses offered by
both university and private educational establishments. These can be studied on a
full- or part-time basis and are generally based on the Competencies Framework of
the IIA worldwide.

Certified Internal Auditor


One distinguishing characteristic of a profession is the existence of a measurable
body of knowledge and competencies that a member of the profession may reasonably
be expected to possess.
For internal auditors, this is demonstrated by the attainment of the Certified
Internal Auditor (CIA) designation. This is a prerequisite for personal career growth,
as well as for organizational governance success. The CIA is the only globally
accepted certification designation for internal auditors and is the standard by which
the competency and professionalism of individuals in the internal auditing field is
established.
The CIA program is based on the IIA’s Competency Framework and CIAs must
demonstrate their mastery of management principles and controls, as well as
audit standards and practices. In addition, expertise in information technology
and emerging strategies to improve business and government must also be
demonstrated.
Internationally, an individual does not have to be a member of the IIA to take
the certification examinations or to become certified, although the IIA (SA) has
implemented a local rule that requires membership. Regardless of membership,
all candidates and certified individuals must agree to abide by the IIA's Code of
Ethics5, and practising internal auditors with an IIA certification must comply with
the IIA's International Standards for the Professional Practice of Internal Auditing.

5. Available from http://www.theiia.org/iia/index.cfm?doc_id=92

Requirements of the international IIA to qualify to write the CIA examinations
include:
➤ a US Baccalaureate four-year degree or equivalent. In South Africa, an undergraduate
degree (usually three years) in a relevant field is taken as the equivalent.
Credit is given for certain modules of the CIA examination depending on
other qualifications held (for further details, see the IIA’s website at
http://www.theiia.org);
➤ three years’ practical experience in:
◗ an organization (in-house internal audit department); or
◗ a professional practice offering outsourced management assurance/internal
audit services; and
➤ passing the CIA examinations.

CIA preparation courses are offered by a variety of organizations in southern Africa,
including the University of the Witwatersrand, the University of Pretoria and Unisa, the
IIA (SA) and Compact Business Services for the various stages of the CIA examinations.
An individual can sit for the examination, prior to satisfying the experience
requirement; however, he/she will not be certified until his/her work experience is
sufficient and all other requirements have been met.
In all cases, the IIA requires that after certification, CIAs, CCSAs, CGAPs and CFSAs
maintain their knowledge and skills and stay abreast of improvements and current
developments in their area of certification through continuing professional education
(CPE). This is facilitated through a self-certification process with the completion of
required CPE hours on a biennial basis.

Certificate in Control Self-Assessment


Beginning in the 1990s, the concept of control self-assessment (CSA) emerged globally
and grew into a truly innovative specialty area that today is highly regarded and
widely accepted.
In 1999, the IIA introduced the Certification in Control Self-Assessment (CCSA),
giving practitioners validation of their knowledge of the various aspects of CSA, as
well as the confidence to facilitate organizational change.
The CCSA examination, offered twice a year in May and November, explores
candidates’ knowledge of CSA fundamentals, process and integration. The study
process assists candidates in honing their CSA knowledge; takes them through a
review of related topics, such as risk, controls and business objectives; and generally
primes them for CSA practice. Program candidates must also complete education,
work experience and facilitation requirements.
The CCSA certification serves as a professional recognition credit for Part IV of
the CIA examination.

Certified Government Auditing Professional


The Certified Government Auditing Professional (CGAP) specialty certification is
designed specifically for government auditing professionals at all levels. It tests the
candidates’ comprehension of government auditing practices and methodologies as
well as the government environment and related standards and risk/control models.

The CGAP certification serves as a professional recognition credit for Part IV of
the CIA examination.

Certified Financial Services Auditor


The Certified Financial Services Auditor (CFSA) is the IIA’s specialty certification
program that measures an individual’s knowledge of, and proficiency in, audit principles
and practices within the banking, insurance and securities financial services
industries.
The CFSA examination tests a candidate’s knowledge of current internal auditing
practices and understanding of internal audit issues, risks and remedies in the
financial services industry.
The CFSA certification serves as a professional recognition credit for Part IV of the
CIA examination.

CHAPTER 3
Internal Audit Quality

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the need for quality reviews of the internal audit function
➤ Differentiate between internal and external reviews
➤ Identify acceptable external reviewers
➤ Describe the process for conducting an internal review
➤ Define the relationship between the IIA Standards and other standards bodies

Quality Assurance Reviews


‘The internal audit activity ... should adopt a process to monitor and assess the overall
effectiveness of the quality program’ (Standard 1310).

In the modern world, the extremely low tolerance of failure in technical systems
such as nuclear power plants, or in processes such as life-saving surgery, has created
extremely refined approaches to quality assurance. Total Quality Control was the
revolutionary concept outlined in Feigenbaum’s book, Quality Control: Principles,
Practice, and Administration,6 and is nowadays taken to consist of four major focuses:
➤ continuous process improvement, to make processes visible, repeatable and
measurable;
➤ the intangible effects on processes and ways to optimize or reduce those effects;
➤ examining the way the user applies the product, which can lead to improvement in
the product itself; and
➤ broadening management concern beyond the immediate product.

Today, internal audit functions are increasingly under pressure to provide value.
Senior management and audit committees expect the internal audit function to be
composed of an informed, experienced and objective team of well-qualified individuals.
Unfortunately, not all internal audit functions are created equal. Frederick Taylor
(1919) said as much nearly 100 years ago:
‘Among the various methods and implements used in each element of each trade there
is always one method and one implement which is quicker and better than any of the rest.’7

6. Feigenbaum, A.V. 1951. Quality Control: Principles, Practice and Administration. New York: McGraw-Hill.
7. Taylor, F. 1919. The Principles of Scientific Management. New York: Harper & Brothers Publishers.


As such, many internal audit departments seek assurance of the professional quality
of their work. They can obtain this through the performance of quality assurance
reviews or reviews of best practices for the internal audit function.
Quality Assurance Reviews (QARs) provide timely, independent and objective
reviews of internal audit functions, their audits and their difficulties, including, but
not limited to, an assessment of the quality of deliverables.
QARs serve the wider corporate interest of assuring the adequacy and effectiveness
of the internal audit function. To that end, QARs provide a common source of
reliable information to those charged with the oversight of internal audit.
Within Standard 1310, the IIA requires the assessment of the quality of the
internal audit department through both internal and external assessments.
The quality assurance review evaluates the degree to which the internal audit
department conforms to the IIA Standards and its own charter, plans, policies,
procedures and systems; and the extent to which it meets the needs of its customers.
External reviews are needed at least every five years in order to independently appraise
the internal audit department’s operations. They should be conducted by qualified people
who are independent of the organization and who do not have a conflict of interest,
either real or apparent. QA professionals provide ongoing advice, counsel and
recommendations to internal audit, the audit committee and/or executive management.
The content of formal QA reports is consistent and provided in a timely manner to all
key decision-makers as defined under their scope of work, normally including internal
audit management, executive management and the audit committee. In addition to
external reviews, internal quality assurance reviews should be conducted annually
by members of the internal audit staff. This is a control self-assessment intended to
assess the ongoing quality of the audit work being performed.
The standard IIA quality assurance review methodology allows the review team
to assess:
➤ deviations in performance from acknowledged best practices for internal
auditing, from IIA Standards, and from the internally prescribed internal audit
function procedures; and
➤ the operation of the internal auditing function as perceived by the internal
audit function’s members and customers.

The review team should also evaluate other issues that affect the internal audit
function, including:
➤ the integration of the concepts of business controls into the internal audit practice;
➤ the adding of value to the organization by providing insights into efficiency and
effectiveness;
➤ the optimization of internal audit staff performance;
➤ the effectiveness of communication with staff and company personnel;
➤ the development of internal audit staff, both personally and professionally;
➤ the use of technology to increase efficiency and effectiveness; and
➤ the effectiveness of ongoing internal quality assurance programs.

Performing a Quality Assurance Review


To comply with the requirements of Standard 1310, a quality assurance review must
itself follow a standardized and professional approach. This takes the form of a five-
stage process, including:

20

Internal_Auditing.indb 20 16/04/2015 11:12


INTERNAL AUDIT QUALITY

➤ planning and preparation;
➤ determining the customers’ needs;
➤ analyzing the internal audit process;
➤ communicating the results of the review; and
➤ ongoing improvement.

Planning and Preparation


As part of the planning and preparation process, the quality assurance review team
reviews the latest quality standards and internal audit best practices as established
by the IIA. At this stage, the team will normally plan its initial meetings with stake-
holders and prepare its information requests for the internal audit department.

Determining the Customer’s Needs


The main aim of this phase is an assessment of management’s commitment to and
support of internal auditing. This is done by getting comments and observations
about the internal audit function from its customers, including management, the
audit committee and auditees.
An understanding of the environment within which the internal audit function
operates is essential to gaining a clearer understanding of corporate objectives. In
addition, where performance shortfalls are subsequently noted, practical recom-
mendations for improvement can be drawn up.
Without an understanding of the needs and wants of internal audit’s stakehold-
ers, it is impossible to evaluate the quality of its service delivery.

Analyzing the Internal Audit Process


Critical internal audit processes are generally taken to include:
➤ developing the overall audit plan;
➤ planning individual audits;
➤ carrying out the audit program;
➤ communicating results; and
➤ follow-up.

In order to evaluate the process against the IIA Standards, the quality assurance
review team needs a comprehensive understanding of the internal audit process
implemented within the organization. The team should also be up to date with the
latest IIA Practice Advisories in order to make acceptable recommendations
for improving the existing process.

Communicating the Results of the Review


As with any audit, the aim of this phase is to communicate the results of the review
to management and the audit committee in a form that meets their requirements. The
report should make clear to management the overall conclusions, significant points and
items requiring action. As such, it should interpret the results of the findings and focus
the reporting on high-level aspects of the review, particularly for the audit committee.
The audit committee may have questions about the review, and the quality
assurance review team should be prepared to respond to requests for additional
information or further insights on their findings.
The report should normally include an assessment of the extent to which specific
standards were achieved. Where deficiencies are noted, the findings, improvement
opportunities and recommendations should be stated. As in any conventional audit,
an action plan with dates and allocated responsibilities should have been agreed
with the head of internal audit and should be included in the report.

Ongoing Improvement
The Japanese word kaizen has become popular in today’s organizational language
and stresses the importance of efforts to constantly improve. This concept is the
antithesis of commonly accepted notions of best practice. Some organizations con-
sider that, having adopted Best Practice in their Internal Audit processes, further
improvement is no longer a priority. Best Practice is a moving target: it involves the
definition of the methods used to get things done, and its benefits often include the
assurance of quality results and consistency when the process is followed.
As part of providing an effective service, ongoing quality improvement should
focus on the overall objective of the audit process, namely the achievement of maxi-
mum customer satisfaction. This can be done by developing an understanding of all
stakeholders’ needs and by attempting to exceed their expectations continuously.
Constant simplification and improvement of the effectiveness of the internal audit
processes will result in more efficient service delivery.
As part of ongoing supervision and the management process, the internal audit
function should evaluate the degree to which it meets its stakeholders’ expectations.

Follow-up
As with any audit, the recommendations resulting from the quality assurance review
are of little value if they are not effectively implemented. The quality assurance
review team, together with the audit committee, must establish a clear follow-up
process to make sure that the action plan is implemented and effective.

Quality Assurance Methodology


In order to achieve professionally acceptable standards of review, the conducting
of a quality assurance review has been carefully structured by the IIA to follow a
specific methodology. This involves, at a minimum, interviews with internal audit-
ing stakeholders, and a review of the internal auditing department charter and of a
representative sample of working papers and reports.
The stakeholder interviews should be scheduled as early as possible in the process in
order to structure the review to meet stakeholders’ requirements and expectations.
All members of the review team must have a thorough knowledge of each of the
IIA’s Standards, Practice Advisories and Development and Practice Aids, and of
internal auditing best practices and the IIA’s Code of Ethics. In practical terms, this
means that the individual members of the team should be operating at a certified
internal auditor level of knowledge and experience. Team members should also have
a thorough understanding of the policies and practices of the department.
The IIA has developed a comprehensive set of tools and aids to assist in the pro-
cess. These can be acquired directly from the IIA.

Chapter 4
Ethics Theory and Practice in the Modern World

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the primary classes of ethical theory
➤ Explain how ethical theories are applied to ethical decisions in business
➤ Explain the role of ethics in distinguishing a profession
➤ Briefly explain the structure of the IIA Code of Ethics
➤ Apply the code in a variety of situations of ethical choice
➤ Explain the function and structure of a corporate code of conduct

Business Ethics
An understanding of business ethics is relevant for an internal auditor, who will
encounter ethical issues and dilemmas in his/her daily interaction with manage-
ment and auditees in an organization, and in the organization’s interaction with the
public sector, its employees, its customers, its suppliers and the community within
which it operates. Therefore, before briefly examining the underlying ethical theo-
ries that have evolved over the centuries, it is useful to understand that the gen-
eral areas of economic activity where management makes decisions often present
tensions between ethical and legal choices. Rossouw8 identifies three main areas:
➤ the macro- or systemic dimension, consisting of the policy framework created
by the state, which determines the basis for economic exchanges both nation-
ally and internationally;
➤ the meso- or institutional dimension, consisting of the relations among
economic organizations, such as public sector entities, private sector entities,
private individuals and those outside the organizations; and
➤ the micro- or intraorganizational dimension, consisting of the economic actions
and decisions of individuals within an organization.

Rossouw9 also uses the example of affirmative action in South Africa to demon-
strate how these three dimensions may be interrelated. Affirmative action has
become a strategic objective for government’s macroeconomic policy, as indicated
by the passing of enabling legislation, such as the Employment Equity Act No. 55
of 1998 and the Skills Development Act No. 97 of 1998. A private institution may
decide to participate in community upliftment programs in education or in support
of AIDS sufferers and orphans in previously disadvantaged communities to demon-
strate its commitment to corporate social responsibility. Within an organization, the
implementation of affirmative action policies may give rise to conflicts in staff appoint-
ments and efforts to meet demographic quotas in staff recruitment policies.

8. Rossouw, D. 2002. Business Ethics in Africa. 2nd ed. Cape Town: Oxford University Press,
Southern Africa.
9. Ibid., pp. 2–3.

Ethical Theories
Ethics are often confused with individual moral principles, but in fact go far beyond
them. They are designed to address issues from both practical and idealistic
standpoints, as a result of which the ideal may frequently be in conflict with the
practical. Ethics have thus been described as being ‘above the law but below the
ideal’.10

From the professional’s perspective, they become a way of life. Wheelwright11
identified three key elements that define the impact of ethics on decision making.
➤ Ethics involve questions requiring reflective choice.
➤ Ethics involve guidance as to what is right and wrong.
➤ Ethics are concerned with the consequences of decisions.

Over the years, different classes of ethical theory have evolved.
➤ The imperative principle requires strict compliance with the code of ethics.
There are effectively no choices, since no exceptions are allowed. No ‘lesser of
two evils’ is seen to exist. Many religions use this form of ethical judgment and
it is a standard frequently applied by, for example, anti-abortionists, where the
taking of life is seen to be wrong under any circumstances and where there can
be no exceptions. This class of ethical theory can cause problems when two or
more provisions appear to be at odds or where the ethical principle produces
results out of proportion to the actual situation.
➤ The second class of ethics is that of the utilitarian school. This class seeks
courses of action bringing the most good to the most people. This is the
primary principle of social ethics in countries where the good of the majority is
the measurement criterion, and individual unethical acts must be tolerated to
bring about the ‘greater good’.
➤ A sub-set of this class is act utilitarianism, where acts must lead to the greatest
good for the greatest number. It holds that if existing rules do not assist this
process, they should be broken. This type of ethics is common in revolutionary
societies and corporate politics.
➤ Rule utilitarianism advocates firm and publicly advocated moral rules to which
all acts must conform. Once again, there can be no special cases. Many funda-
mentalist religions employ this class of ethical standard.
➤ Deontological ethics focuses on the consequences of acts. Within this class,
actions commonly result from the concept of duty. Here, ethical principles are
‘independent of each person's conscience’.12 This can be a dangerous ethi-
cal stance, since anything can be justified in the name of duty, and individual
consciences may condone acts that could lead to societal disintegration. This
ethical argument is common in repressive organizations where it is ‘acceptable’
to lie, cheat and steal as long as the organization benefits. Loyalty to
the cause or organization subordinates an individual’s sense of ethical behav-
ior. In this ethical system, consistency is a major requirement.

10. Kell, W.G. & Ziegler, R.E. 1980. Modern Auditing. Boston: Warren Gordon & Lamont. p. 769.
11. Wheelwright, P. 1959. A Critical Introduction to Ethics. 3rd ed. New York: Odyssey Press. p. 4.
12. Kant, I. 1923. Fundamental Principles of the Metaphysics of Morals. 9th ed. New York: Longmans/Green.

➤ Ethical theoreticians such as Plato, Aristotle and Adam Smith have espoused
classical theories of business ethics. Under classical theory, business has no
relationship to societal goals and social objectives.
➤ This philosophy has been modified over the years to show business as being
bent on achieving egotistical goals by following established rules for the benefit
of all. In this ethical system, business is seen to have distinct social responsibili-
ties. This view is held by moralists who believe that business should have spe-
cial (community) goals outside of its normal ones of survival and making profits.
This gives rise to Kant’s view of business as a good citizen.

A Conceptual Framework
Business executives are faced on a daily basis with the challenges of making ethical
decisions in complex competitive business environments with multiple goals and
objectives; cultural contradictions; changing regulatory environments; and pressure
for sustainability, accountability and transparency in their actions and decisions.
Public scrutiny of an organization’s activities is heightened especially where environ-
mental implications arise.

Chryssides and Kaler13 introduce a useful means of classifying ethical decisions by
management, which is set out in Figure 4.1.
➤ Whilst ideally management should aspire to make decisions that fall into
Quadrant I: Ethical and Legal, many business decisions may in fact fall into
Quadrants II, III or IV, giving rise to business risks arising from non-compliance
or adverse public reaction, and at worst threatening the sustainability of the
organization.
➤ Quadrant II: Ethical and Illegal covers many controversial decisions, eg the dis-
tribution of AIDS drugs prior to government approval, or whistleblowing where
the complexity of the legal requirements or company rules may find the ethical
whistleblower being prosecuted, rather than bringing the real defaulters to book.
➤ Quadrant III: Unethical and Legal would have included accepting apartheid
practices that were legal but unethical. Issues also arise around excessive
payments to management. Business may frequently opt for the ‘legal’ option
without properly considering the underlying ethical issues.
➤ Quadrant IV: Unethical and Illegal includes discrimination against handicapped
people, the illegal disposal of toxic waste and operating in unsafe conditions.

Given the dynamic and constantly changing regulatory environment in which busi-
ness operates on a global basis, decisions made by management could affect any
and all of these quadrants.
An internal auditor’s function may include auditing compliance with organization-
al values and regulatory requirements or assessing the effectiveness of processes
to accommodate ethical values. It may also include identifying and assessing fraud
arising from management decisions falling into Quadrant IV.
13. Chryssides, G. & Kaler, J. 2002. An Introduction to Business Ethics. London: Thomson Learning.
p. 56.

[Figure: a two-by-two grid of corporate decisions, with Ethical/Unethical on one axis and Illegal/Legal on the other; the labels ‘Codification – Decisions Manifestation’ and ‘Public Scrutiny’ accompany the axes.]
Quadrant I: Ethical and Legal
Quadrant II: Ethical and Illegal
Quadrant III: Unethical and Legal
Quadrant IV: Unethical and Illegal

Figure 4.1: The classification of ethical decisions

Employee Ethics
Employees themselves have specific ethical obligations to comply with, including
those discussed below.

➤ The Duty of Obedience


This is seen as a duty to obey all reasonable directions but involves no obligation
to perform illegal or unethical acts.

➤ The Duty of Loyalty


Here, acts should be performed only in the interests of employers. While certain
organizations may try to exploit this duty by insisting that it applies 24 hours a
day, it is generally taken to apply only when the person is acting as an employee.

➤ The Duty of Confidentiality


This duty aims at ensuring that information acquired as a result of an organization’s
operations is not used to further the interests of either the employee or any other
person or organization. While this duty covers such concerns as insider trading and
the use of information obtained in the course of the employer’s business, it does
not apply if the information is general knowledge or freely available.

Codes of Conduct
One of the common controls in this area is the implementation of a corporate code
of conduct. Such codes are directive controls and do not, in themselves, enforce
‘ethical’ behavior. Where they are combined with detective controls designed to
identify breaches of the code and corrective controls designed to take effective
action where such breaches are identified, they may serve as a means of expelling
non-conforming members of a population.
Codes of conduct should be in place for all companies (as recommended in 1987
by the Treadway Commission and confirmed by King II14) and should be enforced.
They help to set an ethical tone at the top of the organization and must apply
to all levels from the top down. They open channels of communication between
management and employees and help prevent, for example, fraudulent reporting.

Codes of conduct may take two forms, namely:
➤ a positive statement of honest intentions (all-embracing but impossible to con-
trol); or
➤ a list of improper behavior (easier to audit but difficult to keep comprehensive).

The most effective codes contain a combination of positive generalizations and
specific prohibitions. They include the basic rules of acceptable and unacceptable
behavior, and cover corporate positions and rules concerning:
➤ the acceptance of gifts;
➤ confidentiality;
➤ conflicts of interest; and
➤ standards of corporate practice.

Gifts
Corporate positions on gifts to employees are generally determined by the degree to
which employees will be influenced or will be assumed to be influenced by such gifts.
Most companies have strict prohibitions on the receiving of gifts as such. Loans to
corporate officers are assumed to have bought influence, and the acceptance of lavish
entertainment is also usually considered to be inappropriate.
Certain low-value gifts may be acceptable to the organization and these would
typically include normal business lunches, gifts of nominal value and normal promo-
tional gifts. A common measurement criterion for the value of gifts is whether the
gift was freely available or whether it was given only to selected people because of
their positions. The fundamental test applied is normally: Will employee actions or
decisions be affected by receipt of the gift?

Confidentiality
All information obtained in the course of employment is considered to be confiden-
tial. This means such information may not be privately used for the employee's or
for another's gain. Even without such gain, it must not be used to the company's
detriment. This includes divulging it to outsiders without authority.

14. Treadway, J.C. Jr et al. 1987. Report of the National Commission on Fraudulent Financial
Reporting. New York: National Commission on Fraudulent Financial Reporting; and Institute of
Directors (IOD). 2002. The King Report on Corporate Governance for South Africa. Johannesburg:
IOD.

Conflicts of Interest
In order to prevent conflicts of interest, employees must have no direct interest
in suppliers, customers or competitors. Also, there must be no indirect interest in
organizations dealing with the company, or in organizations where a relative has
an interest. No holding of public office should exist where a conflict of interest may
exist or be deemed to exist. For example, public sector entities have stringent regu-
lations laid down in the Public Finance Management Act and regulations to prevent
abuses of authority in tender practices and the awarding of contracts to related par-
ties. Instances of these are often reported in the media, eg infringements of tender
processes at hospitals in Mpumalanga, where contracts for the supply of expen-
sive medical equipment were awarded to close family members of senior hospital
administrators.

Corporate Ethical Practices


Sound corporate governance practices call for corporate ethics to be spelled out in
codes of ethics to deal with any failure by management and employees to comply
with laws and regulations affecting an organization. Such a code may include a list
of unacceptable practices and the penalties for, among other things, non-compli-
ance with the Companies Act, the Banks Act, the Insurance Act and other statutes;
exchange control violations; corporate bribery; and corruption in contravention of
the Prevention of Corruption Act. General business ethics codes may require, among
other things, that all products sold should meet safety standards, all guarantees
should be met, all untrue or misleading advertising should be prohibited and all labor
laws should be complied with. For a code of ethics to be accepted and effectively
implemented, it should be drawn up in consultation with all key stakeholders.

Employees should not:
➤ divert business opportunities from the company;
➤ manipulate corporate incentive schemes to their benefit;
➤ publicly denigrate the company, its services or products;
➤ use corporate assets in an unauthorized or illegal way; or
➤ make false or deceptive statements about corporate affairs to the company’s
detriment.

Ultimately, ethical standards are set by example and stem from the top of the orga-
nization. Good or bad, they devolve all the way down and affect all employees. They
may be blocked at any level by the active or passive actions of management.

The Free Market and the Marxist Critique of the Free Market System
A Free Market is a term used to describe a political or ideological perspective on policy
rather than an economic description. It may be defined as a market economy based
primarily on supply and demand and one in which government exercises little or no
control. In its purest form, a completely free market would be one in which buyers
and sellers can voluntarily agree to trade freely based upon mutual agreements on
price with no state intervention in the form of regulations, taxes or subsidies. Trade
is entered into without coercion and pricing structures are taken to be the results of
buying and selling decisions governed by the effects of supply and demand. Demand
is taken to be the pressure placed upon the market by those attempting to buy
specific goods, labor and services. Within this, sellers will operate a minimum price at
which they are prepared to deliver goods, labor and services while buyers will have
a maximum price which they are prepared to pay for such goods, labor and services.
The point at which these two intersect is known as the equilibrium price, which is taken to
be the point at which both buyers and sellers are satisfied as to the acceptability of
the trade.
In such a market, buyers and sellers are free to participate in the market, entering or
leaving it at their discretion.
Each exchange would take the form of a voluntary agreement between two parties
to trade in goods or services. No restrictions would exist to prevent new competitors
from entering a market and no controls would exist other than the enforcement of
private contracts and such controls as are necessary to regulate the ownership of
property. In common parlance, this term is used to imply that the overall means of
production is under private control rather than state control.
In practice, the completely free market is impractical and probably impossible.
In most countries, social and political pressures mean that governments will
intervene in a variety of ways, such as the imposition of price controls, the subsidy of
production, the introduction of minimum wages and other such interventions.
Regulated or controlled markets are those in which governments intervene to
actively regulate prices as well as supplies in either an indirect or direct manner. If this
intervention is substantial, the market may be classed as a mixed economy. Should
this intervention take the form of direct control in order to achieve specific goals, the
market is generally classed as a command economy.
In looking at the development of global economies, regard must be given to the
critique of capitalism by Karl Marx.15 Based upon his fundamental belief that capitalism
was morally exploitative, Marx was highly critical of the economic philosophies and
assumptions of his day such as those espoused by Adam Smith16 which saw the
acquisition of private property as being the driver motivating people to produce
wealth. One of the underlying fundamentals of capitalism is the concept of private
property which was seen by Marx to be primarily sustained by the power of the state.
This, according to Marx, resulted in one person’s ownership of an object denying its
benefits to another thus creating conflict over resources.
When this concept is applied to labor, the logical conclusion is that labor is reduced
to a mere commodity and becomes alienated from those who own the results of such
labor. This concept of alienated labor was fundamental to his understanding of the
history and impact of the class struggle. This he defined as the division between the
bourgeoisie who owned the means of production and the proletariat who, as laborers,
had to sell themselves as a commodity. Under such a system, Marx believed,
irreconcilable conflict could be the only result since labor was the only real source of
wealth and all capital assets were simply the result of stored labor.

15. Schumpeter, Joseph. 1952. 10 Great Economists: from Marx to Keynes. Taylor and Francis Group,
Unwin University Books, Edition 4, Vol 26.
16. Smith, A. An Enquiry into the Nature and Causes of the Wealth of Nations. Project Gutenberg ebook.
http://www.gutenberg.org/files/3300/3300-h/3300-h.htm

In recent years, Marx’s belief in the labor theory of value has come into conflict with
the concept of automated labor. His argument that only humans can add value to raw
materials conflicts with today’s understanding that automated processes with minimal
human intervention can be an effective way to improve the lot of the population as
a whole and that labor without direction can be totally ineffective. In addition, the
emergence of trade unions in the twentieth century as a significant party in economic
and political negotiations has changed the nature of the capitalist society. In many
countries, class antagonism as described by Marx is regarded as having largely been
replaced by neo-liberalism.

Corporate Morality
Generally, corporate morality is taken to mean conformance to a recognized system
of rules or code regarding right and wrong and the degree of acceptable behavior.
Morality itself derives from the Latin word mores, meaning habits. In sociology, the
term refers to norms which are generally accepted within a given society and are
held to have moral significance.
Business morality may then be seen as deriving from the ethical and moral
standards of the individual in the context of the political and cultural environment
encompassing the organization itself.
Johnson, Scholes and Whittington, in their book Exploring Corporate Strategy17,
indicate that the organizational purposes of a given entity are detailed within the
corporate values, mission and objectives. These, in turn, are derived with input from
the corporate governance beliefs, the business ethics in place, the stakeholders
served and the cultural context within which purposes are prioritized. They also draw
attention to issues affecting corporate morality such as:
➤ the moralities of marketing and markets;
➤ moral issues within employment practices;
➤ respect for human rights;
➤ moral issues regarding the environment;
➤ product safety;
➤ fairness of dealing with suppliers and customers; and
➤ corporate support for communities.

This, then, leads corporate morality in the direction of corporate social responsibility
where, from a non-altruistic perspective, commercial success may be seen to be
dependent upon showing the highest levels of good citizenship in the organization’s
behavior within the community, effectively migrating the organization from merely
its legal responsibilities through its ethical responsibilities into its voluntary
responsibilities. Corporate social responsibility invokes moral, ethical and philanthropic
responsibilities for organizations over and above their traditional responsibilities of
complying with the law while achieving a fair return on investment for shareholders.

17. Johnson, G., Scholes, K. & Whittington, R. 2008. Exploring Corporate Strategy. 8th ed. New Jersey:
Prentice Hall.

Ethical Management
In the traditional ‘classical’ economic model espoused by Adam Smith in the
eighteenth century, it was suggested that society’s needs could be met
by individuals acting in a self-interested manner. This meant the delivery of goods
and services to meet the needs of others in a manner which would earn them profits.
Even at that stage it was recognized that marketplace participants must act honestly
and fairly towards each other in order to achieve a free market.
In the twentieth century regulations were enacted in many countries to rein in
the power of large corporations while the labor movement sought greater social
responsibility from corporate bodies. This is not to say that such concepts were
universally accepted. Many economists believed that it was neither economically
feasible nor desirable for corporations to take on social and moral issues. It was
believed that assuming social responsibilities could place those corporations doing
so at a competitive disadvantage compared to those who did not undertake such
responsibilities. In some cases it is still believed that, lacking the knowledge and
skills required to deal with social issues, involvement at the corporate level may
exacerbate the problems found.
This view is contradicted by those believing that appropriate social involvement
can assist an organization to create an improved future operating environment with
long-term benefits to borrowing profitability.
A variation on the social involvement view is held by those advocating stakeholder
management as a corporate ethical position. Under this concept, taking into
consideration the legitimate interests and concerns of its stakeholders can assist
the organization to enhance the ethics of its decision-making process. In this context,
stakeholder management goes beyond the conventional definition of stakeholders as
owners, employees, customers, suppliers and government agencies to include all
groups or individuals who are impacted by, or can themselves influence, the products
and processes of the organization.

Resolving Ethical Conflicts

In the conduct of business it is inevitable that ethical dilemmas will arise as a result of conflicting values among various stakeholders. These dilemmas will have to be faced and resolved. There is often no way of telling which values are correct or incorrect, because different people have different values. This may often lead to violence that does nothing to resolve the different points of view, eg ongoing taxi violence to secure competitive advantage in taxi routes or violence between competing political parties in hotly contested areas. Consequently, business needs a strategy for resolving ethical dilemmas and making ethical decisions. Rossouw[18] proposes the rational interaction for moral sensitivity (RIMS) strategy for this purpose. He suggests that when a moral dispute arises between two or more parties, there are three basic options open to the parties:
➤ ‘Irrational methods such as violence or throwing a dice to determine which rival opinion should be chosen.
➤ Suspension of the dispute by declaring it in principle impossible to attempt to find a solution – and then going on strike.
➤ Interaction between the rival parties with the aim of finding a solution.’

18. Rossouw, 2002:69–79.

INTERNAL AUDITING: AN INTEGRATED APPROACH

The first two options are not realistic, as they do not result in a solution acceptable to the parties. Whereas the ethics theories presented earlier in this chapter generally focused on content (ie rights and wrongs), the purpose of the group decision-making RIMS strategy is to structure a process that will result in morally sensitive group discussions. RIMS is concerned with the structural features of the discussion to reach a situation where all participants in the discourse are equal and all forms of force or coercion are removed. Rossouw advocates four basic rules:
➤ ‘The only evidence that participants may introduce into the discourse is empirical experience which is objectively accessible.
➤ The process of communicative interaction is driven only by the force of the strongest rational argument.
➤ Only those experiences, arguments and norms that can attain consensual agreement are regarded as knowledge.
➤ Any knowledge formulated in this way is always open to future revision.’[19]

The six assumptions underlying the RIMS strategy[20] are as follows:
➤ Moral dissensus[21] is a given.
➤ Moral dissensus does not equal ethical relativism.
➤ Dialogue can produce solutions and participants commit themselves to finding a solution.
➤ Focusing on motives is futile and should not dominate.
➤ Good information is essential and there is no factually incorrect information.
➤ Only moral arguments that display a concern and respect for the interests of all parties are allowed.

The RIMS strategy requires participation by stakeholders and the exercise of tolerance by all parties.

Thereafter, Rossouw suggests there are three basic steps to the RIMS process:
➤ ‘Step one: Generate and evaluate the arguments that satisfy the following three criteria: The argument should take into consideration the interests of others, as well as your own; it should be clear and intelligible; the facts should be correct and logically coherent.
➤ Step two: Identify the implications – namely the positive and negative implications of the various arguments, rather than participants’ motives or moral convictions.
➤ Step three: Find solutions in a co-operative manner that will keep negative implications to a minimum while retaining the positive aspects.’[22]

19. Ibid., p. 73.
20. Ibid., pp. 74–6.
21. ‘Modernity, in an attempt to find secular and rational grounding for morality, has produced any number of varying moral theories, all of which are rationally justifiable and defensible. This has resulted in the current condition of dissensus, where no competing moral theory can succeed in gaining superiority over another. All need to be taken seriously or all need to be rejected. The first option forms the first assumption of the RIMS strategy’ (Rossouw, 2002:74).
22. Ibid., p. 77.


The Role of Ethics in Distinguishing a Profession

The hallmark of a profession is that its members are bound by a code of ethics that requires adherence to a generally accepted body of standards in an ethical manner. Members are also subject to disciplinary action by their professional body for conduct unbecoming of a member of that body. This principle is clearly recognized in the introduction to the IIA’s Code of Ethics (see Appendix A), which states the following:

‘A code of ethics is necessary and appropriate for the profession of internal auditing,
founded as it is on the trust placed in its objective assurance about risk management,
control, and governance. The Institute's Code of Ethics extends beyond the definition
of internal auditing to include two essential components:
1. Principles that are relevant to the profession and practice of internal auditing;
2. Rules of Conduct that describe behavior norms expected of internal auditors. These
rules are an aid to interpreting the Principles into practical applications and are
intended to guide the ethical conduct of internal auditors.’

The IIA’s Code of Ethics, its Professional Practices Framework and other relevant
IIA pronouncements provide guidance to internal auditors serving others. ‘Internal
auditors’ are:
➤ IIA members;
➤ recipients of, or candidates for, IIA professional certifications; and
➤ those who provide internal auditing services within the definition of internal
auditing, including both individuals and entities that provide internal auditing
services.

It is generally held that a body of ethics is a hallmark of a profession. A profession is characterized by most of the following:
➤ a common body of knowledge;
➤ a body of standards containing the technical requirements and methodology of the profession;
➤ a code of ethics;
➤ acceptance by society;
➤ service to society; and
➤ the imposition by itself or by society of sanctions when its ethics or standards are not met.

One of the key requirements to establish credibility for members of a profession is the existence of a code of ethics. Enforcement of the code must be seen to be objective, timely and noticeable. Most professional bodies’ codes of ethics require compliance with the standards of performance of that profession. The visibility of enforcement is essential for the gaining and maintaining of public confidence in the profession. However, the public is normally not in a position to evaluate the proficiency of the practitioner.
The IIA’s Code of Ethics contains the following principles and related rules of conduct, which internal auditors are expected to apply and uphold.


➤ Integrity
The integrity of internal auditors establishes trust and thus provides the basis for
reliance on their judgment.

➤ Objectivity
Internal auditors should exhibit the highest level of professional objectivity in
gathering, evaluating and communicating information about the activity or process
they are examining. Internal auditors should make a balanced assessment of all the
relevant circumstances and should not be unduly influenced by their own interests
or by others in forming judgments.

➤ Confidentiality
Internal auditors respect the value and ownership of information they receive and
do not disclose information without appropriate authority, unless there is a legal
or professional obligation to do so.

➤ Competence
Internal auditors competently apply the knowledge, skills and experience needed
in the performance of internal auditing services.

Independence and Objectivity

Following the recent collapse of organizations such as Enron and WorldCom in the US and Parmalat in Europe, the issue of the independence of both external and internal auditors has come under close scrutiny, with concerns that due professional care may be compromised where independence and objectivity are impaired. The promulgation of the Sarbanes-Oxley Act in the US precludes external auditors from providing internal audit services to external audit clients where these are US corporations that are Securities and Exchange Commission (SEC) registrants listed on the New York Stock Exchange and NASDAQ. This includes their subsidiaries and associated entities, wherever in the world they may be registered. The role of the audit committee for listed companies has become more critical in managing the threats to auditor independence for both internal and external auditors.
Currently the IIA Code of Ethics recognizes the principles of integrity and objectivity as indicated above. The IIA Standards recognize the importance of internal auditors maintaining their independence and objectivity when performing internal audit activities, whether employed in the organization, or providing consulting services or management assurance services as outsourced services by a professional practice.
Consequently, the more detailed implementation guidance and interpretation contained in the Practice Advisories is extremely important for internal auditors to understand and implement, albeit that compliance is not obligatory. In practice, procedures to ensure the independence and objectivity of internal auditors and their functions in larger organizations are probably running ahead of the requirements presently contained in the IIA Standards and Practice Advisories, due to public demands and developments in the corporate governance responsibility and accountability of management. This issue is less applicable to small businesses managed by their owners.


Table 4.1 sets out the various IIA standards regarding independence and objectivity and the related implementation guidance in the Practice Advisories:

Table 4.1: IIA Standards and related advisories regarding independence and objectivity

IIA Standard 1100: Independence and Objectivity
Related Practice Advisory (PA): PA 1100-1: Independence and Objectivity
Standard requirement: The internal audit activity should be independent, and internal auditors should be objective in performing their work.

IIA Standard 1110: Organizational Independence
Related PA: PA 1110-1: Organizational Independence
Standard requirement: The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

IIA Standard 1110.A1
Related PA: PA 1110.A1-1: Disclosing Reasons for Information Requests
Standard requirement: The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

IIA Standard 1120: Individual Objectivity
Related PA: PA 1120-1: Individual Objectivity
Standard requirement: Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

IIA Standard 1130: Impairments to Independence or Objectivity
Related PA: PA 1130-1: Impairments to Independence or Objectivity
Standard requirement: If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

IIA Standard 1130.A1
Related PA: PA 1130.A1-1: Assessing Operations for which Internal Auditors were Previously Responsible
Standard requirement: Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which he/she had responsibility within the previous year.

IIA Standard 1130.A2
Related PA: PA 1130.A1-2: Internal Audit Responsibility for Other (Non-audit) Functions
Standard requirement: Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

IIA Standard 1130.C1
Related PA: None
Standard requirement: Internal auditors may provide consulting services relating to operations for which they previously had responsibilities.

IIA Standard 1130.C2
Related PA: None
Standard requirement: If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

CHAPTER 5

The Performance Objectives of Organizations
Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the types of organizations to be found in the public and private
sectors
➤ Explain the impact of performance objectives on the desired risk position of
the organization
➤ Differentiate between effectiveness, efficiency and economy in achieving per-
formance objectives
➤ Explain the role of performance objectives in designing appropriate controls

The Nature of Business Organizations


Organizations have various characteristics in common. They:
➤ provide services;
➤ perform activities;
➤ acquire and use resources;
➤ are objective driven;
➤ use collective effort;
➤ function on an ongoing basis; and
➤ are formally constituted.

Organizations satisfy a variety of needs, including, but not limited to, profit making
(usually for the benefit of the owners). Non-profit-making organizations also exist
and are designed to benefit the constituencies they serve. Most organizations are
geared to satisfy internal needs only.
In South Africa, business organizations may take several forms, which are briefly
discussed below.

Sole Proprietor
In this form of business operation, a single person wholly owns the business and it
operates to meet the needs of that person.

Partnership
This consists of two or more partners who agree to be jointly and severally liable
for the business affairs of the other partners. This form is generally restricted in the
number of partners, with the notable exception of external audit firms.

Close Corporation (CC)

This uniquely South African form of business operates in the space between the less formal nature of a partnership and the more formal nature of a company. The regulatory requirements applicable to close corporations are contained in the Close Corporations Act of 1984. The members of a CC may consist of from one to ten ‘natural persons’, ie a company or a trust cannot be a member of a CC. A CC may, however, be a member of a company and may even be the sole shareholder.
Annual financial statements are to be prepared and must be reported on by the CC’s accounting officer, although an external audit is not required. The CC is owned and operated by members and not directors. Ownership is referred to as the member’s interest and expressed as a percentage pro rata of the capital contributed. Following any distribution of profits or any other repayments to members, the Close Corporations Act requires the CC to meet the solvency requirements, ie that the CC is still able to pay outside creditors in the ordinary course of business immediately thereafter. If not, the members may be held personally, jointly and severally liable for the debts of the CC, and may be required to repay any excess distribution received.
In 2008 amendments to the Companies Act required the calculation of a ‘public interest’ score in order to determine whether the close corporation was required to be audited. In addition, the 2008 amendment prohibited the registration of any new close corporations after the 1st of May 2011. This cut-off was subsequently amended to the 22nd of December 2011. Close corporations can be converted to companies but companies can no longer be converted to close corporations. Existing close corporations continue to be administered under the Close Corporations Act.

Private Company
In this formal organization, shares in a private company (designated by (Pty) Ltd) are issued and ownership rests with the shareholders in proportion to the equity they hold. Directors are appointed at general meetings by the shareholders, in accordance with the articles of association of the company. Audited annual financial statements are required by law to be presented to the shareholders at the annual general meeting. Private companies, by their articles of association, restrict the right to transfer their shares, which consequently may not be traded publicly on a securities exchange. There is a maximum of 50 shareholders and a minimum of one.

Incorporated Company
An incorporated company (designated by Inc.) is a form of private company that is
used by professionals such as accountants, engineers and architects to practice as
a legal entity. In terms of the Companies Act, the members must all be directors
and hold the relevant professional qualification, eg a registered auditor (RA), and
will continue to bear professional liability for the personal negligent performance
of members of the company.

THE PERFORMANCE OBJECTIVES OF ORGANIZATIONS

Public Company
Companies are incorporated under the Companies Act of 1973 and must have a
minimum of seven shareholders, with no maximum.
Public companies have shares that may be owned by the general public. Where
the company is listed, for example on the Johannesburg Securities Exchange (JSE),
its shares are traded openly on the stock exchange. Subscriptions may be invited
from the public by means of a prospectus, and different classes of shares may be
issued.

Section 21 Company
Companies registered under section 21 of the Companies Act are not-for-profit organizations. That is not to say that they do not trade at a profit, but the business intention is not specifically to make profits, and tax is not payable. A Section 21 company may not distribute profits to its members, but uses profits for the purpose for which the entity was formed. The Institute of Internal Auditors (SA) is a Section 21 company, as are many welfare organizations and NPOs (Non Profit Organizations) providing donor funding to projects.

Public Entities
In addition to these various forms of private sector organizations, there are also public sector utilities, parastatals and public entities. Public entities include government organizations such as the Financial Services Board, the Department of Trade and Industry, and municipalities, which are all governed by the Public Finance Management Act. Public entities are audited by the auditor-general and are all required by the Act to establish an audit committee and an internal audit function. Other parastatals such as Eskom, Telkom, Transnet, the SA Airports Company and Iscor are examples of large public entities providing strategic and infrastructure services to South Africa and other countries.

Strategic Planning and Organizational Performance

A strategic plan is composed of:
➤ a mission statement;
➤ quantifiable goals related to the organization's overall mission; and
➤ strategic interventions necessary to accomplish each goal.

The mission statement describes the fundamental reason that the organization or function exists. The goals specify which results will further that mission, and strategic interventions define the specific steps that must be taken to achieve these results.

Strategic planning is a dynamic process that may be revisited at intervals on an annual or biannual basis. Organizational performance is about how well the activities are performed and involves both achievement of objectives and consumption of resources, such as the five Ms:
➤ manpower;
➤ money;
➤ materials;
➤ machines; and
➤ methodologies.

The cost of resources can be another major standard of performance.

Standards of performance, generally, are written statements describing how well a job should be performed. Performance standards should be developed in collaboration with employees whenever possible in order to ensure their commitment to the process.
Performance standards provide benchmarks against which work performance may be evaluated. They define how well each function or task must be performed in order to meet or exceed expectations.
When performance standards are in place, both management and employees know the expectations for the quality of performance of essential tasks. This common understanding provides the basis for ongoing measurement by both management and the internal audit department.

Where no performance standards exist, an internal auditor may be requested by management to help develop them.
➤ One method is the directive approach, in which an internal auditor develops the standards in consultation with management. The standards are then shared with the employees affected for their feedback and to deal with any problems they may have.
➤ Another technique involves a collaborative approach, in which employees work with the auditor and management to develop the performance standards for their positions.

While a directive approach is a perfectly legitimate option, a collaborative approach can generate support for the process that may be critical for the successful functioning of the measurement criteria that are set.

Performance Objectives
Operational auditors must have standards against which current operations can be compared and evaluated. For financial auditing, the criteria for evaluating the presentation of financial statements are generally accepted accounting principles. But it is management's responsibility to develop and use appropriate standards to evaluate operating activities. Operational auditors will usually start with criteria that have been established by management (performance standards) or by some oversight board or agency.
In the absence of standards, operational auditors will have to borrow from other sources or develop some type of criteria against which to compare performance. This is often a difficult task, and auditors should get management's reaction to the suitability of any criteria developed in this way. Reasonable criteria for evaluating performance are absolutely essential for successful operational auditing, because no evaluation of operations is possible without a standard for comparison. While subjectivity cannot be completely avoided, objective criteria that are considered appropriate and reasonable by both the internal auditors and auditees are necessary for the process to be successful.


Performance Measurement
Performance measurement is a philosophy in which feedback is used to make ongoing adjustments to the way in which an organization goes about achieving its vision. For example, information from financial reports, client satisfaction feedback, and feedback from programs and services may help the organization assess its effectiveness in a variety of ways. Using this feedback, the organization can continue to provide excellent programs and services in response to changes in both the internal and external environments.
The process starts with the setting of business objectives and the development of strategies and plans to achieve these objectives. This is followed by the development of appropriate performance measures to assess progress towards the objectives.
Performance measurement systems provide the feedback information required to assess whether executive management strategies have been effectively converted into operational decisions.
Performance measurement is a balanced, methodical attempt to assess an organization’s effectiveness in various terms – financial, client satisfaction, internal business and innovation/learning.

Public Sector Performance Measurement

Performance measurement can be more difficult in the public sector than it is in the private sector, since it works best when there is clarity about what is being measured and why. In the private sector, the ‘bottom line’ that managers aim for is clear: private companies try to make a profit and create wealth for their owners. There are well-recognized methods of measuring whether a private enterprise is achieving these objectives. Indicators such as profits, revenue, share price, market share, etc, form the normal criteria.
Performance measurement in the public sector is an entirely different matter, since governments are generally supposed to aim at improving people’s lives. This occurs in ways that often cannot easily be measured in rands and cents, and there is often confusion over what the ‘bottom line’ actually is. This confusion causes disagreement over what constitutes ‘results’ and ‘performance’, resulting in disagreement over the choice of appropriate performance measurement.

The Balanced Scorecard and Performance Measurement

The ‘balanced scorecard’ approach to measuring organizational performance was developed by Robert S. Kaplan and David P. Norton at Harvard Business School. This approach augments the traditional focus on financial measures in the public service by adding client satisfaction, internal business processes, and innovation and learning.
The mechanics of performance measurement are complex, and the development and deployment of the process may be painful. Usually many measures will be evaluated before a key set emerges. Many choices will involve industry best-practice measures so that a competitive benchmark can be established.
The most apparent change introduced by the balanced scorecard methodology was the integration of dimensions other than the financial one into the overall performance picture, hence the ‘balanced’ view of organizational achievements. These dimensions are briefly discussed below.


Financial measures
This component traditionally deals with the measurement of the financial performance of programs and services. The financial impact of programs and services in the public service is normally measured through indicators such as actual versus budgeted revenue, actual versus budgeted expenditures, and achieving or exceeding revenue projections.

Client satisfaction
This measures how effectively an organization's products and services satisfy client needs. Examples of client satisfaction performance indicators in the public service include the degree of service availability, prompt response to service requests, on-time service delivery or ease of access to service providers.

Internal business processes

This component of the balanced scorecard relates to the quality of internal business processes used to provide programs and services that satisfy client needs. Internal business performance indicators for the public service could include the numbers of projects completed successfully, on time and on budget, the competitiveness of fees or the setting and meeting of targets.

Innovation and learning

This component measures the ability of an organization to keep innovating and growing through continually improving itself. This is achieved by its human resources, technology, programs and services. Innovation and learning performance indicators for the public service could include the degree of improvement in key operational business processes, the number of employee suggestions coming forward and implemented for program and service innovations and improvements, and the number of new products and services introduced each year.

This balanced scorecard framework for measuring organizational performance must be founded on a particular organization's mission and strategic objectives. It uses traditional financial measures to provide comparison to past performance and focuses on internal business processes and the level of client satisfaction to measure current operations. It also provides input on future requirements that may arise from changing technology, client needs or employee needs.
When considering change, the most revolutionary aspect of the balanced scorecard is probably the way in which it manages causal relationships. Instead of just reacting to bad performance, and so constantly running behind the facts, the concept of the balanced scorecard enables an organization to manage performance in a proactive way.
Grouping together the ‘related’ indicators in the performance management system for every causal relationship that must be followed allows an organization to see just what the factors are that drive its performance. In order to achieve the effects it wants, the organization must check both the defined causal relationships and the impact of performance improvement actions on them.


Applying the Balanced Scorecard

A balanced approach to performance measurement helps an organization to:
➤ assess, develop and implement improved information and practices;
➤ ensure that investment supports the organization’s business objectives and employees; and
➤ ensure that spending is focused on the most appropriate areas within the organization.

The development of a performance measurement framework requires a top-down approach. Business objectives must be established, then departmental goals, and then plans and strategies can be developed to support the business directions. Performance measures can then be designed for the business function. This approach to business performance measurement uses both qualitative and quantitative information and formal approaches to data gathering.
The performance measures developed must be objective, quantifiable and output oriented. The unit of measurement of this approach to performance measurement is the whole of, or a part of, the business program. To apply this framework effectively, however, the same approach must also be applied to each major service area within the business program.
As can be seen, the balanced scorecard approach must be tailored to fit each business environment. An organization should conduct an impact analysis to determine the level of its readiness to adopt such an approach to performance measurement and to determine the cultural, functional, technical and cost implications of adopting such a regime.

Based on the results of the impact analysis, a pilot project may be started within one of the service lines. This involves:
➤ building consensus on the long-term objectives of the pilot organizational unit;
➤ developing performance measurement architecture to assess the performance of the organizational unit; and
➤ developing an implementation strategy to make the transition to a new performance measurement environment.

Developing a Balanced Scorecard

The balanced scorecard is a systematic, ongoing process aimed at aligning departmental performance and corporate strategy. This involves identifying clearly defined value drivers that major stakeholders agree are most vital to the superior performance of a specific unit. Ultimately, the goal is to reach consensus on between four and eight value drivers that will underpin successful unit programs. These value drivers can then be used to define the balanced scorecard's categories.

The actions needed to support each of the value drivers must then be specified. Since most value drivers are difficult to measure directly, this step involves defining those actions that, if successfully accomplished, will result in the desired value. Categories and action steps must be reviewed with key stakeholders. Based on feedback from stakeholders, a balanced scorecard of between four and eight value drivers and the action steps needed to achieve them will be identified. The value drivers must then be reviewed with stakeholders to confirm that they accurately

43

Internal_Auditing.indb 43 16/04/2015 11:12


INTERNAL AUDITING: AN INTEGRATED APPROACH

reflect their expectations. Once agreed on, a working set of value drivers and a concise, one-page scorecard can be created.

A process for measuring what has been accomplished must be implemented in order to gauge how successfully the value-enhancing actions were completed. Each individual action step would need to have a complete set of success measures attached to it.

To complete the process, a system for reporting results to key stakeholders must be established. Communicating the results is a critical step in the scorecard process. The balanced scorecard can then be fine-tuned to ensure that it accurately matches evolving company priorities.

At the managerial level, management will become more effective if the company strategy includes measurable goals that the company is trying to achieve and when the measurement system encourages behavior that is good for the organization.

Improving Performance Measurement Systems

Improving performance measurement involves the development of integrated performance measurement systems. Integrated systems are built around a strategic theme, such as business strategy or value creation. They involve measuring those aspects of the corporate structure that relate the activities of people and processes in the organization to the outcomes the company is trying to achieve.

Integrated systems use measurement criteria such as money, units, time, feelings and other expressions of actions and results. They are seen as discrete parts of a single, overall depiction of all aspects of company activity. The measures that represent the performance of a particular unit of the organization reflect:
➤ the unit's performance;
➤ the connections between the unit and other organizational units;
➤ the connection between the unit and the organization as a whole;
➤ the quality concerns of production;
➤ the customer-satisfaction focus of sales and marketing; and
➤ the monetary discipline of accounting.

Integrated performance measurement systems are a significant improvement over previous evaluation structures; however, they still do not eliminate some of the basic difficulties of performance measurement. Businesses are highly complex organizations that offer many more opportunities for measurement than management can effectively exploit. The difficulties inherent in reducing the number of measures to a significant few will always present a major challenge.

In spite of these difficulties, the benefits of measurement integration far outweigh the costs. A more effective measurement system helps to align the activities of people in the organization and ensure that they work in a co-ordinated way to accomplish the organization’s goals. An integrated system helps avoid misunderstandings resulting from inconsistent data or inappropriate comparisons. Also, it motivates individuals by demonstrating to everyone concerned that the measurement system will accurately and impartially measure the contributions they make and the extent of their success.

THE PERFORMANCE OBJECTIVES OF ORGANIZATIONS

Managers generally understand how effective measurement provides key support in the pursuit of corporate goals when they understand the consequences of performance results. They tend to support the concept of performance measurement, because their experience has shown that it helps to achieve corporate success.

Managers who use performance measurement regularly understand the difficulties inherent in the process. Many measurement criteria imperfectly define the underlying idea. For example, return on assets is intended to reflect and measure the efficiency of the use of capital. In reality, assets are generally measured using the principles of accrual accounting and are thereby measured by historical cost.

Most managers understand the shortcomings of measurement systems. They are fully aware that distortions may be introduced through cost and asset allocations. They recognize that there may be a temptation to measure the things that are easy to measure, and to avoid measures that are more difficult, with the distortions this creates.

Effectiveness, Efficiency and Economy

Effectiveness
The Canadian Institute of Chartered Accountants has defined effectiveness as ‘the extent to which a program achieves its goals or other intended effects’.23

Attributes of effectiveness include the following:
➤ Management direction measures the extent to which the objectives of an organization, its component programs, its lines of business and its employees are clear, well integrated and understood and appropriately reflected in the organization's plans, procedures, delegations of authority and decision-making processes.
➤ Relevance measures the extent to which a program or line of business continues to make sense with regard to the problems or conditions to which it is intended to respond.
➤ Appropriateness measures the extent to which the design of a program or its major components and the level of effort being made are logical, given the specific objectives to be achieved.
➤ Achievement of intended results refers to the extent to which goals and objectives have been realized.
➤ Acceptance defines the extent to which the constituencies of customers for whom a program or line of business is designed judge it to be satisfactory.
➤ Secondary impacts quantify the extent to which other significant consequences, either intended or unintended and either positive or negative, have an impact.
➤ Cost and productivity measure the relationships among costs, inputs and outputs.
➤ Responsiveness is a measure of an organization's ability to adapt to changes in such factors as markets, competition, available resources or technology.
➤ Financial results involve the matching of, and accounting for, revenues and costs and the accounting and valuation of assets, liabilities and equity.
➤ Working environment takes into consideration the extent to which the organization provides an appropriate work atmosphere for its employees; provides appropriate opportunities for development and achievement; and promotes commitment, initiative and safety.
➤ Monitoring and reporting quantify the extent to which key matters pertaining to performance and organizational strengths are identified, reported and carefully monitored.
➤ Protection of assets evaluates the extent to which important assets such as sources of supply, valuable property, key personnel, agreements and important records or information are safeguarded so that the organization is protected from the danger of losses that could threaten its success, credibility, continuity and perhaps its very existence.

23. Canadian Institute of Chartered Accountants. 1995. Guidance on Control. Toronto: Canadian Institute of Chartered Accountants.

Efficiency
This relates to the relationship between goods or services produced and the quantity of resources used to produce them. An efficient operation produces the maximum output for any given set of resource inputs. Alternatively, it has minimum inputs for any given level of goods or services produced.

Economy
This refers to the terms and conditions under which resources are acquired. An economical operation procures an appropriate quantity of resources of an appropriate quality at the lowest overall cost and at the right time.

The Role of Performance Objectives

Management control is meant to ensure that an organization is working towards its stated performance objectives. Performance objectives and goals are the statement of corporate intent, while management objectives define how the corporate objectives will be met. In line with these objectives, internal control ensures that the programs intended to achieve performance objectives are properly planned and executed. Internal audit provides an independent assessment and ensures that management’s system of internal control will be effective and function as intended.

Performance objectives direct the emphasis of day-to-day activities within the organization and may, in themselves, conflict. For example, the need for control may conflict with the need for timeliness, or efficiency objectives may conflict with effectiveness objectives. ‘As quickly as possible’ implies no controls while ‘No rejects’ implies strict controls. The way in which management prioritizes performance objectives directs the development of controls. This will affect the overall system of controls designed and therefore the audit priorities.

A final point is that performance objectives must take account of the cost of trying to achieve them.


Chapter 6

Risk Assessment

Learning objectives
After studying this chapter, you should be able to:
➤ Explain the importance of risk management and internal control
➤ Define and discuss the nature and sources of risk to an organization
➤ Explain the methods used by an internal auditor to establish and document the levels of inherent risk within an organization or a part of it
➤ Describe the role and limitations of internal controls in reducing risks to acceptable levels
➤ Explain how an internal auditor evaluates the adequacy of the system of internal controls
➤ Differentiate between the adequacy and the effectiveness of the control structures

Broad Concepts of Control and Risk

‘“Control” comprises all the elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives. Control is “effective” to the extent that it provides reasonable assurance that the organization will achieve its objectives reliably. Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.’24

The Nature of Risk

All entities encounter risk, whatever their size, structure, nature or industry. In common with this, all business decisions involve elements of risk, including such elements as financing, product lines, and sources and methods of supply.

Risk may be defined as the possibility of loss. All businesses, products and processes involve some degree of risk. Risk management involves assessing a product, process or business by:
➤ identifying the processes;
➤ identifying the types of risks associated with each process;
➤ identifying the controls associated with each process;
➤ evaluating the adequacy of the system of control in mitigating risk;
➤ determining the key controls associated with each process; and
➤ determining the effectiveness of the key controls.

24. Bradshaw, W. & Willis, A. 1998. Learning about Risk: Choices, Connections and Competencies. Toronto: Canadian Institute for Chartered Accountants.

There are three types of risk that are normally considered when using a risk-based audit approach. They are inherent risk, control risk and detection risk, which is also known as audit risk.

Inherent Risk
Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-reducing factors. In evaluating inherent risk, an auditor must consider what the types and nature of risks are, as well as what factors indicate that a risk exists. To achieve this, he/she must be familiar with the environment in which the entity operates.

Control Risk
Control risk measures the likelihood that the control processes established to limit or manage inherent risk are ineffective. In order to ensure that internal audit evaluates the controls properly, an auditor must understand how to measure which controls are effective. This will involve identifying those controls that provide the most assurance that risks are being minimized within the business. Control effectiveness is strongly affected by the quality of work and control supervision.

Controls in business operations provide the major defence against inherent risk. In general, an auditor may assume that stronger controls reduce the amount of risk; however, at some point, the cost of control may become prohibitive (in terms of both financial and staff resources, as well as customer satisfaction).

Audit Risk
Audit risk is the risk that audit coverage will not address significant business exposures. Pro forma audit programs can be developed in order to reduce audit risk. These provide guidance as to which key controls should exist to address the risk, and the recommended compliance and/or substantive test steps that should be performed. These programs should be used with care and modified to reflect the current business risk profile.

The Effect of Risk

In general, business risks can affect a business’ ability to successfully compete, its ability to maintain financial strength, its positive public image and ultimately its ability to survive. Risks will affect the overall quality of an organization’s products, people or services. But risks cannot be eliminated – only managed.

Auditors have traditionally been tasked with gaining and confirming an understanding of the system of internal control set up by management as fundamental to evaluating its adequacy and effectiveness. Internal control has been presumed to be a response to business risk. In order to evaluate the effectiveness of risk control measures, an auditor must comprehensively understand the underlying business risks. This has two prime components.
➤ A thorough understanding of the business process is needed to identify critical processes where less than optimum performance could have serious consequences.
➤ A risk model or risk framework is needed to describe and quantify the effects and likelihood of possible negative consequences.

Such an in-depth understanding of the business process implies a collaborative approach, since an internal auditor is rarely as knowledgeable about the process as the manager who routinely controls it. In the same way, the managers involved in a business process on a day-to-day basis will normally lack the independent perspective an internal auditor can bring to risk evaluation.
➤ A specific risk model uses a formula that models the total business risk in each of the organization’s processes. Many internal auditors use a risk model to help them plan their annual audit activities. These risk models, however, tend to be too narrowly focused to be applied to general business risks.
➤ A risk framework is a logical view of the common business risks faced by an organization. A framework is more generalized than specific models and more easily applied to a variety of organizations and industries. The COSO’s Internal Control: An Integrated Framework is an example of such a control framework (see Chapter 7).

In 1999, McNamee25 defined a framework composed of three major domains of business risk and a number of risk groups within each domain. He defined the three domains of business risk as follows.
➤ Ownership risks are the risks associated with acquiring, maintaining and disposing of assets (except human assets).
➤ Process risks are the risks associated with putting assets to work to achieve objectives.
➤ Behavioral risks are the risks associated with acquiring, maintaining and disposing of human assets.

Ownership Risks
McNamee went on to define ownership risks as including external threats, ie forces outside of the control of the organization that can affect the organization’s business processes and goals.
➤ Custodial risks are the risks associated with owning and safeguarding assets. Since human assets have different characteristics, they are covered under behavioral risks. Examples of custodial risks include obsolescence, damage in handling or storing the assets, and theft from storage.
➤ Hazards (shared with process risks) are the risks to assets associated with loss or damage through fire, natural or human-made disasters, and accidental loss.
➤ Opportunity costs (shared with behavioral risks) are the cost of making less-than-optimum decisions about asset acquisition and disposition. Examples include buying the wrong asset, paying too much, selling the asset too soon or too late, selling the asset too cheaply, and disposing of the wrong asset.

25. McNamee, D. 1999. Targeting Business Risk, available at http://www.mc2consulting.com

Process Risks
Process risks include the following.
➤ Hazards (shared with custodial risks) are the risks to processes associated with loss or impairment through fire, natural or human-made disasters, and accidental loss.
➤ Errors/omissions/delays are the risks to processes arising from random differences in human or machine activity in the process. Poor judgment in plans or operations, inappropriate or outdated control mechanisms, and machine malfunction are examples of these risks.
➤ Frauds are the risks to processes arising from intentional misrepresentation by suppliers, employees and customers. Examples of these risks include theft, bid rigging, bribery, kickback schemes and customer abuse.
➤ Productivity loss (shared with behavioral risks) includes the risks to the process arising from poor design of the process or its control system. Examples include scheduling conflicts, inappropriate work rules, missing controls, lack of monitoring control systems, underutilizing assets in the process, and goal conflicts.

Behavioral Risks
Behavioral risks include the following.
➤ Productivity loss (shared with process risks) includes the risks arising from poor management practices or poor worker commitment. Underutilizing human assets, poor leadership, favoritism, lack of work structure and discipline, inconsistent management decisions, and personal/work goal conflicts are examples of these risks.
➤ Dysfunctional workplaces include the risks to employees from a dysfunctional work environment and the risks to the organization from employees working in such an environment. Examples of these risks are gender/racial harassment, too much pressure to meet objectives (without compensating relief valves), employee theft and sabotage, workplace injuries, employee lawsuits and workplace violence.
➤ Opportunity costs (shared with ownership risks) are the costs of making less-than-optimum decisions about human asset (people, knowledge and skills) acquisition and disposition. Hiring the wrong people or skills, a poor compensation system, and letting the wrong people or skills leave the organization (through quitting, firing or outsourcing) are examples of such risks.

Entity-wide Risk Identification

Identifying and quantifying risks will largely depend on each entity’s objectives. It is an iterative process and must be carried out continuously. This is often done as part of the planning process and may be done on a ‘zero-base’ or as incremental to the last review.

Risks can arise from internal or external factors and the factors themselves may be interrelated. Typical internal factors would include:
➤ the quality of personnel;
➤ training;
➤ motivation;
➤ integrity;
➤ changes in management responsibilities;
➤ management’s task maturity;
➤ span of control;
➤ the degree of dependence on information systems and their stability;
➤ the accessibility of assets; and
➤ the effectiveness of the board and audit committee.

Typical external factors would include:
➤ competition;
➤ regulations:
◗ new,
◗ changes;
➤ political changes;
➤ economic changes:
◗ for better, or worse;
➤ technological developments; and
➤ natural catastrophes.

Techniques to Identify Risks

Risk identification techniques are usually developed by internal and external auditors and involve both quantitative and qualitative prioritization.

Other practices include periodic review of economic and industry factors, senior management business-planning conferences and the use of industry analysts. The way in which risk is determined is not particularly important, as long as it is done. The factors that contribute to or increase risk must be identified.

Each major business unit or function, such as sales, production, marketing, technology development, or research and development, normally identifies and ranks activity risks affecting the achievement of its objectives. Also, there may be many subsidiary risks in the stated or implied objective. It is understood that not every risk can be identified, but obvious risks must be considered.

Risk Analysis and Internal Auditing

Risk analysis involves estimating the significance of the risk and assessing the likelihood or frequency of the risk. Management and auditors must consider how the risk should be managed, what actions need to be taken and what controls need to be effected. Should they be preventative procedures to reduce the significance or likelihood of the risk occurring, or displacement procedures to offset the impact if it does occur? Risks are normally evaluated before considering the mitigating effects of controls in order to establish inherent risk.

The Elements of Risk Analysis

Process analysis is the procedure that permits the identification of key dependencies and control nodes and looks at the processes within a business entity. It identifies cross-organizational dependencies, such as where business data originates, where it is stored, how it is converted to useful information and who uses the information. Quality control programs can positively affect these business processes.

Costs and benefits must be evaluated. Of these, costs are normally easier to quantify. Theoretically, costs should be incurred until they exceed benefits, but in practice this is a management decision and cost-benefit analysis usually results in some part of the risk being managed and some part remaining. Given this and the fluctuating nature of risk, management should review the residual risk regularly, assessing the extent of the exposure.

Risk analysis is a far from foolproof technique and has inherent limitations, such as poor judgment in decision-making, or data that is complete, accurate and timely not being available. People make wrong decisions or get tired and make mistakes. Collusion (two or more people acting together) can occur. Management override that bypasses the system of internal control may be possible.

Meaningful risk analysis can substantially increase the probability of achieving objectives, since it alerts management to changes needed to control procedures and links activity objectives to action. Risk analysis focuses effort on control procedures and should become second nature. The process may be formal or informal; however, it is the results, not the degree of formality, that matter.

Risk Factors to Consider

Among the risk factors to consider are:
➤ the date and results of the last audit;
➤ the financial exposure and potential loss and risk;
➤ requests by management to look at particular areas;
➤ major changes in operations, programs, systems and controls;
➤ the opportunities to achieve operating benefits;
➤ the quality of the internal control framework;
➤ management’s competence;
➤ the complexity of transactions;
➤ the liquidity of assets;
➤ the ethical climate; and
➤ employee morale.

In assessing these factors, an auditor may choose to use objective assessment, which utilizes only quantitative attributes of auditable units, such as the value of throughputs, the value of assets under control, the number of personnel or the volume of transactions. Risk factors are not weighted.

Using subjective assessment, each risk factor is weighted on a scale reflecting degrees of concern. It allows an auditor to express his/her (or management’s) feelings regarding the presence or possibility of risk.

Risk-based Auditing
Risk-based auditing involves an integrated approach, including the concepts of high-level risk analysis and the overall audit plan. The audit plan itself may be differentiated between:
➤ mandatory audit activities, ie those activities that must be carried out within the time span of the audit plan because of legal or regulatory requirements or to meet senior management requirements or external auditor liaison requirements; and
➤ discretionary audit activities, which use a small number of risk factors with associated factor weights.

Detailed risk analysis involves the design of the audit steps. High-level risk analysis is a broad-brush approach designed to arrive at an approximate evaluation of the risks a business entity faces. This can define how often audits should occur, but not necessarily depth or focus areas.

Mandatory audit activities will be given the greatest risk value to ensure that they are automatically selected, but be careful that senior management requirements are in fact requirements and not just nice-to-haves.

Discretionary audit activities should be chosen by limiting the risk factors to the most important ten or less. These risk factors must apply to a variety of products and services. Common risk factors could include:
➤ exposure (size and sensitivity of assets);
➤ the quality of internal controls;
➤ audit experience;
➤ accounting data;
➤ regulatory requirements;
➤ the value of transactions processed;
➤ the confidentiality of information;
➤ the potential for adverse publicity;
➤ the sensitivity of asset types (convertibility);
➤ the degree of automation in processing;
➤ the condition of suspense accounts:
◗ size,
◗ movements;
➤ the time since the last audit;
➤ the significance of findings at that time;
➤ visibility and scope; and
➤ booking duration.

Visibility and scope

The scope of the entity would include the volume of transactions, the size of master files, and the types of input and processing, while visibility would include the number of users of services and degree of interface with other audit units.

Assessing the Risk

To be effective, evaluation must be kept simple and involves obtaining a brief understanding of each system’s scope, coverage, volumes and values. Each characteristic is then scored and adding up the scores allows the ranking of the systems.
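The scoring and ranking just described, the objective (unweighted) versus subjective (weighted) assessment distinction from the earlier section on risk factors, and the mandatory/discretionary split of the audit plan can be shown together in one small model. The Python below is an added example and is not code from the book, the IIA or any vendor: the factor names follow the chapter's list of common risk factors, but the weights, the 1-5 scoring scale, the quantitative attributes chosen for the objective assessment and the sample auditable units are all assumptions made for illustration.

```python
"""Risk-based ranking of auditable units; a constructed example, not the book's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Subjective assessment: each discretionary risk factor carries a weight
# reflecting the degree of concern. The factor names follow the chapter's
# list; the weights and the 1-5 scoring scale are assumptions.
FACTOR_WEIGHTS: Dict[str, float] = {
    "exposure": 3.0,              # size and sensitivity of assets
    "quality_of_controls": 2.5,   # weaker controls score higher
    "time_since_last_audit": 2.0,
    "confidentiality": 2.0,
    "degree_of_automation": 1.0,
}
MIN_SCORE, MAX_SCORE = 1, 5
# Highest total a discretionary unit can reach under the weights above.
MAX_SUBJECTIVE = MAX_SCORE * sum(FACTOR_WEIGHTS.values())


@dataclass
class AuditableUnit:
    name: str
    mandatory: bool = False
    # factor name -> score on the 1-5 scale (subjective assessment)
    factor_scores: Dict[str, int] = field(default_factory=dict)
    # quantitative attributes used by the objective (unweighted) assessment
    transaction_value: float = 0.0
    asset_value: float = 0.0
    headcount: int = 0


def validate_scores(unit: AuditableUnit) -> None:
    """Reject unknown factors and scores outside the agreed scale."""
    for factor, score in unit.factor_scores.items():
        if factor not in FACTOR_WEIGHTS:
            raise ValueError(f"{unit.name}: unknown risk factor {factor!r}")
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{unit.name}: {factor!r} score {score} is outside {MIN_SCORE}-{MAX_SCORE}")


def subjective_score(unit: AuditableUnit) -> float:
    """Weighted sum of the factor scores (subjective assessment)."""
    validate_scores(unit)
    return sum(FACTOR_WEIGHTS[f] * s for f, s in unit.factor_scores.items())


def objective_score(unit: AuditableUnit, population: List[AuditableUnit]) -> float:
    """Unweighted objective assessment: each quantitative attribute is scaled
    against the largest value in the population and the scaled values are
    added, so every attribute counts equally."""
    total = 0.0
    for attr in ("transaction_value", "asset_value", "headcount"):
        largest = max(getattr(u, attr) for u in population)
        if largest > 0:
            total += getattr(unit, attr) / largest
    return total


def plan_score(unit: AuditableUnit) -> float:
    """Mandatory activities get a value above any discretionary total so they
    are always selected; discretionary units use the subjective assessment."""
    if unit.mandatory:
        return MAX_SUBJECTIVE + 1.0
    return subjective_score(unit)


def rank_units(units: List[AuditableUnit]) -> List[Tuple[str, float]]:
    """Rank units for the audit plan, highest score first (ties broken by name)."""
    scored = [(u.name, plan_score(u)) for u in units]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def select_for_plan(units: List[AuditableUnit], capacity: int) -> List[str]:
    """Names of the units that fit into a plan with room for `capacity` audits."""
    return [name for name, _ in rank_units(units)[:capacity]]


# Constructed sample population (scores, values and headcounts are made up).
UNITS: List[AuditableUnit] = [
    AuditableUnit("Statutory reporting", mandatory=True, headcount=3),
    AuditableUnit("Payroll", factor_scores={"exposure": 4, "quality_of_controls": 3,
                  "time_since_last_audit": 5, "confidentiality": 5, "degree_of_automation": 4},
                  transaction_value=12_000_000, asset_value=500_000, headcount=6),
    AuditableUnit("Treasury", factor_scores={"exposure": 5, "quality_of_controls": 4,
                  "time_since_last_audit": 2, "confidentiality": 3, "degree_of_automation": 5},
                  transaction_value=40_000_000, asset_value=25_000_000, headcount=4),
    AuditableUnit("Canteen", factor_scores={"exposure": 1, "quality_of_controls": 2,
                  "time_since_last_audit": 5, "confidentiality": 1, "degree_of_automation": 1},
                  transaction_value=300_000, asset_value=100_000, headcount=12),
]

if __name__ == "__main__":
    for name, score in rank_units(UNITS):
        print(f"{name:<20} plan score {score:5.1f}")
    print("selected with capacity 2:", select_for_plan(UNITS, 2))
    for unit in UNITS:
        print(f"{unit.name:<20} objective score {objective_score(unit, UNITS):.2f}")
```

With this sample population the subjective ranking places Payroll ahead of Treasury among the discretionary units, while the unweighted objective assessment ranks Treasury highest because of its transaction and asset values; the two assessments can disagree, which is the point of the chapter's distinction between quantitative attributes and weighted degrees of concern. The validation step matters in practice: a score outside the agreed scale, or a factor nobody agreed on, silently distorts the whole ranking if it is allowed through.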

IIA Standards on Risk Assessment

The IIA Standards recognize the important role played by internal audit in helping management to meet their risk management responsibilities effectively, as indicated by the guidance contained in IIA Practice Advisory 2100-3: The Internal Auditor’s Role in the Risk Management Process.

‘The definition of internal auditing calls for a disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditors have a key role to play in an organization’s risk management process in order to practise internal auditing in accordance with the Standards. This advisory seeks to provide internal auditors with guidance for determining their role in an organization’s risk management process and for complying with the Standards.’

The IIA recommends the use of seven factors, namely:
➤ the time and results of the last audit;
➤ financial exposure;
➤ potential loss and risk;
➤ requests by management;
➤ major changes in operations, programs, systems and controls;
➤ opportunities to achieve operating benefits; and
➤ changes to and capabilities of auditing staff.

Management Risk Factors

Management may themselves be agents of risk, and risk factors in this area may include:
➤ management’s inherent integrity (evaluated from the quality of management’s responses);
➤ areas of sole control;
➤ indications of past irregularities;
➤ evidence of conflicts of interest;
➤ situational integrity;
➤ remuneration not matching a manager’s standard of living;
➤ performance not matching budgets;
➤ threats to the continued existence of the business;
➤ the possible sale of the business; and
➤ the need to obtain extra finance.

Risk Identification by Analytical Review

Risk identification by analytical review is a common audit technique and may involve any or all of:
➤ liquidity ratios;
➤ current ratio;
➤ acid test (quick) ratio;
➤ solvency;
➤ asset structure;
➤ capital structure;
➤ profitability ratios;
➤ ROA;
➤ profit as a percentage of sales;
➤ sales to total assets;
➤ sales to fixed assets; and
➤ sales to current assets.
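Analytical review only identifies risk when the ratios are compared against something, usually the prior period. The following Python is an added illustration, not code or figures from the book: it computes the liquidity and profitability ratios listed above for two periods and flags the ones that moved by more than a threshold. The financial figures and the 20% movement threshold are constructed assumptions.

```python
"""Analytical review ratios over two periods; a constructed example, not the book's code."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Financials:
    """Summary figures for one period; all values are constructed."""
    sales: float
    net_profit: float
    current_assets: float
    inventory: float
    current_liabilities: float
    fixed_assets: float

    @property
    def total_assets(self) -> float:
        return self.current_assets + self.fixed_assets


def ratios(f: Financials) -> Dict[str, float]:
    """The liquidity and profitability ratios listed in the chapter."""
    return {
        "current_ratio": f.current_assets / f.current_liabilities,
        # acid test: current assets excluding inventory
        "quick_ratio": (f.current_assets - f.inventory) / f.current_liabilities,
        "return_on_assets": f.net_profit / f.total_assets,
        "profit_pct_of_sales": 100.0 * f.net_profit / f.sales,
        "sales_to_total_assets": f.sales / f.total_assets,
        "sales_to_fixed_assets": f.sales / f.fixed_assets,
        "sales_to_current_assets": f.sales / f.current_assets,
    }


def flag_movements(prior: Financials, current: Financials,
                   threshold: float = 0.2) -> Dict[str, float]:
    """Relative change of each ratio against the prior period, returned only
    for ratios that moved by more than `threshold` (20% by default, an
    assumed cut-off). The sign shows the direction of the move."""
    before, after = ratios(prior), ratios(current)
    flagged: Dict[str, float] = {}
    for name, old in before.items():
        if old == 0:
            continue  # no prior base to compare against
        change = (after[name] - old) / old
        if abs(change) > threshold:
            flagged[name] = change
    return flagged


# Constructed two-period data. Sales and profit grow modestly, but inventory
# and short-term borrowing have both increased sharply.
PRIOR_YEAR = Financials(sales=10_000_000, net_profit=800_000, current_assets=3_000_000,
                        inventory=1_000_000, current_liabilities=1_500_000,
                        fixed_assets=5_000_000)
CURRENT_YEAR = Financials(sales=10_500_000, net_profit=840_000, current_assets=4_200_000,
                          inventory=2_400_000, current_liabilities=2_100_000,
                          fixed_assets=5_100_000)

if __name__ == "__main__":
    for name, value in ratios(CURRENT_YEAR).items():
        print(f"{name:<24} {value:8.3f}")
    for name, change in flag_movements(PRIOR_YEAR, CURRENT_YEAR).items():
        print(f"flag: {name} moved {change:+.1%} against prior year")
```

In the constructed data the current ratio is unchanged at 2.0 in both years, so a reviewer looking at that ratio alone would see nothing; the quick ratio and sales to current assets, however, both fall by more than the threshold, which is the pattern produced by a build-up of inventory and points the auditor towards the custodial risks (obsolescence, storage losses) discussed earlier in the chapter.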

Marketing a Risk-based Internal Audit Approach to Management


IIA Practice Advisory 2010-2: Linking the Audit Plan to Risk and Exposures guides
an internal auditor in linking the internal audit plan to the assessment of risk and
exposures that may affect the business.

‘The internal audit activity’s audit plan should be designed based on an assessment of
risk and exposures that may affect the organization. Ultimately, key audit objectives are
to provide management with information to mitigate the negative consequences
associated with accomplishing the organization’s objectives, as well as an assessment of
the effectiveness of management’s risk management activities. The degree or materiality
of exposure can be viewed as risk mitigated by establishing control activities.’

Selling the risk-based audit approach involves obtaining management buy-in to the
process. One effective way of achieving this is to ensure their participation in both
risk identification and risk evaluation.
It is operational management’s responsibility to identify, assess and manage risk.
It is internal audit’s responsibility to assist management in this process by identify-
ing and assessing risk and by assisting management to monitor how well risks are
actually being managed by the business.
Most organizations do not have the resources available to identify, analyze and
control all business risks. Implementing a formal risk assessment process helps by
providing a consistent method for choosing high-impact risks on which to focus audit
resources.
During the risk assessment, auditors must develop an understanding of the oper-
ation’s business in order to identify and assess significant risks. They then use this
assessment to allocate audit resources to areas within the organization that provide
executive management and the audit committee with the most efficient and effective
level of audit coverage. The output of the risk assessment is the primary basis for
allocating audit resources during the audit planning process.
An auditor must always bear in mind that individual managers have differing
attitudes to risk. Some managers or even organizations see the acceptance of risk
as fundamental to the making of profits, while others are highly risk-averse and
consider reducing risk a fundamental component of the business. This is called risk
tolerance. Unless the auditor understands this concept, it is likely that management
and auditors will talk at cross-purposes on risk and that management may consider
audit recommendations to be impractical or unacceptable.
Based on the individual risk positions adopted, companies will manage risk in a
number of ways, such as using insurance coverage, financial instruments, compli-
ance, and internal audit functions. Management must understand that internal audit
does not replace their responsibility to keep their own risk at acceptable levels.
Risks themselves can be categorized according to the organization’s response.
➤ Controllable risks are risks that exist within the processes of an organization
and can be managed by the organization.
➤ Uncontrollable risks are risks that arise outside the organization and cannot
be directly controlled or influenced, but which nevertheless call for a risk posi-
tion to be taken by the organization.
➤ Influenceable risks are risks that arise outside the organization, but can be
influenced by the organization.

55

Internal_Auditing.indb 55 16/04/2015 11:12


INTERNAL AUDITING: AN INTEGRATED APPROACH

While internal audit deals with all three risk types, the limited resources at its
disposal mean that it normally prioritizes, and focuses its effort on, those areas
where risk control is both desirable and achievable.
Generally, auditors will have developed a basic understanding of the business and
control risks faced by the client before meeting the client. During initial client meet-
ings, the client’s expectations of internal audit services should have been clarified,
together with any significant risk and control issues that the client faces.
Risk analysis can be carried out in a variety of ways. Qualitative analysis is
used to help identify the assets and resources at risk, the threats to and
vulnerabilities of those assets, and the safeguards already in place to mitigate
the threats. It can also be used to identify the controls which could be implemented
to reduce the risks to an acceptable level.
Qualitative analysis, as the name implies, does not attempt to quantify the finan-
cial value of the assets at risk or the frequency of occurrence of the threats. In
addition, the implementation costs of suggested controls are not usually included.
Quantitative analysis, on the other hand, attempts to identify potential losses in
value terms using objective criteria. Typically this involves considerably greater
effort in putting a value to specific threats, but it does make it possible to evaluate
the cost-effectiveness of suggested controls.
For most auditors a hybrid model combining the best of both quantitative and
qualitative analysis is probably the most appropriate.
In most organizations, putting a value to tangible assets is an everyday process.
Valuing intangible assets is a whole study area of its own; assets such as
reputation, intellectual property, brand names and the like can be valued in a
variety of ways. Assessing the likelihood of damage to assets through threats is
also problematic since it is, in many cases, a subjective judgment influenced by the
risk appetite of the person making the judgment call. Some managers are risk averse,
while others will willingly accept risk as long as their perception of the payback
for accepting it is high. By the same token, assets are not equally vulnerable to
every identified threat: buildings are not commonly stolen and company vehicles do
not suffer a loss of reputation. Anticipated losses must therefore be calculated for
individual assets and specific threats.
Internal controls can affect both the likelihood of an event having a detrimental
impact on the organization and the degree of impact it can have. In selecting
internal controls, cost/benefit is normally one of the major measurement criteria,
but it need not be the sole criterion. The ‘risk appetite’ is a measure of how
much risk management is prepared to accept in exchange for a given level of
return.
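The per-asset, per-threat loss calculation and the control cost/benefit comparison described above can be worked through in code. The following is an added example, not code from the book: the loss formula it uses (expected annual loss = asset value x exposure factor x annual rate of occurrence) is a common quantitative convention assumed here for illustration, and every asset, threat, control and figure is constructed sample data. The `qualitative_band` function shows the hybrid model by mapping the quantified loss back onto a High/Medium/Low reporting scale with assumed thresholds.

```python
"""Quantitative risk analysis over an asset x threat matrix, with control
cost/benefit ranking and a qualitative band for reporting (the hybrid model).

Added example, not code from the book. The loss formula (expected annual loss
= asset value x exposure factor x annual rate of occurrence) is an assumed
convention; all assets, threats, controls and figures are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # monetary value (assumed)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float  # expected occurrences per year (assumed)


@dataclass
class Control:
    name: str
    annual_cost: float
    # (asset name, threat name) -> fraction of that pair's expected loss removed
    reduction: dict = field(default_factory=dict)


def expected_annual_loss(assets, threats, exposure):
    """Loss per individual asset and specific threat. `exposure` maps
    (asset, threat) to the fraction of the asset's value lost per occurrence;
    pairs absent from it are not vulnerable to that threat (buildings are not
    stolen), so no loss is calculated for them."""
    losses = {}
    for asset in assets:
        for threat in threats:
            factor = exposure.get((asset.name, threat.name))
            if factor is not None:
                losses[(asset.name, threat.name)] = asset.value * factor * threat.annual_rate
    return losses


def net_benefit(control, losses):
    """Annual loss avoided minus the control's cost; negative means the control
    costs more than the risk it removes."""
    avoided = sum(losses[pair] * fraction
                  for pair, fraction in control.reduction.items() if pair in losses)
    return avoided - control.annual_cost


def rank_controls(controls, losses):
    """Controls ordered from most to least cost-effective, as (net benefit, name)."""
    return sorted(((net_benefit(c, losses), c.name) for c in controls), reverse=True)


def qualitative_band(loss, high=100_000, medium=10_000):
    """Map a quantified loss onto the High/Medium/Low scale used in reports.
    Thresholds are assumed; in practice they follow management's risk appetite."""
    return "High" if loss >= high else "Medium" if loss >= medium else "Low"


def build_example():
    """Constructed sample data: three assets, three threats, four candidate controls."""
    assets = [Asset("Customer database", 2_000_000),
              Asset("Delivery vehicle", 40_000),
              Asset("Head office building", 5_000_000)]
    threats = [Threat("Theft", 0.5), Threat("Fire", 0.02), Threat("Power outage", 4.0)]
    exposure = {("Customer database", "Theft"): 0.3,
                ("Customer database", "Power outage"): 0.01,
                ("Delivery vehicle", "Theft"): 1.0,
                ("Delivery vehicle", "Fire"): 0.8,
                ("Head office building", "Fire"): 0.6}
    controls = [Control("Database encryption", 50_000, {("Customer database", "Theft"): 0.8}),
                Control("UPS", 15_000, {("Customer database", "Power outage"): 0.9}),
                Control("Sprinklers", 20_000, {("Head office building", "Fire"): 0.5,
                                               ("Delivery vehicle", "Fire"): 0.5}),
                Control("Vehicle tracker", 25_000, {("Delivery vehicle", "Theft"): 0.7})]
    losses = expected_annual_loss(assets, threats, exposure)
    return losses, rank_controls(controls, losses)


if __name__ == "__main__":
    losses, ranking = build_example()
    for pair, loss in losses.items():
        print(pair, round(loss), qualitative_band(loss))
    for benefit, name in ranking:
        print(f"{name}: net annual benefit {benefit:,.0f}")
```

In the sample data the vehicle tracker removes most of the vehicle-theft loss yet still ranks last with a negative net benefit, which is the point of the cost-effectiveness test: a control can work exactly as intended and still not be worth implementing.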

Conducting a Risk Assessment


Objectives
The objectives of a risk assessment are to identify, assess and document the risks
and related risk management activities in an organization. These include risks in
the organization’s processes and across its business units, geographic locations or
product lines. The audit work should be properly aligned with the business objec-
tives and should be agreed to by management. This, in turn, allows audit resources
to be allocated in the audit planning process.


Planning a Risk Assessment


The aim of planning a risk assessment is to provide the auditors with a workable
structure so that the audit can be completed successfully and efficiently. The pro-
cess involves reviewing the audit objectives, the roles and responsibilities of those
involved, and timelines.

Preparing a preliminary plan


A team or individual auditor must be given the job of gathering existing knowledge
about the auditee area and engagement, and of developing a preliminary work plan for
carrying out the risk assessment. Much of the background information concerning
industry trends, business objectives, internal audit focus, critical success factors,
etc, can be obtained from the working papers of previous audits or from the audit
department’s permanent files.
In addition, the auditee normally has a strategic business plan, which defines the
organization’s objectives, critical success factors and strategies.

Identifying a project team, agreeing on responsibilities and finalizing the risk assessment work plan
Based on audit’s understanding of the client, the next stage is to identify the individu-
als required to complete the risk assessment. In cases where the audit requires skills
that are outside the core competencies of the engagement team, other resources
from within the organization can be called on. The specific responsibilities of all par-
ties involved should be agreed upon before starting the risk assessment. The results
of the risk assessment become the primary basis for allocating audit resources dur-
ing the audit planning process. The risk assessment enables the auditor to understand
and analyze the relevant characteristics of the organization’s more important business
and support processes.
In order to communicate the appropriate context for audit services, the audit
team should use a risk framework that clearly articulates the focus of audit services
as they relate to the risk universe. This is achieved by establishing the extent and
nature of risk that exists for the auditee.
Internal audit will base its evaluation of risk on management’s view of the accept-
ability of given risk levels. It will focus on the areas of higher business risk and the
areas of the business where risk control is both desirable and achievable.

Conducting the Assessment


Based upon the information gathered by the auditor during the preliminary survey,
a list of threats to the attainment of the major control objectives of the client should
now be available. These threats should be agreed with the auditee’s representative
in order to ensure that no significant threats have been omitted and no specific
threats have been over-emphasized. Based upon this list of threats, a preliminary
assessment of the inherent risk of a function or department may be derived.
The preliminary survey should also have produced a list of controls which man-
agement believed to be in place and effective to mitigate the threats. By matching
the controls against the threats which they are intended to address, the auditor
may come to a preliminary evaluation of the residual risk should all controls func-
tion as intended. At this stage the auditor is now in a position to group the controls
into ‘control structures’ for specific threats and identify the critical controls
intended to address those threats. It should be noted that the auditor will normally
assume that there is no specific intent to bypass controls at this stage and that
those individuals responsible for implementing controls will normally be competent
to carry out those controls. Testing of the controls will indicate where incompeten-
cies are occurring or where controls are not functioning as intended.
Many auditors will use a graphical methodology, perhaps in the form of a matrix, to
present these threats and controls to management in order to confirm their understanding
of the control structures which management intends to be in place. At this stage the
auditor is in a position to assess the adequacy of the control structures intended to
mitigate specific threats. Where the controls do not adequately address the concerns,
recommendations can be made to ‘plug the gap’, normally by introducing additional controls.
Even if the control structures do not fully address the specific threats, testing
will normally be carried out on the key controls, ie those controls which address
significant parts of the threat, in order to determine their effectiveness.
This risk assessment then forms the basis for the development of the audit pro-
gram as outlined in Chapter 17.

The ‘Cube’ Approach to Risk Assessment


The ‘Cascarino Cube’
The following is a generic approach to risk identification and prioritization. Its use
needs to be tailored to the requirements of an individual organization. It is referred
to here as a ‘cube’ although it is, in actuality, a cuboid, with the number of layers
in each dimension dependent on the individual architecture, components and risks to
which the organization is exposed. Using IT as an example of a corporate function,
information processing in general uses an architecture which can be shown graphically as:

Diagram 1


As can be seen, at the core is the organization’s data, which is the major asset to
be protected. This exists within, and under the control of, the mainframe computer itself.
In order to gain access to the mainframe, mainframe communications channels are used.
This communication is typically conducted from servers or intermediate processors. These in
turn communicate via routers and cabling through wide area networking communications.
The workstations are the point from which users enter the system. In addition there are
frequently users who access the data via the Internet and mobile computing. These rings,
then, make up the first dimension (the architectural layers) of the cube.
The architecture itself will consist of a number of components including among
others, typically:
➤➤ data;
➤➤ software;
➤➤ people; and
➤➤ hardware.

Each of these architectural layers and components will be exposed to risks in a variety of
forms, and these risks make up the third dimension of the cube. Commonly the risks may include:
➤➤ system non-availability;
➤➤ loss of confidentiality;
➤➤ loss of integrity;
➤➤ inaccuracy and incompleteness;
➤➤ lack of monitoring;
➤➤ lack of compliance; and
➤➤ under-performance.

Three dimensionally, these can be shown as in Diagram 2.

Diagram 2


Based upon the discussions with operational and technical staff at the organization,
a cube of risks, system components and architectural components can be identified
and risk-ranked. This will typically result in a cuboid such as that shown in Diagram 3.

Diagram 3

When prioritized and structured, the organization’s risk profile may be represented
with the higher-ranked risks to the more critical components forming the upper left-hand
corner of each architectural slice. Each architectural slice may then be evaluated
separately and the operational, security and technical controls identified and allocated
to the specific cell representing a risk (such as unavailability) to a system component
(such as data). At this stage, no attempt is made to determine whether the controls
believed to exist actually do exist and function as intended.

Examples of the cells indicating specific controls are shown below.


Component and risk: controls identified (T = technology, O = operations, S = security)

Data – Unavailability: T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16, T17, T18, T21, T22, T23, T26, T27, T28, T29, T30, T33, T34, T35, T36, T37, T39, T40, T41, T42, T43, T45, T46, T49, T56, T57, T58, T60 – O1, O2, O3, O4, O5, O8, O9, O11, O12, O14, O16, O19, O23, O25, O26, O27, O28, O29, O30, O31 – S3, S4, S5, S6, S11, S12

Data – Confidentiality: T11, T12, T16, T17, T18, T22, T23, T24, T25, T27, T28, T26, T31, T32, T33, T34, T35, T40, T41, T44, T47, T58, T60 – O1, O2, O3, O4, O5, O6, O7, O8, O9, O10, O11, O12, O13, O14, O15, O16, O21, O22, O33 – S1, S2, S3, S4, S5, S6, S7, S8, S9, S10, S11

People – Unavailability: T16, T17, T22, T21, T28, T30, T31, T32, T34, T35, T36, T41, T43, T47, T49, T57, T62 – O1, O5, O8, O11, O25, O27, O28, O30 – S1, S3, S11, S12

People – Confidentiality: T11, T12, T22, T23, T24, T31, T32, T33, T34, T28, T35, T36, T39, T41, T42, T43, T47, T51, T58, T60 – O1, O2, O3, O4, O5, O7, O8, O10, O11, O14, O15, O21, O22, O26, O32 – S1, S3, S4, S5, S6, S7, S8, S9


Examples of controls identified may include terms such as:

Controls List (legend T = technology, S = security, O = operations)

Technology controls:
T1 – APC Power Monitoring
T2 – APC Cold Water Monitoring
T4 – APC UPS
T5 – Generator – Natural Gas Powered
T6 – APC UPS Generator Monitor
T7 – Multiple Power Paths (N+1 config)
T8 – Air Conditioning (N+1 config)

Security controls:
S1 – Policies and Procedures
S3 – User Access Approval Review
S4 – Reoccurring User Access Review
S5 – Security Camera Monitoring
S6 – Key Fob Access Review
S7 – Shred Bin Monitoring
S8 – User Awareness Training

The objective of the exercise is to determine whether the accumulation of controls
intended to mitigate a particular risk to a particular component would be adequate
to reduce the risk to an acceptable level if they all function as intended. Where the
controls are inadequate, the risk remains too high even if every control works as
intended, and such a vulnerability must then be addressed.
Once all mitigating controls have been identified, they can be evaluated in order
to determine which controls can give management the most assurance (whether it be
from a preventative, detective or corrective perspective). These are designated the
Key Controls and form management’s most critical defenses against those specific
risks. From management’s perspective, these controls would be subject to the most
stringent monitoring in normal operations. From an audit perspective, these would
typically be the controls selected to be tested for effectiveness.
If these controls function as intended, management may gain the assurance that
risk is being controlled to the desired level in an adequate and effective manner.
Where such testing of controls determines that the Key Controls are not functioning
as intended, the cause of failure must be determined and rectified. In the meantime
the other controls in that particular cell can be evaluated to determine whether they
have sufficient cumulative impact to maintain the overall control at the desired level.
If so, then the effectiveness of these controls must also be tested.
Once Key Controls have been identified within each of the individual cells, they
may be traced three dimensionally into other cells within other system components
and architectural components. This then permits a three-dimensional map of the
impact that the failure of the Key Control could have across all system components
and architectural components facing a variety of risks.
Additionally, the three-dimensional nature of the cuboid enables the auditor to
examine control adequacy and effectiveness in vertical slices of system components
indicating all risks and architectural components affected, horizontal slices of risks to
all components indicating the system and architectural components affected or sliced
by architectural components showing all risks and system components affected.
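The cell structure, the tracing of a Key Control through the cube and the three kinds of slice described above can be modelled directly. The following is an added example, not code from the book: the control codes reuse the book’s legend (T = technology, O = operations, S = security, for instance T4 = APC UPS and S1 = Policies and Procedures), but which controls sit in which cell, and which are designated Key Controls, are constructed assumptions for illustration.

```python
"""Risk 'cube' modelling: architectural layer x system component x risk.

Added example illustrating the cube approach; not code from the book. Control
codes follow the book's legend, but the cell assignments and the choice of Key
Controls are constructed assumptions.
"""
from itertools import product


class RiskCube:
    def __init__(self, layers, components, risks):
        # Every (layer, component, risk) cell starts with no controls recorded.
        self.cells = {cell: set() for cell in product(layers, components, risks)}
        self.key_controls = set()

    def assign(self, layer, component, risk, *controls):
        """Record the controls management believes mitigate this cell's risk."""
        cell = (layer, component, risk)
        if cell not in self.cells:
            raise KeyError(f"unknown cell {cell}")
        self.cells[cell].update(controls)

    def mark_key(self, *controls):
        """Designate the controls management relies on most (the ones audit tests)."""
        self.key_controls.update(controls)

    def slice(self, layer=None, component=None, risk=None):
        """Cells matching the fixed axis values: fix `component` for a vertical
        slice, `risk` for a horizontal slice, `layer` for an architectural slice."""
        want = (layer, component, risk)
        return {cell: sorted(ctl) for cell, ctl in self.cells.items()
                if all(w is None or w == v for w, v in zip(want, cell))}

    def gaps(self, min_controls=1):
        """Cells whose control structure is inadequate on paper: fewer than
        `min_controls` controls even if every listed control works as intended."""
        return sorted(cell for cell, ctl in self.cells.items() if len(ctl) < min_controls)

    def impact_of_failure(self, control):
        """Trace one control three-dimensionally: every cell relying on it, with
        the other Key Controls left in that cell if this one fails. An empty list
        means the cell's remaining controls must be tested for cumulative adequacy."""
        return {cell: sorted((ctl - {control}) & self.key_controls)
                for cell, ctl in self.cells.items() if control in ctl}


def build_example():
    """Constructed cube for an IT function (sample data, not a real organization)."""
    cube = RiskCube(layers=["Mainframe", "Servers", "Workstations"],
                    components=["data", "people", "hardware"],
                    risks=["unavailability", "confidentiality"])
    cube.assign("Mainframe", "data", "unavailability", "T1", "T4", "T5", "T7", "T8", "O1", "S3")
    cube.assign("Mainframe", "data", "confidentiality", "S1", "S3", "S4", "S8", "O1")
    cube.assign("Mainframe", "hardware", "unavailability", "T1", "T2", "T4", "T5", "T6", "T7", "T8")
    cube.assign("Mainframe", "people", "confidentiality", "S1", "S5", "S6", "S8")
    cube.assign("Servers", "data", "unavailability", "T4", "T7", "O1")
    cube.assign("Servers", "data", "confidentiality", "S3", "S4")
    cube.assign("Servers", "hardware", "unavailability", "T4", "T8")
    cube.assign("Servers", "people", "confidentiality", "S1", "S8")
    cube.assign("Workstations", "data", "confidentiality", "S1", "S8")
    cube.assign("Workstations", "people", "confidentiality", "S1", "S8")
    cube.assign("Workstations", "hardware", "unavailability", "T4")
    cube.mark_key("T4", "S3", "S1")   # assumed Key Controls
    return cube


if __name__ == "__main__":
    cube = build_example()
    # Where does a UPS failure bite, and which cells have no other Key Control?
    for cell, backup in cube.impact_of_failure("T4").items():
        print(cell, "backup key controls:", backup or "none")
    print("vertical slice (data):", list(cube.slice(component="data")))
    print("cells with fewer than two controls:", cube.gaps(min_controls=2))
```

Running it shows that a failure of T4 reaches five cells across three architectural layers, and that in four of them no other Key Control remains, so the non-key controls in those cells would have to be tested for cumulative effect while the cause of the failure is rectified. Keeping the cube current as the business changes is a matter of updating `assign` and `mark_key` calls and re-running the same queries.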
By maintaining the Cube and associated controls as risk levels change with the
business, and by keeping the control list current and tested, the overall risk and
control architecture can be monitored in order to ensure that the overall residual
risk to the organization is maintained at acceptable levels. Below is an example of a
similar cube prepared for an organization’s fraud risk.


ERM and Internal Audit


Enterprise Risk Management is defined by COSO as ‘a process, effected by an
entity’s board of directors, management and other personnel, applied in strategy
setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives’.26
All enterprises face a degree of uncertainty, and part of the role of management
is the evaluation of the degree of uncertainty which is acceptable in the pursuit of its
overall corporate objectives. Enterprise risk management encompasses an array of
activities essential to achieving the organizational goals, including:
➤➤ aligning the organization's risk appetite with its overall corporate
strategies;
➤➤ choosing among alternative risk responses, including the avoidance of risk and
its reduction through the implementation of appropriate internal controls;
➤➤ early identification of potential negative events and reduction of their impact;
➤➤ management of risk on a cross-enterprise basis; and
➤➤ improved use of capital through understanding the environment and its opportunities.

26. Enterprise Risk Management — Integrated Framework – Executive Summary, September 2004, is
available from: http://www.coso.org/documents/coso_erm_executivesummary.pdf


The net impact of effective enterprise risk management includes a reduction in
the likelihood of negative consequences such as damage to reputation, failure to
comply with laws and regulations and financial damage, while enhancing the likelihood
of attaining the overall objectives, namely:
➤➤ Strategic – high-level goals, aligned with and supporting its mission;
➤➤ Operations – effective and efficient use of its resources;
➤➤ Reporting – reliability of reporting; and
➤➤ Compliance – compliance with applicable laws and regulations.

Internal Audit Role


Within the overall field of corporate governance, a critical element for the board is to
ensure that the enterprise risk management processes are operating both effectively
and efficiently. To this end, internal audit has a vital part to play in providing
assurance of their effectiveness and efficiency, as well as in identifying the ‘key’
risks and controls relied upon by management. In its role as an independent, objective
assurance and consulting activity, internal audit activities can be classified into core
internal audit roles which are part of the normal internal audit activities, those roles
which internal audit can undertake in the presence of appropriate safeguards, and
those roles which internal audit should not undertake. These include:

Core internal audit roles


These roles are standard assurance roles falling within the normal remit of internal
audit:
➤➤ reviewing the management of key risks;
➤➤ evaluating the reporting of key risks;
➤➤ evaluating risk management processes;
➤➤ giving assurance that risks have been correctly evaluated; and
➤➤ giving assurance on the overall risk management processes.

Internal audit roles, given appropriate safeguards


These roles fall within the scope of consulting services which may be provided in
order to improve the organization’s governance, risk and control processes. Safeguards
in these areas are critical to ensure that the role of internal audit as a consultant, and
not as either an auditor or a manager, is fully understood by all involved:
➤➤ assisting in the identification and evaluation of risks;
➤➤ consolidated reporting on risks;
➤➤ assisting in the development of the risk management framework for board
approval;
➤➤ assisting management develop responses to risk issues;
➤➤ assisting in the co-ordination of enterprise risk management activities;
➤➤ acting as a product champion for the establishment of enterprise risk management
within the organization; and
➤➤ assisting in the development of a risk management strategy for board approval.

Inappropriate roles for internal audit


These are all management functions and should not be undertaken by internal audit,
even in a consultative role:
➤➤ accountability for risk management;
➤➤ setting the risk appetite of the organisation;
➤➤ implementing risk management processes;
➤➤ providing management assurance on risks; and
➤➤ making decisions on the appropriate responses to risk.

It must be stressed that overall risk management is a critical component of corporate
governance and falls within management’s overall responsibility. The internal auditor’s
primary role remains to provide assurance to the board and management of the
efficiency and effectiveness of the internal control structures and processes. In its
role as a consultant, internal audit may extend this assurance to providing advice
and assistance to management, but must be careful not to overstep its role to the
extent that its independence and objectivity may be compromised or assumed to be
compromised.

Chapter 7

Control Frameworks

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the major internationally recognized control models
➤ Explain their impact on the definition of control objectives
➤ Explain the use of control models in the internal audit process
➤ Explain the nature of controls
➤ Choose control types to achieve the desired impact on risks
➤ Explain the characteristics of an acceptable control structure
➤ Explain an internal auditor’s role in evaluating control structures
➤ Explain the major sources of threat to good control practices
➤ Explain the role of control self-assessment

Control Processes
A large part of the work of internal audit is involved with assessing and reporting on
control processes. This means an internal auditor must have a sound understanding
of the nature of business processes and control frameworks likely to be encountered
in a variety of organizations and be able to evaluate their effectiveness and, at times,
their efficiency and economy in achieving the objectives of a particular organization
in a variety of circumstances.
More detailed guidance as to an internal auditor’s responsibilities is provided in
IIA Standard 2120 and Practice Advisories 2120.A1-1 to A4-1. Practice Advisory
2120.A1-1: Assessing and Reporting on Control Processes recognizes the varying
responsibilities of management and the internal auditor for control processes in an
organization as follows.

‘1. One of the tasks of a board of directors is to establish and maintain the organiza-
tion’s governance processes and to obtain assurances concerning the effectiveness of
the risk management and control processes. Senior management’s role is to oversee
the establishment, administration, and assessment of that system of risk manage-
ment and control processes. The purpose of that multifaceted system of control pro-
cesses is to support people of the organization in the management of risks and the
achievement of the established and communicated objectives of the enterprise. More
specifically, those control processes are expected to ensure, among other things, that
the following conditions exist:
➤ Financial and operational information is reliable and possesses integrity.
➤ Operations are performed efficiently and achieve effective results.
➤ Assets are safeguarded.
➤ Actions and decisions of the organization are in compliance with laws, regulations,
and contracts.


2. Among the responsibilities of the organization’s managers is the assessment of the
control processes in their respective areas. Internal and external auditors provide
varying degrees of assurance about the state of effectiveness of the risk management
and control processes in select activities and functions of the organization.’

COSO’s Internal Control: An Integrated Framework


In 1992, the American Institute of Certified Public Accountants, the Institute of
Internal Auditors, the American Accounting Association, the Institute of Management
Accountants and the Financial Executives Institute, collectively referred to as the
Committee of Sponsoring Organizations or COSO, issued a jointly prepared study
entitled Internal Control: An Integrated Framework. This document identified the
fundamental objectives of any business or government entity. These included econ-
omy and efficiency of operations, safeguarding of assets, achievement of desired
outcomes, reliability of financial and management reports, and compliance with laws
and regulations.

Internal control was defined by COSO as a broadly defined process, effected by
people, designed to provide reasonable assurance regarding the achievement of the
three objectives of all businesses, namely:
➤ economy and efficiency of operations, including achieving performance goals
and safeguarding assets against loss;
➤ reliable financial and operational data and reports; and
➤ compliance with laws and regulations.

To help management achieve these objectives, COSO defined five components of
internal control. These are discussed below.

A Sound Control Environment


A sound control environment requires the correct level of attention and direction
from senior management. This environment is created by employing managers and
employees who possess integrity, ethical values and competence. It is a function of
management’s philosophy and operating style. To be effective, it requires the proper
assignment of authority and responsibility coupled with the proper organization of
available resources. Staff must be trained and developed to the required standard
to ensure that they can competently exercise control.

A Sound Risk Assessment Process


A sound risk assessment process requires effective methods that allow management
to be aware of the risks and obstacles to the successful achievement of business
objectives and to be able to deal with them. As such, management must establish
a set of objectives that integrate all the organization’s resources so that the orga-
nization operates in unison. The risk assessment itself involves the identification,
analysis and management of the risks and obstacles to the successful achievement
of the three primary business objectives.


Sound Operational Control Activities


Sound operational control activities involve the establishment and execution of
sound policies and procedures. These help to ensure that actions identified by
management as being needed to address risks and obstacles to the achievement of
business objectives are effectively implemented. These would include authorization,
reviews of operating performance, security of assets and segregation of duties.

Sound Information and Communications Systems


Information systems facilitate the running and control of a business by producing
reports containing financial, operational and compliance-related information. They
deal with both internally generated data and external activities, conditions and
events that management should be aware of when making decisions and report-
ing the company’s activities to the outside world. For this to happen, appropriate
information must be identified, captured and communicated in a way that enables
people to carry out their responsibilities.
Effective communication must flow down, up and across the organization. (This
includes a clear message from top management to all personnel that control respon-
sibilities must be taken seriously.) This means that all personnel must understand
their own roles in the internal control system, as well as how their individual activi-
ties relate to the work of others. Personnel also must be able to communicate signifi-
cant information upwards, as well as communicate with external parties.

Effective Monitoring
To ensure the effectiveness of the control process, the entire control system must be
monitored to assess the quality of the system’s performance over time. Deficiencies
must be reported, with serious matters reported directly to top management.
Also, there should be separate, independent evaluations of the internal control
system. The scope and frequency of these independent evaluations depend mainly
on the assessment of risks and obstacles, and the effectiveness of ongoing monitor-
ing procedures.

Internal Controls
People are often confused about what exactly a control is. A control is any action
taken by management to increase the likelihood that an organization’s objectives
and goals will be achieved. It results from management’s planning, organizing and
directing, and the many variants (eg management control, internal control, etc) can
be included in the generic term.
Management controls are intended to ensure that an organization is working
towards its stated objectives.
➤ Corporate objectives and goals are the statement of corporate intent (eg
‘Costs will be reduced by 20 per cent over the next year’).
➤ Management objectives define how the corporate objectives will be met (eg
‘Costs will be reduced by reducing material wastage by 10 per cent and stock
theft by 60 per cent’).

➤ Internal control ensures that programs to achieve management’s objectives
are properly planned and executed (eg ‘All waste must be written in a waste
book and supervisors will check excessive waste weekly’).

Control responsibility is clearly management’s job and encompasses planning, orga-
nizing and directing.
➤ Planning in this case is taken to mean establishing objectives and goals, as well
as choosing the best methods of using resources.
➤ Organizing involves the gathering of the required resources and arranging them
so that the objectives can be achieved.
➤ Directing includes the authorizing, instructing and monitoring of actual perfor-
mance as well as periodically comparing actual to planned performance.

Management decisions may be classified as strategic, tactical or operational.


Internal audit provides assurance that the system of internal control is effective and
functions as intended. The level of control needed will be affected by the overall objectives.
Internal control ensures that programs to achieve management objectives are prop-
erly planned and executed.
Operating objectives direct the day-to-day activities and may, in themselves,
conflict; for example, there may be a conflict between the need for control and the
need for timeliness. The way in which objectives are prioritized directs the development
of controls and will affect the final, overall system of controls that is implemented.
Where the objectives are growth and the provision of service, in a dynamic and
rapidly growing environment, control systems may not keep pace; the risk is higher
and the need for frequent audits increases. Where the objective is cost reduction, in a
stable environment, control systems should be stable and risk is lower, so the
frequency of internal audits can be reduced.

Systems of Internal Control


The combinations of the various elements of control go to make up the systems of
internal control. These are, in turn, influenced by:
➤ the control environment, which establishes the conditions under which internal
controls will operate;
➤ the organizational structure; and
➤ the control framework, including the organizational policies and procedures and
external influences.

Control Environment
The control environment is the overall infrastructure within which the other control
elements will function. Primary elements within this infrastructure are the following.

Organizational Structure
This defines individual managers’ responsibilities, sets limits of authority and allows
the proper segregation of duties. If the organizational structure is problematic, with
excessive powers granted to individuals, or if poor segregation of duties exists, the
effectiveness of the individual controls may be weakened irreparably.

CONTROL FRAMEWORKS

Control Framework
The control framework includes the policies and procedures that describe the scope
of a function, its activities, its interrelationships with other departments, and the
external influences of laws and regulations, customs, union agreements and the com-
petitive environment within which an organization operates. The structures enforcing
controls may be complex or simple. Large organizations tend to have highly struc-
tured control frameworks, while smaller organizations often use personal contact
between employees.

Elements of Internal Control


The overall system of internal control is designed to ensure that:
➤ control is maintained over the integrity and accuracy of the operational and
financial information of the organization;
➤ control is adequate over the accounting for, and maintenance of, assets;
➤ there is adequate enforcement of compliance with the policies, plans and pro-
cedures of the organization, as well as compliance with the relevant laws and
regulations;
➤ functions are performed economically and efficiently; and
➤ there is a high probability of managerial objectives being achieved.

In order to achieve this control, frameworks are established that involve the primary
elements discussed below.

Segregation of Duties
These are the policies and control procedures to ensure that those who physically
handle assets are not the same people who record asset movements, who reconcile
those records, or who authorize transactions. Controls should allow for the proce-
dures performed by one person to effectively provide a check on the procedures
of another in the transaction process. The critical issue in the segregation of duties
is that duties performed by different people should not be incompatible and that
individuals are adequately qualified and trained to perform the relevant control
procedures.

Competence and Integrity of People


Underpinning the control system are the people who enforce it. In order for controls
to be effective, those who exercise control must be capable of doing so and honest
enough to consistently do so.

Appropriate Levels of Authority


A common mistake in control structures is the granting of too much authority within
control boundaries. Authority should only be granted on a need-to-have basis. If
there is no need for a particular individual to have specific authority, it should not
be granted.

Accountability
For all decisions, transactions and actions taken, there must be controls that will
allow management to work out who did what with an acceptable degree of confi-
dence.

Adequate Resources
Controls that are inadequately resourced will generally fail whenever they come
under stress. Adequate resources include manpower, finance, equipment, materials
and methodologies.

Supervision and Review


Adequate supervision of the appropriate type is essential for sound internal control.

Control Self-assessment
Control self-assessment (CSA) uses techniques performed by management to
quantify the impact of business risks and effectiveness of control structures at an
operational level in a way similar to the assessment processes followed by internal
audit. Self-assessment tools can be used to improve business processes and so add
immense value to an organization. CSA goes beyond the bounds of internal audit by
making the organization as a whole responsible for management control and gover-
nance through embracing, planning and operating a CSA process.
Although none of the control frameworks specifically mentions control self-assessment, there is a general feeling in the auditing community that CSA is a significant tool in implementing COSO (in the USA and generally worldwide), CoCo[27] (in Canada), Cadbury (in the UK) or King (in South Africa). These frameworks all include monitoring and risk assessment among the fundamentals of internal control.
One of the main reasons for introducing CSA was the constraint on internal
audit resources due to budget cuts, coupled with the increased demands caused
by the growing awareness of the need for good corporate governance. Under a
CSA model, management accept full responsibility for internal control, although
some implementations of CSA involve collaboration between internal audit and
management so that they take joint responsibility for evaluating the adequacy and
effectiveness of the system of internal control.

Internal auditors may choose to use CSA in several ways:


➤ as a tool to ascertain the state of the existing control process and evaluate
management’s understanding of risks in their business process;
➤ to gather information on the history of transactions processed and the actual
operation of controls as a substitute for extended testing by internal audit; and
➤ as a complete audit assessment in its own right by combining the first two uses.

27. Canadian Institute of Chartered Accountants. 1995. Guidance on Control (CoCo). Toronto: Canadian Institute of Chartered Accountants.

Resources
Budget and staff cuts have caused audit management to realize that changes must
be made. CSA puts the main responsibility for the design, operation and main-
tenance of internal control back on management, ie where the IIA Statement of
Responsibilities has always maintained that it belongs.

Collaboration
As we have seen, CSA can be a collaborative process, with internal audit and man-
agement working together to achieve common goals. This is a reversal of the old-
fashioned philosophy of adversarial auditing.

Empowerment
CSA facilitates empowerment. The process is owned overall by management.
Management accept responsibility for internal control and exercise that responsibil-
ity. Empowerment, more than collaboration, is probably the single most significant
aspect of CSA for management.

Implementing CSA
CSA generates data in erratic quantities, instead of evenly over the course of an
extended audit schedule. CSA practitioners must be prepared to handle large quan-
tities of data over brief periods of time.
There are several methods for implementing CSA. These range from the most
mechanistic type of audit using internal control questionnaires (ICQs) to group
workshops.

Internal Control Questionnaires


The ICQ is a set of questions used by an auditor as a checklist to determine the
existence of expected controls. External auditors documenting their understanding
of internal control generally use ICQs. An internal auditor completes the ICQs dur-
ing the preliminary survey phase of the audit using observation and interviews. The
ICQ helps establish the level of theoretical control activity and affects the level of
substantive testing that is needed.
Under CSA, management can be asked to complete an ICQ as a form of self-audit.
This may be used as a risk assessment tool before actually conducting an audit. If
management is to complete the ICQ independently, they must be supplied with
documentation to explain internal control concepts, the purpose of the instrument
and instructions on how to complete it.

Customized Questionnaires
One improvement on the normal ICQ approach is the use of customized structured questionnaires. One form that this process may take is the internal control sign-off on a folder of questions about various control activities. This usually contains a description of the control activity and a schedule of when the activity must be performed (daily, weekly, etc). These are normally permanent customized questionnaires. They can be verified by upper management and the internal auditor at any time.
Folders such as this are often found in extremely high-risk areas such as nuclear power generation or bank cash handling, or in highly regimented control environments such as military establishments.
The questions must be carefully considered and the answers must reflect the true state of affairs. One weakness in the ICQ approach lies in the customized forms of questionnaire, as well as in the fact that it is usually obvious that the ‘correct’ answer to many questions is ‘yes’.

Control Guides
Control guides are computerized folders containing a description of the expected
set of internal controls for the operations covered. They are still often used by
internal auditors who specialize in financial audits. In the CSA version, these con-
trol folders become internal control workbooks. The workbook is used to facilitate
discussion regarding operations, risks and controls. Internal auditors and manage-
ment discuss the completion of the workbook, and internal audit uses it as part
of its preliminary survey. One application is based on a series of interviews with
senior management.

Interview Techniques
Many internal audit departments interview senior management about issues, plans
and concerns as part of the annual planning cycle. The CSA approach using inter-
view techniques is a more structured tool than the use of ICQs or control guides.
Interviews allow for interaction between the information provider and information
gatherer. Using structured interviews to gather management’s input to the assess-
ment process ensures that the same questions are addressed in each session.

Workshops
A popular method of conducting CSA is to use the work group session model, which was derived from the original research at Gulf Resources (Canada) conducted by Bruce McCuaig, Paul Makosz and Tim Leech at the end of the 1980s. They developed two distinct versions of the workshop model.

Control model workshops


These involve training seminars that focus on developing the knowledge and capabil-
ity of management and staff to handle assessing, managing and reporting on internal
control by using control design models.
These workshops have a central premise that the facilitator must transfer knowl-
edge to the work group in order for the work group to assess the controls and
risks. This approach increases the assessor’s understanding of the assessment risk
and improves the design of internal control systems.

One control framework often used in control model workshops has major cat-
egories that include:
➤ the definition and communication to participants of organizational goals and
objectives;
➤ the definition of commitment controls (derived from the Canadian Institute of
Chartered Accountants 1995 report referred to above), which are soft controls
that involve and unite the people in the organization and could include the cor-
porate vision, mission and purpose statements;
➤ planning and risk assessment processes;
➤ competence, training and continuous learning, involving the acquisition and
maintenance of the skills required to attain the organization’s goals;
➤ direct control activities and mechanisms;
➤ indicator controls, which are performance indicators of control problems; and
➤ monitoring/feedback, which is the process of gathering and using information to
adjust the control system.

Alternatively, the COSO Integrated Framework may be used directly.

Interactive workshops
These are process consultation workshops in which management and staff evaluate
the state of internal controls. In this model, the underlying philosophy is that man-
agement owns the concept of internal control, and management continues to own
the problem throughout the workshop. The facilitator then introduces the informa-
tion during the workshop. Interactive workshops differ from control model workshops
in that they require more facilitation skills, especially during the process consultation
phase. Interactive workshops have the advantage that they take less time, because
they do not emphasize the training element as control model workshops do.
Both workshop approaches use control frameworks to ensure that the relevant
issues are comprehensively covered. Some feel that control model workshops are
a substitute for traditional internal audit, while interactive workshops are normally
seen as another tool of the internal auditing function, ie they are a supplement to
traditional auditing approaches.
Workshops last a day or two, and each is facilitated by members of the internal audit staff. To be successful, participants must feel that they can express themselves freely on any subject, and there must be a strong commitment by all concerned to the objectives of the process.
The workshop consists of analysis by the group of the strengths and weaknesses
of the internal control systems relied on by the department to help it achieve its
objectives.
Because of the high potential for conflict, facilitation skills are critical in these
sessions. It takes a great deal of effort to discuss and capture strengths and improve-
ments in internal control during interactive workshops. Once they have identified a
risk, the team must formulate an action plan.

Other Control Frameworks


Other control frameworks are used in specialized cases such as banking or IT.

Banking
The ‘Framework for Internal Control Systems in Banking Organisations’ was produced by the Basel Committee on Banking Supervision as a response to the Basel Accord (Basel II), which forces banks to renew their focus on risk. Banks are required to measure, monitor, mitigate and disclose risk. Basel II introduced the concept of the ‘three pillars’ for effective control in banking, namely maintenance of a minimum capital, an appropriate supervisory review process, and effective market discipline. From an audit perspective, the supervisory review process is obviously of primary importance. It is intended to focus the bank on its internal risk management capabilities via internal control reviews of residual risk relative to the risk ‘appetite’ of the bank, and review of the bank’s risk strategies and monitoring capabilities. One of the critical aspects of the new accord is a new and separate risk activity termed ‘operational risk’.
To assist in controlling risk, the committee also produced a document named ‘Framework For Internal Control Systems in Banking Organizations’.[28] This document clearly defines the principles for the assessment of internal control systems within banks and defines the types of control breakdowns in this environment into:
➤ ‘Lack of adequate management oversight and accountability, and failure to
develop a strong control culture within the bank.
➤ Inadequate recognition and assessment of the risk of certain banking activities,
whether on- or off-balance sheet.
➤ The absence or failure of key control structures and activities, such as segrega-
tion of duties, approvals, verifications, reconciliations, and reviews of operating
performance.
➤ Inadequate communication of information between levels of management within
the bank, especially in the upward communication of problems.
➤ Inadequate or ineffective audit programs and monitoring activities.’

It also differentiates among performance objectives, information objectives and compliance objectives and splits internal control into:
➤ management oversight and the control culture;
➤ risk recognition and assessment;
➤ control activities and segregation of duties;
➤ information and communication; and
➤ monitoring activities and correcting deficiencies.

IT
Control Objectives for Information and related Technology (COBIT®), produced by
the Information Systems Audit and Control Association (ISACA), is one of the most
widely accepted models of IT governance and control utilized to manage risks and
implement controls within an IT environment in order to achieve business objec-
tives.
COBIT was introduced in order to integrate existing IT standards and best practices into one cohesive structure designed to achieve internationally accepted governance standards. COBIT works from the strategic requirements of the organization, and encompasses the full range of IT activities. It focuses on the achievement of control objectives rather than the implementation of specific controls and, as such, it integrates and aligns IT practices with organizational governance and strategic requirements. It is not the only set of standards in common use, but it integrates with other standards to achieve defined levels of control.

28. http://www.bis.org/publ/bcbs40.pdf

Standards themselves do not achieve best practice, and what may be classed as
best practice for an organization must be appropriate to that organization. Specific
controls require careful selection, interpretation and implementation in order to
achieve an adequacy of control structures. COBIT presents a framework for overall
control based upon a model of IT processes intended to be used as a generic model
upon which specific controls can be overlaid. This creates a unique system of internal
controls specifically tailored to the business needs of the organization.
COBIT is designed to be utilized at different levels of management. Executive man-
agement require evidence that value is being obtained on an ongoing basis from the
significant investment in information technology and must ensure that risk and con-
trol investment is appropriately balanced. Operational management utilize COBIT to
facilitate the gaining of assurance that the management and control of information
technology services is appropriate. IT management use COBIT as an operational
tool to ensure the business strategy is supported in a controlled and appropriately
managed manner in providing IT services. IS auditors can evaluate the adequacy of
controls against COBIT standards, design appropriate tests to determine the effec-
tiveness of controls and provide management with appropriate advice on the system
of internal controls.
Because of its close alignment with COSO and other internationally accepted principles of good corporate governance, it is intrinsically acceptable to multiple layers of management as well as regulators.

CobIT®
Control Objectives for Information and related Technology (CobIT®) was originally created by ISACA in 1996 as a framework for business managers, IT managers and auditors. Since then, the CobIT framework has evolved to become an internationally accepted approach for IT governance, management and assurance.
Following the increased focus on the enterprise governance of IT and the introduction of legislation and codes of practice such as King III in South Africa, which was the first national corporate governance code to specifically mandate IT governance as a critical component, CobIT was extended until, in 2012, CobIT 5 was introduced as a comprehensive framework of globally accepted principles, practices, analytical tools and models to assist an enterprise in the governance and management of information and technology. The fifth edition brought together the concepts contained in CobIT, ValIT and RiskIT into one integrated framework.
CobIT is designed to be utilized at different levels of management.
➤ Executive management can utilize it to ensure value is obtained from its significant investment in information technology and to ensure that risk and control investment is appropriately balanced.
➤ From an operational management perspective, CobIT facilitates the gaining of assurance that the management and control of information technology services, whether insourced or outsourced, is appropriate.
➤ IT management can use it as an operational tool to ensure the business strategy is supported in a controlled and appropriately managed manner in providing IT services.
➤ IT auditors can utilize CobIT to evaluate the adequacy of controls, design appropriate tests to determine the effectiveness of controls and provide management with appropriate advice on the system of internal controls.

CobIT utilizes a framework of principles and enablers in order to create a logical structure of IT activities in a manner which can be easily subject to managerial controls. The integration of ValIT and Risk IT requires the introduction of new Governance of Enterprise IT (GEIT) principles. The framework now divides IT into five CobIT principles and seven CobIT enablers.

The principles cover:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Establishing an holistic approach
5. Separating governance from management.

CobIT enablers are defined as:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies.

Processes now cover Evaluating, Directing and Monitoring; Aligning, Planning and
Organizing; Building, Acquiring and Implementing; Delivery, Service and Support;
Monitoring, Evaluating and Assessing.

Evaluate, Direct and Monitor (EDM)
Overall governance is designed to ensure that the enterprise objectives are met and involves five high-level IT control objectives, namely:
EDM01   Ensure Governance Framework Setting and Maintenance
EDM02   Ensure Benefits Delivery
EDM03   Ensure Risk Optimisation
EDM04   Ensure Resource Optimisation
EDM05   Ensure Stakeholder Transparency.

Align, Plan and Organize (APO)
This domain covers all of the processes undertaken by management in order to ensure that the IT function is properly aligned with corporate objectives and planned and controlled to provide assurance that corporate IT objectives will be achieved. Detailed processes include:
APO01   Manage the IT Management Framework
APO02   Manage Strategy
APO03   Manage Enterprise Architecture
APO04   Manage Innovation
APO05   Manage Portfolio
APO06   Manage Budget and Costs
APO07   Manage Human Relations
APO08   Manage Relationships
APO09   Manage Service Agreements
APO10   Manage Suppliers
APO11   Manage Quality
APO12   Manage Risk
APO13   Manage Security.

Build, Acquire and Implement (BAI)
This domain covers the processes involved in identifying IT requirements and choosing
solutions through to installation and accreditation of solutions and changes. Detailed
processes include:
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Changes Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration.

Deliver, Service and Support (DSS)


This domain includes all of the processes required to deliver the appropriate service
levels, manage information and operations and ensure appropriate performance.
Detailed processes include:
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls.

Monitor, Evaluate and Assess (MEA)


This domain includes the processes required to monitor overall IT performance and
ensure effective IT governance. Detailed processes include:
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements.

Auditors familiar with CobIT 4.1, RiskIT and ValIT are generally familiar with the
process maturity models included in those frameworks. These models are used to
measure the current maturity of an enterprise’s IT-related processes, to define a
required future desired state of maturity, and to determine the gap between them
and how to improve the process to achieve the desired maturity level.
The CobIT 5 product set includes a process capability model, based on the
internationally recognised ISO/IEC 15504 Software Engineering–Process Assessment
standard.
This model is designed to achieve the same overall objectives of process assessment
and process improvement support and allows areas for improvement to be identified.

Further Information
Further information is available from the ISACA (www.isaca.org). Details of direct interest to the IS auditor include the CobIT:
➤ Frameworks
➤ Enabler & Professional Guides
➤ Practical Guides
➤ IT Audit/Assurance Programs.

Other Self-assessment Methods


Another methodology is self-review. Originating in New Zealand, self-review includes
a process in which the management of each enterprise prepare a report on their
review of their processes, including controls. The review may be accomplished
by performance monitoring, corporate planning, process improvement, policy
evaluation, peer review, quality management, ad hoc projects, and management by
walking around (MBWA), as well as by both internal and external audit. Whichever
method is used, the essential requirement is that the review must be documented
and verifiable.

Chapter 8

Audit Evidence

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the major types of audit evidence
➤ Differentiate between audit and legal evidence
➤ Choose the testing techniques needed to obtain the evidence you are looking
for
➤ Document the evidence in a quality working paper

The Nature of Audit Evidence
As internal auditors, we are often required to express our opinion on the adequacy and effectiveness of internal controls. For this, we must gather audit evidence to support our opinion. Evidence is something intended to prove or support a belief. Each individual piece may be flawed by a personal bias or by a potential error of measurement, and each piece may be less competent than desirable, so we must look at the total ‘body of evidence’, which should provide a factual basis for audit opinions.

An internal auditor usually obtains audit evidence by:
➤ observing conditions;
➤ interviewing people; and
➤ examining records.

IIA Practice Advisory 2310-1: Identifying Information provides guidance as to the quality of the evidence that an internal auditor looks for.

‘Information should be sufficient, competent, relevant, and useful to provide a sound basis for engagement observations and recommendations. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Competent information is reliable and the best attainable through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.’

IIA Practice Advisory 2240-1: Engagement Work Program gives the procedures that
an internal auditor uses to gather audit evidence.

‘Engagement procedures, including the testing and sampling techniques employed, should be selected in advance, where practicable, and expanded or altered if circumstances warrant.’

There are various types of evidence.
➤ Physical evidence is generally obtained by observing people, property or
events and may take the form of photographs, maps, etc. Where the evidence
is from observation, it should be supported by documented examples or, if not
possible, by corroborating observation.
➤ Testimonial evidence may take the form of letters, statements in response to
enquiries or interviews and is not conclusive, since these documents are only
someone’s opinion. It should be supported by documentation where possible.
➤ Documentary evidence is the usual form of audit evidence and includes letters,
agreements, contracts, directives, memoranda and other business documents.
The source of the document will affect its reliability and the trust we place in it.
The quality of internal control procedures will also be taken into account.
➤ Analytical evidence is usually derived from computations, comparisons to standards, past operations and similar operations. Regulations and common reasoning will also produce evidence of this kind.

Reliability of Audit Evidence
All audit evidence should be:
➤ Sufficient:
‘... factual, adequate, and convincing so that a prudent, informed person would
reach the same conclusions as the auditor’;
➤ Reliable:
‘... reliable and the best attainable through the use of appropriate engagement
techniques’;
➤ Relevant:
‘... supports engagement observations and recommendations and is consistent
with the objectives for the engagement’; and
➤ Useful:
‘... helps the organization meet its goals’ (IIA Practice Advisory 2310-1:
Identifying Information).

Audit Evidence Procedures
As you can see, an auditor relies heavily on gathering evidence. This is done in various ways and follows the audit program. The audit program is a set of detailed steps that an auditor will follow in order to acquire the appropriate evidence.
Evidence is gathered in order to facilitate the expression of an opinion on the degree of control exercised over the business activity. The audit program indicates the manner in which the examination and evaluation of those controls will be carried out and provides the factual basis for the expression of the opinion, thus providing the link between the audit fieldwork and the audit report.
The audit program is formulated based upon the results of the preliminary sur-
vey where it has been determined what risk, if any, is indicated, the nature of the
controls intended to best manage those risks and what, if any, evidence the auditor
would seek regarding the ongoing effectiveness of those controls. Based upon this
the auditor will determine the appropriate tests required to obtain the evidence.
Like any map, the audit program must meet the requirements of the person utilizing the map. A good audit program will indicate what tests need to be carried out, who will carry out the tests, how they will be carried out, when they will be
done and how long they will take. As a planning tool, the audit program therefore
assists the auditor by providing a measurement tool regarding the scheduling and
budgeting as well as a measurement of the sufficiency of the evidence gathered.
Any audit program should be looked on as provisional and may be modified
based upon the evidence gathered during the audit itself. Many audit departments
use a standardized audit program based on the presumption of risk to be found
within the auditee area. These are very useful in carrying out a standard audit over
a variety of similar auditees such as geographically spread retail operations. Even
within such standardized programs, modification may be required where abnormal
conditions are found. New standardized audit programs should be prepared well in
advance of the audit since programs which are prepared late have a tendency to
omit critical evidence gathering steps.
The auditor must always remember that the evidence focus should be on cor-
porate risk and the gathering of the evidence should be designed to indicate the
degree to which the risk is acceptably mitigated.
The audit supervisor will typically review the audit program prior to implemen-
tation in order to ensure that the evidence it is intended to gather will satisfy the
objectives of the audit. This is a standard procedure and would be carried out as
part of normal project management techniques as indicated within chapter 16.
Overall, the audit supervisor must be satisfied with:
➤ the audit objectives;
➤ the audit scope;
➤ the degree of planning carried out prior to the audit;
➤ the accuracy of the control objectives agreed with the auditee;
➤ the evidence sought;
➤ the selection of the audit procedures for gathering the evidence;
➤ the appropriateness of the procedures for evaluation of the evidence gathered;
➤ the procedures for communicating the results;
➤ the report preparation; and
➤ the follow-up procedures.

The actual program used will vary from audit to audit, depending on what you are
looking for. For example, if you want to check whether all purchase orders were
properly authorized, you might:
➤ interview the staff to find out who is supposed to authorize purchase orders;
➤ inspect the purchase orders themselves to check for signatures; and
➤ compare the signatures to a master copy of the signatures of the list of people
with signing powers.

Procedures that an auditor may use in gathering evidence include:
➤ conducting interviews, where testimonial evidence is particularly important;
➤ comparing evidence to some standard;
➤ recomputation of results, such as adding up money owed, which tends to be
very narrow in scope;
➤ detailed testing, such as vouching, which tests recorded balances by examining
the supporting documentation;
➤ tracing, which follows original documents forward through the processing cycle
into the records;
➤ observation and inspection, where an auditor observes activities or inspects
assets;
➤ scanning, in which a less-detailed examination is carried out to detect unusual
patterns, which may be combined with statistical sampling to obtain evidence;
➤ confirmation, in the form of written confirmation completed by a third party
and returned directly to the auditor (such as a debtors certification); and
➤ analytical reviews comparing performance for this week to last week’s perfor-
mance or budgeted spending to actual spending.
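Where the purchase orders and the register of signing powers are held electronically, the authorization test described above, the recomputation step and a simple analytical review can be run over the whole population rather than a sample. The Python below is an added example and is not from the textbook; the signatory register, signing limits, validity dates and purchase orders are constructed for illustration.

```python
"""Audit program tests over constructed purchase-order data (added example).

Three of the evidence-gathering procedures listed above are mechanised:
  - detailed testing: each order's signatory is vouched to the authorized
    signatory register (master copy), including signing limit and the dates
    between which the signing power was in force;
  - recomputation: each order total is re-added from its lines;
  - analytical review: spend per week is compared with the previous week.
All names, amounts and dates are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Signatory:
    name: str
    limit: float               # maximum order value this person may authorize
    valid_from: date
    valid_to: Optional[date]   # None = signing power still in force


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    ordered_on: date
    signed_by: Optional[str]   # None = no signature on the order
    lines: Tuple[float, ...]   # line amounts as shown on the order
    stated_total: float        # total as recorded on the order


# Constructed master list of signing powers.
SIGNATORIES = [
    Signatory("A. Ndlovu", 50_000.0, date(2014, 1, 1), None),
    Signatory("B. Smith", 10_000.0, date(2014, 1, 1), date(2015, 3, 31)),
]

# Constructed purchase orders covering two weeks, seeded with exceptions.
ORDERS = [
    PurchaseOrder("PO-1001", date(2015, 4, 6), "A. Ndlovu", (1200.0, 800.0), 2000.0),
    PurchaseOrder("PO-1002", date(2015, 4, 7), "B. Smith", (4000.0,), 4000.0),      # power expired
    PurchaseOrder("PO-1003", date(2015, 4, 8), None, (150.0,), 150.0),              # unsigned
    PurchaseOrder("PO-1004", date(2015, 4, 9), "A. Ndlovu", (30_000.0, 25_000.0), 55_000.0),  # over limit
    PurchaseOrder("PO-1005", date(2015, 4, 13), "A. Ndlovu", (700.0, 300.0), 1100.0),  # total misadded
    PurchaseOrder("PO-1006", date(2015, 4, 14), "C. Unknown", (500.0,), 500.0),     # not on register
]


def authorization_exceptions(orders, signatories):
    """Detailed test: (po_number, reason) for every order whose authorization
    cannot be vouched to the signatory register."""
    register = {s.name: s for s in signatories}
    exceptions = []
    for po in orders:
        total = sum(po.lines)
        if po.signed_by is None:
            exceptions.append((po.po_number, "unsigned"))
            continue
        s = register.get(po.signed_by)
        if s is None:
            exceptions.append((po.po_number, "signatory not on register"))
        elif not (s.valid_from <= po.ordered_on
                  and (s.valid_to is None or po.ordered_on <= s.valid_to)):
            exceptions.append((po.po_number, "signing power not in force on order date"))
        elif total > s.limit:
            exceptions.append((po.po_number, "order exceeds signatory limit"))
    return exceptions


def recomputation_exceptions(orders, tolerance=0.005):
    """Recomputation: re-add each order's lines; report totals that disagree."""
    return [(po.po_number, round(sum(po.lines), 2), po.stated_total)
            for po in orders if abs(sum(po.lines) - po.stated_total) > tolerance]


def weekly_spend(orders):
    """Analytical review helper: total spend per ISO week, keyed (year, week)."""
    totals = defaultdict(float)
    for po in orders:
        year, week, _ = po.ordered_on.isocalendar()
        totals[(year, week)] += sum(po.lines)
    return dict(totals)


def week_on_week_change(orders):
    """Analytical review: percentage change of each week's spend against the
    previous week. Large swings are candidates for further enquiry, not
    findings in themselves."""
    spend = weekly_spend(orders)
    weeks = sorted(spend)
    return {wk: (spend[wk] - spend[prev]) / spend[prev] * 100
            for prev, wk in zip(weeks, weeks[1:]) if spend[prev]}


if __name__ == "__main__":
    for item in authorization_exceptions(ORDERS, SIGNATORIES):
        print("authorization:", *item)
    for item in recomputation_exceptions(ORDERS):
        print("recomputation:", *item)
    for wk, pct in week_on_week_change(ORDERS).items():
        print("week %s: %+.1f%% against previous week" % (wk, pct))
```

Note that the register carries validity dates: a signature that matches the master copy is still an exception if the signing power had lapsed, or had not yet been granted, on the order date, and the test compares the order value against the signatory's limit rather than only the presence of a name.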

Once the audit program is settled, the auditor selects and examines the evidence
using the following processes.

Observation
Observation involves both seeing and noticing. It is visual examination with a purpose
and includes mental (or cognitive) comparison with standards and established criteria.
It is an evaluative viewing and is generally preliminary to other evaluation techniques.
Observations should be confirmed through investigation and analysis: what is seen on
one occasion, like the answer given to one question, may not tell the whole story.
An auditor may observe an operation such as placing a purchase order to check
whether the correct procedures are followed.

Questioning
This is perhaps the most common information-gathering technique. Questioning
may be oral or written and will continue throughout the assessment process.
It is not an easy technique to use effectively, particularly for a manager, since
answers often simply contain what the answerer believes the auditor wants to hear.
Questions should be open-ended and not directive (ie they should take the form
of ‘Tell me how orders are placed’ rather than ‘Do you sign all orders yourself?’),
and answers should, where possible, be confirmed independently.

Analyzing
Analyzing involves examining a complex thing or process in detail by dividing it into sim-
pler parts with the aim of discovering qualities, significance, etc. It may involve determin-
ing interrelationships, causes and effects; observing trends; and making comparisons.
For example, you could analyze absenteeism in August 2004 by measuring it
against TV coverage of the Athens Olympics to see whether there is any correlation.

Verifying
Verifying is the process of confirming truth, accuracy or validity of assertions. It is a
deliberate effort to establish truth by comparing something to known facts or standards.
A reported wrongdoing may be verified by examining supporting documentation.

Investigating
This technique involves an enquiry to uncover hidden facts: a systematic tracking down
of what actually happened. Audits imply objectivity, but investigations generally look
for evidence of wrongdoing. In such circumstances, be careful not to go out of your depth
and be mindful of the legalities. Suspected fraud would typically result in an investigation.

Evaluating
Evaluation is a major management task involving the estimation of worth in order
to arrive at a judgment. Management must draw conclusions based on the facts
that have been accumulated and require auditors to exercise their professional
judgment to help them in this process.
An evaluative measurement usually involves comparing something to a standard,
such as the time taken for a task or rejection rates in manufacturing. If there are no
published and accepted standards, an auditor will have to develop them based on
the operation objective and the evaluator’s experience. If necessary, these standards
may be verified with a qualified expert or with executive management before any
evaluation is carried out.

Documenting the Evidence


As proof of the planning, gathering and analysis of audit evidence, it must be
summarized, together with its interpretation, in working papers.
Working papers are intended to support the information contained in the audit
reports and should contain explanations of how risks were evaluated, any cost/benefit
considerations the auditors have taken into account, the correlation of evidence
gathered with audit objectives and the correlation of evidence gathered with the
audit report.
Working papers should be able to stand alone and should be understandable,
which means they must present the evidence in a logical way. As highly confidential
documents, they should be properly protected and should not leave the control
of the internal auditor. They will usually be retained for future reference (this may
be required by law). A full description of the use and contents of working papers
is detailed in Appendix B.

Gathering Computerized Evidence


Computers are essential for the gathering of information, its storage, manipulation
and retrieval in virtually every business sector. With the undoubted advantages this
brings comes the associated danger of computer abuse resulting in the need for
evidence to be extracted from computer systems in a forensically acceptable manner.
Information stored on a computer can normally be viewed or analyzed with
permission of the owner but, on occasion, permission of the court may be required.
Acquiring evidence from a computer system may not be as simple as requesting
a printout. In the event that such information will be required as part of a fraud
investigation, care must be taken as covered in Chapter 35 on Forensic Evidence.
Even where fraud is not suspected, evidence handling is nevertheless critical in any
audit involving computer evidence. Digital evidence may be defined as all evidence in
digital form and consists of the data content itself as well as the metadata (ie data
about the data, such as file names, date of creation, owner of the document, etc).
Metadata is only as reliable as the way the file was acquired: merely opening or copying
a file carelessly can change its access or modification dates, so the original should be
preserved and the copy, its source and who handled it should be recorded.
Digital evidence gathering and analysis is becoming an important source of audit
evidence regarding operational issues as well as control implications. In today’s
business environment, organizations depend to a lesser extent on hard-copy documents,
so the traditional audit trail has in many circumstances become an electronic audit
trail. In addition, even where hard copy exists, the information which
the auditor can derive may be limited to the contents of the document itself, while
digital files may contain information which was not fully produced on the printout.
To make best use of the availability of such evidence, the auditor needs the
appropriate data interrogation software as well as the appropriate skills and
knowledge to implement such software. This is covered more extensively in
Chapter 29 dealing with The Use of CAATs in Auditing Computerized Systems.
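As an added illustration of the simplest form of forensically acceptable handling, the Python below (an example written for this page, not from the textbook or from any CAAT product) records the metadata the text mentions together with a SHA-256 hash of each file at the moment it is taken, and later re-checks the copies against that manifest. The file names and contents are constructed in a temporary directory; a real acquisition would also record the source system, the tool used and the person taking the copy.

```python
"""Evidence manifest for digital evidence (added example, not from the textbook).

At acquisition time every file is described by its metadata (path, size,
modification time, owner where the platform exposes it) and a SHA-256 hash
of its content. Re-hashing later shows whether any copy has been altered,
which is the minimum needed before the content or its metadata can be
relied on. Paths and contents are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe(path):
    """Metadata plus content hash for one file. Owner uid is recorded on
    POSIX systems; elsewhere os.stat reports it as 0 or omits it."""
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "owner_uid": getattr(st, "st_uid", None),
        "sha256": sha256_of(path),
    }


def build_manifest(paths, acquired_by):
    """Manifest for a set of files: who took them, when, and each item's description."""
    return {
        "acquired_by": acquired_by,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": [describe(p) for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item; return the paths that are missing or whose content
    no longer matches. An empty list means the evidence copies are intact."""
    bad = []
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p) or sha256_of(p) != item["sha256"]:
            bad.append(p)
    return bad


def demo():
    """Constructed demonstration: acquire two files, alter one, re-verify.
    Returns (number of items, problems before tampering, problems after)."""
    with tempfile.TemporaryDirectory() as d:
        ledger = os.path.join(d, "ledger_export.csv")
        email = os.path.join(d, "approval_email.txt")
        with open(ledger, "w") as f:
            f.write("po,amount\nPO-1001,2000\n")          # constructed content
        with open(email, "w") as f:
            f.write("Approved - A. Ndlovu\n")             # constructed content
        manifest = build_manifest([ledger, email], acquired_by="internal audit")
        before = verify_manifest(manifest)
        with open(ledger, "a") as f:
            f.write("PO-9999,1\n")                        # simulated alteration
        after = verify_manifest(manifest)
        return len(manifest["items"]), before, [os.path.basename(p) for p in after]


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be kept separately from the copies (and ideally signed or stored where the auditor alone can write to it); a hash stored beside the file it protects gives no assurance against someone who can change both.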



SECTION 2

The Environment of Business

CHAPTER 9

Communication

Learning objectives
After studying this chapter, you should be able to:
➤ Explain briefly why an internal auditor needs good communication skills
➤ Define the major components of any act of communication
➤ Explain the types and structures of communications at work
➤ Explain the barriers to effective communication and adopt overcoming strategies
➤ Explain the role of the listener and how to overcome bad listening habits
➤ Explain the importance and types of written communication used by an
internal auditor
➤ Outline briefly the steps in preparing and presenting an audit presentation

The Elements of Communication


The importance of communication skills for internal auditors, whether employed in
an organization or in professional practice providing outsourced internal auditing or
management assurance services, cannot be stressed too strongly, as is indicated in
the following extract from IIA Practice Advisory 1210-1: Proficiency.

‘Internal auditors should be skilled in dealing with people and in communicating effec-
tively. Internal auditors should understand human relations and maintain satisfactory
relationships with engagement clients ….
Internal auditors should be skilled in oral and written communications so that they
can clearly and effectively convey such matters as engagement objectives, evaluations,
conclusions, and recommendations.’

Communication is the process of imparting or exchanging information and consists
of several discrete components.

These components are discussed below.

Sender
The sender is responsible for the success or failure of an act of communication. He/
she chooses the message to be sent and the system and language to be used. The
sender’s message often may not be beneficial to the receiver, eg in order to carry
out an auditor’s duty, you may have to give bad news to management. In some
circumstances, the sender of a message may be the ultimate receiver, eg when an
auditor prepares working papers.
An important aspect of audit communications is how the receiver perceives the
status of the sender, which may affect the acceptability of the message. When deal-
ing with managers who are superior in the chain of command, you may encounter
resistance, because the manager perceives the situation as one in which a junior
member of staff is issuing instructions to a senior member. In dealing with junior
staff, you may find that they simply tell you whatever they think you want to hear.

Message
The message itself may be either a statement or a question. In either case, it must
make sense to both parties. Messages may be welcome or unwelcome, expected or
unexpected, or interesting or boring. Even silence may give a message (‘I know more
than I’m prepared to say’).

Emotions and Messages


Few messages are without an emotional content or effect. In bargaining, giving or
receiving of orders, criticizing or praising, human nature can raise emotional blocks to
negative communication, resulting in the message being rejected. Misunderstanding
of the reasons why the message was delivered often results, or the message may be
misheard. Indeed, the receiver may even take an instant dislike to the messenger.

System
A communication system includes the finding, transmitting, storing and retrieving of
information. The human communication system includes:
➤ touch – from handshakes to pats on the back;
➤ vision – including gestures, nods, smiles, frowns, body language, pictures and
graphics;
➤ sound – including speech, tone, volume and music;
➤ smell – which may be offensive, seductive, etc; and
➤ taste – including sour, sweet, etc.

The technology systems for communicating messages have ranged from papyrus to
EDI, and from smoke signals and drums to multimedia and satellites.

Formal and Informal Communications


Formal communications include the use of letters, formal reports and ‘normal chan-
nels’. Informal communications include rumor, gossip and hearsay. The office grape-
vine and a person’s reputation both reflect the power of informal communications.

Language
Language includes the symbols and sounds used to convey a message. Music,
sign language and pictograms have been used for centuries to convey messages.
Corporate logos may be the modern equivalent of the cavepeople’s pictograms. It is
believed that thought is primarily non-verbal and, as such, messages may be more
easily accepted if they are non-verbal. This means that using symbols, pictures,
graphs and charts in audit reports may increase their acceptability.
Verbal language is still the most important form of communication and its effec-
tive use involves knowledge of words, their meaning and spelling, and the ways they
combine according to the rules of grammar and syntax. In addition to reading and
writing, speaking and listening are key tasks of an auditor. In South Africa, in com-
mon with many other countries, the ability to speak several languages is a distinct
advantage. Language problems cause a great deal of miscommunication.

Receiver
The receiver is a badly neglected role that involves rebuilding the message, under-
standing it and accepting it. This requires time, patience and intelligence. Receivers
may have their own objectives, which can result in a type of selective hearing. The
message may be affected by his/her expectations, resulting in the receiver seeing
only items that interest him/her. The interpretations of messages may vary depend-
ing on the receiver’s perceptions. A manager telling his/her staff of a decision he/she
has arrived at and asking for feedback may be perceived by one listener as making
a statement reflecting his/her willingness to listen to advice. Another listener may
hear the same statement and understand it as reflecting an unbending manager
dictating to his/her staff.

Context
The context of the message includes the physical context, including distractions and
interference. The psychological context includes the relationship between receiver
and sender, and could include acceptance of a message, aggression aroused by an
unacceptable message or simply wariness inspired by an ambiguous message.

Steps in the Process


Steps in the communication process include gaining and holding the receiver’s atten-
tion. While the message is being delivered, it is the responsibility of the sender to
ensure that the receiver is assimilating, comprehending and accepting it. If you can
do this, you will probably get what you want.

Communication at Work
Both formal and informal communications take place at work. People talk to each
other informally more or less continuously. An auditor must be aware of this and
make it work in his/her favor. Formal business structures normally follow a tree
structure. In this structure, a manager may have various spans of control. In a narrow
span, there will be many managers and few subordinates, and therefore very formal
communications will be required. In a wider span, there are usually few managers,
many subordinates and more informal communications. Spans of control vary by
industry, company and even department. When communicating formally, you should
understand the role of different types of authority.

Formal Authorities
➤ Hierarchical authority is a nominal status that is passed down through the chain
of command. It is the authority a manager possesses by right of his/her posi-
tion and status.
➤ Accepted authority is granted by subordinates based on their perception of the
status of the manager. Where superiors have granted a manager hierarchical
authority and subordinates are unwilling to accept the authority level,
communication problems will exist and can have a very bad effect on unit
performance.
➤ The authority of knowledge is granted to someone based on the perception
that he/she possesses expert knowledge. In many cases, as an auditor, your
authority to make recommendations and have them accepted is based on the
perception that you are an expert in your field and are therefore able to give
correct advice.
➤ Situational authority is the authority granted to the person who assumes it in a
particular situation. So, as an auditor, in a situation where controls are lacking,
you must be aware that giving information may be taken as issuing instructions or
orders, which may be put into effect without the appropriate managerial author-
ity.

In all cases, effective communication requires the recognition of the respective
authorities of the sender and receiver.

Types of Communication at Work


➤ Within a formal authority structure, vertical communication normally involves
passing information downward. In this way, management will give instructions,
provide information and explain tasks to their subordinates. Such communica-
tion may be oral or written and is essentially authoritative. In such a structure,
upward communication, in which a subordinate gives a superior early warning
of potential problems, may make the subordinate apprehensive. When this happens,
an auditor may be the bridging communicator, overcoming the apprehension
and bringing the essential information to the attention of the work superior.
➤ It is normally found that horizontal communications, ie communications among
people on the same hierarchical level, can encourage good teamwork. Team
members and management groups have found that such communications
break down rivalries and jealousies, and create unity of purpose. This type of
communication may be internal to a department or involve external resources,
and is frequently used in problem solving, since it avoids time being wasted
by communicating through a third party.
➤ Probably the most common form of communication you will take part in as
an auditor is diagonal communications. This involves communication between
employees who are not on the same hierarchical level. Here, you must use your
authority of knowledge when dealing with hierarchical superiors, while recogniz-
ing that superiors may themselves have knowledge. This is a potentially explo-
sive communications structure requiring tact and diplomacy. You may similarly
become involved in diagonal communications with employees who are on a
hierarchically lower level. Here, you should be aware of the danger that these
employees may provide you only with information they think you want to hear.
➤ The most effective form of communication at work is usually networking,
ie communicating, generally informally, across all levels in order to gain
or distribute knowledge. Unfortunately, this is not commonly encouraged
in business, since management often sees it as a threat to its hierarchical
authority or its authority of knowledge.
➤ Within a business, external communications include communication with cus-
tomers, suppliers, competition or external agencies. Here we often find com-
munications aimed at projecting an image or fostering a belief.

Barriers to Communications
Although communication is required at all levels in business and in our personal
lives, there are many barriers that stand in the way of effectively getting a message
across.
➤ Noise is any interference or disturbance that confuses the message or competes
against communication. This could include physical noise distracting either the
sender or receiver. Competing demands for attention based on personal or work
priorities may also interfere with the reception and acceptance of messages. If an
employee has work or personal problems on his/her mind, his/her concentration
may slip and the content of a message may be distorted. Feelings of insecurity
and unwillingness to accept the message, together with emotion caused by the
content of the message, can further disrupt the communication process and dis-
tort the meaning of a message. If the sender of a message lacks credibility, the
interference this causes can also be classified as noise.
➤ It is understandable that employees coming from different backgrounds all with
different experiences in the workplace may have differing perceptions of the
meaning of messages. A word of encouragement may be interpreted as giving
positive feedback to encourage future good behavior, or as fawning and curry-
ing favor. Positive criticism given to encourage an employee’s or manager’s per-
formance may be seen simply as criticism, which few people like. An auditor’s
opinion may be seen either as pointing out an unacceptable business practice
or as a direct criticism of management. Given that this is a factor of individual
sensitivities and that circumstances alter cases, there is no invariable rule to
help you in this area. You should also be aware that what may be acceptable
in a face-to-face meeting may be unacceptable in formal communication. An
employee may accept direct criticism if it is given unofficially and informally,
but if this criticism is repeated in a formal report, the employee may well
strongly resist or repudiate the opinion. Internally this may be a discussion, but
externally this may be viewed as criticism.
➤ Language problems are often a barrier to communication. The use of jargon in
specialized fields such as computers, financial accountancy, engineering or even
auditing can cause complications in that the speaker may be under the impres-
sion that he/she has expressed him-/herself clearly. In reality, common English
words may be used for subtly different meanings within specialist disciplines.
Expressions such as ‘unacceptable’ or ‘system of internal control’ may have
different meanings outside of the specialized discipline and may confuse the
message. Sometimes, the use of jargon can make a message totally incompre-
hensible to an uninitiated listener.
➤ Distrust and suspicion can cause major problems for auditor-to-auditee com-
munication. If the audit function has a track record of broken promises or loss
of confidentiality leading to a general lack of credibility, co-operation will be
limited and communication will inevitably break down.

➤ As previously stated, differences in status can cause problems. The receiver will
inevitably assess the status of the sender, and the importance and credibility
of the message may be increased or reduced by the perceived status. Should
you, as an auditor, find that it is difficult to communicate a message to a senior
auditee, it is probably better to get one of your superiors in the auditing team
to pass on the message, so that two equals are talking to each other, not a
superior and a subordinate. Where an auditor has a low self-image, resentment
may occur and recommendations may be seen as orders from someone with no
positional authority. Because of this, communications can break down for a long
time.
➤ Many people see change as a threat. Resistance to change and apathy are much
easier than confronting the need to change, and negative reactions such as avoid-
ing the issue, rejecting the message or even undermining the credibility of the
person recommending change may result. This can become a self-fulfilling
prophecy, as the resistance to change is translated into efforts to ensure that the
recommendations fail. Where audit can demonstrate a successful track record as
a facilitator of change, and where such change can be shown to have been good
for all concerned, resistance can disappear. Apathy, or a general lack of enthusi-
asm, can significantly distort messages, as can overenthusiasm.
➤ One of the most difficult obstacles for communication to overcome is emotion
on the part of either the receiver or the sender. Such emotion can be construc-
tive, but is more generally destructive. You can control the emotional content of
an act of communication by controlling the setting for the communications and
its tone, by making sure everyone is physically comfortable during presentations
and generally by avoiding minor irritations. Where the auditee is expecting posi-
tive feedback and receives negative feedback, this shock can generate negative
emotions. If auditees think that their methods or systems are being attacked, this
can trigger a defense mechanism involving a counter-attack on the credibility and
veracity of the audit communication and the auditors themselves.

Overcoming the Barriers


Although these barriers may seem daunting, they can be overcome. Generally, as an
auditor, you should try to be supportive where possible. In any act of communica-
tion, you should use clear, direct and unambiguous language. In all communication,
there is a temptation to presume that people understand what you are saying. You
should always test communication, and this may involve you in a great deal of face-
to-face communication, even when you are going through a written report. You can
normally improve communication by repeating and reinforcing your message.

Written Communications
While the end product of internal auditing is to help management improve their busi-
ness, the major immediate output is normally an audit report. Audit results are usually
reported in both interim and final reports. Interim reports may be verbal or written,
and draw management’s attention to items requiring urgent action or provide timely
feedback during an extended audit. A final written report will normally come at the
end of the audit process. Such reports should be objective, clear, concise, complete,
constructive and timely. Written reports are covered fully in Chapter 20.

Verbal and Non-verbal Communications


As an auditor, you will be involved in many different types of communications in
many different circumstances. Ranging from normal conversations through conduct-
ing of meetings and the presentation of audit findings, you must, in all cases, know
your audience. You will often find that in many situations there is too much informa-
tion at first, and organizing the information will make life a lot easier and facilitate
its transfer. Having chosen the communication medium, you may be required to give
a presentation. In this case, it is often a good idea to rehearse both the content and
the timing of the presentation. You should also remember that perhaps the most
difficult part of presenting an audit report is handling the questions afterwards.
Making a presentation involves a preliminary assessment of who the audience
will be. The numbers in the audience, their organizational status, their knowledge
background, their attitude to audit and their personal agendas will all be factors to
consider. Knowing who the key figures are and what their hot topics could be may be
crucial for effective communication. Obtaining this information may involve research
with other auditors and examining a few previous audit working papers in order to
decide on the most effective method of selling your recommendations.
Your information must be logically structured to get across the points you are
trying to communicate. You should select and reject, revise and restructure for
acceptability and clarity, in order to communicate effectively the objectives, scope,
findings, evidence and conclusions of your presentation to the audience.
Once you have organized and structured the information into an appropriate
form, you can then select the communication media. Auditors traditionally use face-
to-face speech, telephones and group meetings, but recently Internet communica-
tion, videoconferencing or even mass meetings have been required.
Visual aids can be very helpful, since they can attract and hold the attention of an
audience and help understanding by presenting the evidence in a visual form. Where
the message is well understood, visual aids will reinforce it. Thirty-five millimeter
slides can help you deliver a polished performance. However, they are expensive
to produce, and if the projector fails, you are left floundering. This is true of many
common mechanical aids: if they don’t work, you’re in trouble. For this reason, some
auditors prefer simpler devices such as either prepared or blank flipcharts. Even the
bulbs of the old standby overhead projector may fail at the wrong time. So, gener-
ally, keep aids simple and familiar. If you are planning to use unfamiliar equipment,
it would be sensible to get into the presentation venue early and familiarize yourself
with its layout and functioning. There are few things more embarrassing when mak-
ing a presentation to senior management than having to ask where the ‘on’ switch is
located. So practice using equipment beforehand until you can do it properly.
If you expect serious resistance to your ideas, a rehearsal with other auditors is
a good idea. This helps you to check that your message is getting across, as well
as the timing of the presentation and the handling of awkward questions. Although
preparation is important, do not over-rehearse. This can lead to your having a fixed
idea of how the presentation should progress, and then you may be completely
thrown by unexpected questions, etc.
When it comes to the presentation itself, it is vital to try to control your nerves.
You will feel more relaxed if you are comfortable with your starting phrases, the
content of the presentation and the closing phrase. When you are unsure of exactly
how you will start, you are more likely to freeze, stammer and lose continuity.

Remember that much of communication is visual rather than simply verbal, and
that using body language and eye contact combined with appropriate use of your
voice can make the difference between a memorable presentation and an instantly
forgettable one.
The handling of questions is partly a matter of technique and partly one of per-
sonal preference. When you are faced with an awkward question, one possible solu-
tion is to pass it on to another member at the meeting or in the audience: ‘That’s
a good question; maybe John can help us answer it’ can work extremely well. It
may be possible to get questioners to answer their own questions by asking for fur-
ther information to clarify the question and leading the questioners to the correct
answers. If questions are interrupting the smooth flow of the meeting or presenta-
tion, say you will answer them later – but remember to do so. If you don’t know
the answer, the safest bet may be to admit you don’t know and promise to find out.
An unacceptable technique is to use the old politicians’ trick of answering a differ-
ent question altogether – one that you do know the answer to – and ignoring the
request for information.

Non-verbal communication often involves the deliberate use of kinesics, including
the gestures and expressions you use, body posture and eye contact. Proxemics
(the study or awareness of socially conditioned spatial factors in ordinary human
relations) may help you get the point across effectively in important meetings. It is
generally acknowledged that there are three types of space involved in conducting
business.
➤ Body space is normally taken to be approximately within arm’s reach of some-
one. This is their personal space, and you should not enter it unless you have a
particular effect in mind, as it will generally cause stress of some kind in some-
one with whom you are not intimate.
➤ The area from one to two meters away from someone is their home space and
it is at about that distance that personal business normally takes place.
➤ Distances more than two or three meters away are taken to be neutral space
and this is the distance at which business meetings normally take place.

Another aspect of non-verbal communication is the field of paralinguistics. This
includes the non-verbal noises we make as we talk. The ‘ums’ and the ‘ers’, the tone
of our voice, the groans and laughs are all examples of paralinguistics.
In general, communications can be friendly, polite, informative, instructive and
persuasive. They can also be aggressive, condescending, dull and boring. Human
communication is perhaps your most difficult job as an internal auditor.

Chapter 10
Strategic Management

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the steps involved in a comprehensive strategic management
model and understand the relevance of such a model to an internal auditor
➤ Explain the impact of organizational culture on strategic management
➤ Explain the impact of the forces acting on an organization in a competitive
environment
➤ Define the strategic management phases and relate these to conventional
management activity
➤ Structure an audit plan of management’s strategic processes

The Nature of Strategic Management


Internal auditors, whether employed in an organization or in professional practice
and providing outsourced internal auditing or management assurance services, need
to understand strategic management principles. This is recognized in the guidance
contained in IIA Practice Advisory 1210-1: Proficiency as follows:

‘An understanding of management principles is required to recognize and evaluate the
materiality and significance of deviations from good business practices. An understand-
ing means the ability to apply broad knowledge to situations likely to be encountered,
to recognize significant deviations, and to be able to carry out the research necessary to
arrive at reasonable solutions.’

The strategic management process attempts to organize quantitative and qualitative
information under conditions of uncertainty. It involves integrating both intuition and
analysis. Intuition is based on past experiences, feelings and judgment and is useful
for decision making in conditions of great uncertainty or where there is little prece-
dent. Management exercises intuition and judgment daily at all levels of its activities,
and this influences its interpretation of analyses and affects the strategic decisions it
takes. Thus analytical thinking and intuitive thinking complement each other.
A key part of a modern organization’s strategic management process is adapta-
tion to change. Organizations must monitor events continuously in order to adapt
to them in time.
Over the last 20 years, the magnitude and rate of change in information technology,
greater access to the global marketplace, increased regulation in all spheres affecting
business nationally and globally, and the move to adopt international standards in
accounting and auditing have increased pressures on management exponentially.
Factors such as globalization, e-commerce, Internet technology and the rapid
changes in global market demographics make adaptability to change a key factor
affecting corporate survival.
External opportunities and threats (economic, social and cultural) may signifi-
cantly benefit or harm organizations in the future. A basic principle when formulating
strategy is to take advantage of external opportunities while avoiding or reducing the
impact of external threats.
Strategies are the means by which long-term objectives are achieved and may
include geographic expansion or diversification, product development, acquisition of
other organizations, divestitures, retrenchments or, ultimately, liquidation.
Implemented appropriately, strategic management can help an organization
identify opportunities to vastly improve its performance. Even at a minimum level, it
facilitates an objective view of management problems, which in turn allows improved
co-ordination and control. By focusing on the minimization of adverse conditions
and concentrating on decisions to better support the organization’s objectives, man-
agement can more effectively allocate time and resources. The clear communication
of strategic objectives to staff greatly improves internal communications in an orga-
nization. This in turn allows staff to work together towards a common goal. It clarifies
the responsibilities of individual employees and encourages thinking towards future
goals, adaptability and change.
In many cases, however, little if any strategic management takes place within an
organization. Organizations may have outdated reward structures, which punish
innovation and reward stagnation. Too much effort may be expended in fire-fighting
just to maintain the status quo, let alone move forward. Where the organization has
a track record of conducting planning sessions without actually implementing the
plans, planning may eventually be seen as too expensive and a waste of time. In
extreme cases, planning may not take place simply because of management laziness
or because of a feeling of complacency that has developed because a company has
been very successful in the past. Fear of failure can be as dangerous as overconfi-
dence and a bad prior experience of strategic planning can be as detrimental to the
process as self-interest.
Strategic management differs from conventional management in that it works
according to a longer planning horizon. In the past, this has meant that strategic
formulation has been considered a senior management task. Today, however, stra-
tegic management is seen as the primary job of all employees and stakeholders. By
looking to the future, stakeholders have a better understanding of and commitment
to the overall objectives and goals of an organization. Today’s management theorists
stress the role of teamwork, participation and joint problem solving as a means of
achieving business objectives.
Strategic management involves the development of an overall mission for the
organization that defines its future position and role. From this, an overall strategy
can be formulated as a basis for fulfilling the mission.
Strategic planning involves the identification of specific and quantifiable objec-
tives and plans. This involves determining the strength of each business unit with
respect to its own market, the positioning of businesses within their markets, and
the creation of a unique strategy for each business.
Businesses need to be segmented in the markets they address. In real terms,
this means businesses must be very clear about who their actual and potential
customers are. While a strategy may be defined in broad terms such as ‘overall
transportation’, in marketing terminology a target market could be passenger
transportation.
Most large firms operate in multiple environments. As such, they may not be able
to address their strategic directions as single entities. This has led to the concept of
the SBU (strategic business unit). By seeing the organization as a collection of inde-
pendent SBUs, organizations can plan separately for each SBU up to strategic level.
An SBU may then be defined as a part of a business for which separate strategic
planning is possible.
Strategic management is an attempt to forecast the outcomes of events, and the
degree to which they can be influenced by current management actions. Each action
takes effort and managers usually seek synergy. Synergy occurs when the impact of
interventions has a greater effect than the sum of their individual effects.

Business Ethics and Strategic Management


Business ethics may be defined as the principles of conduct within organizations that
guide decision making and behavior. They provide a basis for policies and should
guide daily behavior and decisions in the workplace.
As was discussed in Chapter 4, there are many classes of ethics. It is generally
accepted, however, that certain actions by business can be classified as unethical.
Unethical behavior is normally taken to be behavior that harms a business’s custom-
ers or staff. Misleading advertising, guarantees that are not honored, misleading
labeling or poor product or safety standards would all be classified as unethical
behavior. Corporate behavior with a negative impact on the environment or the sell-
ing of defective products or services would also be seen as unacceptable corporate
behavior. Poor personal ethics within business could include such negative behavior
as falsification of expense claims, individual cheating of customers or even simply
taking sick leave for no reason.

Implementing Strategic Management


In today’s global market, strategic management is no longer optional and has now
become an imperative for survival. Integrating the various aspects of the manage-
ment of an organization can help it succeed by optimizing the co-ordination of the
efforts of everyone in the organization.

An effective strategic management process involves:
➤ strategy formulation;
➤ strategy implementation; and
➤ strategy evaluation.

Strategy Formulation
The strategy formulation phase involves clarifying the overall vision and mission of
the company. The mission is a statement of the ultimate purpose and direction of
the firm. It helps in the identification of its SBUs, and forms a basis for the allocation
of resources.
A mission statement should express the objectives of the firm based on its under-
lying values. These values should underpin an organization’s mission statement and
quantify the system of beliefs and ethics on which the business is based. The mission
statement should also state the primary markets within which the organization will
transact business.
Although it would appear obvious, this can be one of the most difficult phases to
accomplish and communicate effectively to all staff.
A common approach in this area is to conduct a SWOT analysis. This normally
involves staff at all levels coming together in a brainstorming session to identify the
strengths and weaknesses of the organization, together with the opportunities and
threats it faces. Strengths and weaknesses are usually identified by evaluating the
firm's capabilities and resources.
Once these are agreed upon, various strategies can be designed that capitalize
on the strengths, remedy the weaknesses, take advantage of the opportunities
and defend against the threats in order to achieve the long-term objectives of the
organization. What the organization needs to do well or to have in great abundance
is known as core competencies. Core competencies build on the organization’s
strengths and are its primary source of competitive advantage.
Opportunities and threats can be identified by assessing the competitive fac-
tors in the industry within which the organization operates. The factors that can
be controlled by the company, such as suppliers, competitors and customers, are
known collectively as micro-environment factors, while purely external factors such
as social, cultural, demographic, political, legal and economic factors are known as
macro-environment factors.
Once the various strategies have been designed, those that seem most likely to
achieve the organization’s objectives need to be selected and then translated into
tactics, working objectives and action plans. At the corporate level, this could involve
decisions regarding the expansion of goods and services, the elimination of non-per-
forming parts of the business and the allocation of resources to achieve optimum
performance. Choices regarding diversification of the business and entering local
markets would be aggressive moves, while putting measures in place to protect the
business against global competition would be defensive strategies.

Strategy Implementation
One of the most difficult parts of strategic management is to move from planning
to implementation of the strategic decisions. The formulation of annual objectives,
amendments to corporate policies and procedures, and transformation of existing
control structures are all complex processes that have to be correctly and effec-
tively carried out. It is in this stage that management’s interpersonal skills are vital
in motivating employees to carry out change. Many people see change as a threat
to their comfort zone and the status quo. Change involves the unknown, and people
fear the unknown. It is at this stage that internal audit can delay or even prevent the
implementation of corporate strategy by insisting on maintaining the status quo and
previous internal control structures, and by fighting innovation.
Strategic plans must filter down through the organizational structure. This process
is more likely to be successful if the organizational structure encourages good com-
munications and if personnel have the necessary skills and abilities.
Implementation of strategic plans will be effective only if the right measure-
ment criteria have been established and measurement is taking place. At each
level of the organization, control measures must be implemented to continuously
determine how far the strategic plans have been implemented. The usual measure-
ment criterion for strategic planning is operational effectiveness. At the SBU level,
measurement criteria are usually concerned with competitive performance in the
marketplace. Measurement of market share and customer satisfaction is also often
used.
A common failing in identifying these criteria is confusion of effectiveness measures
with efficiency measures. In many cases, management measures efficiency and
assumes that it has therefore achieved effectiveness:
➤ effectiveness is concerned with achieving desired objectives; while
➤ efficiency measures the consumption of resources in achieving those objectives.

Strategy Evaluation
The final stage of strategic management is strategy evaluation. Strategic manage-
ment is a highly dynamic function in which today’s success creates new problems
for tomorrow and success today is no guarantee of survival tomorrow. As such, all
strategies developed today will almost certainly have to be modified some time in
the future, since stagnation leads inevitably to failure.

The Strategic Analysis of Industries


Michael E. Porter29 has developed one of the most widely recognized methods
for analyzing the competitive structure of industries. Porter’s five forces model
attempts to determine long-term profitability by measuring long-term return on
investment and thus the attractiveness of an industry.

The five forces are:
➤ rivalry among existing firms;
➤ threats of and barriers to entry;
➤ the threat of substitutes;
➤ buyers’ (customers’) bargaining power; and
➤ suppliers' bargaining power.

Rivalry among Existing Firms


When an industry has many strong competitors, rivalry will usually be intense. This will
commonly spark responses such as competitive price-cutting, frequent introduction of
‘new’ products and intense marketing efforts. During the early stages in the industrial
lifecycle, growth may come from product or service innovation and the creation of new
business opportunities. In stable, dominated or declining industries, an organization’s
growth can only come from taking business away from its competition.
Where an organization can offer a product or service that people want and can-
not obtain elsewhere, it dominates the market. Where this is not possible, price may
be the only factor that determines whether customers buy a particular product. In
these circumstances, price-cutting is rife and an overall decline in profitability will
probably occur. One defense against the substitution of a competitor’s product or
service is to raise the cost of switching suppliers. Customer loyalty programs reward
customers who do not switch to a competitor’s products and services. By the same
token, a competitor’s customers may be lured away by reducing the cost of trans-
ferring. In an industry where there is no dominant market leader, competition is
normally aggressive, as each firm tries to outdo its rivals.

29. Porter, M.E. 1985. Competitive Strategy. New York: Free Press.

Costs, too, can affect the rivalry among firms. Where participation in a market
sector requires a large fixed investment, a firm is pressured to operate as close
to full capacity as possible. In these circumstances, variable costs will normally be
squeezed down to permit aggressive competition in order to achieve volumes of
business. This applies also to industries where increased volumes of business come
at the cost of large increases in fixed investments. With all the players in the industry
trying to gain a price differential based on the economies of scale, overcapacity in
the market will result and the number of competitors will ultimately fall as unsuc-
cessful competitors either fail or merge with more successful rivals.
In highly competitive industries, rivals must constantly consider whether it is still
desirable to remain in the industry. As profitability in the sector declines, competi-
tors are less willing to accept the risks inherent in such rivalry. Under these circum-
stances, an organization may decide to exit a market sector. It will do this if the cost
of leaving the sector is low. A high exit cost may result in organizations remaining as
active players in a market sector long after it is desirable. Conversely, if exit costs
are known to be low, the market may be more desirable for new rivals to enter, since
failure in the sector will not lead to major losses. As such, many organizations try
to defend their markets against new entrants by making the price of market exit as
expensive as possible.

Threats of and Barriers to Entry


The most attractive market sector to operate in is one in which entry barriers are
high (new competitor entry is difficult) and exit barriers are low (the cost of withdraw-
ing in the event of poor performance is minimal).
Entry barriers to new competition are high where the capital needed to enter is
high. This reduces the number of competitors who have the financial strength to
enter. Barriers are low where there is little capital required and many competitors
can enter with little investment. This reduces sector profitability, since many firms
can enter the sector and reduce the market share of existing participants.
Combined with the requirement for initial investment is the impact of economies
of scale. Entry may be possible at a low cost, but if a current participant has a sig-
nificant price advantage because of the size of its current investment, a competitor
may have to match the investment in order to compete successfully.
Companies try to deter new rivals by differentiating their products, creating a
strong brand identity and making the costs of switching suppliers high. New com-
petitors may try to prove that there is no difference between products, that the ‘old’
brand is inferior and that consumers may switch to a new loyalty at no cost or risk.
Rivals may be fought by using an organization’s existing market muscle in pres-
suring suppliers or distribution channels to isolate a new competitor by denying it
access to markets or materials.
In some countries, government policy may be to defend local industry by discour-
aging international entrants. Conversely, governments may seek to increase fixed
investment by international companies by reducing the barriers to entry by provid-
ing start-up grants and tax incentives.
Occasionally, a firm may remain in an industry in the face of poor (or even nega-
tive) results. Where the cost of entry has been high and little residual value remains
in the capital asset, a firm may choose to squeeze the last bit of value out of the
asset before withdrawing. Government regulations may make pulling out an expen-
sive option. With a range of legislation covering obligations to employees, customers
and creditors, governments can discourage organizations that skim fast, short-term
profits from a sector.
Common reasons for organizations to remain in a sector when logic dictates they
should have exited are their traditions and history. A firm may retain an unprofit-
able product because it is heavily branded and identified with the firm, while not
being a significant loss maker. Alternatively, the product may be retained for purely
sentimental reasons.

The Threat of Substitutes


Substitutes are goods and services that serve the same purposes. These are not
simply alternative brands, but products that deliver the same customer satisfaction
in different ways. An alternative to long-distance business travel, for example, may
be teleconferencing. An alternative to postal services may be electronic communi-
cation. Price increases in one type of product or other factors reducing its desir-
ability may prompt a search for a substitute. Increases in the costs of fossil fuel, for
example, have prompted large-scale investment in the search for alternative energy
sources. Price increases and profit margins may therefore be limited by the threat
of substitutes. This may be gauged by measuring the ratio of the percentage change
in the quantity of a product or service demanded to the percentage change in the
price causing the change. This is known as the price elasticity of demand.
➤ Demand is considered elastic when the ratio exceeds 1.0. For example, an
increase in price may result in lowering volumes of sales to the extent that the
organization’s total revenues will actually decrease.
➤ Demand is considered inelastic when the price impact on total revenue is great-
er than the quantity impact. Thus, a firm could increase total revenue by raising
its prices, even though the volume of business decreases.

In the case of substitutes for a product or service, the more readily available an
acceptable substitute is, the more likely that demand will be elastic. An organiza-
tion concerned for the demand elasticity of its products and services will seriously
consider:
➤ its relative prices;
➤ the costs of switching to a substitute; and
➤ customers' inclination or willingness to substitute.

Customers’ (Buyers’) Bargaining Power


Where buyers use their buying power to obtain better terms, the appeal of an indus-
try to potential entrants decreases. Buyers generally look for lower prices, better
quality and improved services.
In markets where purchasing power is concentrated in the hands of a few buy-
ers, their bargaining power is greater. This effect is increased when sellers have high
capital costs with corresponding pressures to achieve full production. Buyers may
increase their power by the threat of acquiring their own supply capacity. This is an
example of upstream or backwards vertical integration. Buyers’ bargaining power
may be reduced in a monopolistic supply situation where the cost of a buyer switch-
ing supplier is exorbitant, or a product or service is vital to the buyer’s welfare. If the
supplier’s product or service can be easily substituted or cannot be differentiated
from its rivals’, buyers’ bargaining power is increased.
Where profit margins are low and a supplier's product or service accounts for a
large proportion of its costs, a buyer will have little option but to bargain aggres-
sively.
Many suppliers recognize buyers’ bargaining power and respond to it by making
offers that are difficult to reject. Alternatively, a supplier may actively target buyers
with the least ability to bargain or switch to other suppliers.

Suppliers’ Bargaining Power


Suppliers affect competition through their pricing and control over the quantity
supplied. Where suppliers provide something that is a significant input to the value
added by your company, their bargaining power is correspondingly greater. It is also
greater when the prices of substitutes are high and the cost of switching suppliers
is high. If suppliers can organize for themselves a virtual monopolistic control over
a marketplace, they are in a position to dictate terms to the rest of the industry,
eg the major parastatals in South Africa. A common response to a high degree of
suppliers’ bargaining power is to establish mutually beneficial relationships with sup-
pliers (win/win) or to look for alternative sources of supply.
As can be seen from Figure 10.1, the vertical axis measures the attractiveness of a
market. High barriers that keep new competition out combined with difficulty in find-
ing a substitute product indicate that this is a desirable market to participate in.
The horizontal axis indicates the market profitability, ie in an attractive market,
who makes the most profit – the supplier, the customer or your organization?

Competitive Strategies
Although profitability is normally a characteristic of the industry in which an orga-
nization participates, a critical factor is also its competitive position within that
industry. As noted above, organizations seek to differentiate themselves within an
industry by either product differentiation or price differentiation. In other words, ‘buy
from us because our product is the best/our product is the cheapest’. Porter has also
categorized the competitive scope within which strategies are formulated.
➤ A narrow scope will focus on a market segment or even a single product.
➤ A broad scope, on the other hand, can extend to attempts to influence an
entire industry.

[Figure 10.1 (diagram): Competitor Rivalry and New Entrants across the top, Suppliers, Your Company and Customers across the middle, and Substitute Products at the bottom. The vertical axis (new entrants and substitute products) is labelled Market Attractiveness; the horizontal axis (suppliers, your company and customers) is labelled Market Profitability.]

Figure 10.1: The relationship between market attractiveness and market
profitability

Some organizations try to gain competitive advantage through their own lower
costs. Such firms can decide to charge a lower price to increase their market share
or, by retaining the industry average price, they may earn higher profits than their
competitors. This strategy is known as cost leadership. Cost advantages may be
gained by their domination of a raw material supply or through economies of scale.
Vertical integration (taking over key suppliers or customers) may also lead to a cost
advantage. In a cost leadership strategy, a company usually operates on high vol-
ume turnover and low profit margins. Here, control over operational efficiencies is
paramount, and reducing or eliminating waste becomes a major management objec-
tive. Management control usually involves monitoring costs in detail and reports are
provided regularly. Reward structures usually involve the achievement of numerical
performance goals.
Such strategies expose organizations to the potential risk that a competitor may
use superior methods, technology or even cloning of products to wipe out the price
differential. Also, a competitor who simply manages its cost better can also gain
additional advantages. A cost leadership strategy may also be vulnerable should a
competitor try to compete on a product differentiation basis.
Product differentiation is a strategy frequently favored by organizations that try
to achieve competitive advantage by providing a product or service that is obviously
different from those of its competitors. If the product or service is unique or close to
unique, or consumers think that few, if any, substitutes are available, the organiza-
tion may earn higher profits because consumers are willing to pay a price premium
for that uniqueness. The perception of uniqueness may be real and based on design
excellence or technical superiority. Alternatively, it may exist only in the mind of the
consumer as a result of aggressive marketing or strong brand identification. Care
must, however, be taken to ensure that the additional cost of differentiation does not
price the product or service out of the market altogether and that using a product
differentiation strategy does not mean that cost controls are ignored.
To achieve effective product differentiation, an organization must have a strong
marketing function, which creates awareness in the minds of the mass market of the
uniqueness of the product or service. This is frequently based on the organization’s
or brand’s reputation for quality or technical leadership. An effective research func-
tion combined with creative product development can ensure that reality matches
the perception.
Where an organization has chosen product differentiation as its competitive strat-
egy, a new range of threats will appear. Successful differentiation breeds imitation
by competitors who want to succeed by using the same method. At the same time,
overspecialized products and services suffer from rapid obsolescence as consumer
tastes change. Even without complete obsolescence, enough may have changed in
the marketplace to cause the differentiation to be insufficient to justify the higher
price and this can, over a period of time, erode consumer brand loyalty.
Organizations that try to achieve competitive advantage through lower costs
and simultaneously have a narrow competitive scope justify this approach on the
grounds that such focus improves their ability to serve the narrower market. They
can frequently achieve very strong customer loyalty, which may prove a disincentive
to potential competitors. The downside of this approach is the loss of purchasing
volume and therefore a weaker position relative to suppliers. Also, servicing a narrow
target can put the organization at a cost disadvantage compared to more broad-tar-
get competitors. Once again, only a slight change in a more specialized market can
make the product obsolete.
One variation on this theme is focused differentiation, whereby organizations may
try to gain or retain competitive advantage through providing a unique product that
has a narrow competitive scope. Microbreweries are a typical example of focused
differentiation catering for specific local tastes.
There may be a temptation to mix strategies in an attempt to be ‘all things to
all men’. This can result in appealing to nobody at all, since the adoption of mixed
strategies may result in conflicting and self-canceling activities. One way of resolv-
ing such conflicts is the creation of multiple self-empowered strategic business units
or SBUs, which can then adopt a variety of strategies to meet the needs of a variety
of markets.

Market Positioning – Leaders


Competitive strategies may also have to vary according to an organization’s relative
dominance in a marketplace. The market leader may find it difficult to significantly
improve its already dominant market share and should try to increase the total
demand in the market.
This will involve a number of strategies designed to attract new users by focusing
on customers who have never used the product or service (market penetration) or
who might use the product or service (new market segment). In addition a geograph-
ical expansion strategy may be used to target users in previously unserviced areas.
At the same time, a market leader has to defend its current market share. This may
be done offensively by constant innovation designed to improve products and services,

104

Internal_Auditing.indb 104 16/04/2015 11:12


STRATEGIC MANAGEMENT

increase distribution effectiveness or control costs. A more negative aspect of this is the
use of planned obsolescence, resulting in new varieties of products being constantly
demanded by consumers. Alternatively, a company may seek new uses for an existing
product or service to attract consumers with no desire for the current use.
Kotler and Singh30 have defined the following defensive strategies:
➤ A position defense is designed to defend a position by strengthening the firm's
brand power.
➤ A pre-emptive defense is an attempt to anticipate a competitive attack. This may
involve covering every segment and niche within a market and flooding the mar-
ket with products, targeting specific competitors before they can attack or indi-
cating to the market the ways in which the leader intends to defend itself.
➤ A flank defense creates interventions in order to protect the leader's position. For
example, a competitor's price attack on a firm’s brand may be responded to by
introducing two new brands, one designed to be sold at the same price as the com-
petitor’s brand, and the second at a lower price in order to outflank the competitor.
➤ A mobile defense involves market broadening. This usually involves an attempt
to shift the emphasis from a specific product to the underlying need. An exam-
ple is the repositioning of television companies as multimedia companies. An
alternative to market broadening is market diversification, which involves the
mergers of firms in wholly different industries into conglomerates.
➤ An alternative defense involves concentrating corporate resources in the areas
of its greatest strength rather than defending all of the firm's positions.
➤ A contraction defense involves a strategic withdrawal from specific areas of
lesser strength.
➤ A counteroffensive defense may lead the organization to respond to a competi-
tor’s price cuts in one market sector by slashing prices in another market sector
considered to be more important to the competitor.

Market Positioning – Trailers


Where a competitor already dominates a market, a market challenger strategy may
be the right one for a firm trying to enter the market. For this to be successful, the
trailing firm must be absolutely clear about its own strategic intention, whether this
is to develop an increased market share or even to challenge the market leader’s
dominant position.
Attacking a leader may take several forms. A challenger may try to grow by absorb-
ing other small firms to achieve a competitive size rapidly. Alternatively, a challenger
may try to service the market in a superior manner or with superior products.

Kotler31 has defined five general attack strategies by a challenger.


➤ A frontal attack involves a head-to-head challenge to the leading firm's prod-
ucts, methods of distribution and marketing.
➤ An encirclement attack is used to attack on multiple marketing fronts, but, to
be effective, a challenger requires an overall advantage in resources.

30. Kotler, P. & Singh R. 1981. ‘Marketing warfare in the 1980s’. Journal of Business Strategy, Winter,
30–40.
31. Kotler, P. 1994. Marketing Management, Analysis, Planning, Implementation and Control. 8th ed.
New York: Prentice Hall. pp. 382–405.
➤ A flank attack may be directed at a perceived weakness of the target in either
geographic or segmental terms or at an unmet need. This is most commonly
successful when market segments shift, leading to the creation of a gap in cus-
tomer satisfaction that the challenger can attack.
➤ Guerrilla warfare involves several small attacks designed to sap the strength of
the target, followed up by a stronger type of attack.
➤ A bypass attack avoids confrontation in markets where the competitive target
is strong. It may involve moving the competition to an environment where the
challenger is in a stronger position because of product innovation or technical
development.

More specific strategies for the market challenger could include the following:
➤ Price discounting tends to succeed if buyers are price-sensitive, the product and
service are similar to the market leaders’, and discounts are not matched.
➤ Lower-priced goods of average quality may substantially outsell higher-quality
goods if the price is much lower.
➤ Prestige goods are high-quality items sold at a high price.
➤ Product proliferation is a strategy based on greater product variety.
➤ Other specific strategies emphasize improving service, developing a new distri-
bution channel, increasing the marketing budget, or improving manufacturing
efficiencies.

Market Positioning – Followers


Many firms participate in markets where they have no wish to challenge the leader.
They may become a follower in order to avoid the retaliation of a dominant leader if
the leader feels challenged. Alternatively, they may simply try to avoid the expenses
of innovation in favor of imitation. Imitation may take several forms, not all of which
are legal.
➤ A counterfeiter operates illegally by selling virtually identical copies of a product.
➤ A cloner sells cheap variations of a product with just enough differentiation to
avoid the illegality of counterfeiting.
➤ An adapter operates by improving the products and services of the leader and
may choose to operate in different markets. Adapters frequently develop into
market challengers.
➤ An imitator markets a product or service that differs insignificantly from existing
products and services.

Even a market follower will face competition from other followers and will need strate-
gies to maintain its current customers, attract new ones, fend off challengers, protect
its advantages, lower its costs, and improve the quality of its products and services.
➤ Market niche strategies are adopted by small or medium-sized firms that
choose to compete in small markets. These markets are often ignored by larger
firms because they are not cost-effective to enter. Niche firms frequently specialize,
offer high-quality products and services at premium prices, and have low overall
costs. They substitute high profit margins for the high volumes of mass
marketers. One of the dangers of success in a niche market is the growth of the
market itself until it is no longer a niche and attracts larger competitors who
have better economies of scale.

CHAPTER 11

Global Business Environments

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly what we mean by the term ‘globalization’
➤ Explain the effect of cultural issues in international business
➤ Explain the primary drivers of global expansion
➤ Recognize and explain how supply and demand conditions influence the global
business environment
➤ Describe how a firm’s global organization affects its organizational and control
structures
➤ Evaluate whether there are performance-compromising influences in an
organization’s structures
➤ Explain the impact of corruption and political instability on control concepts in
international trading

Business Globalization
In recent years, companies have increasingly competed in a global environment. This
has brought undeniable opportunities with the potential to expand on a massive scale.
At the same time, the domestic market becomes less important to the firms involved
as the percentage of business done overseas increases. Of course, the reverse is also
true, in that overseas competition may now attack the domestic market.
Competing in larger markets gives organizations greater access to all the resources
needed to do so successfully; however, the larger market also means that organiza-
tions face competition from the best of the best. International competition normally
means attacking an already established market where the home team advantage lies
with organizations that are already competitive in both technology and management
structures.
Companies face a variety of pressures to go global. A recessionary economy in
their own domestic market can force them to expand into international markets.
Many Western countries are experiencing demographic changes such as ageing
populations and declining birthrates, which can force companies to go abroad to
find fresh markets. Some organizations use international trade to extend a product’s
lifecycle and dispose of inventory by exporting technology to underdeveloped or
less-developed nations. Many countries offer tax incentives to incoming investors,
which makes the overseas market more attractive economically.
At the national level of globalization, governments must now try to create a
business environment that can both attract fixed investment from overseas firms
while simultaneously facilitating the opportunities for domestic firms to compete
in overseas markets. In order to achieve this, governments must come to grips
with the underlying fundamentals of market economies. They may face significant
resistance from internal pressure groups concerned with defending their local
market share in the face of increasing foreign competition. In order to avoid an
international economic trade war, unprecedented levels of international co-opera-
tion are required.

The History of Globalization


At the start of the sixteenth century, nationalism and expansionism became consuming
interests to several European powers. Spain, Portugal, the Netherlands and
England all sought to increase their dominance through trade. Initially, this
took the form of imperialism and plundering the natural resources of overseas acqui-
sitions. These activities were extremely costly and were normally affordable only
by the crown. In order for this to become sustainable, however, individual investors
came together as companies to fund and finance the highly profitable international
trade in rare commodities and expensive spices.
By the eighteenth century, economists were investigating the effects of global
trade on national economies. The Scottish economist Adam Smith proposed a
theory of absolute advantage. This theory argued that certain countries have a
natural advantage in the production of certain goods, because they possess natural
resources or climatic advantages that their competitors do not have. This theory
indicated that both trading partners could gain by exchanging goods and services
that were more efficiently produced in one or other of the partners. Problems arose
when one of the trading partners could more efficiently produce goods and services
on both sides of the trading process.
This led to Ricardo’s theory of comparative advantage. This states that, even
when one country can produce both goods more efficiently than its trading partner,
it still makes better economic sense to focus in areas in which it has a comparative
advantage over its trading partner. If the country produces and exports both goods
without importing in return, it will ultimately run out of partners to trade with, since
no partners will be left with enough money to pay for its exports. Using compara-
tive advantage for marketing leverage permits both parties to maintain a balance of
trade for the sustainable benefit of both.
Complications arise in the implementation of this theory, since in reality we are
dealing with multiple countries exchanging multiple goods and services. Where one
side of the trade has a cost advantage in transportation of the goods, imbalances
will occur. In addition, there is no recognition of fluctuations in efficiencies of produc-
tion. The economies of scale on one side and diminishing returns on the other can
distort the balance. The theory also assumes a static global economy. Economies
are, in reality, dynamic in nature. At a particular time, the Western economies may
be expanding while the Far East economies are contracting and the Middle East
economies may be stagnant. Twenty years later, this position could be totally trans-
formed. As well as the trade in finished goods, a country may be importing technical
capability and may transform its economy into the self-production and export of
those same goods. Local competition from international companies may prompt a
reaction by local firms, leading to increased efficiencies and cost competitiveness.
By the late twentieth century, economic theory suggested that the product life-
cycle approach might be more realistic. Under this theory, a product may be devel-
oped initially within the UK, manufactured in the USA, spread to other developed
nations, and finally produced in developing nations with much lower labor costs and
re-exported back to the developed nations.
Once again, a theory may have been true and valid at that time, but the world
moves on. For the past 30 years, the increasing spread of internationalism in busi-
ness has meant that many products are now introduced at the same time in all world
markets.

Porter32 has theorized that a nation’s international success is affected by four
specific factors.
➤ Factor endowments include at a basic level the fundamental wherewithal to
compete. This would include such elements as the country’s climate and loca-
tion, as well as its access to specific natural resources. Competitive advantage
can be gained using advanced elements, which would include the technological
level of the country, its communications structures, economic infrastructure and
the availability of skilled labor.
➤ Demand conditions quantify the degree of pressure placed on firms to be com-
petitive within their home economy by their local customers.
➤ Related and supporting industries that are internationally competitive can
cause a knock-on effect, boosting the international competitiveness of other
firms within their market sector.
➤ Firm strategy, structure and rivalry, including the degree of domestic rivalry
experienced within the local economy, can also have an effect. Strong local competition can drive
individual companies to be more fiercely competitive with better structures
and management techniques, and this prepares them to compete in the global
economy.

Porter also acknowledges the roles played by both government and chance. Labor
laws, monopoly legislation and the implementation of internationally recognized
standards legislation can have a positive or negative impact on national competi-
tiveness. Chance, in the form of natural disasters or unexpected windfalls, can also
play a role.

Problems of Globalization
When an organization embarks on a policy of globalization, the complexity of its
management processes takes a quantum leap. Globalization involves competing in
a variety of political, economic, legal and cultural systems.

Political structures internationally are resolving into two main philosophies:
➤ Individualism seeks to facilitate the individual’s freedom to act in his/her own
self-interest.
➤ Collectivism seeks to achieve the greatest benefit for the greatest number of
individuals, and subordinates self-interest to group benefit.

Within these overall structures, differing political systems also add complexity.
Totalitarianism, whether left- or right-wing, can be contrasted with the democratic
process, also potentially left- or right-wing.

32. Porter, M.E. 1990. ‘The Competitive Advantage of Nations’. Harvard Business Review, March/April.
Legal environments create their own complexities, even within similar political
structures. Activities that are acceptable – even the norm – in one country may be
socially unacceptable or even illegal in another country. Laws differ immensely from
country to country, even where there are generally accepted views on ethical and
moral principles. A country’s copyright law may attempt to comply with interna-
tional standards and agreements and nevertheless have local variations. Definitions
of fraud and theft, while generally agreed, differ in law from country to country and
must be complied with in international trading. Electronic trading complicates the
issues further, with some countries having clear and strict electronic trading laws,
while others have none or, at best, vague and confusing legislation. Laws over physical
and intellectual property rights similarly vary from country to country. In some countries, bribery
of public officials is seen as a minor offense, while others would view it as totally
unacceptable. Individual countries also differ in their views on ownership, with some
believing strongly in state ownership and nationalization, while others advocate pri-
vate ownership and deregulation.

Cultural Issues in Globalization


One aspect of globalization that a firm ignores at its peril is the diversity of cultures
within international businesses.
Culture has been defined as a system of values particular to one group and
not others. It is passed down from one generation to the next and influences the
behavior of group members in predictable ways. Local cultures are based on values,
which are the societal norms and assumptions regarding how things ought to be.
Values are normally recognized as operating at the subconscious level, as opposed
to beliefs, which are the conscious certainties of attributes of society, such as the
belief in some cultures that age equals wisdom. Values and beliefs may sometimes
clash and cause cognitive dissonance in an individual where a conscious belief is
at odds with a subconscious value acquired as an infant. Culture is learned most
intensively during the early years of life. By about the age of five, an individual has
already developed values associated with gaining rewards and avoiding punish-
ments, avoiding conflict or causing it, and the role models within the family. By the
same age, a child may also have become a sophisticated negotiator for what he/
she wants. Other members of the family and culture group inculcate these values.
Parents, teachers, the extended family and peer pressure all combine to influence
behavior.
One advantage of the influence of culture is the way in which it makes members
of a specific group behave in uniform, predictable ways. Such uniformity can help the
manager predict the behavior of typical individuals under normal circumstances.
Because culture is specific to one group and not to others, this means that differ-
ent groups may respond to the same stimulus in different ways and react differently
in similar situations. This makes management of multicultural groups more difficult,
since the stimulus to achieve management’s objectives may be different for the dif-
ferent groups. It is further complicated by the fact that individuals may be members
of several unofficial groups. An employee may be a financial manager and a member
of that group while simultaneously coming from a non-European ethnic group and
being a member of the middle-class social and economic group.
In Britain, working hours are conventionally nine to five, while in South Africa
many companies operate on an 8.00 a.m. to 4.30 p.m. working day. Holidays in
South Africa range from four to seven weeks a year while in America three weeks is
the norm. Similarly, Europeans and Americans would see drinking alcohol as normal,
while strict Muslims would find it totally unacceptable.
It should not be assumed that culture is the only factor causing members
of groups to act in uniform, predictable ways. Each individual is also influenced by
other factors, such as social class, age and gender stereotypes.
The managing of cultural diversity creates opportunities within organizations to
create a synergy, because of the wider range of cultural experiences and educational
and professional backgrounds than in a single culture group. If properly managed,
long-term goodwill can be generated; if badly managed, negative stereotypes will
be reinforced.
Generally, people tend to handle new situations by making generalized assump-
tions based on past experiences. Thus, a manager handling an unknown group will
automatically make assumptions about the capacities of its members based on his/
her experience with similar groups. One way of generalizing about other people is
to stereotype them on the basis of their sex, age and racial background or culture.
This can lead to a rigidity in dealing with people, since inflexible stereotyping does
not allow for exceptions to the norm. Similarly, change as a result of transformation
may not be recognized, as old stereotypes tend to resist changes for considerable
periods of time.
For generalizations to be effective within management, a process of cultural analysis
will be required. This involves identification of behavior that seems unusual or unexpected
in terms of the local culture. The manager must then collect data regarding the
unusual behavior and try to develop hypotheses (a set of alternative explanations) to
explain the behavior. These hypotheses must then be tested by evaluating each alternative
in terms of what is already known about the other culture. Those alternatives that
cannot be substantiated should be discarded. The most likely hypothesis would then
be selected to give a working generalization. As and when new data and examples of
behavior are recorded, the hypothesis would then be modified.
Many managers try to ignore cultural diversity or downplay the significance of
cultural differences within the workforce. This may be because they lack the skills
and resources to handle diversity appropriately or because they believe that the
negative effects of multiculturalism outweigh the positive ones.

Organizational Culture
Many definitions of the term organizational culture may be found in current manage-
ment literature. For our purposes, the term is taken to refer to the sum of percep-
tions that develop within an organization. This includes both perceptions developed
deliberately by top management and those based on the employees’ own experi-
ences. Organizational cultures benefit the individual member by providing a sense
of identity and act as a framework for interpreting reality. Each organization has its
own culture, and members of the organization have to learn that culture. For those
employees whose needs are met by such a culture, long careers of service will nor-
mally be the result. Where new recruits discover that the culture does not suit their
tastes, a high dropout rate will occur.
Periodically, management may wish to change the organizational culture and such
change is often painful, particularly where the culture has been well established.
Cultures can be made stronger by creating more efficient communication among
members, which creates conditions for greater cohesion. Cultures can be made more
positive by improving systems so that members see gains and losses as being shared
fairly, thus increasing their stake in official outcomes.
Cross-cultural managers whose interaction with members of the other culture is
limited to the workplace will experience the values of the other culture only as they
appear in the workplace. This can cause problems for any attempt to implement
appropriate incentives to motivate workers. There can be major dangers in assuming
that what works as a motivator in one culture will have the same effect in a different
culture. Motivators must reflect the values held within a particular culture. Incentives
are more likely to succeed where they both reflect real needs and take practicalities
into account. Further details on motivational techniques can be found in the next
chapter.

Culture and Ethics


Broad ethical values are shared around the world, but the practical implementation
of ethical norms is far more problematic. Decisions regarding what is or is not ethi-
cal can also vary over time as people’s values change. Because of the extensive list
of scandals in business since the mid-1980s, interest in business ethics has grown
enormously. Ethics have already been discussed in Chapter 4, but in a multicultural
environment, behavior that one culture considers virtuous may be interpreted dif-
ferently in another. For example, members of totalitarian or highly authoritarian
cultures find the jury system confusing, since it seems to challenge the authority of
the judge.

When creating value statements in a global business environment, organizations
must appreciate the difference between cultural relativism and cultural sensitivity.
➤ Cultural relativism indicates that if a different culture does not agree with a par-
ticular ethical standard, then that standard should not be applied in that culture.
➤ Cultural sensitivity involves understanding that different cultures have different
perspectives on what is proper and respected.

In a cross-cultural environment, corruption may, like beauty, lie in the eye of the
beholder. Definitions and descriptions of corruption in dictionaries define corrup-
tion as the ‘impairment of integrity, virtue or moral principles’, ‘the perversion or
destruction of integrity in the discharge of public duties by bribery or favour’ and
‘moral deterioration or use of corrupt or tainted practices’. Words like ‘integrity’ and
‘moral principles’ may not only signify different things to different people, but are
also to a large extent culture-bound. What is officially defined as ‘corruption’ in one
society or organization may be the customary way of doing things, the accepted cost
of business transactions, or a traditional favor-for-favor exchange in others. Even the
sense of what constitutes ‘corrupt conduct’ can differ within a single organization.
What one group of managers may see as corrupt, another group may dismiss as ‘the
way in which things get done around here’.
In the landmark report of the Treadway Commission,33 the commission stated
that the control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other components

33. Treadway et al. 1987. pp. 69–78.
of internal control, providing discipline and structure. Effectively controlled entities
strive to have competent people, instil an organization-wide attitude of integrity
and control consciousness, and set a positive ‘tone at the top’. The effectiveness
of internal controls is dependent on the integrity and ethical values of the people
who create, administer and monitor them.

The Nature of Industries


Industries vary in nature and the more globalization and internationalization occur,
the more these varieties are apparent.

Fragmented Industries
Firms that have an insignificant market share and are not in a position to exert great
influence on industry outcomes are said to exist in a fragmented industry. This is par-
ticularly true where the industry has many small-to-medium-sized firms with no obvi-
ous market leader, and products that may or may not be significantly differentiated.
Economists would normally refer to such an industry as pure competition. Industries
can fragment for a variety of reasons. Low barriers to entry permit easy access to an
industry, which can under certain circumstances lead to fragmentation.
Some industries are fragmented for purely historical reasons, while for others,
economic causes for fragmentation exist. Small, flexible firms may have a market
advantage when quick responses are required to changes or customization of a
product line to the unique requirements of individual customers is needed. Even the
newness of an industry may be a reason for fragmentation. New firms may not have
the resources and abilities to achieve concentration for some time. When the cell-
phone industry started in South Africa, there was an abundance of small cellphone
providers associated with large cellphone infrastructure providers. Over a period of
time, through mergers and acquisitions, and the bankruptcies of some companies, a
more concentrated market has emerged.
Overcoming fragmentation can have significant strategic effects if the factors
preventing consolidation can be eliminated. It may be possible to use technology
to create economies of scale, or to isolate the factor that is responsible for
fragmentation from the rest of the business. Another common approach is for a
single firm to use multiple brand names to appeal to the varying tastes of differing
customers. Recognizing the factors that can remove the cause of fragmentation can
provide a competitive advantage to an organization, which can influence those fac-
tors ahead of the competition.
Strategies to defeat fragmentation will be dependent on the situation in which an
organization finds itself. Where personal service or local control is critical to success-
ful operations, management may decide that tightly controlled decentralization may
be the right strategy. If the cause of fragmentation was the inability to differentiate
products or services, an appropriate strategy may be to add value to the product or
service in order to create the differentiation.
Obviously, management can adopt strategies that will make the situation worse.
Attempting to dominate a fragmented industry may be disastrous if no attempt is
made to change the basic industry structure. In fragmented industries, speed of
response and local knowledge may be critical to success. If this is the case, central-
izing the organizational structure could be disastrous.
Before selecting a strategy, management must identify the basis for fragmentation
and analyze what the right interventions would be to prevent it.

Emerging Industries
An industry is classed as emerging if it is new and small in size. Such industries may
result from new customer needs, innovation or changes in environmental factors.
Such industries are typified by uncertainties over products and production (tech-
nological uncertainty) or production and marketing (strategic uncertainty). Within
emerging industries, there will be many newly formed companies to begin with and
spin-offs from existing firms are common. Initial costs are usually high during set-
up, but they decrease rapidly. Marketing in such industries is problematic, since
customers have to be convinced that the risk of using the new product or service is
not high and that the benefits are there to be gained. Many such industries, based
on new technology, attract government subsidy or grants. While initially these may
be beneficial, in the long term they create market instability.
Due to the lack of standardization, product quality may be erratic and customer
confusion may arise because of the number of variations on the market. Such con-
fusion makes buying these products seem more risky to customers and may be
counterproductive.

Declining Industries
Industries are classed as being in decline when they have sustained a permanent
decrease in activity for some time. If an industry is in decline, a company within the
industry must make strategic choices to deal with the decline without overcapac-
ity and massive losses. During industry decline, the reality is that business activity
is decreasing and that too much competition will only accelerate the decline by
decreasing profits. In seasonal industries, it may be difficult to differentiate between
genuine decline and the normal seasonal variability of sales and thus it may be dif-
ficult for an organization to respond appropriately. The rate of decline will not be a
constant, but will increase as lower volumes increase the impact of variable costs.
Industry decline can be caused by a variety of factors, including product innovation
or the introduction of product substitutes. Customer demographics change over a
period of time because of economic factors, population age or even political change.
In specialized industries, it may be difficult for an organization to develop an exit
strategy, despite low returns, without affecting the image or financial standing of the
firm.



Chapter 12

Organizational Behavior

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly what managers do in the context of organizational behavior
➤ Explain the contingency approach to organizational behavior and its importance
to an internal auditor
➤ Explain the primary causes of conflict within an organization and provide
appropriate coping strategies
➤ Explain the fundamental concepts in group and individual decision making

The Organizational Behavior of Managers

When examining organizational behavior, it is important to be clear about the role
and functions of managers. Managers are individuals who achieve corporate goals
through other people. In 1916, Henri Fayol34 defined the management functions as
planning, organizing, commanding, co-ordination and control. Later management
scientists condensed these into planning, organizing, leading and controlling. The
Institute of Internal Auditors defines management’s role as the planning, leading
and directing of individuals to align with corporate objectives.

Henry Mintzberg35 classified management’s roles into three broad categories, namely interpersonal, informational and decisional.
➤ Interpersonal roles include those roles undertaken by a manager in dealing with
insiders and outsiders in business and social environments. These can include
the role of figurehead, where the manager may be required to perform a number
of routine duties of a social or legal nature. In carrying out the responsibility for
the motivation and direction of subordinates, the manager is said to be acting
in a leadership role. The third role within this grouping is that of
liaison, which Mintzberg described as communicating with outsiders who pro-
vide the manager with information.
➤ Informational roles include the receiving of information from a wide variety
of internal and external sources. This is the role of monitor. Having received
this information, the manager must then transmit it to other members of the
organization in a disseminator role. Managers may also be required to act as
a spokesperson in transmitting an organization’s plans, policies, actions and
results to outsiders.

➤ Decisional roles are roles that involve the making of choices. The entrepreneur searches for opportunities and innovations, and will initiate new projects to improve the organization’s performance levels. From time to time, management will face unforeseen problems and be forced to act in the role of disturbance handler. The manager’s role is also to choose his/her preferred method of allocating resources in order to achieve these goals. Managers have at their disposal a variety of resources, which are commonly grouped into the five Ms, namely:
◗ manpower;
◗ money;
◗ materials;
◗ machinery; and
◗ methods.

This places management in the role of resource allocator. Finally, management will periodically perform a negotiator role in which it bargains with other business units to gain advantages for its own area of responsibility.

34. Fayol, H. 1916. Industrial and General Administration. Paris: Dunod.
35. Mintzberg, H. 1973. The Nature of Managerial Work. New York: Harper & Row.
In the context of organizational behavior, management operates within an envi-
ronment characterized by the interactions of individuals, groups and structures
within organizations. Management is responsible for the application of such knowl-
edge with the aim of improving the organization’s effectiveness.

Groups within Organizations

An organization can become so large that individuals do not know most of the other
people in it. Groups are collections of people that are small and immediate enough
to affect both the feelings and self-images of their members. People tend to be more
committed to groups to which they belong, and certain psychological needs are bet-
ter satisfied by such groups.

A group may be defined as two or more individuals who have chosen to come togeth-
er and interact to achieve specific objectives. Groups may be formal or informal.
➤ Formal groups are those defined within the organization structure that have
been allocated specific work assignments. Behavior within those groups is regu-
lated to the extent that the achievement of the organizational objectives is of
paramount importance.
➤ Informal groups are those that have come together spontaneously and are nei-
ther formally structured nor controlled by the organization. They are primarily
socially driven and appear as a response to social needs.

Within these overall groupings, further subdivisions are possible:
➤ Formal groups may include command groups, as laid down by the organization
chart, or task groups brought together to achieve a specific objective.
➤ Informal groups may include interest groups, who may or may not be part of
the same formal group, which have come together to achieve a specific objec-
tive in which they all have a common interest. Sub-groups may also develop
within informal groups, simply because of social alliances, which may extend
beyond the working environment. These are known as friendship groups.

People join groups for many reasons. For some individuals, joining a group can
reduce the feeling of vulnerability involved in being on their own. If the group has
a positive reputation, membership may give a degree of status to an individual.
This can improve his/her self-esteem and sense of self-worth. In collective bargain-
ing, membership of a group may contribute to the power of the individual. Power
may also be achieved by using group membership to achieve supraordinate goals
(ie goals not achieved by working alone but that are possible for the group).
Several concepts must be understood with regard to groups.

Group Development
The traditional view of group development was based on Tuckman’s36 work in
1965. His five-stage model characterized groups as progressing through a stan-
dard sequence of forming, storming, norming, performing and adjourning.
➤ Forming, the first stage in group development, is characterized by uncertainty
about why the group exists, who will lead it and how it will be structured.
➤ The second stage is known as the storming stage, since it is at this stage that
conflict may arise over the control of the group. At the end of the stage, lead-
ership has normally been clarified and the way in which the group functions is
relatively clear.
➤ During the third stage, norming, the group comes together as a cohesive whole
and close relationships usually develop. At this stage, a strong sense of group
identity will exist.
➤ By the fourth stage, performing, the group is functioning efficiently and
becomes highly task-oriented. Under normal circumstances, this is the desirable
final stage for groups.
➤ For temporary groups, the final stage would be adjourning when the task has
been achieved and the group structure is no longer required.

In 1988, work by Gersick37 suggested that groups do not develop in a universal
sequence of stages. He noted, however, that the timing of group formation and
change is highly consistent. This is known as the punctuated-equilibrium model. In
this model, it is suggested that the first meeting will set the group’s direction, and
the first phase of activity is inertia. At the end of the first phase, a transition takes
place, which occurs exactly when the group has used half of its allotted time. This
transition initiates major changes and is then followed by a second phase of inertia.
The group’s last meeting is characterized by a markedly accelerated activity. This
appears to be in line with Parkinson’s Law that ‘work expands so as to fill the time
available for its completion’.

Group Size
Another major factor in the functioning of groups is the group size. There is evidence that smaller groups complete tasks faster than larger ones, but larger groups are significantly better at problem solving than smaller groups. In larger groups, there appears to be a tendency for individuals to do less than they are capable of if they were operating as individuals. This tendency is known as social loafing and may be responsible for inefficiencies and ineffectiveness within larger groups. It is believed to occur when individuals see other members underperforming and reduce their own efforts in order to achieve equity (‘Why should I work hard if he’s loafing?’). For management, this means that in addition to setting goal objectives for the group, individual measurement criteria are required so that individual efforts can be recognized and rewarded.

36. Tuckman, B.W. 1965. ‘Developmental sequences in small groups’. Psychological Bulletin. June, pp. 384–99.
37. Gersick, C.J.G. 1988. ‘Time and transition in work teams: Towards a new model of group development’. Academy of Management Journal. March, pp. 9–41.

Group Roles
In any given group, individuals undertake different roles at different times. A number
of factors are involved here:
➤ How individuals react within groups is partly due to their role perception. This is
the individual’s interpretation of how he/she is supposed to behave and act in a
particular role.
➤ Role identity involves specific attitudes and behaviors consistent with the role
being played, and individuals will shift roles as circumstances change.
➤ Role expectations, on the other hand, define how others believe the individual
should act in a given situation and may lead to role stereotypes.
➤ When an individual is required to adopt multiple roles in a given situation, role
conflict may occur, eg a manager may have to discipline a personal friend.

Group Norms
All groups have established acceptable standards of behavior, which are shared
by the group’s members. These are known collectively as group norms. In a formal
group, these are laid down in policies and procedure manuals, but most of the norms
within organizations are informal. Common norms would include the appropriate
dress, norms regarding social interactions such as who eats lunch with whom, perfor-
mance-related norms regarding how hard individuals should work, and even norms
regarding who gets the latest equipment when it arrives.

Group Cohesion
Although management generally seeks group cohesion in order to achieve corporate
objectives, a highly cohesive but unskilled team is still an unskilled team. But even
if the skills are present, a cohesive group may develop its own goals and objectives
that are out of line with those of the organization or even contradictory to them. In
some highly cohesive groups, it becomes more critical that no one disagrees than
that objective appraisal takes place. This phenomenon, known as groupthink, can be
deadly to the decision-making process. In a strongly led group, overzealous group
members may perform unauthorized or even illegal activities because they believe
that the leaders of the group and the group as a whole will be pleased. This phe-
nomenon is known as ‘Ollieism’.

Conflict
Conflict has as many definitions as there are parties to the conflict. One generally
recognized definition is that there must be a perception that conflict exists. It is
commonly agreed that if no one is aware of the conflict, then no conflict actually
exists. Conflict can be seen as a process that begins when one party perceives that
another party is, or is about to be, in conflict with the first party.
There are further disagreements about the role of conflicts in organizations and
groups. Some management scientists argue that conflict is counterproductive, indi-
cates a problem within the group and must be avoided at all costs. Others argue
that conflict is natural within any group and can be a positive force in achieving high
performance by the group. Current thinking indicates that not only is it possible that
conflict can be positive, but that the group will stagnate and die without it and that
therefore conflict is an absolute necessity for effective performance.
Even on this view, not all conflict is regarded as good. The interactionist view
differentiates between functional conflict, which is constructive, and dysfunctional
conflict, which is destructive.

The Conflict Process

The conflict process is generally recognized as comprising five main stages:
➤ The first stage is the existence of circumstances within which conflict can arise.
This does not mean that conflict will definitely occur, however, but without
these preconditions, conflict is unlikely. The circumstances may arise from com-
munication difficulties leading to misunderstanding of people’s attitudes, needs
and perceptions. Conflict circumstances may also result from imbalances and
misinterpretations within power structures or even from personal factors, includ-
ing individuals’ value systems and personal characteristics.
➤ Once the preconditions for conflict exist, the possibility exists that the potential
for conflict will be perceived and ultimately personalized. It is at this stage that
individuals become emotionally involved and that the parties involved decide
what the conflict is about.
➤ The third stage involves the formation of intentions. Even at this stage, overt
conflict may not occur, since many intentions are never translated into action.
Human behavior does not always accurately reflect an individual’s intentions.
➤ The fourth, or action phase of conflict involves human behavior. This is where
conflicts become externalized and visible. Conflict, in this stage, may evolve and
escalate so that a minor problem that could have been cleared up easily at an
earlier stage becomes a major source of conflict, with entrenched positions and
power struggles emerging.
➤ The final stage of conflict is the outcomes phase, which again may be functional
or dysfunctional.

Conflict Resolution
Conflict resolution will depend on the individual parties involved, but various options
can be identified.
➤ Collaborating involves each party seeking to resolve the situation by fully
meeting the needs of the other.
➤ Through avoidance, one party, recognizing the potential for conflict, may with-
draw from the situation.
➤ Accommodating refers to the intention of one party to place the opponent’s
interests above their own in order to appease the opponent.
➤ Compromise is the state when each party agrees to give up some of their
requirements in order to meet some of the requirements of the other party.

Group Decision-making
Advantages of Group Decision-making
It is common within organizations to use groups to help in the making of decisions.
Groups can offer the advantage of more complete information and more extensive
knowledge by bringing a variety of experiences and skills into the decision-making
process. This means that a variety of alternatives can be considered. Once the deci-
sion has been made, a greater commitment from individuals can be gained if the
individuals feel that they were part of the decision-making process. This commit-
ment can significantly increase the chances of success of any activity decided on. In
many cases within the South African context, group involvement increases the legiti-
macy of any decision arrived at. Because of this country’s history of a substantial
proportion of the population being denied any participation in the decision-making
process, involvement of this very large group has become essential.

Disadvantages of Group Decision-making

Although there are significant advantages to the involvement of groups in the deci-
sion-making process, there are also disadvantages. Groups, by their nature, create
the desire within members to be accepted as an asset to the group. This can cause
individual members to suppress disagreement and can result in a kind of groupthink.
It is expensive and time-consuming to bring groups together to make routine deci-
sions and therefore group decision making should be reserved for non-routine deci-
sions or those with a critical impact on individual members of the group.
With goodwill on all sides, it is still possible for an individual member of the group
to dominate, particularly if the group is structurally imbalanced, with senior execu-
tives and junior members of staff combining together. A further disadvantage to
group decisions is the disappearance of allocatable responsibility. Although mem-
bers of the group share the responsibility, it may be difficult to establish account-
ability.

Group Techniques
Most group decision-making takes place on a face-to-face basis, although increas-
ingly the use of technology can allow a group to reach consensus without ever
meeting.
In order to achieve effective group decision making without the disadvantages
noted above, specific techniques are required to ensure the effectiveness of the
decision-making process, eg brainstorming is a technique used to generate ideas
in a group discussion session by noting ideas expressed in an unstructured fashion
without ranking or criticizing either them or the people who propose them during
the idea-generation.



Chapter 13

Management Skills

Learning objectives
After studying this chapter, you should be able to:
➤ Define the evolution of managerial practice
➤ Outline briefly the skills required of a modern manager
➤ Explain the challenges for managers in dealing with increasing business uncertainty
➤ Explain the role of management in problem solving
➤ Contrast the types of decisions a manager will be required to make
➤ Explain the impact on employees of values and job satisfaction
➤ Describe the major leadership theories and the impact of different leadership
styles on internal control
➤ Explain the basic concepts behind motivational theory and behavior modification
➤ Define work stress and explain potential remedies
➤ Explain the role of the manager in building staff competencies

The Evolution of Management Practices

The guidance given in IIA Practice Advisory 2100-1: Nature of Work stresses the
importance of management responsibilities and practices that affect the organiza-
tion and the work of internal audit.

‘Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Management periodically reviews its objectives and goals and modifies its processes to accommodate changes in internal and external conditions. Management also establishes and maintains an organizational culture, including an ethical climate that understands risk exposures and implements effective risk strategies for managing them.’

The term management has been used in a number of different ways. It may be used
to refer to the group of people running an organization or to identify the processes
by which managers direct and control business activities.

The Early Pioneers

Three of the earliest pioneers of management thinking were James Watt, Robert
Owen and Charles Babbage.
➤ James Watt (1769–1848) patented the first efficient steam engine and in 1795
set up a factory in Birmingham to manufacture it. This factory became famous for
its efficiency and employed many of the techniques associated with management
thinkers of a hundred years later. The firm was the first to use market research
when first establishing the business. The factory site and layout were preplanned.
Planning included production planning factors such as the division of labor, the
use of standard components, and the development of operating standards and procedures. Payment by results was instituted based on work study, and extensive financial and operating records were maintained. Watt was also an innovator in developing training schemes for both workers and management.
➤ Robert Owen (1771–1858) believed strongly in the need for a meaning-
ful understanding between employer and worker. He tried to implement this
through improvements in factory working conditions. A revolutionary in his time,
he believed that young children should not be employed in factories and that
working conditions for factory workers should be improved. He operated in the
textiles industry, where he introduced innovations in both social and working
conditions. He raised the minimum working age from 10 to 12, reduced the daily
working hours to 10¾ and provided education facilities and better housing.
➤ Charles Babbage (1792–1871) was a mathematician who is credited with the
creation of the world’s first computer by developing a ‘calculating machine’. In
the course of his research, he became interested in the economics of manufac-
turing processes, particularly in the virtues of division of labor. He argued that
specializing the production of a shoe reduced the time needed for learning the
job and the waste of materials during the learning stage. He also believed it
allowed for improvement in skill levels and allowed the matching of employees’
skills and abilities with specific tasks required. He also suggested that special-
ization was as relevant to mental work as it was to physical labor.

Management theory is generally considered in terms of the main schools of management thought. It must be emphasized that there is no ‘correct’ school. They developed in parallel with changes taking place in society.

The Classical/Scientific School

The classical school was popular during the first 30 years of the twentieth century
and it was during this period that today’s general theories of management evolved.
➤ F. W. Taylor (1856–1917) is generally considered to have invented modern
management theory when he laid down the concepts that make up ‘scientific
management’.
With the Industrial Revolution, ownership and control moved from the hands of
individual entrepreneurs due to the separation of ownership and control caused
by the development of the limited liability company.
Taylor, who was an engineer by profession, believed that management should
be based on ‘well-recognized, clearly defined and fixed principles, instead of
depending on more or less hazy ideas’. Taylor believed that management’s objec-
tive should be to secure maximum prosperity for both employers and employees
in both the short and long term. He studied the causes of hostility and inefficiency
in the workplace, and attributed this to the belief among workers that increases in
output would naturally result in unemployment, that traditional practice created
inefficient methods of work and that workers restricted their outputs in order to
protect their interests.
Taylor tried to overcome these problems by studying each job to discover the
best way of doing it. He combined this with a similar study of management prac-
tices to identify the best means of control.
Taylor identified the four ‘principles of management’:

◗ the development of a science of work intended to determine what constituted a ‘fair day’s work’ for a ‘first class man(/woman)’ for which he/she would receive a ‘high rate of pay’;
◗ the selection, training and development of the worker to ensure that he/she
was enabled to do the ‘highest, most interesting and most profitable class of
work’ of which he/she was capable;
◗ the bringing together of the science of work and the scientifically selected
and trained person to cause the mental revolution in management that
Taylor wanted; and
◗ the close co-operation of management and workers to show that management
decisions are not arbitrary, and thereby reduce the likelihood of conflict.

Taylor believed in detailed observations leading to the design of standards and that
workers should be paid on piece rates related to scientifically determined standards,
with reduction in pay for those who did not reach the standard. He also believed in
specialization of both management and workers, and pioneered what is now known
as industrial engineering. His approach is still widely used today and underlies many
management techniques, from work study to standard costing.
➤ F. B. Gilbreth38 (1868–1924) was an American manager and consultant. His
belief in the one best way of doing a job led him to develop time and motion
studies, assisted by his wife, who was a trained psychologist. Gilbreth laid
down rules for finding out which of the motions used in doing a job were nec-
essary and which were ‘wasted motions’: he called these the ‘rules for motion
economy and efficiency’.
➤ Henry Gantt (1861–1919) was a teacher and then a draughtsman before
becoming an assistant to F. W. Taylor. Gantt developed a variety of graphical
tools in the course of his work, the best known being the horizontal bar chart,
which bears his name (the Gantt chart).
➤ Max Weber (1864–1920) was a German sociologist whose main contribution
to management thought was his theory of authority structures. Weber distin-
guished three typical bases of authority, namely:
◗ charismatic, based upon the exceptional powers of the leader;
◗ traditional, based on precedent and usage; and
◗ rational, based on scientific principles and the rule of law.
Weber is credited with coining the word ‘bureaucracy’, meaning ‘rule by the
office’, without the later overtones of red tape and inefficiency, and considered
bureaucracy to be the dominant system in modern society and to be techni-
cally the most efficient.
➤ Henri Fayol (1841–1925) was a French manager who set out his own principles of
management, which became known as administrative theory. Fayol suggested that
all managers perform five principal functions (as briefly mentioned in Chapter 12,
above): planning, organizing, commanding, co-ordinating and controlling.
Fayol developed 14 principles of management:
◗ division of work, to increase efficiency through specialization;
◗ authority combined with responsibility, to authorize managers to give orders;
◗ discipline, resulting from effective leadership and a clear understanding of the organization’s rules and the penalties for infringing those rules;
◗ unity of command, such that each employee receives instructions from only one superior;
◗ unity of direction, to ensure that one manager, using one plan, directs the business affairs of each group;
◗ subordination of individual interests to the general interests, in order to ensure that the interests of the organization as a whole take precedence over the interests of employees or groups of employees;
◗ remuneration in the form of a fair wage;
◗ centralization in respect of involvement in decision making. A centralized environment leaves decision-making in the hands of management, but the decentralized environment involves subordinates in the process;
◗ a scalar chain of authority from top management to the most junior employees, which facilitates communication;
◗ order, to ensure that resources are in the right place at the right time;
◗ equity, so that managers are fair to their subordinates;
◗ stability of tenure, because of the inefficiencies involved in high employee turnover. Effective personnel planning reduces employee turnover and ensures that vacancies can be filled by available replacements;
◗ initiative, enabling managers and employees to initiate and implement their own plans and so gain commitment from the employees; and
◗ esprit de corps, promoting harmony and unity within the group.

38. Gilbreth, F.B. 1911. Motion Study. New York: Van Nostrand.

The Human Relations School

After World War I, people were reluctant to go back to pre-war conditions and had
increased expectations from work. The human relations school of thought involved
looking at the behavior of people as a group. It was believed that the key to employ-
ee productivity was finding ways to increase employee satisfaction.
One of the first pioneers in this area was Elton Mayo (1880–1949). Mayo was
an Australian who carried out many research projects at the Harvard Business
School. His most famous project was his five-year investigation of the Western
Electric Company’s Hawthorne Works in Chicago, which resulted in his conclusions
that group influences significantly affected individual behaviors and that a group’s
standards laid down the norm for individual worker output. He also proposed that
money was less a factor in controlling the levels of output and workgroup sentiments
than security within the group and group standards. The impact of Mayo and the
Hawthorne experiments on today’s management thinking has been enormous and
they have led to a greater understanding of the human aspects of management.
➤ Abraham Maslow (1908–1970) argued that human needs are arranged in a
hierarchy so that as each need or group of needs is satisfied, it ceases to act
as a motivator and is replaced by the need on the next level. Maslow’s theories
are discussed later in this chapter.
➤ Frederick Herzberg (1923–2000), an American, developed motivation-
hygiene theory. Herzberg postulated that humans are motivated by the need
to avoid pain and discomfort, as well as the need to grow and develop. His
theories suggest an implied neutral point between dissatisfaction and satisfac-
tion and that there are associated maintenance factors that help maintain the
status quo. These are discussed below.

➤ Douglas McGregor (1906–1964) formulated two models, which he called Theory X and Theory Y. The basic definitions of each model are as follows:
◗ Theory X assumes that people are lazy and do not like work and must be
driven.
◗ Theory Y assumes that people have a psychological need to work and can
be led.

The Systems/Contingency Approach

Systems theory
Systems theory involves looking at various branches of knowledge as collections of
systems. A system may be:
➤ open, ie responsive to external influences; or
➤ closed, ie isolated from its environment.

Decision theory is a derivation of systems theory that combines natural and
behavioral scientific approaches into a quantitative or mathematical systems approach.

Contingency or situational theory


Contingency theory views a business firm as an open system and stresses the
importance of the environment in determining how situations should be dealt with. In
other words, there is no ‘one best way’ of management and the approach adopted
by managers must be contingent on the prevailing circumstances.

Current Management Theory


Management and Culture
In the past, organizations survived because they had improved control over physical
resources. In today’s world, the competitive edge now lies with organizations that
manage their resources most effectively to meet the demands of the market.
➤ W. Ouchi (1943– ) compared Japanese and American management approaches
to determine his ideal management/culture system, which he calls Theory Z. This
model adopts many aspects of Japanese management practices, but retains one
important aspect of Western management theory – individual responsibility.
➤ Peter Drucker (1909– ) defined the key to a productive and profitable
organization as the effectiveness of managers. He believed it particularly important
that they make good use of their human resources, and is considered to be the
father of management by objectives (MBO).

The Quality Concept


It is widely acknowledged that, in today's competitive world, survival rests on the
delivery of quality in goods and services.
➤ W. Edwards Deming (1900–1993) is believed by many to be the founding
father of the quality movement. He regarded the customer as the most
important part of the production line and advocated keeping ahead of the
customer and anticipating his/her future needs.
➤ Dr Kaoru Ishikawa (1915–1989) helped develop the notion of company-wide
quality control (CWQC) in Japan. This requires company-wide participation from
top management to lower-ranking employees across all business functions.

➤ Dr Genichi Taguchi’s (1924– ) methodology relates to optimizing the product
and process before it is produced.
➤ Kenichi Ohmae (1943– ) maintains that customers must form the basis for any
business strategy.

In the 1970s and 1980s, the so-called New Westerners increased our general
awareness of quality issues through publishing them widely. Two of the best-known writers
in this group are Crosby and Peters.
➤ Philip C. Crosby (1926– ) believed that traditional quality control procedures
and tolerance limits for quality are, in fact, failures and that the system for
ensuring quality should focus on prevention and not detection (ie the aim
should be zero defects). This does not imply that no one will ever make a
mistake, but rather that the company does not begin by expecting mistakes.
➤ Tom Peters (1944– ) suggested that excellent firms were those that believed in
continuous improvement. He identified leadership as being central to the
quality improvement process and he coined the phrase ‘managing by wandering
around’ (MBWA).

Skills Required of a Modern Manager


To be effective, today’s manager needs a variety of skills to adapt to a variety of
situations. There has been a change of emphasis in many organizations towards
a facilitation model of leadership to replace the old command and control
structures. Coupled with this has been recognition of the importance of aligning the
work objectives to the strategic and long-term goals of the organization, and
measuring employee performance in terms of contribution towards these goals. The
employee’s objectives are derived from those of their departments, which are in
turn derived from the mission and goals of the organization as a whole. As a result,
managers are being forced to step outside of their traditional job descriptions and
become supporters of team objectives and goals.

Today’s manager is more of a facilitator or a mentor, who supports his/her staff by
enabling them to operate at optimum levels. Managers, and indeed their staff, must
gain the abilities to:
➤ adapt to change;
➤ communicate effectively with different groups at varying levels within the
organization; and
➤ solve problems creatively.

Management must develop the skills to lead others to comply, not because they are
forced to, but because they want to.
The traditional view of managers has been of administrators who operate from a
short-term viewpoint to maintain control and generally work within existing norms.
Today’s managers must become innovators who take a long-term view and
challenge the status quo through innovation and development.

The Challenges of Increasing Business Uncertainty


Business today operates within an environment comprising a complex set of
relationships characterized by extreme fluidity and uncertainty. No single manager or
group of managers can either completely envisage the environment and all of its
possible changes, or completely control and influence these changes.
Attempting to guess future directions is becoming increasingly hazardous to
organizations. An alternative approach is therefore required to minimize the risk of
committing significant corporate resources to the wrong plans or policies. By building in
flexibility, an organization can significantly improve its ability to survive changes in
the operational environment. A global perspective has ceased to be optional and
must now be viewed as a strategy for survival. Along with globalization has come
the threat or opportunity of advanced technology. Once again, the use of advanced
technology to gain competitive advantage is no longer an option. The business
imperative now is to use advanced technology to prevent competitive disadvantage.
That is to say, if you are not doing it, your competitors certainly are.
One of the most complex issues facing management is the development of
problem-solving abilities.

Types of Managerial Decisions


Managers have to make choices continuously from among several alternatives. At
the executive level, this involves identifying the organization’s goals and objectives,
deciding on the services or products to be offered by the organization and deciding
how best to achieve these objectives. Middle management operate at a more
tactical level and make the day-to-day decisions on how the business operates.
Decision making is a process that occurs in reaction to an existing problem.
The gap between the current situation and the future desired state requires the
evaluation of alternative actions. In many cases within the business environment,
disagreement may occur on the nature of the problem, or even on whether there
is a problem in the first place. To make a decision, management must interpret and
evaluate information derived from a variety of sources.

Harrison39 developed a six-step process for making a decision:
➤ Ascertaining the need for a decision involves recognizing the existence of a gap
between the desired and actual conditions.
➤ Identifying the decision criteria to be used in making the decision is important
in order to eliminate the irrelevant factors.
➤ Allocating weights to the criteria is required, since all criteria are not equally
important.
➤ Developing the alternatives is achieved by listing all viable alternatives that
could possibly resolve the problem.
➤ Evaluating the alternatives in a critical manner is necessary to identify the
strengths and weaknesses within each alternative.
➤ Selecting the best alternative is the final stage in the optimizing decision model
and involves selecting the best alternative from among those evaluated.

Although this model has gained wide acceptance, other decision-making models
exist.

39. Harrison, E.F. 1981. The Managerial Decision-making Process. 2nd ed. Boston: Houghton Mifflin.
pp. 53–7 and 81–93.

➤ The so-called satisficing model is used by decision-makers faced with a complex
problem and involves selecting the first solution that is good enough to satisfy
the requirements although not necessarily the optimum solution.
➤ When faced with a complex problem with too many variables to consider fully,
the concept of bounded rationality may be used to identify the critical factors
without having to understand all the factors involved fully.
➤ One common method of making decisions is called the implicit favorite model.
This involves the subconscious selection of an alternative as an implicit favorite
early in the decision-making process, with the rest of the process effectively
acting as a confirmation that the favorite is in fact the correct choice.
➤ Many experienced managers use intuitive decision making, which is an uncon-
scious process based on the individual manager’s experience.

Once again, culture may have an impact on the decision-making process. In many
Western countries, the implicit favorite model is used because, although a manager
may make an important decision intuitively, it is understood that it must appear to
have been reached in a rational and quantitative manner. In many Eastern coun-
tries, only very senior managers are empowered to make decisions, while in many
European countries, lower-ranking employees make operational decisions.

Values and Job Satisfaction


Values have been defined as representing basic convictions that ‘a specific code
of conduct or state of existence is personally or socially preferable to an opposite
or converse mode of conduct or end-state of existence’.40 Implicit within our value
system is an element of judgment of what is right and good.
Values have been classified into six specific types41: theoretical, economic,
aesthetic, social, political and religious. This means that in the same situations
different people holding different values would react in different ways.
Values affect job satisfaction and an individual’s general attitude towards his/her
job, since people whose value systems are in line with their chosen vocations are
more likely to be successful in those vocations and therefore have a greater
probability of achieving high job satisfaction. Knowledge of an individual’s values can
therefore help management to ensure employee job satisfaction by aligning tasks
with individuals’ value systems. Satisfied employees tend to remain in a job, and high
satisfaction can reduce both employee turnover and absenteeism.

Leadership Styles
The difference between a manager and a leader is one of motivational ability
coupled with the ability to adapt situations rather than simply optimize the group’s
performance within a given situation. Subordinates must become followers and
managers must be clear articulators of the visions that can permit their followers to
attain their goals. Measuring the performance of leaders is, in itself, problematic.
Performance indices may be related to task outcome, but will also include the
ratings of operational effectiveness made by superiors, and the ratings of motivation
and satisfaction made by subordinates.
40. Rokeach, M. 1973. The Nature of Human Values. New York: Free Press. p. 5.
41. Allport, G.W., Vernon, P.E. & Lindzey, G. 1951. Study of Values. Boston: Houghton Mifflin.

Motivation
Motivational Theory
It is possible to draw direct links among the quality of leadership, job satisfaction
and overall unit or team performance. Leadership behavior using the proper
motivational techniques can improve performance, which in turn improves customer
satisfaction and loyalty, and can create high levels of unit performance. By motivating
his/her followers, a leader can improve follower job satisfaction, which in turn will
reduce staff turnover. Many of today’s motivational theories of leadership owe their
origins to the human relationship school of thought (see above).

Maslow
Maslow’s hierarchy of needs included:
➤ basic needs;
➤ security needs;
➤ social needs;
➤ esteem needs; and
➤ self-actualization needs.

➤ Basic needs
Individuals who are mainly preoccupied with basic needs are motivated by fulfilling
the desire for food, shelter, etc. In business, such individuals would respond to
motivators such as salary increases, pleasant working conditions, more luxury or more
leisure time.

➤ Security needs
Fulfilling the desire for assurance of continuity and continued fulfillment of basic
needs motivates individuals who are mainly preoccupied with security needs. In
business, such individuals would respond to fringe benefits, protective rules and
regulations, pension schemes and tenure protection.

➤ Social (belonging) needs
Fulfilling the desire for a sense of belonging and group membership motivates
individuals who are mainly preoccupied with social needs. In business, such individuals
would respond to organizations that encourage good interpersonal relationships,
friendliness of colleagues, acceptance by others and good teamwork.

➤ Esteem needs
Fulfilling the desire for recognition and praise motivates individuals who are mainly
preoccupied with esteem needs. Such individuals would respond to motivators such
as opportunities for advancement, recognition based on their merits, assignments
allowing them to display their skills, and inclusion in planning activities.

➤ Self-actualization needs
Individuals who are mainly preoccupied with self-actualization needs are motivated
by the desire for the freedom to be what they are. Such individuals would respond
to motivators such as being able to prove themselves to themselves, the merits of
the work itself, and the freedom to experiment and take risks.

Hertzberg
Hertzberg’s theory suggested the existence of both motivational and maintenance
factors.

Motivational factors are those that, if improved, could have a major impact on moti-
vation and performance. These include:
➤ opportunities for achievement;
➤ recognition for personal efforts;
➤ the nature of the work;
➤ opportunities for advancement; and
➤ opportunities to exercise responsibility.

Maintenance factors are those that, if they are acceptable, do not in themselves
motivate; but if they are not acceptable, could significantly demotivate. They
include:
➤ company policies and administration;
➤ supervision;
➤ interpersonal relationships;
➤ working conditions; and
➤ salary, status and security.

Expectancy Theory
Expectancy theory suggests that a person’s willingness to be influenced is
primarily controlled by his/her motivational strength, ie ‘How much effort is it worth
making to achieve the results?’ This in turn is influenced by three major factors, namely:
➤ the perceived value of rewards, or ‘Do I really value the reward on offer?’;
➤ the perceived effort-performance probability, or ‘What is the likelihood I will
achieve my objective if I put in the required effort?’; and
➤ the perceived performance-reward probability, or ‘What are the chances of my
obtaining the reward I want if I satisfactorily complete the job?’.

Job Enrichment
Job enrichment has been shown to increase staff motivation and therefore work
effectiveness by focusing on achieving specific critical psychological states.

Job Enlargement
Job enlargement involves improving motivation by ensuring that all jobs lead to
significant, identifiable results. This is normally achieved by taking a job that only
involves a small part of a process and enlarging it so that a more observable result
is achieved.

Work Stress
Stress can be defined as a condition in which an individual is confronted with an
opportunity, constraint or demand related to what is desired and an outcome that
is perceived to be important but uncertain.

Core Job Characteristics → Critical Psychological States → Outcomes
➤ Skill variety, task identity and task significance → feeling that the work is
meaningful
➤ Autonomy → feeling of responsibility for the outcome of the work
➤ Feedback from the job → knowledge of the actual results of the work
Outcomes: high internal work motivation; high ‘growth’ satisfaction; high general
job satisfaction; high work effectiveness.
Influencing factors:
1. Knowledge and skill
2. Desire for personal growth
3. ‘Context’ satisfactions

Figure 13.1: Job enrichment

Stress is most commonly linked to constraints preventing the individual from doing
what is desired and demands for the loss of something that is desired. Sources of
stress exist within the business environment and include such threats as economic,
political or technological uncertainty. At the organizational level, stress may be
caused by the demands of the task to be carried out or pressure from the role an
individual undertakes. The nature of the organizational structure and leadership
can also increase stress levels. Each individual must also face his/her own personal
stress factors, which are dependent on his/her personality and economic situation,
and also on family problems.
The effects of stress range from physiological symptoms such as high blood
pressure and headaches through to psychological symptoms such as depression
and anxiety, and may eventually result in behavioral symptoms such as reduced
productivity, absenteeism or high staff turnover.
High levels of stress over a period of time can severely affect job productivity and
are therefore seen by senior management as a significant risk factor. Management
can reduce overall stress levels for employees by providing training in realistic
goal-setting, introducing participative decision making, improving the alignment of
individuals to jobs, and generally focusing on the employees’ physical and mental
condition.
Individuals have their own role to play in reducing stress levels. A major cause
of individual stress is poor time management, and improvements in this area can
significantly reduce stress levels. Physical exercise can raise endorphin levels,
increase heart and lung capacity, and improve overall fitness, all of which help an
individual deal with stress. Social support can also reduce the likelihood that high
levels of work stress can be damaging to employees.

Building Staff Competencies


One of the fundamental roles of management is to increase employees’ levels of
competency. Skills fall into three broad categories, namely:
➤ technical skills, which involve someone’s ability to carry out tasks assigned;
➤ interpersonal skills, which allow someone to effectively interact with co-workers
and superiors; and
➤ problem-solving skills, where someone has to handle non-routine tasks and
solve problems as part of the job.

Competencies are usually developed or expanded through appropriate training. In
most cases, training takes place on the job and includes such techniques as
mentoring, job rotation or possibly even an apprenticeship. Formal, off-the-job training
includes classroom lectures and simulation exercises such as case studies.
In a developing environment such as that faced by many Third World countries,
capacity building and the building of specific staff competencies is essential to
achieve sustained growth.

Performance Management
Performance management can be defined as an ongoing communication process
involving both management and employees in:
➤ identifying and defining essential job functions and relating them to the mission
and goals of the organization (key performance areas);
➤ developing appropriate performance standards and measurement criteria (key
performance indicators);
➤ giving and receiving feedback about performance; and
➤ planning education and development opportunities to sustain, improve or build
on employee work performance.

The performance management process therefore provides an opportunity for an
employee and a performance manager to discuss development goals and jointly
create a plan for achieving them. Development plans should contribute to both
organizational goals and the professional growth of the employee.
Performance auditing, then, involves firstly determining management’s objectives,
followed by establishing which management controls exist, leading to effectiveness,
efficiency and economy. An auditor must determine which key performance
indicators are in use and are appropriate, as well as whether control objectives are
being achieved. This is discussed in greater detail in Chapter 18.

CHAPTER 14
Auditing Business Process Cycles

Learning objectives
After studying this chapter, you should be able to:
➤ Identify the various types of business cycle
➤ Identify the functional interrelationships within the supply chain
➤ Identify risks within the supply chain
➤ Recognize red flags which may indicate fraudulent practices within the supply
chain
➤ Structure supply chain audits
➤ Identify the components of payroll and human resource cycles
➤ Structure audits within the human resources function
➤ Identify risks and structure audits within the R&D cycle
➤ Structure audits for the awarding of contracts
➤ Understand the problems inherent in conducting audits of corporate strategic
planning

Auditing Business Process Cycles


Each business process follows its own unique cycle within the overall cycle of business
operations. Internal auditors must adapt their own processes to meet the needs of
these specific business processes. This chapter will examine the differences in the
types of audit required within the business processes.

Revenue and Receivable Business Cycles


Receivables and revenue represent significant business risks because of the
complexity of certain business processes and accounting rules as well as their
accessibility for the commission of fraud.
Internal auditing in this area may include audits of the accounting system and
control activities as well as audits of the monitoring policies and procedures. Critically,
management needs assurance of the reliability of reported revenues as well as of
outstanding receivables in order to make the most effective use of operational planning.
The overall revenue cycle includes the receiving of orders from customers as
well as the delivery of goods and services and the subsequent billing, followed by
the collection of accounts receivable. In all cases, accuracy and completeness of
information are critical to the process. Primary controls sought by auditors in this area
include segregation of duties as well as supervisory controls to ensure the accuracy
of financial statement assertions. The nature, timing and extent of substantive
tests in this area will be dependent upon the auditors’ assessment of inherent and
control risks based upon their evaluation of the operating effectiveness of the internal
controls. One of the more onerous areas for substantive testing lies in
substantiating the assertions of the existence and valuation of receivables
due. This normally takes the form of acknowledgement of debt by customers and an
assessment of the adequacy of the provision for uncollectible accounts.

Supply Chain Management


The supply chain has a major impact on any organization’s business strategy since it
directly affects its operating costs. A sustainable supply chain is normally vital to the
organization’s ability to survive and prosper. This has become notably more critical
due to the nature of today’s competitive environment, with a corresponding need for
internal audit to review supply chain performance from a holistic perspective rather
than treating the audit as an integrated process. The aim of the internal audit in this
area is to assist management to improve the efficiency and effectiveness of operations
in order to achieve the projected business goals. The auditor must be careful not
to confuse cost savings with risk reduction, since these are objectives which may
compete with each other.
The auditor must therefore become familiar with the interconnection of the
functions existing within the corporate supply chain in order to review the policies
and procedures which should be evident within the procurement function. The
processes identified by The Global Supply Chain Forum are:
➤ Customer relations management
➤ Supplier relations management
➤ Customer service management
➤ Demand management
➤ Order fulfillment
➤ Manufacturing flow management
➤ Product development and commercialization
➤ Returns management.42

Internal audit’s role may take the form of reviewing supply chains, including their
strengths and weaknesses, in order to validate the corporate monitoring programs.
Additionally, audit may be called on to assist management in identifying critical suppliers,
aid with compliance monitoring and improve the strength of risk control procedures.
Among the risks to supply chains are:
➤ Supply disruptions
➤ Supply delays
➤ Inaccurate requirement forecasts
➤ Poor inventory holding and accounting procedures
➤ Fraud.

The procurement process is by its nature a competitive activity which can operate
effectively only when competitors price independently and honestly. In many
organizations, procurement begins with a tender process which may itself be open to
such fraudulent techniques as price fixing, bid rigging, product substitution and cost
or labor mischarging.

42. Douglas, M.L. 2008. An Executive Summary of Supply Chain Management: Processes, Partnerships,
Performance. Sarasota, FL: Supply Chain Management Institute.

Where there is collusion between an employee and an outside vendor, through the
authorization of bogus or inflated payments for services or products that are never
delivered or work that is never done, the auditor must always be alert for red
flags as warnings of suspicious activities.
Such indicators may include:
➤ the elimination of discounts in markets where discounts traditionally have been
given;
➤ price increases that are disproportional to other cost increases;
➤ prices remaining fixed for long periods of time;
➤ one or more bidding companies continuing to submit unsuccessful bids with a
single company winning most contracts;
➤ a group of companies consistently bidding for the same contracts with rotation of
the lowest bidder;
➤ consistent sub-contracting by winning bidders to one or more unsuccessful
competitors in the bidding process;
➤ large movements in labor costs;
➤ reclassification of costs from indirect to direct or vice versa;
➤ distinctive patterns of charging for labor or materials; and
➤ general laxity in the system of internal controls.
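Several of these indicators can be expressed as analytical tests over the tender history held in the procurement records. The following is an added example, not from the textbook or any audit tool, that screens constructed tender records for four of the indicators (a persistent single winner, rotation of the lowest bidder within a fixed group, winners sub-contracting to losing bidders, and prices fixed over a long run); the bidder names, prices and thresholds are constructed assumptions.

```python
"""Screening a tender history for the bid-rigging red flags listed above.

Added example, not from the textbook or any audit tool: constructed tender
records are scored against four of the indicators (a single persistent winner,
rotation of the lowest bidder within a fixed group, winners sub-contracting to
losing bidders, prices fixed over a long run). Thresholds are illustrative.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Tender:
    tender_id: str
    bids: Dict[str, float]        # bidder -> price submitted
    winner: str                   # bidder awarded the contract
    subcontractors: List[str] = field(default_factory=list)  # parties the winner engaged


def dominant_winner(tenders: List[Tender], share: float = 0.7, min_losses: int = 3) -> Optional[dict]:
    """One company wins at least `share` of tenders while the same rivals keep losing."""
    wins = Counter(t.winner for t in tenders)
    top, n = wins.most_common(1)[0]
    if n / len(tenders) < share:
        return None
    losses = Counter(b for t in tenders for b in t.bids if b != t.winner)
    persistent = sorted(b for b, c in losses.items() if c >= min_losses and wins[b] == 0)
    return {"winner": top, "share": round(n / len(tenders), 2), "persistent_losers": persistent}


def lowest_bid_rotation(tenders: List[Tender], min_group: int = 3) -> Optional[dict]:
    """The same group bids every time and the lowest bid rotates through its members."""
    group, count = Counter(frozenset(t.bids) for t in tenders).most_common(1)[0]
    if len(group) < min_group or count < len(group):
        return None
    lowest = [min(t.bids, key=t.bids.get) for t in tenders if frozenset(t.bids) == group]
    k = len(group)
    # In every window of k consecutive tenders each member is the lowest bidder exactly once.
    rotating = all(len(set(lowest[i:i + k])) == k for i in range(len(lowest) - k + 1))
    return {"group": sorted(group), "lowest_sequence": lowest} if rotating else None


def subcontracting_to_losers(tenders: List[Tender]) -> List[dict]:
    """The winner sub-contracts part of the work to a company that lost the same tender."""
    hits = []
    for t in tenders:
        overlap = sorted((set(t.bids) - {t.winner}) & set(t.subcontractors))
        if overlap:
            hits.append({"tender": t.tender_id, "winner": t.winner, "subcontracted_to": overlap})
    return hits


def fixed_prices(tenders: List[Tender], min_run: int = 4) -> List[dict]:
    """A bidder's price does not move across `min_run` or more consecutive tenders."""
    hits = []
    for bidder in sorted({b for t in tenders for b in t.bids}):
        run, prev = 0, None
        for t in tenders:
            price = t.bids.get(bidder)
            run = 0 if price is None else (run + 1 if price == prev else 1)
            prev = price
            if run >= min_run:
                hits.append({"bidder": bidder, "price": price, "tenders": run})
                break
    return hits


def screen(tenders: List[Tender]) -> dict:
    """Run every indicator; only the ones that fire are returned."""
    flags = {
        "dominant_winner": dominant_winner(tenders),
        "lowest_bid_rotation": lowest_bid_rotation(tenders),
        "subcontracting_to_losers": subcontracting_to_losers(tenders),
        "fixed_prices": fixed_prices(tenders),
    }
    return {name: result for name, result in flags.items() if result}


# Constructed history 1: Alpha, Beta and Gamma take turns as the lowest bidder.
ROTATION_TENDERS = [
    Tender("R1", {"Alpha": 100.0, "Beta": 104.0, "Gamma": 106.0}, "Alpha"),
    Tender("R2", {"Alpha": 108.0, "Beta": 102.0, "Gamma": 107.0}, "Beta"),
    Tender("R3", {"Alpha": 110.0, "Beta": 109.0, "Gamma": 103.0}, "Gamma"),
    Tender("R4", {"Alpha": 101.0, "Beta": 105.0, "Gamma": 108.0}, "Alpha"),
]
# Constructed history 2: Delta always wins at an unchanging price and hands work to Echo.
DOMINANT_TENDERS = [
    Tender("D1", {"Delta": 250.0, "Echo": 262.0, "Foxtrot": 270.0}, "Delta"),
    Tender("D2", {"Delta": 250.0, "Echo": 265.0, "Foxtrot": 268.0}, "Delta", ["Echo"]),
    Tender("D3", {"Delta": 250.0, "Echo": 260.0, "Foxtrot": 275.0}, "Delta"),
    Tender("D4", {"Delta": 250.0, "Echo": 266.0, "Foxtrot": 271.0}, "Delta"),
    Tender("D5", {"Delta": 250.0, "Echo": 263.0, "Foxtrot": 269.0}, "Delta", ["Echo"]),
]

if __name__ == "__main__":
    for label, history in (("rotation", ROTATION_TENDERS), ("dominant", DOMINANT_TENDERS)):
        print(label, screen(history))
```

A flag raised by the screen is a prompt for further audit work on the tender file, not a finding in itself.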

Audits of supply chain management must include a review of management processes
to ensure functional and process integration within the organization as well as
maximizing supply chain flexibility, so that the organization can respond to rapid
changes in customer demand and meet customer needs for innovative products and
services. To achieve this, the auditor will need to identify the key objectives of supply
chain management from a strategic and operational perspective, as well as develop
the appropriate criteria to evaluate the effectiveness of the configuration of the
organization’s supply chain and the metrics to evaluate its operational performance.

Inventory and Production Cycles


Inventory is normally a major item in the working capital and on the statement of
financial position of an organization. For many organizations the inventory may be
held in different locations, leading to problems in auditing physical controls. In
generic terms, the cycle consists of:
➤ process purchase orders;
➤ receive raw materials;
➤ store raw materials;
➤ process the goods;
➤ store the finished goods; and
➤ ship the finished goods.

Information sought by the auditor in this area will therefore include records of the
requisition and ordering of goods or raw materials, to be matched against records
of receipts of the goods or raw materials. Proof will also be sought of the controls
over the issuance of goods or raw materials from inventory as well as store-keeping
procedures to ensure the safety and condition of materials and finished goods held
in store. Inventory records also carry an inherent risk of material misstatement of
valuation and this would also be examined by internal audit. Tests of controls within
this area would include:
➤ Existence – observation and evaluation of proper segregation of duties and test
procedures for transfer and issuance of inventory;
➤ Rights and obligations – checking recorded inventory against both suppliers’
invoices and goods received notes;
➤ Completeness – checking the existence of all purchase orders through sequence
checking as well as their match to receiving reports and vouchers;
➤ Accuracy – examining testing procedures for ensuring physical inventory accuracy
as well as the development of cost information;
➤ Valuation – testing procedures for the identification of obsolete or slow-moving
inventory items; and
➤ Item classification – reviewing inventory classification to ensure compliance with
corporate accounting policies and international standards.

Inventory controls sought by the auditor would include physical controls over
inventory, the use of perpetual inventory records and the proper maintenance and
integration of unit and standard cost records.
The production cycle relates to the processes involved in conversion of raw materials
into finished goods. This includes production planning as well as control of the types and
quantities of goods to be manufactured, maintenance of appropriate inventory levels and
the events and transactions pertaining to the manufacturing process.
The production cycle differs from industry to industry and organization to
organization and the auditor must design an audit program suitable to the needs of
the company. In planning the audit, the auditor will typically take into consideration
the materiality of likely findings, the degree of inherent risk, and the use of analytical
procedures such as inventory turnover days or inventory growth in relation to cost-
of-sales growth. Other ratios produced could include finished goods produced to raw
material used, finished goods produced to direct labor or the percentage of product
defects. Once again, these are management measures but internal audit may do
time-series analysis in order to evaluate changes in control achievement.

Payroll and Human Resource Cycles


The overall human resources (HR) and payroll cycles involve the events and activities
pertaining to compensation of employees including salaries, hourly wages, bonuses,
commissions, employee benefits as well as stock or share options.
Human resource services can vary in importance across industries: some,
such as mining, may be highly labor intensive while others, such as financial services,
may be less so. As such it is important for the auditor to become familiar with the
criticality of human resource services to the entity as a whole as well as the varying
types of remuneration package in use within the organization.
For most organizations, regardless of the degree of labor intensity, the importance
of human capital to the value of the organization makes human resource services
a material audit area. The overall purpose of the audit of HR is to identify areas of
strength and weakness where improvements may be needed. This involves reviewing
the current HR practices, policies and procedures in relation to the role HR plays in
the achievement of the overall strategic objectives of the organization. Areas which
would form part of a conventional audit program would include:

136

Internal_Auditing.indb 136 16/04/2015 11:12


AUDITING BUSINESS PROCESS CYCLES

➤➤ compliance with legal statutes;
➤➤ accuracy and completeness of record-keeping;
➤➤ maintenance of confidentiality;
➤➤ employee relations;
➤➤ performance appraisal systems;
➤➤ termination procedures;
➤➤ health, safety and security in the workplace; and
➤➤ compensation structures.

Auditing within HR can take the forms of compliance auditing to determine the
degree of compliance with external laws and regulations as well as internal policies,
procedures and plans, program-results audits to determine the effectiveness of HR
procedures in areas such as health, employee relations, and performance appraisal
systems through to operational audits in terms of accuracy and completeness of
record-keeping, confidentiality, termination procedures and compensation structures.
It is unusual for all of these audit programs to be performed in one single audit.
Depending on the nature and risk inherent in the corporate use of HR, the audit
would normally be a compliance audit, an operational audit or a program-results
audit and the scope set accordingly.
In examining payroll activities the auditor may use analytical procedures such as
calculating:
➤➤ the average payroll cost per employee classification;
➤➤ the revenue per employee;
➤➤ payroll tax expenses as a percentage of gross payroll;
➤➤ time-series analysis of payroll expenses; and
➤➤ employee benefit expenses as a percentage of gross payroll

in order to determine the accuracy and completeness of payroll information. In
addition, the auditor may examine the records regarding:
➤➤ hiring of employees;
➤➤ authorization of payroll changes;
➤➤ preparing and recording of the payroll information;
➤➤ disbursement of the payroll and protection of unclaimed wages;
➤➤ filing of taxation documentation; and
➤➤ detective mechanisms to identify ‘ghost’ employees.

Fraud within the payroll takes a form of payments to fictitious or ‘ghost’ employees,
payments to genuine employees for hours not worked or payments to employees at
rates higher than those authorized. Once again, typical controls the auditor would
look for would include:
➤➤ segregation of duties between the preparation and payment of the payroll;
➤➤ employee authentication on collection of cash sums;
➤➤ proper control and disposition of unclaimed payments; and
➤➤ controls to prevent duplicate payments.
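The detective controls in the two lists above (ghost employees, payments at rates above those authorized, duplicate payments, and segregation between preparation and payment) can be tested by reconciling a payroll run against the HR master file. The block below is an added example, not code from the textbook or any payroll system: the HR master, the payroll run, the employee ids, bank account identifiers and the preparer/approver fields are constructed sample data, and the field names are assumptions about how such extracts would be laid out.

```python
"""Payroll control tests over a constructed sample payroll run.

Added illustration (not from the textbook). It reconciles one payroll run
against an HR master file and flags: payees not on the HR master ('ghost'
employees), payment to a terminated employee, a rate above the authorized
rate, a bank account that differs from HR or is shared between payees,
duplicate payments for one period, and a preparer who approved their own
entry (segregation of duties). All records below are constructed.
"""
from collections import Counter, defaultdict

# Constructed HR master file: employee id -> authorized record.
HR_MASTER = {
    "E001": {"status": "active",     "auth_rate": 180.00, "bank": "ACC-1001"},
    "E002": {"status": "active",     "auth_rate": 150.00, "bank": "ACC-1002"},
    "E003": {"status": "terminated", "auth_rate": 160.00, "bank": "ACC-1003"},
    "E004": {"status": "active",     "auth_rate": 200.00, "bank": "ACC-1004"},
}

# Constructed payroll run: one dict per payment instruction.
PAYROLL_RUN = [
    {"pay_id": "P1", "emp_id": "E001", "period": "2024-03", "hours": 160, "rate": 180.00,
     "bank": "ACC-1001", "prepared_by": "clerk1", "approved_by": "mgr1"},
    {"pay_id": "P2", "emp_id": "E002", "period": "2024-03", "hours": 160, "rate": 175.00,
     "bank": "ACC-1002", "prepared_by": "clerk1", "approved_by": "mgr1"},    # rate above authorized
    {"pay_id": "P3", "emp_id": "E003", "period": "2024-03", "hours": 160, "rate": 160.00,
     "bank": "ACC-1003", "prepared_by": "clerk1", "approved_by": "mgr1"},    # terminated, still paid
    {"pay_id": "P4", "emp_id": "E999", "period": "2024-03", "hours": 160, "rate": 150.00,
     "bank": "ACC-1002", "prepared_by": "clerk1", "approved_by": "clerk1"},  # ghost, shared account, self-approved
    {"pay_id": "P5", "emp_id": "E004", "period": "2024-03", "hours": 160, "rate": 200.00,
     "bank": "ACC-1004", "prepared_by": "clerk2", "approved_by": "mgr1"},
    {"pay_id": "P6", "emp_id": "E004", "period": "2024-03", "hours": 160, "rate": 200.00,
     "bank": "ACC-1004", "prepared_by": "clerk2", "approved_by": "mgr1"},    # duplicate of P5
]


def audit_payroll_run(run, master):
    """Return a list of (pay_id, finding) tuples produced by the control tests."""
    findings = []
    periods_paid = Counter()                 # (emp_id, period) -> number of payments seen
    payees_per_account = defaultdict(set)    # bank account -> set of employee ids paid into it
    for p in run:
        payees_per_account[p["bank"]].add(p["emp_id"])

    for p in run:
        emp = master.get(p["emp_id"])
        if emp is None:
            findings.append((p["pay_id"], "ghost employee: payee not in HR master"))
        else:
            if emp["status"] != "active":
                findings.append((p["pay_id"], "payment to %s employee" % emp["status"]))
            if p["rate"] > emp["auth_rate"]:
                findings.append((p["pay_id"], "rate %.2f exceeds authorized %.2f"
                                 % (p["rate"], emp["auth_rate"])))
            if p["bank"] != emp["bank"]:
                findings.append((p["pay_id"], "bank account differs from HR master"))
        key = (p["emp_id"], p["period"])
        periods_paid[key] += 1
        if periods_paid[key] > 1:
            findings.append((p["pay_id"], "duplicate payment for period %s" % p["period"]))
        if len(payees_per_account[p["bank"]]) > 1:
            findings.append((p["pay_id"], "bank account shared with another payee"))
        if p["prepared_by"] == p["approved_by"]:
            findings.append((p["pay_id"], "segregation of duties: preparer approved own entry"))
    return findings


def gross_payroll(run):
    """Gross payroll cost of the run (hours x rate), the denominator for the ratio tests above."""
    return sum(p["hours"] * p["rate"] for p in run)


if __name__ == "__main__":
    for pay_id, finding in audit_payroll_run(PAYROLL_RUN, HR_MASTER):
        print(pay_id, finding)
    print("gross payroll: %.2f" % gross_payroll(PAYROLL_RUN))
```

Run as a script it lists seven findings against P2, P3, P4 and P6 and leaves P1 and P5 clean. In practice the same logic is applied to exported payroll and HR extracts; the shared-bank-account and self-approval tests are the ones that most reliably surface a ghost employee, because a fictitious payee still needs a real account to receive the money and a real person to push the entry through.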

Research and Development Cycles


Auditing of the R&D cycle includes ensuring that the results of corporate expenditures
are appropriately safeguarded as well as ensuring the company gets value-for-money
for expenditure in this area. Ensuring that expenditures have been made for
documented and authorized projects would involve reviews of:
➤➤ corporate R&D objectives;
➤➤ budgets;
➤➤ expenditures;
➤➤ documentation; and
➤➤ policies and procedures.

It should be noted that audits in this area are notoriously difficult and that auditors
must restrain themselves from ‘second guessing’ the R&D section and confine
themselves to examining the policies and procedures governing the section and their
compliance. Overall, the auditor seeks to answer the questions:
➤➤ What are the objectives?
➤➤ Are they being achieved?
➤➤ If not, what corrective actions are being taken?
➤➤ What procedures are in place?
➤➤ Are the procedures complied with?
➤➤ Is appropriate project management in place?
➤➤ What controls exist to ensure the intended purpose of the department is being
achieved?
➤➤ Is security maintained on all work-in-progress as well as results?

Contract Auditing
Conducted effectively, improvements in controls around the awarding of contracts
represent an opportunity to reduce risk and save money. As such, a contract audit is
taken to involve the evaluation and verification of the accuracy as well as propriety of
a contractor’s controls, policies and systems.
In order to achieve effective contract audits, certain critical elements need to be
in place including:
➤➤ appropriate executive-level support;
➤➤ the co-operation of both contractor and operational management;
➤➤ inclusion of a ‘right-to-audit’ clause in the contract; and
➤➤ clearly defined and understood audit objectives.

This type of audit is normally done through inspection of account books, transaction
records and operational logs. Over and above the awarding of contracts as noted in
supply chain above, a critical element for the auditor involves ensuring that all terms
and conditions within the contract have been complied with. The most common
reason for conducting a contract audit is to ensure that the contractor has complied
with the pricing structure, since contract audits have a history of uncovering clerical
errors, overpayments, and credits and debits which have been omitted. In addition to
these financial and administrative issues, the auditor will typically base the scope of
the audit on the perceived risk profile of the contractor and the contract itself.
Risk factors to be considered would include ensuring that:
➤➤ sub-contracted activity is appropriately authorized, effectively managed and
accurately reported;
➤➤ adequate control exists for the protection of customer-owned assets;
➤➤ reconciliations of supplies and materials are carried out in an appropriate manner;
➤➤ the contractor has adequate insurance to limit customers’ exposure;
➤➤ appropriate statutes are complied with in terms of health and safety, environmental
protection, labor legislation, employment equity, taxation requirements, etc; and
➤➤ appropriately qualified staff are employed for work undertaken.

Given the nature and size of expenditure covered in contracts within larger
organizations, the Enterprise Risk Management strategy should include contract
auditing as part of the evaluation of compliance with the overall organizational risk
appetite. The size and nature of specific contracts can prioritize them from an audit
perspective. The impact of a contract failure on corporate reputation may raise the
inherent risk factors to unacceptable levels, requiring audit to escalate the risk
to a priority level. Reputational risk can be drastically impacted either positively or
negatively by the perceived:
➤➤ safety of products or services;
➤➤ general quality of products and services;
➤➤ environmental impacts; and
➤➤ viability of strategic sourcing partners.

Contracts which have been evaluated and with a high enough risk rating to warrant
audit intervention should then be analyzed in order to develop the scope of the
audit in terms of potential exposures and areas requiring substantive testing. As with
any other audit, a blend of skills with appropriate knowledge levels of the contract
objectives will typically be required. Where insufficient skills exist in-house, internal
audit may draw upon external sources to supplement the audit team. The sources
could include operational areas within the organization, external audit service
providers or consultants or, where the need for such expertise will be ongoing,
recruitment or development of additional audit skills.

Auditing Corporate Strategy


An audit of corporate strategy may be the most sensitive type of audit undertaken
by the internal audit function given that its nature involves the potential to be seen
as ‘second guessing’ management. The overall objective is to assist management by
reviewing the corporate vision and objectives and a business plan designed to ensure
successful attainment of those objectives. The audit is not intended to review the
appropriateness of the vision and objectives but the nature of the business plan, the
manner in which the plan was developed and the likelihood of the plan moving the
company to where it desires to be.
In general, the business plan must be seen to be complete, in line with the
corporate vision and business strategies, and manageable. To carry out this
audit, the auditor must first develop a clear and objective picture of the business
environment within which the organization operates. This includes an analysis
of the market arena, competitive analysis and an understanding of the financial
realities under which the organization functions. Much of this information will
already be available to the auditor although not necessarily structured in a form
suitable for audit purposes. Reviews would include examination of the existing
business plan and any other strategic planning documents as well as interviews
with the executive and operational management teams to ensure knowledge of
the business plan, alignment with the corporate objectives and to establish the
probabilities of the existing plan succeeding.
Business processes can then be mapped against the plan in order to determine
their strategic importance as well as resource requirements and measurement criteria
in respect of specific milestones as the plan progresses. Deficiencies identified in
the plan itself may point to deficiencies in the planning process. Over-optimism
regarding timescales and abilities, under-estimation of resource requirements and
guesswork in terms of the industry environment can result in a plan which looks ideal
on paper but where the probability of attainment is very low. Recommendations
under these circumstances would normally take the form of improvements to the
planning process and a recommendation that management revisit the plan using the
approved planning process.

CHAPTER 15

Negotiation Skills

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the negotiating process
➤ Explain the conflict process and differentiate between functional and
dysfunctional conflict
➤ Explain the role of trust in effective negotiation
➤ Define the structure of negotiations from an internal audit perspective
➤ Identify the steps involved in carrying out a successful negotiation
➤ Explain potential roles of an internal auditor in acting as a third party during
organizational negotiations

Negotiation
Negotiation has been defined as ‘a process of interaction between parties directed
at achieving some form of agreement that will hold and that is based upon common
interests, the purpose of resolving conflict, despite widely dividing differences’.43
This involves an exchange of information in order to establish common ground and
create alternatives.

Negotiation may be classified into distinct types.
➤ In integrative negotiation, both parties have an overriding objective to leave
the negotiation feeling that they have gained more than they could have by
other means.
➤ In distributive negotiation, each party goes into a negotiation with the objective
of winning, regardless of the effect on the other party.
➤ Destructive negotiation is, as its name suggests, a highly negative form of
negotiation in which one party is negotiating in order to inflict damage on the other
party, regardless of the impact on themselves. This is normally motivated by
the desire for revenge and retribution.
➤ In an ongoing relationship, continuous negotiation is necessary. An employee/
employer relationship or a supplier/customer relationship would be examples of
continuous negotiation.
➤ Alternatively, there may come a time when previous good relations are
threatened by a current problem and intermittent negotiation must take place.
➤ In a worst-case scenario where confrontation between parties has occurred, a
crisis negotiation takes place, but unlike previous forms of negotiation, the two
parties operate from totally different power bases.

43. Spoelstra, M. & Pienaar, W. 1996. Negotiation Theories, Strategies & Skills. 2nd ed.
Cape Town: Juta. p. 3.

Effective negotiations require adequate preparation. This is critical to the success
of the negotiations and falls into clearly defined phases.
➤ The initial phase involves the defining of objectives to be achieved within the
negotiation and prioritizing them. These objectives can be prioritized into
essential, realistic and nice to have. Essential objectives make up the minimum
acceptable solution, while realistic objectives are those that can reasonably be
expected in a compromise situation. ‘Nice to have’ objectives will be used as
bargaining chips in achieving the essential and realistic ones.
➤ Preparation for the negotiation involves a careful analysis of the situation. The
negotiator must establish the nature of the negotiation as defined above, and
whether an ongoing relationship is important to both sides. The alternatives,
should the negotiations fail to achieve their objectives, must also be considered,
and the minimum believed to be sought by the opposition must be identified
(obviously this will be an intelligent guess).
➤ In seeking to identify the opposition’s objectives, many issues will be involved
and issue identification forms the next step in the process. Identifying the issues
from both the negotiator’s and opponent’s perspectives and prioritizing the
issues may identify areas of overlap.
➤ An essential part of the preparation is to gain and analyze information on the
opposition’s negotiators. By determining their needs and personalities, the
negotiators may gain insight into both the opposition’s negotiating and personal
goals. Different cultural backgrounds can confuse negotiations if the negotiator
is unaware of the objectives and values of the opposing party.
➤ In some negotiations, the legal implications may be a key component. Where
the negotiations involve compliance with the law, legal opinion should be
sought before the negotiations start.
➤ Most negotiations will have some financial consequences and adequate
financial preparation should be carried out to identify the indirect or direct financial
effects of potential agreements.
➤ Having established the ground rules for the negotiations, as above, the
negotiators must then decide on the tactics they will employ during the process of the
negotiation. This may include such factors as the location, the composition of
the team, the particular roles individual team members will play, the agenda,
the perceived common ground or even the very layout of the room.

Once all preparations have been completed, negotiations can take place.

The Climate for Negotiations


One of the strongest factors influencing the success or failure of negotiations is
the climate within which they take place. Previous relationships and the degree of
trust or lack of trust between negotiating parties may influence this. Negotiations
normally begin with the initial contact between the negotiators and in the first few
seconds, the initial climate is established by how polite negotiators are to each
other and the way they greet each other. A poor start can put many barriers in the
way of successful negotiation and unnecessarily delay the finding of the solution.
Once the initial climate has been established, common ground is sought regarding
the objectives of the negotiation, the agenda and the protocols to be followed.
Consensus must be reached on the definition of the problem being negotiated and
it is at this stage that the negotiating group may achieve cohesion and begin
working as ‘we’ rather than ‘I’. When cohesion is achieved, constructive negotiation
and problem resolution can follow. The final stage of negotiation is closure – an
agreement is reached and future progress is approved.

Negotiating Common Ground


It is essential that some common ground be found before the actual negotiations
take place. If no common ground can be found, then probably no negotiation is
possible. If the negotiators cannot even agree on the nature of the problem, there is
really nothing left to negotiate!
If common ground has been found, differences and conflicts can be resolved by
co-operation instead of confrontation. Issues can then be defined in terms of areas
of possible consensus rather than issues of dispute.
If common ground is not found – or at least looked for – negotiations start from
polarized positions, with each party operating from a ‘win or lose’ position.
Achieving common ground is a process in its own right. Most common techniques
used in this process involve the use of key questions. Agreement can only be reached
once everyone involved in the negotiation has had the opportunity to consider the
question and respond. The most common initial question to be answered is: ‘Why
are we negotiating?’ Instead of stating the objectives of one side of the
negotiation, consensus is sought as to the objectives of negotiating in the first place. In the
process of questioning, it is vital that negotiators listen to the other side instead of
trying to dominate by ignoring it and its position.
By the same token, when questions are asked, answers must follow. Questions
must be answered in a way that makes a constructive outcome possible. Questions
may be answered by making statements, asking for suggestions, offering
alternatives or in some cases remaining silent. A common – and not very constructive
– tactic when questioned is to respond with another question.
Once common ground has been established, it is possible if disagreements arise
to return to the area of common ground to re-establish the negotiation.

Power
The outcome of negotiations will be strongly affected by the perception of the
relative power of the negotiating parties. Where both parties perceive parity in power,
constructive negotiation is more likely to follow. Where there is a disparity, the
possibility exists that the more powerful party will attempt to dominate the weaker one.
Power itself takes many forms.
➤ Legitimate power stems from someone’s ability to influence the negotiations
because of his/her authoritative position. Organizational rank is obviously
important here.
➤ Reward power stems from someone’s ability to reward compliance by another.
This may be a factor of legitimate power in that an organizational superior may
have the ability to promote, provide resources or offer financial inducement.
Reward power may take the form of intangible rewards such as praise,
compliments, eye contact, visible indications of agreement or praise for past
performance. Flattery is an example of the use of reward power.
➤ Coercive power is someone’s ability to punish another for non-compliance. It
is the opposite of reward power. This power is based on the fear by the
victim that negative sanctions will be imposed. Coercive power can be an
effective tool for short-term gains; however, reward power is more likely to deliver
long-term and sustainable results.
➤ Expert power is the power of someone who possesses expertise that is highly
valued by another. When someone is believed to be an expert in a particular
field, argument is less likely. If someone displays a lack of confidence in his/her
own opinion, disagreement and argument often follow. Expert power is the
power base from which auditors normally operate.
➤ Referent power involves the desire to be associated with someone or with their
opinions because of their personality or charisma. Parties to negotiation may
be strongly influenced by referent power when strong personalities are involved.
➤ It may seem like a contradiction in terms, but there can also be power in
weakness. Situations can be manipulated by invoking sympathy or feelings of guilt
within the other party. Children exploit their own vulnerability in negotiations
with parents about bedtimes or the buying of gifts and treats. In business
negotiations, this can also be an effective tactic on the basis that ‘You are so big,
you can afford it’ or ‘You have exploited us in the past’.

Power can be countered by trying to achieve parity with the other party. An
effective way of achieving this may be to collapse your own power base. This involves
one party intentionally assuming the inferior position in order to prevent the other
side escalating their power base further. By simply apologizing for an acknowledged
wrongdoing, one party may be able to defuse the situation and prevent further
escalation.
It is important for negotiators to understand power, the use of power, sources of
power and how power may be countered.

Persuasion
Given that common ground has been found but that differences still exist, the
opposing party in a negotiation must be influenced so that the common ground is
increased because, very clearly, an amicable agreement has to be achieved before
negotiations can be completed. Negotiators will often encounter an opposing side
with strong attitudes about the issues under discussion. Under such circumstances,
a negotiator will have to start building a case with arguments that no one strongly
disagrees with, and continue to build it piece by piece until it has been made. This
is basically what persuasion is all about. Starting the negotiation with radical
statements is a high-risk tactic, even if the statements are true for you.

Negotiating Conflict
Himes44 defines social conflict as ‘purposeful struggles between collective actors
who use social power to defeat or remove opponents and to gain status, power
resources and other scarce values’.
Some conflict can be healthy in any relationship. Without conflict there can be
no negotiation. However, conflict can be dysfunctional and significantly hinder the
achievement of the goals of both parties. The point where co-operation breaks
down and the generation of alternative solutions ceases is normally taken to be
that at which dysfunctional conflict has begun. In dysfunctional conflict, escalation
will result in mutual attacks and efforts to destroy the other party. Misjudgments
and misperceptions are magnified and the ability to survive may be jeopardized.
The probability of successfully achieving the participants’ goals will certainly be
compromised.

44. Himes, J.S. 1980. Conflict and Conflict Management. Athens: University of Georgia Press. p. 14.

Conflict originates in differing goals, scarce resources, imbalances in power or
ambiguity. Such conflict can be moderated or aggravated by the tactics employed
within the negotiation. Individuals’ aspirations and perceptions, coupled with the
history of their relations (which can be good or bad), can increase or decrease the
potential for conflict. Conflict behavior may range from termination of relationships
through coercion to physical violence.

Interviewing
For an auditor, interviewing is a critical communications process. Often, you will
be in a position of receiving information in an interview, and therefore have a
responsibility to listen carefully. This is not as easy as it sounds. When dealing with
a series of interviews, it is difficult to maintain your focus. Listening is an active
function and it is an acquired skill. And, generally, we have a lifetime of bad habits
to overcome. Poor listening habits include losing your concentration by
becoming impatient with speakers, or simply allowing minor annoyances to distort their
message. This usually results in your interrupting the speaker in order to make
your point, instead of listening as a good receiver should. Boredom can lead to
‘scanning’ what is being said. In effect, you stop listening unless you hear a key
word that interests you. You may also allow yourself to be distracted by personal
priorities, prejudging of anticipated information or even taking dictation (ie writing
down every word heard, without trying to understand what is being said).
It is difficult to develop good listening habits, and, in particular, to maintain
interest in an otherwise boring information transfer. Nevertheless, you can learn
to encourage the person you are speaking to with non-verbal support (nods of the
head, paralinguistics, etc). In addition to giving non-verbal support, you can also
be alert to non-verbal behavior such as body language, gestures, etc. Summarizing
and recapping what has just been said gives the sender the message ‘I am listening
and I understand’. You must learn to be sensitive to the clues in the message the
sender is broadcasting and to be non-critical when you are evaluating the
information you are listening to.
In preparing for an interview, you must clarify in your own mind the aims and
objectives of the interview. The interview may be taking place for you to gain
knowledge or confirm facts. It may be intended to impart knowledge, to persuade
or to assist an auditee to make a decision.

Deciding whom to interview will be dependent on the objectives of the audit or
negotiation. In all cases, you must ensure that the interview is properly organized.
This includes the time schedule (be on time), the place (ensure that it will be
appropriate and free of distractions), travel and reception (if you are going to them,
know how to get there; if they are coming to you, ensure that they are expected at
reception). Preparing for the interview involves your doing some homework or
research on the interviewee. By doing this, you can be aware of any of the
interviewee’s special requirements or priorities before the interview actually starts.
➤ The first phase of the interview is the introduction. During this phase, you
should try to relax the interviewee by establishing a rapport and removing, as
far as possible, any fears that the interviewee may be suffering from. For
example, by smoothing the status fears during diagonal communication, you may be
able to relax the other party and improve the discussion.
➤ When the interview is actually under way, you should set the scene. During this
phase, the interviewer may do most of the talking. The background, goals and
objectives of the audit or interview need to be explained. However, this phase
should not dominate the interview. Some auditors find visual aids such as
diagrams, charts or even photographs may help here.
➤ Questioning may be structured or unstructured. A structured interview may
adopt the checklist approach, in which the interview follows the structure of
‘what happens next’. An alternative to sequential checklists is the less
structured objective-based approach where questions are sequenced by business or
control objectives. This can keep the interview focused on the key perspectives
from your point of view, but can be disjointed in attempting to ensure that all
stages of a process have been covered.
The questions themselves should be open-ended, which basically lets the
interviewee set the direction the interview will take. This normally happens
when you have no background knowledge. Open-ended questions typically
begin: ‘Tell me about...’; or ‘Explain to me how…’. ‘Yes or no’ questions may be
conversation stoppers and eventually cause the interview to grind to a halt.
A useful technique is the hypothetical question. This would be along the lines
of: ‘What would happen if you were sick and a relief manager was brought in
to replace you?’ You should be aware that multiple choice questions may well
result in the answer the interviewee thinks you would like to hear.
Often in everyday conversation we anticipate the answer to a question and
start to formulate the next question before the first one is fully answered. In
an extreme case, this can make it obvious to the interviewee that you are not
listening. You must learn to listen, evaluate and perhaps modify your approach
based on the answers given. Paraphrasing or summarizing can leave the
interviewee with the impression that you have listened and understood.
➤ At the end of the interview, you should conclude by answering any final
questions the interviewee might ask, explaining what will happen next and allowing
the interviewee to make any final statements. Common courtesy dictates that
you should thank the interviewee and make your farewells. Remember that,
even at this stage, a parting word from you, taken out of context, could be
misinterpreted.
➤ Once the interview is concluded, you must document any salient points that
arose. Decisions taken or comments by the interviewee leading to new
knowledge must be recorded. If the interview involves a team of auditors, one of
them should be designated as the minute-taker to ensure that the permanent
written record of the meeting documents the facts as the team understands
them.


Negotiating/Interviewing as a Consultant
In some cases, auditors may find themselves negotiating in the role of a consultant.
There is an old saying: ‘Those who can, do; those who can't, consult’. So when you
are acting as a consultant, establishing credibility up front is critical. Consulting is
not simply a matter of offering advice. You can be a highly effective consultant
simply by listening and permitting the auditees to talk through their problems and find
their own solutions. Above all, consultancy requires a non-judgmental approach.
As a consultant, you can be a supporter of management or a recommender of
action. This is probably the most common audit role in consulting. To carry it out
successfully requires you to be very confident about your abilities, since acting as
a catalyst for change will require the breaking of old bad habits. You are then in the
position of trying to move the auditee out of a comfort zone and may encounter a
great deal of resistance. Allowing the auditee to find his/her own solution if
agreement can be achieved on the problem may be more effective and less stressful for
both parties. From time to time, you may have to take the role of instructor or
educator on good business practices. If this is necessary, you must be sensitive to the fact
that you may not always be right and that the management team itself may have
some thoughts on what is good business practice for its particular business.

SECTION 3

The Practice of Internal Auditing

CHAPTER 16

Types of Internal Audit

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly and differentiate the nature and type of internal audits that
may be requested:
◗ Compliance audits
◗ Performance and operational audits
◗ Environmental audits
◗ Financial audits
◗ Fraud audits
◗ Quality audits
◗ Program results audits
◗ IT audits
◗ Audits of significant balances and classes of transactions
➤ Explain the effect of the nature of the audit on the skill mix required and the
timing of the audit

Compliance Audits
Compliance audits are carried out in order to determine whether a business entity
has complied with specific policies, plans, procedures, laws, regulations or contracts
that affect the organization. In order to successfully complete a compliance audit,
there must be established criteria against which the compliance can be measured.

Financial Audits
During a financial audit, an auditor looks for evidence relating to the reliability and
integrity of financial information. Within a financial audit, the normal measurement
criteria against which historical financial information is evaluated are recognised
financial reporting frameworks (such as IFRS). When such audits are conducted by an
internal auditor, the information is normally intended to be used by management
for internal decision-making purposes. Under these circumstances, the audit may
include both operating and financial data. Financial audits normally include both a
review of the accuracy and completeness of the numbers themselves and an
evaluation of the adequacy and effectiveness of the controls that management has
implemented to safeguard assets.
These could include controls to ensure that the organization receives all funds to
which it is entitled, that the funds are adequately secured and maintained, and that
they are appropriately spent for authorized purposes.
Auditing of financial statements is directed at assessing the accuracy of financial
reports relating to financial conditions and operating performance. This form of



INTERNAL AUDITING: AN INTEGRATED APPROACH

auditing is usually associated with external audit and includes ensuring the fairness
of financial reporting.

Performance and Operational Audits


Performance auditing involves firstly determining management's objectives, followed
by establishing whether the management controls that exist lead to effectiveness,
efficiency and economy. An auditor must determine:
➤ which key performance indicators are in use;
➤ whether they are appropriate; and
➤ whether control objectives have been achieved

The term ‘operational audit’ is commonly used to cover a variety of audit types. An
operational audit may cover the evaluation of some or all of:
➤ internal controls;
➤ compliance with laws, regulations and company policies;
➤ the reliability and integrity of financial and operating information; and
➤ the effective and efficient use of resources.

Environmental Audits
Environmental auditing emerged as a compliance management tool in the USA in
the late 1970s. This was an era of rapidly expanding environmental regulation and
a number of highly publicized incidents of environmental pollution. While there is no
single, universally accepted definition of environmental auditing, there is broad
consensus on what environmental auditing consists of and what it tries to accomplish.
Environmental auditing has been defined as a systematic, documented, periodic and
objective review by regulated entities of facility operations and practices related
to meeting environmental requirements. The development of environmental auditing
was further spurred by actions of the US Securities and Exchange Commission,
which in the early 1970s began to require companies to disclose significant costs of
complying with environmental standards.
During a typical environmental audit, a team of qualified inspectors conducts a
comprehensive examination of a plant or other facility to determine whether it is
complying with environmental laws and regulations. The team systematically verifies
compliance with applicable requirements using professional judgment and evaluations
of on-site conditions. The team may also evaluate the effectiveness of systems
in place to manage compliance and assess the environmental risks associated with
the facility's operations.
Effective environmental audit programs have a number of characteristics in common.
They require the strong support of their organization's management. They
also require adequate allocation of resources to hire and train audit personnel. In
addition, to be effective, audit programs must operate with freedom from internal or
external pressure and employ quality assurance procedures to ensure the accuracy
and thoroughness of audits.



TYPES OF INTERNAL AUDIT

Fraud Audits
Fraud auditing involves assisting management in the creation of an environment that
encourages the detection and prevention of fraud in commercial transactions. This
may involve assisting in setting the standard for the organization with an appropriate
code of conduct and conflict-of-interest policy.

A fraud auditor must know:
➤ the realm of fraud possibilities (How can it happen?);
➤ the sources of information and evidence (Where do I look?);
➤ whether the environment is conducive to fraud (Is fraud likely?);
➤ the areas of fraud opportunity (Where can it happen?); and
➤ the laws of evidence (How can I prove it?).

A fraud auditor must be capable of conducting a review of internal controls, assessing
the strengths and weaknesses of those controls, identifying abnormal transactions
and distinguishing between errors and fraudulent entries. This may involve
following a computerized audit trail.
Fraud auditing is less a methodology and more an attitude, with the focus on
identifying exceptions, oddities, accounting irregularities and patterns of conduct.
The most common schemes perpetrated by lower-level employees involve payments
(such as invoices for suppliers who do not exist or paying 'ghost' employees), while
most higher-level frauds involve such items as hiding expenses to make the fraudster
look like a good manager, showing income that did not occur or showing favoritism
in awarding government contracts.
A fraud auditor's job is to determine whether a fraud, theft or embezzlement
has occurred and, if so, whether there is a criminal law dealing with the matter and
whether there is an apparent breach of that law, since not all frauds can be
prosecuted under criminal law. If so, who was the perpetrator, who was the victim
and how can it be proved?
An auditor must be alert for red flags and indicators, such as changes in personal
behavior patterns or substantial departmental growth or decline beyond the norms.

Knowledge that an official:
➤ is undergoing emotional trauma;
➤ is betting heavily;
➤ is drinking heavily or using drugs;
➤ is sexually promiscuous;
➤ is heavily in debt;
➤ is overambitious; or
➤ enjoys a lifestyle beyond the means of his/her remuneration,
should alert an auditor to the possibility of fraud.

Fraud detection approaches may be reactive, where an auditor reacts to allegations
and complaints, suspicions and management's intuition.
Proactive auditing involves ensuring adequate internal controls through periodic
audits, intelligence gathering, reviewing of variances or logging of exceptions.


Quality Audits
Quality auditing may be defined as a systematic and independent examination to
determine whether quality-related activities are implemented effectively and comply
with the quality systems and/or quality standards.
Quality assurance (QA) is usually an ideology or set of aspirations that puts quality
at the center of an organization. Unfortunately, the implementation of QA systems
seldom attains the ideal of achieving a quality-based corporate culture. In practice,
QA is normally left to managers to impose on employees by a new class of
supervisory regulators. In ineffective installations of QA programs, a throwback can be
seen to the early days of management science with the creation of bureaucratic
controls.
As seen by auditors, QA cannot be directly equated to assuring 'quality' in the
normal sense of the word synonymous with 'excellence'. Quality auditing is a technical
term for auditing that is focused on systems and processes rather than outcomes.
This follows the corporate governance concept that the properly constituted
organization should be based around a system of well-controlled systems and
processes.
Quality auditing has become associated with older forms of management of quality
such as TQM. As such, quality auditing is associated with quality enhancement
strategies rather than the traditional quality control inspections. Quality enhancement
focuses on creating a corporate culture centered on quality, as opposed to
quality control, which was a reactive process after the event, and involved rejecting
sub-standard products and services.
If quality is viewed in terms of the appropriateness of systems and processes
rather than the more traditional achievement of the correct outcomes, auditing
moves from the necessity of having to define best practice and desirable outcomes
to evaluating the quality of the processes themselves. Defining the key performance
indicators has always been a contentious point in negotiating with management for
the audit. Reaching agreement on standard systems of practice is normally considerably
easier, since little interpretation is required. From this, it follows that a proper
organizational structure is comprehensively systemized and documented, and is
therefore fully auditable.

Program Results Audits
Program results auditing is auditing of the accomplishment of established goals
and objectives for operations and programs. In practical terms, this means audits
that determine whether the desired results are being achieved, as well as whether
management has considered alternatives to achieve the same results at a lower
cost. Conducting such audits involves:
➤ ascertaining whether a specific objective or goal has been clearly defined for a
particular function;
➤ ascertaining whether the objective or goal is relevant and consistent with
management's intent; and
➤ evaluating any variance between the results and their original stated goals and
objectives.


In addition, the cost-effectiveness of a given program is evaluated, as is the
cost-benefit of continuing a program.
Typically, in the private sector, efficiency and effectiveness are measured in terms
of profitability. In the public sector, efficiency and effectiveness are generally measured
in terms of service delivery. This itself involves quantifying the benefits received
and the effects both to the beneficiaries of a program and the community at large.
Many auditors make extensive use of statistical analysis over a period of time,
drawing inferences from the results of the statistics. Complaint records may give
a good indication of the extent to which given operations or programs satisfy the
needs of the target market. Management themselves may well be able to give advice
on the appropriateness of the programs and the measurement criteria.

IT Audits
IT audits come in a variety of forms that are fully covered in Section 5. Furthermore,
any of the above types of internal audit could involve the use of computers or, for
that matter, the audit of computer systems.

Application Audits
Application audits such as the auditing of inventory, payroll, procurement, sales,
treasury and other specific business functions have their own specific characteris-
tics and the audit program will typically involve a certain degree of standard audit
tests, as in the examples below.

Audits of Significant Balances and Classes of Transactions

Inventory Audits
The first step in any inventory audit is normally to determine the existence of
the inventory, usually by observation. This would include finished stock, raw materials
and work-in-progress, together with an evaluation of management's controls
regarding stocktaking or cycle counting. The policies and procedures regarding
custody of inventory, receipt of inventory to ensure its completeness, quality and
appropriateness, and issuance of inventory to ensure its authorization and completeness
would also be evaluated to determine their adequacy. Procedures for writing off
inventory would also be examined, as would the corporate policies on slow-moving
and obsolete stock. Inventory handling controls to prevent damage to stock would
additionally be tested. Depending on the nature of the audit, the auditor may also
investigate the appropriateness of stock levels, buffer stocks, frequency of stock-outs
and economic order quantities.

Payroll Audits
With payroll processing involving the disbursement of corporate assets, control
within this area is normally seen to be critical. As such, the auditor would examine
the current payroll procedures in order to ensure that proper separation of duties
exists and that proper supervisory control is exerted. Payroll records would be verified
against original authorized transactions, for example overtime claimed, and the
accuracy of calculations determined by re-computing totals. The adequacy and
frequency of bank reconciliations would be determined and the error procedures for
handling discrepancies examined. The auditor would usually also seek to determine
whether duplicate checks had been cleared or whether checks were still outstanding
on the bank account.
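The payroll tests just described (re-computing gross pay from authorized hours and rates) and the 'ghost' employee scheme mentioned under Fraud Audits lend themselves to the same piece of audit analytics. The following is an added worked example and is not code from the textbook; the employee numbers, rates, hours, bank accounts and the 1.5x overtime premium are all constructed for the illustration, and the three ghost-employee indicators used (payee absent from the HR master file, two payees sharing one bank account, no leave taken in twelve months) are the auditor's assumptions about what a fictitious employee looks like in the data.

```python
"""Payroll audit analytics (added example; all records are constructed).

1. Recompute gross pay from the rate card and the authorised timesheet
   hours (regular hours plus overtime at an assumed 1.5x premium) and
   report every payee whose disbursed amount differs.
2. Screen the pay run for ghost-employee indicators.
"""
from collections import defaultdict

OVERTIME_MULTIPLIER = 1.5          # assumed overtime premium

# HR master file: hourly rate per employee (constructed).
RATE_CARD = {"E001": 25.0, "E002": 30.0, "E003": 22.0, "E004": 28.0}

# Authorised hours per the approved timesheets (constructed).
AUTHORISED_HOURS = {
    "E001": {"regular": 160, "overtime": 8},
    "E002": {"regular": 160, "overtime": 0},
    "E003": {"regular": 152, "overtime": 12},
    "E004": {"regular": 160, "overtime": 0},
}

# Pay run as disbursed (constructed). E003 is overpaid by 60, E004 shares
# E001's bank account and E999 does not exist in the HR master file.
PAY_RUN = [
    {"emp": "E001", "gross": 4300.0, "bank": "ACC-111", "leave_days_12m": 14},
    {"emp": "E002", "gross": 4800.0, "bank": "ACC-222", "leave_days_12m": 10},
    {"emp": "E003", "gross": 3800.0, "bank": "ACC-333", "leave_days_12m": 9},
    {"emp": "E004", "gross": 4480.0, "bank": "ACC-111", "leave_days_12m": 0},
    {"emp": "E999", "gross": 3100.0, "bank": "ACC-999", "leave_days_12m": 0},
]


def expected_gross(emp):
    """Recompute gross pay from authorised hours; None if emp is unknown."""
    if emp not in RATE_CARD or emp not in AUTHORISED_HOURS:
        return None
    rate = RATE_CARD[emp]
    hours = AUTHORISED_HOURS[emp]
    return hours["regular"] * rate + hours["overtime"] * rate * OVERTIME_MULTIPLIER


def recompute_pay_run(pay_run, tolerance=0.01):
    """Return {emp: (paid, expected)} for every payee whose gross pay differs
    from the recomputed figure, or who has no authorised hours at all."""
    variances = {}
    for rec in pay_run:
        expected = expected_gross(rec["emp"])
        if expected is None or abs(rec["gross"] - expected) > tolerance:
            variances[rec["emp"]] = (rec["gross"], expected)
    return variances


def ghost_employee_indicators(pay_run, master=RATE_CARD):
    """Return {emp: [reasons]} for payees showing ghost-employee red flags."""
    by_bank = defaultdict(list)
    for rec in pay_run:
        by_bank[rec["bank"]].append(rec["emp"])
    flags = defaultdict(list)
    for rec in pay_run:
        emp = rec["emp"]
        if emp not in master:
            flags[emp].append("not in HR master file")
        if len(by_bank[rec["bank"]]) > 1:
            others = sorted(e for e in by_bank[rec["bank"]] if e != emp)
            flags[emp].append("bank account shared with " + ", ".join(others))
        if rec["leave_days_12m"] == 0:
            flags[emp].append("no leave taken in 12 months")
    return dict(flags)


if __name__ == "__main__":
    for emp, (paid, expected) in recompute_pay_run(PAY_RUN).items():
        print(f"{emp}: paid {paid:.2f}, recomputed {expected}")
    for emp, reasons in ghost_employee_indicators(PAY_RUN).items():
        print(f"{emp}: " + "; ".join(reasons))
```

A payee who appears in the pay run but not in the HR master file is reported by both tests, which is the point: the recomputation cannot even produce an expected figure for an employee who was never authorized, so the finding is a control failure in the master-file maintenance as much as a suspected fraud.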

Procurement Audits
Procurement audits usually seek to determine that corporate procedures for pro-
curement have been complied with in the areas of procurement procedures and
related documentation, authorization, purchase orders, receiving and inspection
and to ensure that the items procured are authorized, of appropriate quality, at
an agreed price, delivered to the correct place at the correct time and have been
procured from an authorized supplier. They may also seek to determine that the
purchasing function adequately addresses the needs of corporate users. Where
procurement involves a competitive bidding process, further audit tests may be
required to evaluate the process itself in order to ensure that no bias is introduced
into the contract awarding process. It should be noted that most organizations have
a separate procedure for the acquisition of minor items that permits the bypassing of
normal procurement procedures, but this should be the exception rather than the
rule.

Sales Audits
Target achievement can also be reviewed, as can the degree to which achievement
is successful.
Where commission payments are made based upon achievement of sales targets,
the auditor may further seek to determine that the persons receiving payments are
entitled to them, and that payments have been accurately calculated and paid in a
timely and appropriate manner.
Control over sales based on credit may additionally involve the auditor in determin-
ing the procedures used to determine credit limits and creditworthiness of a customer
as well as those controls in place to recover debt in an acceptable time scale.

Treasury Audits
Audits of the treasury function involve three main areas: the front office, the back
office and general management. The front office, where the deals are made, nor-
mally requires that security be maintained over the dealing area and that all deals
are properly authorized to organizational standards and are within dealings limits.
Deals themselves must be recorded accurately and completely and proper controls
over the accounting for deals must be maintained. Within the back office, where the
recording of deals takes place, the processing of deals is of paramount importance
as is the recording of payments and reconciliation of deals to accounting records.
General management must ensure the appropriate segregation of duties between
front and back office and over incompatible duties within each.

Impact on the Skill Mix


The skills requirements of the individual auditor and the internal audit function as a
whole will be largely dependent on the nature and scope of the internal audits that
they undertake. While no auditor is expected to be an expert in all fields, the skill
mix must be appropriate to ensure the adequacy of audit coverage of all planned
audits to a professional standard.



CHAPTER 17

The Internal Audit Process and Documentation
Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the processes involved in conducting an audit
➤ Describe in detail the steps necessary to undertake each of these processes
➤ Identify critical success factors for each stage of the process
➤ Describe the appropriate internal audit measurement criteria for ensuring an
effective audit
➤ Explain the role of quality working papers in ensuring audit success
➤ Design an appropriate structure of working papers for the organization
➤ Design an appropriate preliminary outline audit program based on the nature
of the audit

Objectives of Audit Service Delivery


The primary objectives of the audit service delivery process are to:
➤ align the internal audit resources with the business objectives of the
organization;
➤ effectively and efficiently identify risks directly related to the business
objectives;
➤ deliver value to the audit clients; and
➤ ensure efficiencies throughout the audit process.

Planning
Internal auditors must gain a thorough understanding of the client’s business objec-
tives and co-develop the expectations regarding internal audit’s alignment with
these business objectives. A mutual understanding is required of the scope of the
internal audit services among internal audit management, executive management,
the audit committee or board of directors, and the operational management of the
organization.

Risk Assessment
Once the business objectives have been clarified, there must be an assessment of
risks that potentially limit the achievement of the organization’s business objectives.
Many audit departments prefer to accentuate the positive aspects rather than stress
the negative effects of risks. As such, they may prefer to look on this phase as the
establishment of control objectives. The implication here is that if, for example, the
loss of confidentiality of client records is a major business risk, then the maintenance
of confidentiality would be a prime control objective. This will probably involve the


internal audit function in developing a risk assessment of the more important pro-
cesses and organizational components.
This risk assessment process establishes inherent risk (ie the risk level if there
were no controlling elements). Risk priorities for the auditable units form the
primary, but not the only, basis for the allocation of audit frequencies in the audit plan.
Such a risk assessment would be reviewed and approved at least annually by the
client's executive management and the audit committee.
Based on this, the functional area to be audited can be selected and the individual
audit process can start.

The Macroprocesses of the Internal Audit Process


A brief discussion of each stage of the generic audit process, as reflected in Figure
17.1, is first set out in this section. These stages are then discussed in greater
detail.

Phase        Generic audit step         Structured process stage
PLANNING     Business objectives        Selection of auditee
             Control objectives         Audit preparation
             Audit objectives           Preliminary survey
EXECUTION    Evidence                   Control analysis
             Technique, tool            Audit programme preparation
             Test                       Expanded test
REPORTING    Evaluate                   Develop findings
             Report                     Report
             Follow-up                  Follow-up
EVALUATION   Evaluate audit process     Evaluate audit process

Figure 17.1: The generic audit process (flowchart shown here as a table; the left
column is the generic audit step and the right column the corresponding stage of the
structured audit process described later in this chapter)



THE INTERNAL AUDIT PROCESS AND DOCUMENTATION

Audit Planning
In order to ensure a quantifiable probability of being able to achieve the audit
objectives, proper planning must take place to optimize the use of the scarce and
expensive internal audit resources. The audit plan identifies the individual audits to
be carried out during the period, the skills and resources required to execute the
audits, and their timing and duration.

In developing the plan, the internal auditor must consider:
➤ the total available hours for the overall engagement;
➤ the need for management discretionary projects; and
➤ the depth of audit required in each area.

Of these, the depth of audit is normally the most difficult to assess.
The depth of the audit assignment is dependent on the auditor's assessment of
the residual risk within the assignment area. This is arrived at largely on the basis of
the auditor's expectation of the effectiveness of the existing internal control structure.
Where internal control is expected to be good (after reviews of previous working
papers, discussions with management, etc), the audit may only need to confine
itself to a confirmation that the controls are still functioning as they are meant to.
Where internal control is suspected to be sub-standard, the extent of substantive
testing will usually have to be extended and therefore the audit will last longer.
Obviously, such planning is based on expectations and will have to be modified in
the light of reality as the audit progresses.
The audit plan must be reviewed and approved by the client’s executive manage-
ment and the audit committee. It needs to be updated when necessary to reflect
significant changes in the client’s risk profile that may result from changes in the
organization’s structure, business operations, and/or new products and services.

Execution
Internal auditors carry out the audits of auditable units as set forth in the audit
plan. They may focus on the specific risks to the control objectives for that audit-
able unit. Even the agreed control objectives, however, may have to change as the
audit progresses.
Controls to manage the risks (preventative, detective, corrective and directive)
are identified and evaluated on the assumption that all controls function as intend-
ed. This permits an auditor to evaluate the theoretical adequacy of the system of
internal controls, ie if the controls function as intended, and if there is sufficient
control to reduce risk to a level acceptable by management.
Once the adequacy of control has been evaluated, the auditor proceeds to select
those control elements that are especially critical to adequacy of control. These key con-
trols are then tested to determine the effectiveness of the system of internal control.
It should be noted that the source of evidence of the effectiveness of a control might
not lie in the control itself. A lock and key on a door does not provide evidence as to
whether anyone ever turns the key or how many keys there are. A proper focus on
the objective of the control (a lock to keep people in, or a lock to keep people out)
can direct an auditor to other sources of evidence regarding the effectiveness of the
control. Is any record kept of strangers found in areas they are not allowed to be in,


for example? Typically, these sources of evidence will provide information about the
effectiveness of several controls simultaneously (locks, walls, bars, etc).

Reporting the Results


Auditors report the results of their work to the appropriate levels of management
responsible for the area audited, executive management and the audit commit-
tee. The primary audience for the report is the first level of management able and
empowered to take effective action on any findings. Once management has imple-
mented its chosen actions to achieve the control objectives, a follow-up review must
be carried out.

Evaluation
The final stage of the process is the evaluation phase, in which the auditors conduct
a quality assessment on their process in order to refine the audit process for future
audits. The objective is to determine what went right, what went wrong and what
lessons can be learned for the future.
These steps will now be discussed in greater detail.

The Management Process


The management process begins with an understanding of the organization’s busi-
ness. Until this is achieved, any attempt to determine organizational needs will be
at best misleading and at worst disastrous. Once the overall objectives and envi-
ronment of the business have been established, establishing the needs becomes a
comparatively easy task.
Identifying and examining the key activities whose effective performance can
make or break an organization will determine the organization’s needs. These key
activities must themselves be monitored and therefore ambitious performance
objectives must be established early in the planning process.
For every performance objective, there will be a range of threats, which, if fulfilled,
will either reduce the effectiveness or totally negate the objective. These must be
assessed in a formal risk assessment to determine the appropriate corporate coping
strategy. Management must determine the coping or control strategies, and then the
appropriate controls to address the risks identified must be selected.
The actual controls must be implemented and monitored, and controls should
exist to ensure that this happens. Controls, once implemented, must perform effec-
tively, and periodically management must evaluate and review performance with this
in mind.

Understanding the Organization’s Business


This is a combination of a theoretical approach using literature searches on the orga-
nization and its functions in the business press, combined with a reading of annual
reports in order to obtain the whole picture.
This theory will be combined with a more practical approach involving interview-
ing members of staff in order to both evaluate their understanding of the business
and to confirm the auditor’s understanding. Site visits to observe the operation


of specific business functions will also help. Further information and confirmation
may be derived by comparing the current understanding of the controls to those
identified and in operation during previous reviews.

Establishing the Needs


Once the overall objectives and environment of the business have been established,
the overall needs must be determined. A study of the organization’s mission state-
ment will indicate its general performance objectives. Management should have
established strategic plans and objectives in order to ensure that these are achieved.
By interviewing executive management, employees and perhaps even customers
and suppliers, the business needs for the successful accomplishment of the objec-
tives can usually be determined.

Identifying Key Activities


The major products and services that are the key activities involved in meeting the
business objectives must be identified. Once again, this will involve determining the
level of management's understanding of:
➤ customer needs and sizes;
➤ the competition and their probable response patterns; and
➤ which are their own key performance areas (KPAs).

The KPAs are those activities that will make or break the organization.

Establishing Performance Objectives


For each KPA, performance objectives must be established. This involves seeking
core activity targets that are both achievable and, at the same time, stretching. Key
performance indicators (KPIs) must be identified that will enable the performance
to be measured appropriately. The risks and threats that could lead to non-achieve-
ment, underachievement or even failure must then be assessed. Both external and
internal threats must be considered.
➤ Internal threats are those over which management has complete control, such
as choice of vendor.
➤ External threats are those that management cannot directly control, but for
which it must nevertheless develop a coping strategy, such as interest rate fluc-
tuations or actions by competitors.

Deciding on the Control Strategies


Once the full risk analysis is complete, management is in a position to decide what
activities must be ensured, as well as which risks must be managed and which trans-
ferred. This, in turn, will dictate which risks can be cost-effectively prevented, which
must be detected and how a materialized risk can be corrected.
Business risks need to be prioritized and trade-offs will be required, since con-
trol measures are often contradictory. For example, the need for process efficiency
may trade off against the effectiveness of that process. Once again, it is manage-
ment’s role to establish business priorities, including control strategy priorities.


Implementing and Monitoring the Controls


For controls to be effective, they must be monitored, and wishing them into exis-
tence will not accomplish this. Controls result from the planned and thoughtful
intervention of management to achieve a specific end.

Monitoring may take several forms, including:


➤ self-assessment;
➤ the use of regular audits; and
➤ the introduction of continuous improvement programs.

Controls have to be frequently reviewed for ongoing relevance and for their effective-
ness, and must be modified and adapted where required.

Evaluating and Reviewing Performance


The auditing process is designed to determine where to audit as well as what to
audit, and may use any and all of:
➤ control strategy assessment;
➤ control adequacy and effectiveness;
➤ performance quality assessment;
➤ unit performance reporting; and
➤ follow-up.

Overall, the standards of audit performance must be at a professional level. This
typically means to a level laid down in the IIA's Standards for the Professional
Practice of Internal Auditing.

Implementation of the Generic Audit Process


1. The audit process flows from the business process in that the primary require-
ments for any audit are to establish firstly the business objectives and then the
control objectives of a particular audit area. For example, the overall business
objective of the purchasing department may be to buy raw materials. The con-
trol objectives would include buying the right materials, in the right quantities
and of the right quality, at the right prices, in an authorized manner, for delivery
to the right places at the right times.
2. The audit objectives are typically, but not always, to determine if one or more
control objectives have been achieved, are being achieved and will continue to
be achieved.
3. In order to determine this, an auditor will have to look for evidence of the
achievement or non-achievement of these objectives. Since many of the con-
trols that management will have implemented will be preventative ones, an
auditor will have to look for detective controls to establish whether or not the
control objectives have been achieved.
4. After identifying the source of the evidence, the appropriate audit techniques
may be selected. These techniques may include any of the standard ones such
as observation, analysis, computer interrogation, questioning, etc.


5. The auditor, after deciding on the techniques, will select the appropriate meth-
odology or tool, such as interviewing, use of generalized audit software, use of
questionnaires, etc.
6. When the auditor has selected all the techniques and tools he/she will use, he/
she will conduct the tests in a structured format.
7. The evidence gathered would be evaluated against the standard of the evi-
dence sought in step 3, above. Depending on what has been found, the auditor
is in a position to decide whether the control objective has or has not been
achieved, and will or will not continue to be achieved.
8. The results of the evaluation, together with the substantiating evidence, the
auditor’s opinion and conclusions, and the appropriate recommendations will
be presented to management in the form of a formal audit report.
9. Agreed actions will be followed up to ensure they have been implemented or
that the risk of non-implementation has been accepted by the appropriate level
of management.
10. The audit process is concluded by an evaluation of the audit process itself in
order to refine it for future audits.

The Audit Process Structure


The audit process can be formalized into a stylized structure in order to implement
it as a standardized program. In this case, the individual steps would map onto the
generic audit process as follows.

Planning
This phase consists of three main activities, namely:
➤ selection of the auditee;
➤ audit preparation; and
➤ the preliminary survey.

Selection of the auditee


Selection of the auditee is generally based on an organization impact evaluation.
This is a broad-brush approach, designed to arrive at an approximate risk evaluation
of a business entity. It gives the frequency of audit, but not necessarily its depth or
focus areas. This can be simplified into mandatory and discretionary audit activities
based on a small number of risk factors, which may or may not be weighted to allow
an auditor to reflect management’s overall concerns.
This is normally done on an annual basis in preparing the overall audit plan for
approval by the audit committee. From time to time, it may be necessary to vary the
audit plan because of unexpected risk elements arising or changes in management
priorities.

Audit preparation
Once the audit area has been selected, audit preparation must be carried out to clarify:
➤ the overall business objectives of the area;
➤ any significant secondary objectives;
➤ any interrelational objectives with other business areas; and
➤ any deviations from the business objectives.

For each area, an auditor must determine the key performance areas, which are the areas whose performance can make or break the operation, as well as the associated control objectives for each KPA. These could involve any of the general control objectives, such as:
➤ control over assets;
➤ the reliability and safeguarding of information;
➤ compliance with policies, etc; and
➤ the effectiveness and efficiency of operations.

An auditor can usually determine the business and control objectives by reviewing past working papers, talking to other auditors, determining the existence of corporate guidelines and standards, and verifying against industry norms where possible.

Preliminary survey
The preliminary survey enables the auditor to confirm the understanding he/she has gained within the audit preparation section. In the event of this being the first audit of an area, the two sections can be combined. In any event, the auditor should use this opportunity to identify sources of information and contact personnel for the detailed testing stage. At this stage, also, the auditor should start to gain a preliminary feel for the expected level of internal control.
Also, the detailed audit objectives, timing, reporting schedule, etc, will be confirmed with the client.

Execution
The execution phase contains three activities, namely:
➤ control description and analysis;
➤ preparation of the audit program; and
➤ expanded tests of control systems.

Internal control description and analysis


The control analysis activity requires that an auditor determine the key performance indicators, how the organization ensures that its control objective is attained, and if the controls are adequate.
➤ Internal control description and analysis involves the identification and description of controls, on many occasions a transaction or operation ‘walk-through’, and sometimes even a limited testing of controls. While the object is not to test the functional effectiveness of controls, evaluation of internal controls will allow the controls to be assessed as if fully functional. At this stage, the auditor may be able to determine with minimal testing that the control structure, even if fully functional, is nevertheless inadequate for a given level of risk. This means that risk reassessment must already have taken place.
➤ The scope of control identifies what is being audited. Internal auditors are required to evaluate the adequacy and effectiveness of the overall system of internal control and the quality of performance. ‘Adequacy’ in this respect refers to the design of the system of internal control, ie how it is supposed to operate, while ‘effectiveness’ refers to the ‘degree of compliance with key control procedures’. Is the system functioning in accordance with management's intentions?
In determining scope, the auditor takes into account the objectives of internal
control systems, which are to:
◗ ensure the reliability and integrity of information;
◗ promote compliance with policies, plans, procedures, laws and regulations;
◗ ensure the safeguarding of assets; and
◗ promote the effective and efficient use of resources.

Often all four control objectives will form part of the audit, while limited audits such
as a fraud investigation usually result from a specific complaint.
➤ Controls may be designated as preventative, detective, corrective and directive, and a combination of all four types is usually required. Their adequacy is determined by taking each control objective and determining which controls are believed to assist in the attainment of the control objective. Such information may be derived from discussions with auditees and management, and reviews of standards and procedures to establish what is supposed to happen.
➤ Assuming the controls function as intended, the auditor must determine whether there is sufficient control to bring the level of the risk of non-achievement of the control objective to that specified by management. If this is not the case, recommendations will normally be made to increase the level of internal control by either adding additional controls or by transferring the risk.
➤ Once the control structure has been found to be adequate, the auditor must then determine where the evidence can be found that the controls actually function as intended: which records, which personnel and which computers. From this, he/she can establish how the evidence can be obtained: by examination, analysis, interviews or data interrogation. A detailed schedule of which controls will be tested, how, and seeking what evidence, makes up the detailed audit program. It should be noted that the audit program is always preliminary and may be changed, depending on what is found when testing actually gets under way.

Preparation of the audit program


The audit program is a detailed series of expanded tests designed to obtain evidence regarding the achievement of control objectives. A common mistake made by auditors is to simply list the questions to be answered instead of developing a roadmap of what steps must be taken to answer these questions.

Expanded tests of control systems


The expanded tests of control systems are the heart of the audit. They become part
of the audit program and may involve changes to audit scope and/or objectives.
They may, in turn, affect both the audit team and timing.
These tests involve an in-depth examination of the auditee in order to provide the basis for audit conclusions. They may utilize any or all of an auditor’s tools and techniques. They basically involve the execution of the audit program. This normally takes up most auditor time and effort, and can be optimized if the previous steps have been carried out correctly.
Audit fieldwork is a systematic process involving planned audit steps designed to meet audit objectives. The process is designed to be unbiased and obtains proof based on the body of evidence. Care should be taken to ensure that each test is actually telling you what you believe it is.
The overall purpose is to gain additional information so that auditors can have more confidence in their conclusions, which result from the gathering of evidence for measurement and evaluation. Audit measurement is a means of reaching an objective conclusion.

Audit Testing
Audit testing for purposes of gathering audit evidence may take many forms, as
discussed in detail in Chapter 19, to which the reader is referred.

Evaluating
Evaluating is the estimation of worth and arriving at a judgment. It involves conclusions drawn from facts accumulated and is the basis for professional judgment.
Audit measurement is normally for comparison to a standard such as time taken for a task or rejection rates in manufacturing. If there are no published standards, an auditor may have to develop them. In these cases, the standard should be based on the operation objective and the auditor's experience. Such standards should be verified with a qualified expert before any evaluations are carried out.

Developing and Reporting Findings and Recommendations


Findings
There are four elements that combine to make a good audit finding:
➤ condition: what is;
➤ criteria: what should be;
➤ cause: why the condition exists; and
➤ effect: risk inherent in the condition.

Recommendations
Recommendations come in four forms:
➤ Make no changes.
➤ Increase internal control.
➤ Transfer risk.
➤ Change the required rate of return for a given risk level.

The recommendations selected may be made in conjunction with the auditee; however, the recommendation is ultimately the auditor's.

Reporting
This phase of the audit contains three activities, namely:
➤ the development of findings;
➤ reporting; and
➤ follow-up.

These activities map to steps 7, 8 and 9 of the generic audit process, given above.

The development of findings


The development of findings involves determining the degree to which control objectives have been achieved, which can be:
➤ fully and consistently;
➤ mostly or frequently;
➤ partially or seldom; or
➤ never.

Findings should be made up of four specific elements, namely:
➤ criteria: that which should be;
➤ condition: that which the auditor found;
➤ cause: the weakness in or failure of internal control that permitted the condition; and
➤ effect: the impact on the business.

Reporting
Reporting includes documenting and communicating results, and the reputation of
both the auditor and the internal audit function rests largely on the final report. As
a general rule, audit reports should contain:
➤ audit objectives;
➤ scope;
➤ questions;
➤ general procedures;
➤ findings; and
➤ recommendations.

The report of findings and recommendations should be signed by the head of internal audit, as evidence of his/her commitment to the contents. The names of the internal auditors working on the engagement may be included in the report. Increasingly, audit reports are being accompanied by a personal presentation. In either event, they should include auditees' comments in order to present an objective appearance, and may be discussed in preliminary form at a closing conference with the auditees. An auditor should never forget that the audit report is the output from the audit process, and the last word on management’s comments remains with the auditor. The reports themselves should be:
➤ objective;
➤ clear;
➤ complete;
➤ concise;
➤ constructive; and
➤ presented on time.

Follow-up
If nothing happens as a result of the audit, the whole exercise was a waste of time. A
follow-up must be done to investigate, evaluate and report the effect of the audit. This
follow-up may be performed by executive management, in conjunction with auditees,
by another auditor, or the original team may do it, but it MUST be done.

There are two phases involved. Management chooses either to:
➤ take appropriate action on the audit findings; or
➤ accept the risk of not taking action.

The auditors must find out what action was taken and whether it was appropriate. Follow-up reports are normally directed to those who received the original report, and the key focus must be on the attainment of the control objectives, not necessarily on the implementation of audit recommendations.

Audit Evaluation
The final phase is the same in both the generic audit process and the audit process
structure, namely audit evaluation.
This involves the auditors evaluating the audit process itself in the light of what
went wrong, what went right and what can be learned to improve future audits.

CHAPTER 18

Control and Performance Evaluation

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the types of internal control an auditor is liable to encounter,
together with their strengths and weaknesses
➤ Differentiate between control objectives and the controls policies and
procedures intended to assist management in achieving them
➤ Design an appropriate detailed audit program to evaluate both the adequacy
and effectiveness of the internal control structures to an appropriate level
➤ Identify and select the critical controls for testing and select appropriate
testing methods

The Nature of Internal Controls


Controls are virtually an automatic function of our daily lives. Whether we are aware of it or not, we all perform several control functions daily. Some require careful forethought, while others are performed as a matter of habit.
Individuals learn at an early age that in a family, certain rules are laid down by
the parents regarding how their children will behave and who will undertake which
tasks. These rules become the guiding principles of family life and are enforced by
the family as a whole.
Rules exist in every area of our lives to ensure that one person’s desires do not
conflict with another’s liberties.
Without such rules, there can be no order and no assurance of how things will
happen. In order for such rules to be effective, we need means of:
➤ enforcing the rules;
➤ detecting when they are broken; and
➤ reducing the impact if they are broken.

These means are known as controls.


In business, we can say that we carry out these control procedures as a reaction to
possible financial loss, error or irregularity that may take place.

Internal Controls
While it is clearly management’s responsibility to design and implement internal controls in an organization, the role of the internal auditor is one of assessing and reporting on internal controls for a variety of different purposes. This responsibility is captured in the guidance in IIA Practice Advisory 2120.A1-1: Assessing and Reporting on Control Processes.

‘Three key considerations in reaching an evaluation of the overall effectiveness of the organization’s risk management and control processes are:
➤ Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?
➤ If so, were corrections or improvements made after the discoveries?
➤ Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk?’

A control is any action taken by management to increase the likelihood that the objectives and goals they have established are achieved. It results from management’s planning, organizing and directing and the many variants (eg management control, internal control, etc) can be included in the generic term.
Management controls are intended to ensure that an organization is working
towards its stated objectives.
Control responsibility is clearly management’s job and encompasses planning,
organizing and directing.
➤ Planning in this case is taken to mean the establishing of objectives and goals
as well as choosing the preferred methods of using resources.
➤ Organizing involves the gathering of the required resources and arranging them
so that the objectives may be attained.
➤ Directing includes the authorizing, instructing and monitoring of performance,
as well as periodically comparing actual to planned performance.

Management decisions may be classified as strategic, tactical or operational. Internal audit ensures that the system of internal control will be effective and functions as intended. The level of control needed will be affected by overall objectives.
➤ Corporate objectives are statements of corporate intent (‘Costs will be reduced by 20 per cent over the next year’).
➤ Management objectives define how the corporate objectives will be met (‘Costs will be reduced by reducing material wastage by 10 per cent and reducing stock theft by 60 per cent’).
➤ Operating objectives are aimed at ensuring that programs to achieve management objectives are properly planned and executed in detail (‘All waste must be written in a waste book and excessive waste will be checked by supervisors weekly’).

If we take operating objectives, for example, these direct the day-to-day activities and may, in themselves, conflict, so that we find a conflict between the need for control and the need for timeliness, ie there is a clash between efficiency and effectiveness. The overall prioritization of objectives directs the development of controls and will affect the final, overall system of controls.
If the overall objectives are growth and providing service, in a dynamic and rapid growth environment control systems may not keep pace and the risk is higher. As such, the need for frequent audits is increased. If the objective is cost reduction, in a stable environment control systems should be stabilized and risk is lower so the frequency of audit would be reduced.
In practical terms, it is impossible to evaluate the adequacy of an internal control or a set of internal controls unless the control objective has been clearly defined. Unless it is known whether the lock on the door is designed to keep people in or to keep people out, no valuation can be made of which side the key should be on. A control objective is therefore a statement of intent, which controls are designed to assure. Another way to look at this is to see control as the other side of the coin to risk. If there is a risk of theft of assets, the control objective is then to ensure that assets remain safe.

Cost/Benefit Considerations
Objectives must take into consideration the cost of trying to achieve them. ‘As quickly as possible’ implies zero controls other than for speed, while ‘No rejects’ implies strong internal controls covering all aspects of quality. Controls must be practical, useful, achievable and compatible with both operating and control goals, and there is always a trade-off between cost and benefit, since all controls cost money (is it worth spending R200 to prevent a possible loss of R100?).
A control cycle is set out diagrammatically in Figure 18.1.

Figure 18.1: A typical control cycle
[Figure: a loop of five linked steps: setting standards of performance; defining performance measurement; measuring actual measurements; comparing actual with standards; taking corrective action if necessary.]

Defining Performance Measurements


Before measurement can take place, standards must be defined. Measurement standards must be relevant to the task in hand and accepted by both the controller and those being controlled. The measurement indicators themselves should be comparatively inexpensive but effective.
Many measurement criteria are based on financial data, but this is not always appropriate. For example, the performance measurement for a salesperson may be a financial indicator – achieving a sales target – but for a factory the number of rejected parts may be more appropriate and for a service firm the degree of customer satisfaction may have to be measured.

Measuring Actual Performance


After the performance measurements have been agreed, the actual performance can be measured. In a continuous flow process, measurement may involve samples being taken for evaluation. In other types of process, external monitoring or observation for comparison to the standard may be required.
The simple process of measuring is, in its own right, insufficient. It is only by comparison to an appropriate standard that you can judge whether actual performance is effective and efficient. Any deviations from the standard must be followed up in order to determine whether the deviation is as a result of poor performance or because the standard itself was wrong. If the deviation was caused by poor performance, a further examination will be required to determine the cause of the poor performance. Where a deviation indicates problems, corrective action will be required, but a favorable deviation is also possible and this can give significant clues regarding areas where overall performance may be improved across the organization.
One drawback to this type of measurement is the wastage of valuable management time in the search for explanations for trivial deviations from the standard. Degrees of tolerance must be set to avoid excessive reporting of insignificant deviations.
Should corrective action be necessary, action must be taken to implement the appropriate control structures to remedy the situation. This could involve closer supervision of operations or improved detective controls. Alternatively, the control cycle may need to be revisited in order to redefine standards or introduce revised performance measurement criteria.

Administrative vs Accounting Controls


Administrative controls typically focus on how operations take place and may have no directly visible impact on the numbers involved in operating an organization (turnover, profitability, etc), while accounting controls address completeness, validity, authorization and accuracy of information and show up quickly in operating numbers. Ultimately, administrative controls will have a long-term impact on how departments run themselves and whether their objectives are achieved.
Financial evaluations typically emphasize accounting controls while operational evaluations emphasize administrative controls.
When these are related to the objectives of internal control, we can see at a
detailed level that they encompass the following.

Reliability and integrity of information


➤ financial accounting information:
◗ budgets;
◗ cost reports; and
➤ operating information:
◗ activity levels;
◗ functional responsibilities.

Compliance with policies, plans, procedures, laws and regulations


➤ ensure compliance with laws and regulations imposed externally;
➤ ensure planned, systematic and orderly operation; and
➤ may require the manager to evaluate the adequacy of policies, plans and procedures.

Safeguarding of assets
Normally the most visible controls include:
➤ locks on doors;
➤ safes; and
➤ security guards.

They may include non-tangibles, such as:
➤ dual custody; and
➤ computer passwords.

Effectiveness and efficiency of operations


➤ Effectiveness involves the achievement of established objectives and should be the ultimate focus of all operations and controls. It may be assessed by examining and evaluating the overall system of internal control.
➤ Efficiency reflects whether ‘scarce resources’ are optimally used and includes waste reduction and reducing the underutilization of resources.

Types of internal controls


➤ Preventative controls occur before the fact but are never 100 per cent effective.
➤ Detective controls detect irregularities after their occurrence and may be
cheaper than checking every transaction with a preventative control.
➤ Corrective controls ensure the correction of problems identified by detective
controls and normally require human intervention. They are themselves highly
error prone since they occur in unusual circumstances.
➤ Directive controls are designed to produce positive results and encourage
acceptable behavior. They do not in themselves prevent undesirable behavior
and are normally used where there is human discretion in a situation.
➤ Compensating controls exist where weaknesses in a control may be compensated for by a control elsewhere. They are used to limit risk exposure and may trap the unwary evaluator.

Under-control is cheap to implement but may cost you the organization, while over-
control is expensive and paralyzing.

Internal Control Structures


The internal control structure is a combination of the control environment itself, the accounting system and specific control procedures, policies and security measures undertaken by the organization to protect its assets.
The control environment establishes the tone of the organization and establishes the framework within which the employees will or will not implement good internal controls. It is normally taken to comprise seven specific components, namely: management’s operating style; the quality of the board of directors and audit committee; the ethical values espoused by the organization; the organizational structure; the organization’s human resources policies and practices; the design of the organizational structure itself; and the assignment of authorities and responsibilities.
The accounting system involves both the safeguarding of assets as well as the ensuring of the reliability and accuracy of financial and operational information.
As far as the specific control procedures themselves are concerned, the elements making up an effective internal control framework include:
➤ A good audit trail whereby transactions can be traced to their recording in the accounting information system and the recorded information can be traced back to the originating transaction documentation.
➤ Safeguarding of assets to minimize the risks of damage to assets as well as theft.
➤ Management reviews of control procedures to ensure, on an ongoing basis, their ability to mitigate risk to an acceptable level.
➤ Competent and ethical employees to ensure that the individuals responsible for implementing internal control are both capable and honest.
➤ Segregation of inappropriate organizational responsibilities to ensure asset custody, transaction authorization and reconciliations are performed by separate individuals.
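The segregation-of-duties element above can be checked mechanically once duty assignments are recorded. The following Python script is an added example, not code from the textbook: it takes a list of who performs custody, authorization or reconciliation on which process, reports every person holding an incompatible pair on the same process, and then removes the conflicts for which a compensating control (as described under 'Types of internal controls') has been documented. The people, processes and compensating control are constructed assumptions.

```python
"""Segregation-of-duties (SoD) check over a constructed duty assignment.

Added example, not taken from the textbook. The chapter names three duties
that must sit with separate individuals: asset custody, transaction
authorization and reconciliation. This script records who performs which
duty on which process and reports every person holding an incompatible
pair on the same process, then applies the chapter's compensating-control
idea: a conflict may be tolerated when a documented control elsewhere
offsets it, but only if the evaluator lists it explicitly.
"""
from itertools import combinations

# Duty classes named in the chapter.
CUSTODY, AUTHORIZE, RECONCILE = "custody", "authorize", "reconcile"

# Any two of the three duties held by one person on one process conflict.
INCOMPATIBLE = {
    frozenset({CUSTODY, AUTHORIZE}),
    frozenset({CUSTODY, RECONCILE}),
    frozenset({AUTHORIZE, RECONCILE}),
}


def find_sod_conflicts(assignments):
    """assignments: iterable of (person, process, duty) tuples.

    Returns a sorted list of (person, process, duty_a, duty_b) for every
    incompatible pair of duties a person holds on the same process.
    """
    held = {}
    for person, process, duty in assignments:
        held.setdefault((person, process), set()).add(duty)
    conflicts = []
    for (person, process), duties in held.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append((person, process, a, b))
    return sorted(conflicts)


def unmitigated_conflicts(conflicts, compensating):
    """Drop conflicts covered by a documented compensating control.

    compensating: dict mapping (person, process) -> description of the
    control that offsets the weakness. Anything not listed stays reported.
    """
    return [c for c in conflicts if (c[0], c[1]) not in compensating]


# Constructed sample data: hypothetical people and processes.
SAMPLE_ASSIGNMENTS = [
    ("alice", "payments", AUTHORIZE),
    ("bob", "payments", CUSTODY),        # holds the cheque stock
    ("carol", "payments", RECONCILE),
    ("dave", "payroll", CUSTODY),
    ("dave", "payroll", AUTHORIZE),      # custody + authorization: conflict
    ("erin", "payroll", RECONCILE),
    ("erin", "petty_cash", CUSTODY),
    ("erin", "petty_cash", RECONCILE),   # custody + reconciliation: conflict
]

# Constructed: the auditee documents an independent monthly cash count for
# petty cash, so Erin's conflict there is compensated; Dave's is not.
SAMPLE_COMPENSATING = {
    ("erin", "petty_cash"): "monthly independent cash count by finance manager",
}


def report(assignments=SAMPLE_ASSIGNMENTS, compensating=SAMPLE_COMPENSATING):
    """Return (all conflicts, conflicts with no compensating control)."""
    found = find_sod_conflicts(assignments)
    return found, unmitigated_conflicts(found, compensating)


if __name__ == "__main__":
    found, open_items = report()
    for person, process, a, b in found:
        status = "compensated" if (person, process) in SAMPLE_COMPENSATING else "OPEN"
        print(f"{person:6} {process:11} {a} + {b}: {status}")
    print(f"{len(open_items)} unmitigated conflict(s)")
```

Erin's reconciliation of payroll is not a conflict because she holds no other payroll duty; conflicts are assessed per process, not per person. Keeping the compensating controls in a separate, explicit table is deliberate: it forces the evaluator to name the offsetting control rather than let a weakness disappear silently, which is the trap the chapter warns about.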

Testing of Internal Controls


Not all controls are created equal in achieving a specific control objective. For every control objective there will be a series of controls designed and implemented in order to achieve the desired goal. Some of these controls will have a minimal impact on that specific control objective, while others will be key controls without which the control objective cannot be achieved. A further complication arises in that many of the key controls will be preventative controls leaving behind no evidence to check. An auditor may have to look elsewhere to find appropriate evidence on which to base conclusions as to the effectiveness of the internal controls. The design of a comprehensive audit program is covered in Chapter 17.

CHAPTER 19

Engagement Planning

Learning objectives
After studying this chapter, you should be able to:
➤ Describe the planning procedures that should be followed for each audit and the factors that affect planning decisions
➤ Describe the procedures conducted in the preliminary survey of operations
➤ Explain how an internal auditor develops findings and recommendations from the audit work performed
➤ Outline briefly the tasks of an audit supervisor in planning an individual audit engagement
➤ Explain the techniques the supervisor may use to ensure the audit engagement is proceeding to plan
➤ Define and explain the control techniques available to the audit supervisor in controlling the engagement project
➤ Explain the ongoing nature and role of internal audit quality evaluation in ensuring an effective service delivery

Engagement Planning
IIA Practice Advisory 2200-1: Engagement Planning sets out clearly the responsibilities of an internal auditor as follows.

‘The internal auditor is responsible for planning and conducting the engagement assignment, subject to supervisory review and approval. The engagement program should:
➤ Document the internal auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the engagement.
➤ State the objectives of the engagement.
➤ Set forth the scope and degree of testing required to achieve the engagement objectives in each phase of the engagement.
➤ Identify technical aspects, activity objectives, risks, processes, and transactions that should be examined.
➤ State the nature and extent of testing required.
➤ Be prepared prior to the commencement of engagement work and modified, as appropriate, during the course of the engagement.’

Planning
Planning is the cornerstone of successful auditing. Poor planning will result in failure to achieve audit objectives, as well as audits that are insufficient in scope with unidentified risks and that make inefficient use of resources.

The planning process involves:
➤ identifying those tasks to be performed in the course of an audit;
➤ allocating the tasks to individual auditors;
➤ deciding when a task should take place; and
➤ quantifying how long it should take to execute.

Basing planning on the nature and scope of the work to be performed ensures the efficient and effective use of audit resources. A structured, documented audit plan is essential to establish the criteria against which an audit will be measured and to identify the measurement criteria. The extent and division of the planning process will be dependent on the nature and complexity of the audit envisaged. If it is the first time a specific area has been audited, more time will be required in the planning process to handle a greater variety of unknown elements. If the area has been audited in the past, time must be set aside to ensure that there have been no major changes to structures or controls in the interim.
Such planning helps to establish the objectives and scope of the audit, anticipate problems and achieve flexibility in identifying the control objectives and risks, as well as the controls designed to achieve the objectives and manage the risks. The planning process will typically follow the structure provided in Chapter 17 and should cover all of the steps in the process. At any time up to the completion of the audit, the plan should be looked on as provisional and subject to amendment, depending on what is found. If a straightforward compliance audit uncovers red flags of fraudulent activity, a choice must be made as to whether to continue with the original audit or redesign it as a fraud investigation.
Where planning has been inadequate, it is much less likely that the full scope of the audit will be achieved in a cost-effective manner.
It is very unwise to underestimate the time it takes to carry out comprehensive planning. It should be done early enough in the process to ensure that the appropriate resources can be made available and that the techniques of testing envisaged are fully understood by all concerned. Once again, planning should be viewed as a continuous process, with elements covering both the annual planning for the audit function as a whole and the planning of the individual audit.
The annual audit plan is normally based on the overall risk assessment of the organization, coupled with an inventory of the available audit resources. Any methodology used to allocate audit resources must be applicable to a variety of lines of business and services that firms offer.

The allocation itself can be simplified into mandatory audit activities and discretionary audit activities:
➤ Mandatory audit activities are those activities that must be carried out within the time span of the audit plan. These activities could be to ensure compliance with legal or regulatory requirements, senior management requirements or external auditor liaison requirements. Usually these activities are assigned the greatest risk values and are therefore automatically selected. Make sure that senior management requirements are in fact requirements and not simply nice to have.
➤ Discretionary audit activities must then be allocated within the time remaining. This is normally done within predefined risk limits.

176

Internal_Auditing.indb 176 16/04/2015 11:13


ENGAGEMENT PLANNING

Many audit departments maintain a five-year rolling plan of audit coverage reflecting
the complete audit universe. This plan is updated annually as part of the overall
planning process and is maintained throughout the year to reflect ongoing changes
within the organization and its risk environment.
Detailed planning for each audit assignment is also carried out annually. Each
auditable entity scheduled for audit in the forthcoming year is analyzed so that any
component of the audit that requires advanced planning may be dealt with. Items
such as special support, access to information systems, co-ordination with other
audits and advanced training may then be planned as need requires. The actual
audit itself will be planned and conducted in the way given in Chapter 17.
The individual tasks that must be scheduled as part of the audit process will
involve notifying management of the audit prior to the starting date and obtaining
any information required to complete the audit planning. This information, together
with any records required as part of the planning process, should be delivered to
the supervising auditor before the start of the work. As part of the planning,
consideration may be given to whether any records should remain under the control of
internal audit once management have been notified of the impending audit.
A key part of the planning process is to ascertain those records and individuals
that will enable an auditor to identify key controls and procedures that could have a
significant impact on the focus of the audit and the key controls to be audited. This
would involve the auditor reviewing previous working papers and any permanent
files maintained by internal audit in order to find relevant information. If the area
has been audited by the independent external auditors, they may be consulted to
give their input to the planning process.
An initial meeting with a client will be planned to confirm the auditors’
understanding of the business and control objectives of the auditee entity, and the
current operating environment. At that meeting, the auditor should ask about any
current business and operational plans that will affect the audit or the time period
to be commented on within the audit. Scrutiny of the operating objectives and
forthcoming budget for the area under review may help. The auditor may also look
for any external factors such as unique legal or regulatory requirements that could
influence the timing, extent or nature of the audit.
Although nominally part of the annual plan, in practice the general risk
assessment is performed during both the annual audit planning process and during the
preliminary survey phase of the audit. The auditor in charge should review the
annual planning documentation to familiarize him-/herself with the information contained
in that document and integrate it into the present audit plan.
Based on an agreed understanding of the auditee’s business, the next stage to
be planned is the identification of those controls that the auditee believes can be
relied on to mitigate the business risks. Key internal controls must be identified
and methods of deriving evidence as to the adequacy of these controls must be
designed. At this stage, an auditor must always bear in mind that assessing their
adequacy involves evaluating the controls as if all were working fully. It is only after
the adequacy has been evaluated that the key internal controls can be selected
for testing. If the system of internal controls itself is inadequate, ie it does not
adequately reduce the risk to an acceptable level, recommendations will be made
at this stage to improve the control situation. This normally involves the design of
new controls to plug the gap not currently covered.

Once the adequacy of the system of internal control has been determined, the
planning will proceed to those tests needed to assess the effectiveness of the chosen
controls. In addition to testing the controls as they currently operate, the auditor
may need to schedule time to test the consistency with which the controls were
applied throughout the time period under review. Planning this stage is a critical
element, which provides a transition into the fieldwork phase of the audit. Once the
methodology for testing the key controls has been established, the auditor must
assess the need for the use of specialized audit tools and information technology.
If the tools are not currently available, enough time must be given to acquire and
become familiar with them.
The final stage in the planning process for the audit assignment is the issuing of an
engagement letter to the auditee management. Spelled out in this letter are the:
➤ participants;
➤ timescales;
➤ requirements for auditee participation;
➤ areas to be covered; and
➤ areas to be excluded.

It is important that this letter documents the risks, major controls and control
objectives that will be audited.

Unplanned Work
It is always necessary to allocate a percentage of the internal audit budget for
discretionary or ad hoc projects. Such projects can include fraud investigation or other
specific investigations in areas where management have concerns. Many auditors fall
into the trap of budgeting an optimistically low percentage of their resources for this
category. If the audit function’s track record over previous years indicates that 20
per cent of resources have been used for ad hoc work, then budgeting 10 per cent
for the forthcoming year is an exercise in hope rather than good judgment.
Internal audit must also budget a percentage of the resources to cover time that is
not directly related to internal auditing. This could include training, leave, sick leave
and work that is not a part of internal auditing, such as liaison requirements for the
external independent auditors.

Project Management
A project may be defined as a temporary endeavor undertaken in order to create
a specific result. It is temporary in that it has a specific beginning and a finite end
and is brought into being in order to accomplish a temporary objective. It should be
noted that it is the project itself which is temporary and not necessarily the results
of the project. An audit project may last only a few days but its impact on the
organization may endure for many years. Indeed, the intent is that the impact of an audit
project will be long lasting.
As with any other business endeavor, audit projects involve a degree of risk
including the risk of not achieving the audit objectives, achieving them in an
unacceptable time scale or achieving them at an unacceptable cost.

In order for the project to achieve its desired objectives, appropriate project
management will be required, utilizing a variety of management skills and
disciplines as well as the implementation of appropriate tools and techniques. Project
management is generally accepted as comprising six specific elements:
➤ Project initiation
➤ Project planning
➤ Project execution
➤ Project monitoring
➤ Project controlling
➤ Project closing.

Project initiation involves scoping the audit based on the criteria established in
conjunction with the auditee, encompassing the control objectives of the auditee,
potential risks and exposures, and a selection of the appropriate forms the audit
should take (compliance, operational or any other form). From this an
approximation of the size and composition of the project team may be established.

Project planning involves the breaking down of the audit into specific tasks to be
achieved, allocating work to individuals, and determining the timing and overlaps
of specific audit phases. Planning techniques such as Gantt charts, CPM and the
like may come into play in scheduling the work. At this stage budget and cost
estimates can be prepared, taking into consideration the logistics of the audit,
including travel and accommodation if appropriate. Planning will also involve the
selection of the appropriate monitoring techniques to be enacted during the audit.

Project execution will involve the audit team leader in ensuring that the whole
audit process is directed towards achievement of the scope and objectives initially
established. This normally involves monitoring progress against the plan and,
where deviations occur, modifying the plan in order to put the project back on track.

Project monitoring is traditionally done by monitoring time spent against plan,
although this may not be the most effective way of project management. Rather,
monitoring against predetermined key indicators established at the end of critical
audit components may be more appropriate.

Project controlling involves the lead auditor maintaining the group focus, control
and quality of work done and ensuring that unforeseen circumstances or risks do
not inadvertently obstruct completion of the audit.

Project closing can be as difficult for audit as for any other project. The
temptation exists to ‘just check one more thing’, resulting in a significant deviation from
the scope, timing, costing and quality of the overall audit. It is part of the role
of the lead auditor to bring the project to a successful conclusion, evaluate and
discuss with the team the successes, failures and learning points of the audit,
and determine which conclusions and evidence will be communicated onwards
via the audit report.

The lead auditor’s role is to ensure that, ultimately, the audit project achieves its
objective. This involves establishing clear objectives for the audit project and
organizing resources to provide adequate assurance that the objectives will be achieved
within acceptable quality, cost and time constraints. Periodically, unforeseen
circumstances will place competing demands on resource availability for the audit project,
and this will then involve adjustments to the audit approach, timing, and possibly
even the scope of the audit.

Project Plan
An audit project plan which delivers the desired impact on the business, to the scope
specified in the original audit engagement, at the time promised to the auditees and
within the cost constraints originally planned, would be classed as a high-quality
audit. The reality of the situation, however, is that few audit projects actually achieve
all of those desired deliverables specified above. Audit supervision will be required
to make decisions involving balancing those deliverables within the constraints of the
audit scope, time and resources available. In addition, all audit planning is carried
out based upon a supposition of what will be found. This uncertainty can result in
drastic changes to an audit plan if the control environment found does not match the
expectation. The changes can be positive as well as negative since, once the audit
has started, it may be discovered that the internal control structures are more robust
and effective than anticipated and the degree of direct testing may be reduced from
that originally planned. More commonly it will be found that internal control is not
at the level suggested by management during the preliminary survey and that audit
testing will have to be extended, resulting in changes to the cost and duration of the
audit. This uncertainty may be defined as project risk.

Corporate Environment and Cultural Climate
Audit projects, perhaps more than any other, must be seen to operate within a
corporate environment and cultural climate, since the auditors are looking at the
internal control, which ultimately is exercised by individuals within the organization.
Audit findings and the recommendations arising from them will impact those
individuals, and sensitivity to the ethnic, educational, religious and economic
characteristics of the auditees must be considered throughout the audit process. Previous
experience with audit and perceptions of the role and authority of audit will similarly
require consideration.
In the audit of international organizations, custom as well as legal implications will
also impact the effectiveness of the audit process across cultural divides. National
holidays, time zones and local political conditions may also affect project
communication and the use of advanced technology within audits.
The perceived role of internal audit can impact on both the effective interchange
of information as well as the ability to influence management to implement
appropriate control remedies, should deficiencies be found. Even negotiation can degenerate
into squabbles based upon cross-cultural misinterpretation of both verbal and visual
communications, and motivation becomes problematic.
Project management will involve the lead auditor in utilization of a variety of
problem-solving initiatives in order to adapt plans so that the overall project objectives
can be met and the needs of the auditee, management and the organization can be achieved.

Managing the scope itself is essential to ensure that all of the work required to
complete the project, but only that work, is fully undertaken and completed
effectively. A common problem at this stage is allowing ‘scope creep’ to occur, resulting
in considerably more work being undertaken than was required.
Once the scope has been agreed the processes to be undertaken to complete
the project can be defined and allocated against individual auditors, based on skill
requirements and availability. This work breakdown is essential, since the scheduling
of time is based upon the quantity of work that a specific individual can achieve at
a given task. The sequencing of these activities to ensure a smooth workflow is also
important because certain activities may be able to overlap, while others may be
dependent upon the successful completion of the preceding operation.
Once this breakdown has been done, the lead auditor can compare the overall
project plan to the resource constraints within which the project must occur so that
any modifications required to fine-tune the project plan can be made. Even at this
stage a project plan can be modified based on what is found in the course of the
audit activities.
For an audit project, cost management largely boils down to time management,
since the bulk of audit costs are the costs of human resources. To this end the
planning, budgeting and estimating of time scales will largely dictate the project budget.
As the project is executed, time and cost resources expended can be monitored
against the planned budget and variations analyzed to determine whether they are
plan-related (ie the plan underestimated the amount of work to be carried out)
or performance-related (ie the people did not perform as planned). Variations will
occur in even the best planned projects and subsequent phases of the project may
need to be re-planned based upon known performance levels.
The management of the human resources making up the project team is critical
to the success of the overall audit project. Early involvement of team members in
the planning of the project as a whole and their role in particular can dramatically
strengthen the commitment of individuals to the accomplishment and success of the
audit project. For example, in an extended audit covering a capital project of long
duration, the individuals involved in the project may change, and new team
members must be accommodated within the overall framework of the plan. It is the lead
auditor’s responsibility to ensure that the appropriate knowledge, skills and
competencies are available to the project team in order to ensure effective completion and
achievement of planned time and cost budgets.
In addition, team members must be developed to improve the overall competency
of the audit function and this involves the team leader as a mentor and a guide to
provide direction, offer feedback and advice, and resolve any issues of conflict within
the team.
As with any endeavor, the management of quality of work produced is of critical
importance to the ongoing reputation of the audit function. The appropriate
policies and procedures must be implemented to ensure that all activities fall within the
ambit of the Standards for the Professional Practice of Internal Auditing. Once again,
the Standards should be seen as a living document to guide the auditor towards
acceptable levels of quality rather than a sterile set of instructions to be looked at
once a year. Quality control within the audit will involve the identification of key
indicators to be monitored as a measurement of quality achieved, the execution
of that monitoring, and the identification of improvements to address any areas of
unacceptable performance quality.

One of the main reasons for introducing project management is the
communication of the status of the audit project at any given point in time. Auditing
within an organization should be seen as a continuous flow from project to
project and this means that any delay in a particular audit can cause a domino effect
in subsequent audits, since specific skills and personnel may not be available at
the time originally planned. In addition, auditees and management also require
knowledge of where an audit is in terms of its progress against the agreed plan.
Communicating in this manner facilitates the management of client expectations
as to deliverables, costs and timings for the audit. Obviously, this is more critical
in audits of longer duration.

CHAPTER 20
Audit Reporting and Follow-up

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the uses and importance of internal audit reports to the various
users of audit services
➤ Outline in detail the basic structure of an internal audit report
➤ Use effective writing techniques for maximum impact
➤ Formulate and express an appropriate audit opinion
➤ Describe the use of auditee responses in the audit report
➤ Polish and edit your own or another auditor’s report
➤ Distribute the audit report for maximum impact
➤ Follow up on findings in an appropriate manner

Reporting
IIA Practice Advisory 2440-1: Recipients of Engagement Results provides guidance
for internal auditors with respect to their reporting responsibilities as follows.

‘Final engagement communication should be distributed to those members of the
organization who are able to ensure that engagement results are given due consideration.
This means that the report should go to those who are in a position to take corrective
action or ensure that corrective action is taken. The final engagement communication
should be distributed to management of the activity under review. Higher-level members
in the organization may receive only a summary communication. Communications may
also be distributed to other interested or affected parties such as external auditors and
the board.’

Audit Reporting
Results of the audit are usually reported orally in the form of interim reports and
closing conferences, as well as in writing. At least a written report should be
produced at the end of an audit, and other types of reporting should occur if necessary.
Reports generally should be:
➤ accurate;
➤ objective;
➤ clear;
➤ concise;
➤ complete;
➤ constructive; and
➤ on time.

Written reports should include:
➤ a statement of the purpose of the audit;
➤ the audit scope;
➤ the audit results;
➤ the auditor’s opinion;
➤ recommendations for potential improvements;
➤ an acknowledgement of satisfactory performance; and
➤ the auditee’s reply to the auditor’s opinions and recommendations.

Reports should be reviewed and approved by the internal audit manager before they
are issued.
The issued audit report is a reflection of the competence and professional image
of the whole internal audit department and internal auditing as a profession. In
many cases, this is the only exposure to internal auditing that senior management
will get. This image will be reflected not only in the report’s technical soundness but
also in its clarity, tone, organization and style. The message must be unambiguous
and questions raised in the reader’s mind must be anticipated and answered. Any
desired mood must be created by words alone.

Clear Writing Techniques
The objectives of any writing are to inform and influence. To do this effectively and
efficiently, you must gather the necessary information before starting. This avoids
reorganization and rewriting at a later stage when you remember forgotten facts.
Readers tend to retain material better if it is written in a conversational style, but
this requires anticipation of the type of feedback one would receive during a normal
conversation. Conversational-style reports build mental images, which tend to be
assimilated and remembered more easily. When deficiencies are reported, avoid
personal references. The audit report should criticize practices, not people.
Keep sentences short and simple, trying to average 15 to 20 words. This does not
mean that you should count every word and artificially chop long sentences in two.
Nevertheless, one idea per sentence can make the report clearer. Long sentences
tend to be foggy, awkward, dull and boring.
Use active voice verbs, since these are usually shorter, livelier and more
conversational. ‘The manager asked for ...’ instead of ‘... were asked for by the manager’.
Passive voice verbs tend to be dull, formal and unclear. They can appear less
emphatic and vague. Passive verbs are frequently to be found in highly formal and
structured reports such as fraud audit reports, where the auditor is deliberately
emphasizing the impartial and impersonal nature of the report.
Use clear, familiar words and avoid the use of ‘impressive’ words, which the reader
may not understand or may misinterpret. In producing the report, you should be
specific and precise, but should never sacrifice clarity for brevity. Some audit reports
are so abbreviated that the reader has to guess at the meaning. You should
recognize that readers of the report will come from a variety of backgrounds and you
should therefore avoid jargon where possible. Where it is essential for clarity, the
report should explain things in a way a layperson would understand. Always bear in
mind that the burden of communication is on the writer, not the reader.
Use appropriate headings, as they break up the monotony of long sections and
help readers to locate specific information. This speeds up the reading process
by allowing a reader to scan for specific information. Many auditors feel that they
should discourage readers from scanning the report, but the alternative may be that
the report is not opened or read at all.
Other techniques for easing the reading of reports involve keeping the paragraphs
short, as well as the use of emphasis, white space, graphics and color. Remember
always that this is a working audit report, not a Christmas card, and do not make it
over-fancy. The report should not be padded for the sake of size, nor should there
be criticism just for something to say.

Preparing to Write
Preparing to write starts at the beginning of the audit. From the moment the scope
and objectives are approved, all audit work is done with the audit report in mind.
At the start of the audit, you should already have a mental picture of the report in
your mind. You know the anticipated audience, the subject matter, and the scope
and objectives of the report.
When the actual process of committing the report to paper starts, free writing
may help to loosen up your mental muscles. This technique involves the writing of
unrelated texts such as a letter before you start work on the report. The theory is
that this starts the brain moving in logical communication mode.
Usually an audit report will involve the co-ordination of several writers’ efforts. In
such cases it may be wise to read the report aloud in order to recognize the
differences in the styles and methods of individual contributors. Reports should follow the
same methods and be written in the same style throughout.

The Basic Audit Report
A cover is almost always desirable since it sets a professional tone from the start. It
should include the report title, the name and location of the auditee, and the date
of audit coverage.
The formalities section normally consists of an introduction and is usually one to
three pages in length. It includes the date of the report; the addressee (get it right);
and the background, scope and objectives of the audit. A brief opinion and the
general nature of the findings together with the reply expectations and a signature are
required here. The names of participating auditors, a distribution list and contents of
the body of the report are also a normal part of the formalities section.

The Executive Summary
The executive summary consists of a list of the most important issues and findings.
It provides a preliminary perspective to the whole report and focuses on risks to the
organization and the specific effect of control weaknesses. It may be all that is read
and, in many cases, it is all that should be read.
Two approaches are possible in the executive summary, depending on the nature
of the executive audience.
A ‘condense and eliminate’ approach, which involves abbreviated explanations
of major audit findings, ordered by importance and cross-referenced, may be used
when you are writing for a knowledgeable executive. A ‘briefings’ approach, which
informs, advises and interprets, may be more appropriate in a specialized audit
where the executives may not be fully conversant with the implications of findings.

Detailed Findings
Detailed findings usually constitute the body of the report. A finding comprises
four distinct parts:
➤ Condition: This details what the auditor found, ie what the evidence showed.
➤ Criteria: This details what management intended should happen.
➤ Cause: This indicates whether the condition was caused by the absence of an
internal control or the failure of one and, if so, which.
➤ Effect: This indicates the impact on the business of the condition.

The detailed findings should include enough information for the reader to
understand the findings. Exhibits and attachments are usually placed within the report,
but may be placed in an appendix if they are very long. All graphics, charts and
financial tabulations should be clearly labeled and, if in an appendix, should be
cross-referenced to the report.
Management will often want an internal audit opinion, as it provides an overall
perspective to the rest of the report and forces the auditors concerned to commit
themselves. However, it can cause a management overreaction, resulting in important
parts of the report being ignored, since audit results are normally mixed in nature.
At the discretion of the auditor, auditee responses may be included in the final
report. This can help provide balance and can lend credibility to the report, resulting
in less ‘sniping’ from the sidelines. Where such comments are included, they must
be reviewed with and agreed to by the auditee.

Polishing the Report
Polishing the report involves a rigorous review before it is issued. This is commonly
done in a peer group and should involve one person with no knowledge of the
specific audit area, who is better able to challenge the assumptions on which the report
is based. Many organizations use checklists or computerized grammar and style
checkers to help make the report more readable. Ultimately, the head of internal
audit or a designated deputy will sign the report. Since many reports are issued late,
which is often a major auditee complaint, it is important that you do not build in
unnecessary delays to the issuing of the report.

Distributing the Report
The report should be distributed to the first authority level able to take
appropriate action. The full distribution list may be determined early in the audit process,
although auditee chains of command can cause political ramifications. The delivery
method should take into account both the confidentiality of the reported
information and the remoteness of the recipient. Couriering or hand delivery is best.

If the contents of the report are highly confidential, detective controls can be
implemented to trace individual copies should a leak occur. The most obvious of
these techniques is copy numbering, but intentional misspellings or rewording of
critical areas may also be used.

Interim Reporting
Interim reports are those prepared and issued while the audit is in progress. They
are usually used to either report progress on an extended audit or to notify the
auditee of a finding that warrants immediate attention. They may be either written
or verbal, although a written report in memo form can be a useful way of
reporting a finding. The main advantages of interim reports are that the auditee receives
timely feedback, which in turn makes immediate action more likely. This can, in turn,
result in a more favorable final report if appropriate action is taken. Interim reports
effectively provide a follow-up opportunity during the audit itself.

Closing Conferences
Before the final audit report is issued, a closing conference is common. This permits
an overall review of the audit objectives and findings, and is the final opportunity to
clear up any misunderstandings or omissions before the report is issued. It ensures
a fair and balanced presentation and allows auditees to express their opinion. It
also gives the auditors concerned feedback on the way the audit was handled from
a client’s perspective.

Follow-up Reporting
IIA Standard 2500-A1 states that:

‘The chief audit executive should establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.’

There are two phases involved. Management chooses either to:
➤ take appropriate action on the audit findings; or
➤ accept the risk of not taking action.

The auditors must find out what action was taken and whether it was appropriate.
Follow-up reports are usually directed to the recipients of the original report, and
they should focus on attainment of the control objectives, not necessarily on the
audit recommendations.
The participants in the audit process all have distinct roles to play in the follow-up
process.

Auditors
It is the duty of the auditors to:
➤ perform follow-up reviews to ensure appropriate action was taken; and

187

Internal_Auditing.indb 187 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

➤ inform the auditee, executive management, board and audit committee in writing
of the outcome of the follow-up review.

Internal auditors should make management aware of actual and potential risks, but
have no further responsibility if management decides to accept the risk. Auditors
must not interfere with the auditee’s operation during the follow-up review.

The Auditee
The auditee is expected to do the following:
➤ provide timely, complete responses to the audit report;
➤ help auditors with follow-up reviews;
➤ keep auditors and management informed of corrective actions;
➤ inform auditors and management of any major disagreements; and
➤ assess the cost-effectiveness of alternative corrective measures and choose an
appropriate alternative.

Executive Management
The role of executive management is to:
➤ monitor the follow-up process;
➤ assess the adequacy and cost-effectiveness of the auditee’s corrective action;
➤ not interfere with auditors’ follow-up reviews; and
➤ avoid compromising the auditors’ objectivity and independence.

Types of Follow-up Action
An auditor will usually review auditee responses and corrective actions, evaluate
their adequacy and report follow-up findings. Follow-up actions will vary significantly
for differing audits in terms of the breadth, degree of focus, depth and extent of
follow-up examination. Practical considerations such as the time available must be
taken into consideration. Auditors tend to be optimists as far as time is concerned
and often take shortcuts in follow-ups as a result. In many cases, they completely
omit follow-ups. In order to reduce the time required for follow-ups, an auditor
should:
➤ follow up as much as possible during the audit itself;
➤ review written responses before the follow-up review;
➤ review only the documentation of corrective action for less critical findings;
➤ not perform audit work at all on minor items; and
➤ limit follow-up tests to only the problems noted.

Audit Follow-up Policies
Typical audit policy provisions would state that audit follow-ups are required for all
audits where exceptions are reported. Internal auditors must be given the authority
and responsibility to evaluate the effectiveness of corrective action. Follow-ups
should be adequately documented, and the roles and responsibilities of those who
will carry out the follow-ups should be documented and followed. The follow-up
policy should state executive management’s commitment and should be addressed
to all managers. Such a statement should be clearly shown as coming from the
organization’s highest level of authority. The policy should specify to whom auditee
responses should be directed and must itself be in writing.
Additional success factors for ensuring that the actions taken are appropriate and
followed up would include the auditor discriminating between symptoms and causes
in the original report. The auditee action must address the cause, not the effect.
The follow-up findings should be attached to working papers and the follow-up
report attached to the original report. The auditor will need guidelines for rejecting
the auditee's corrective measures should this be necessary, but should not try to
force audit preferences on management.
The audit focus should be on control objectives and principles; management
focus should be on the controls themselves. To do otherwise is to risk becoming
the approver of the controls. Management must decide, not the auditor. Where you
reject a management action, never attack the individuals concerned. You must avoid
becoming emotionally involved in disagreements. State specifically in rejections why
the rejection has occurred and which control objectives are still threatened.

CHAPTER 21
Audit Engagement Tools, Statistics and Quantitative Methods

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the difference between statistical and non-statistical concepts
➤ Explain the differing sampling methods in common audit use and the factors
affecting sample size
➤ Choose from among the parametric and non-parametric techniques, depending
on the needs of the audit
➤ Design and administer surveys and questionnaires
➤ Conduct structured, semi-structured and unstructured interviews
➤ Explain the usage of financial analysis from an internal auditor's perspective
➤ Describe briefly the internal audit use of:
◗ Analytical techniques for sharper insight
◗ Operations research and models
◗ Analytical review procedures
◗ Linear programming
◗ Charting, queuing and game theory
◗ Simulations

Audit Engagement Tools, Statistics and Quantitative Methods


IIA Practice Advisory 1210-1: Proficiency provides guidance as to an auditor’s
responsibility to understand the accounting, legal, tax or finance issues arising that
require the use of specific engagement tools, statistics and quantitative techniques
when particular problems or potential problems are identified, in order to conduct
further research and evaluate the results.

‘An appreciation is required of the fundamentals of subjects such as accounting,
economics, commercial law, taxation, finance, quantitative methods, and information
technology. An appreciation means the ability to recognize the existence of problems
or potential problems and to determine the further research to be undertaken or the
assistance to be obtained.’

What is Sampling?
Sampling is the process of testing a portion of a group of items in order to evaluate
and draw conclusions about the population as a whole.


The process of sampling may be broken down into the following sub-processes:
➤ An auditor is performing either a compliance test (test of controls), or a
substantive test
➤ of either documented internal accounting controls or accounting source records
by applying procedures
➤ to less than 100 per cent of the items in the class of transactions or account
balance
➤ for the purpose of forming a conclusion about some characteristic of the class
or balance.

Why Do We Sample?
The underlying assumption of sampling is that the results of a sample yield accurate
information about the population from which the sample was taken. Sampling,
therefore, is an effective method of gathering audit evidence.
If auditors did not use sampling, every item comprising an account balance or
every transaction occurring within a class of transaction would need to be reviewed.
The cost of such an examination would (a) be prohibitive, because of the amount
of time required to perform such an examination and (b) far outweigh the benefit
obtained. Sampling provides an auditor with a means of obtaining almost identical
information, but at a much lower cost. Thus, sampling is also an efficient method of
gathering information.

There are two basic sampling approaches:

➤ judgmental/non-mathematical; and
➤ statistical.

Each approach represents a different way of handling audit risk. Therefore, each may
be appropriate for some populations but not for others. Choosing the right approach
involves answering some critical questions about risk, population characteristics and
the objectives of our testing. The answers lead us to the best approach and the most
efficient audit plan.

Judgmental (or Non-mathematical) Sampling
In judgmental sampling, an auditor relies solely on his/her professional judgment to
assess the risk of sampling error when evaluating a population. The sample is not
intended to be representative of the whole population and therefore sample results
cannot be extrapolated to the whole population. This approach is normally used
where an auditor intends to use the sample for limited purposes.
Where an auditor is aware that a section of the population is a higher risk, he/she
may choose to direct the sampling process to that particular area. Here, he/she has
exercised professional judgment in selecting the population to be reviewed, and any
conclusions drawn must be carefully judged to ensure their validity.
Judgmental sampling should not be used as a primary audit procedure if the auditors
have no special knowledge about which items in the population are more likely
to contain misstatements.
Again, judgmental sampling may be used for limited purposes (ie when sampling
is not the primary audit procedure), such as corroboration of the outcome
of other analysis, by examining a few detailed transactions to check the validity of
forecasts.

Statistical Approach
In statistical sampling, the sample is selected in such a way that it can be expected
to be representative of the population. By doing so, an auditor intends that the
relevant characteristics of the sample, such as the sizes or rates of errors, should
be mathematically proportional to those of the population. For this to be valid, an
appropriate sample selection technique, such as random selection, and an adequate
sample size must be chosen. The sample results may then be used to project to the
population (extrapolate) in order to estimate a specific value for the population. The
more representative a sample is, the more accurate the extrapolation. This effectively
means the larger the sample size, the more accurate the extrapolation.
Obviously, statistical sampling is less than 100 per cent reliable, and an auditor
must take into consideration the effect of sampling risk.

Sampling Risk
All auditing involves a certain amount of risk or uncertainty. The risk that material
irregularities or errors will not be detected either by internal control or by
the use of the appropriate auditing procedures is always present. The uncertainty
that exists in applying the audit procedures is called audit risk. When an auditor
chooses to use statistical sampling, he/she faces the possibility that, due to the
fact that there is less than 100 per cent certainty, the conclusions drawn about the
population may contain some material error. This audit risk comprises two specific
sub-sets.
➤ Sampling risk is the risk that the sample chosen may not appropriately reflect
the population as a whole.
➤ Non-sampling risk is the risk that, having obtained a representative sample, the
auditor still misses a significant error.

In the case of statistical sampling, as opposed to judgmental sampling, an attempt
is made to control the risk of sampling error. Because the auditor has accepted
that 100 per cent certainty is either not desirable or not possible, by working at a
95 per cent certainty level he/she has accepted a 5 per cent chance that the sample
drawn does not accurately or completely reflect the population. This risk exists
because of the nature of sampling certainty.
In a normal distribution, a 95 per cent certainty indicates that, should the auditor
draw a sample of 20, 100 times, 95 of those times the full sample would be drawn
from a representative part of the population. In five of those times, the sample would
include one or more items that are not representative of the population.
When this happens, caused by the random chance in the selection of the sample,
it is classed as the risk of sampling error. This risk always exists, regardless of how
the sample is selected. The auditor’s justification for accepting this risk involves a
judgment call regarding the level of assurance that the chosen combination of
substantive testing and reliance on internal control gives a reasonable probability of
detection. By choosing the appropriate sampling technique and by applying his/her
professional judgment after consultation with auditee management, the auditor
attempts to minimize the risk of sampling error. In addition, by choosing an
appropriate statistical model and by following the correct sampling selection
methodology, the auditor can quantify the likelihood of sampling error in order to
determine that it is within acceptable limits.
In the case of judgmental sampling, the risk of sampling error still exists, but,
because the auditor does not explicitly state a confidence level, the risk is not
quantifiable. This means that, in this case, the risk of sampling error is dependent
on the experience, skill and judgment of the individual auditor and that his/her
evaluation cannot be substantiated.

Whether the sample chosen is based on statistical methods or an auditor’s judgment,
every use of sampling is also subject to the risk of non-sampling error. This
type of error is caused by other uncertainties that are not caused by the sampling
process. Causes of this type of error could include:
➤ mistakes in selecting the sample;
➤ the use of incorrect audit procedures for a given objective;
➤ failure to recognize misstatements or irregularities included in the sample items;
and
➤ an improper definition of the population.

Non-sampling error therefore includes any misjudgments or mistakes by the auditor
that may lead him/her to an incorrect conclusion based on the tests carried out
on the sample. These errors would have occurred even if sampling had not been
chosen as a technique and the full population examined. By careful planning and
by using the appropriate audit techniques, non-sampling risk can be minimized, but
not eliminated.

Assessing Sampling Risk
IIA Standards state that auditors should use their professional judgment in assessing
sampling risk. The two main aspects of sampling risk in compliance tests of internal
controls are:
➤ the risk of overreliance on controls, which is the risk that the sample leads an
auditor to place reliance on the control when it is not justified (beta risk); and
➤ the risk of underreliance on controls, which is the risk that the sample leads the
auditor to wrongly evaluate the population as falling beyond tolerance levels
(alpha risk).

The auditor should also be concerned with sampling risk when performing
substantive tests. Here the risks are classified as follows:
➤ The risk of incorrect acceptance (beta risk) is the risk that the sample supports
the auditor's conclusion that the amount or quantity is not materially misstated
when in fact it is.
➤ The risk of incorrect rejection (alpha risk) is the risk that the sample leads the
auditor to believe that the amount or quantity is materially misstated when in
fact it is not.

Alpha risks relate to the efficiency of the audit, while beta risks relate to the
effectiveness of the audit in the detection of material errors.

Planning a Sampling Application
Once an auditor has made the decision to use sampling, he/she should consider
both the audit objectives and the characteristics of the population.

Audit Objectives
As with any audit, the auditor starts off by considering the control objectives of
the area under review. From this can be derived the source of audit evidence and
the nature of the audit testing required to evaluate that evidence. Where the audit
testing needs to be done using sampling techniques, the auditor may focus on the
specific objectives to be achieved by the tests that will be carried out on the sample
selected.
The sampling technique chosen will be dependent on the nature of the opinion
the auditor wishes to express. An opinion on error rates within the population would
normally dictate the use of attributes sampling techniques, while expressing an
opinion on the probable values of the population may call for the use of monetary unit
sampling or variable sampling.

Population Characteristics
The second stage of planning is to define the population about which an opinion will
be expressed in terms of its characteristics. For example, the auditor may choose to
express an opinion about high-value items, low-value items or all items. Any
opinions expressed based on a sample can only be in terms of the population that was
sampled in the first place. Should the auditor sample invoices within the previous six
months, any opinion expressed can only be valid in terms of the previous six months’
invoices. Any conclusions drawn about invoices beyond this period would be invalid.
Again, if the auditor wishes to express an opinion regarding customers exceeding
their credit limit, the appropriate population to examine would be the creditors’
records and not the invoices. In testing to ensure that all orders have been
invoiced, the sample would be drawn from the orders and checked forward against
the invoices. If the auditor wishes to express an opinion regarding the authorization
of payments, the sample must be drawn from payments and checked backwards
against the authorized input documents.
In any population, a common evaluation technique is to determine the average
value of the population. Three averages are possible: the mean, the median and the
mode. In statistical sampling, the most commonly used average is the mean.
The mean, or arithmetic average value of a data set, is calculated as the sum of
all values, divided by the number of data points. For example, if three selections
are made by the auditor of invoices with values of R100, R140 and R180, then the
average value would be (100 + 140 + 180) ÷ 3, or R140.
The median represents the middle value in a population range. The mode repre-
sents the most frequently occurring value in a population.
In a census of a population, for example, there may be individuals with ages ranging
from 10 to 80 with a predominantly young population and an arithmetic average
age of 35. In such a population, the median may be found to be 45, the mean is 35
and the mode may be as low as 20 because of the population being skewed towards
younger people.

Deviations from the Mean
The amount of variability in the population defines the spread of values. One method
of determining the variability of a population is to examine its variability from
the mean. Standard deviations measure dispersion around the mean. The standard
deviation can be calculated as the square root of the average of squared deviations
of each member of the population from the mean. In the case of our invoices, this
would involve:

(100 – 140)² = (–40)² = 1 600
(140 – 140)² = 0² = 0
(180 – 140)² = 40² = 1 600
(1 600 + 0 + 1 600) ÷ 3 = 3 200 ÷ 3 = 1 066.67
√1 066.67 = 32.66

The main use from an audit perspective is the statistical fact that in a normal
(unskewed) population, 68 per cent of the population will lie within 1 standard
deviation from the mean, and 95 per cent of a population will lie within 1.96
standard deviations from the mean. In other words, when an auditor samples such a
population, there is a 95 per cent probability that all items selected will be drawn
from within ±1.96 standard deviations from the mean.
The skewness of a distribution refers to its lack of symmetry. A perfectly
symmetrical distribution will result in a normal bell curve with a skewness of zero. Most
distributions have some degree of skew. A population with the majority of the
population distributed to the right of the mean is said to be negatively skewed, and a
distribution with the majority of the population distributed to the left of the mean is
said to be positively skewed.
The computation of skewness involves taking the deviations from the mean,
dividing them by the standard deviation, and raising them to the third power. These
figures are then added together and divided by the number of data points.
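The averages, standard deviation and skewness described above, worked as an added example that is not part of the book: it applies the chapter's definitions to the three invoice values and to a constructed, hypothetical set of ages for a population skewed towards younger people.

```python
"""Mean, median, mode, standard deviation and skewness as defined in this
chapter (added example, not the book's own code)."""
from collections import Counter
import math

# The chapter's three invoice values (R100, R140 and R180).
INVOICES = [100.0, 140.0, 180.0]
# Constructed census-style ages for a population skewed towards younger people
# (hypothetical data, not the figures quoted in the text).
AGES = [20, 20, 20, 22, 25, 28, 30, 35, 45, 60, 80]


def mean(values):
    """Arithmetic average: sum of all values divided by the number of points."""
    return sum(values) / len(values)


def median(values):
    """Middle value of the sorted data (average of the two middle values if even)."""
    ordered = sorted(values)
    n = len(ordered)
    mid = n // 2
    return ordered[mid] if n % 2 else (ordered[mid - 1] + ordered[mid]) / 2


def mode(values):
    """Most frequently occurring value (the smallest one if several tie)."""
    counts = Counter(values)
    top = max(counts.values())
    return min(v for v, c in counts.items() if c == top)


def std_dev(values):
    """Square root of the average squared deviation from the mean. The chapter
    divides by the number of items N, and so does this function."""
    m = mean(values)
    return math.sqrt(sum((x - m) ** 2 for x in values) / len(values))


def skewness(values):
    """Deviations from the mean divided by the standard deviation, cubed,
    summed and divided by the number of data points (the chapter's recipe).
    Zero for a symmetric data set; positive when the bulk sits left of the mean."""
    m, sd = mean(values), std_dev(values)
    if sd == 0:
        return 0.0
    return sum(((x - m) / sd) ** 3 for x in values) / len(values)


def outside_band(values, z=1.96):
    """Items lying outside mean ± z standard deviations. In a normal population
    only about 5 per cent of items fall here at z = 1.96, so such items in a
    sample deserve a closer look before results are extrapolated."""
    m, sd = mean(values), std_dev(values)
    return [x for x in values if abs(x - m) > z * sd]
```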

Calculating Sample Size
For any sample design, deciding upon the appropriate sample size will depend on
certain key factors, which must be considered together in order to ensure that the
sample objectives are met. As previously stated, the amount of variability in the
population defines the spread of values. This will also affect accuracy and
consequently the size of sample required when estimating a value. The greater the
variability, the larger the sample size required.
The confidence level represents the likelihood that the results obtained from the
sample lie within the associated precision. The higher the confidence level you want,
the larger the sample size you need. Auditors normally operate at a 95 per cent
confidence level, but where a situation is evaluated as low risk, a lower level, such as
90 per cent, is acceptable. Conversely, in a higher risk situation, they may operate
at a 99 per cent confidence level.
Contrary to popular belief, the population size does not normally affect sample
size. Statistically, the larger the population size, the greater the likelihood that the
sample will be representative. Where the population to be sampled is less than
5 000, the population size begins to have an impact on the sample size. The effect
is to increase slightly the sample size needed. Where population size is very low,
standard sampling techniques may be invalid and non-parametric sampling
techniques may be needed. Some audit software does not take this into consideration
in calculating sample size, and auditors must be aware that such sampling will only
be appropriate in larger populations.
Differing methods of sampling are appropriate in different circumstances, and
an auditor must be aware of the advantages and disadvantages of each so that the
appropriate sampling method can be selected.

Table 21.1: Comparison of various sampling methods

Judgmental sampling
Definition: Based on deliberate choice of the auditor.
Advantages:
➤ Normal application is for small samples from a population that is well understood and there is a clear method for picking the sample
➤ Is used to provide illustrative examples or to check forecasts
Disadvantages:
➤ The sample is typically small and can be misleading
➤ It is prone to bias
➤ Sample results cannot be extrapolated to give population results

Attribute sampling
Definition: Used to determine error rates in the population.
Advantages:
➤ Results in the minimum sample size needed to express an opinion at a given confidence level
Disadvantages:
➤ Valid only for populations >5 000
➤ May result in a larger sample size than judgmental sampling
➤ Requires random selection to remain valid

Variable sampling
Definition: Used to estimate values of a population.
Advantages:
➤ Results in the minimum sample size needed to express an opinion at a given confidence level
Disadvantages:
➤ Valid only for populations >5 000
➤ May result in a larger sample size than judgmental sampling
➤ Requires random selection to remain valid

Cluster sampling
Definition: Units in the population can often be found in geographical groups or clusters, eg schools, households, etc. A random sample of clusters is taken, and then all units within those clusters are examined.
Advantages:
➤ Quicker, easier and cheaper than other forms of random sampling
➤ Does not require complete population information
➤ Useful for face-to-face interviews
Disadvantages:
➤ Works best when each cluster can be regarded as a microcosm of the population
➤ Larger sampling error than other forms of random sampling
➤ If clusters are not small, it can become expensive
➤ A larger sample size may be needed to compensate for greater sampling error

Probability proportional to size (PPS) or monetary unit sampling (MUS)
Definition: Samples are drawn in proportion to their size, giving a higher chance of selection to the larger items (ie the chance of being selected is proportional to the individual item’s size).
Advantages:
➤ Unit to be selected is a single monetary unit, eg a dollar
➤ Used where you want each element to have an equal chance of selection rather than each sampling unit
➤ Can easily identify exaggeration
Disadvantages:
➤ Can be expensive to get the information to draw the sample
➤ Appropriate only if you are interested in the elements
➤ Not appropriate if elements are underexaggerated

Stratified sampling
Definition: The population is subdivided into mutually exclusive layers. The strata can have equal sizes or you may want a higher proportion in certain strata.
Advantages:
➤ Ensures units from each main group are included and may therefore be more reliably representative
➤ Should reduce the error owing to sampling
➤ Typically results in lower sample sizes
Disadvantages:
➤ Selecting the sample is more complex and requires good population information
➤ The estimates involve complex calculations

Simple random selection
Definition: Ensures each member of the population has an equal chance of selection.
Advantages:
➤ Produces defensible estimates of the population and sampling error
➤ Simple sample design and interpretation
Disadvantages:
➤ Needs complete and accurate population listing
➤ May not be possible in an unnumbered population
➤ May not be practical if remote items are selected for sampling

Systematic selection
Definition: After randomly selecting a starting point in the population between 1 and n, every nth unit is selected, where n equals the population size divided by the sample size.
Advantages:
➤ Easier to extract the sample than simple random selection
➤ Ensures cases are spread across the population
Disadvantages:
➤ Can be costly and time-consuming if the sample is not conveniently located
➤ Cannot be used where there is a pattern to the population distribution
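The selection methods compared in Table 21.1, as an added example that is not the book's own code: it implements simple random, systematic, stratified and monetary unit selection over a constructed population of 40 hypothetical invoices in which every fourth invoice is a large month-end item, so that the pattern problem noted against systematic selection, and the bias of MUS towards large items, can be observed directly.

```python
"""Sample selection methods from Table 21.1 (added example, not the book's code).

The population is constructed: 40 invoices, amounts in Rand, with every fourth
invoice a large month-end item. The only sampling-related purpose of the pattern
is to show why systematic selection must not be used on a patterned population.
"""
import random

# Constructed population: invoice number -> amount in Rand (hypothetical data).
POPULATION = {n: (5000 if n % 4 == 0 else 100 + (n * 37) % 400) for n in range(1, 41)}


def simple_random(population, sample_size, seed=0):
    """Every invoice has the same chance of selection (needs a complete listing)."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(population), sample_size))


def systematic(population, sample_size, start=None, seed=0):
    """Every nth invoice after a random start, n = population size / sample size.

    `start` is a 0-based offset into the listing (the book counts 1 to n); it is
    drawn at random below the interval when not given.
    """
    keys = sorted(population)
    interval = len(keys) // sample_size
    if start is None:
        start = random.Random(seed).randrange(interval)
    return keys[start::interval][:sample_size]


def stratified(population, per_stratum, threshold, seed=0):
    """Split the listing into high- and low-value layers and sample each layer."""
    rng = random.Random(seed)
    high = sorted(k for k, v in population.items() if v >= threshold)
    low = sorted(k for k, v in population.items() if v < threshold)
    picked = rng.sample(high, min(per_stratum, len(high)))
    picked += rng.sample(low, min(per_stratum, len(low)))
    return sorted(picked)


def monetary_unit(population, sample_size, start=0.0):
    """PPS / MUS: the sampling unit is one Rand and the invoice containing each
    selected Rand is examined. Hits are spaced total / sample_size apart from
    `start` (in practice a random value below the interval), so an invoice whose
    amount is at least the interval is always selected."""
    total = sum(population.values())
    interval = total / sample_size
    hits = [start + i * interval for i in range(sample_size)]
    selected, cumulative = [], 0
    for key in sorted(population):
        cumulative += population[key]
        while hits and hits[0] < cumulative:
            hits.pop(0)
            if key not in selected:
                selected.append(key)
    return selected
```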

Quantitative Methods
In addition to statistical analysis, an auditor can use a variety of quantitative
methods. These mathematical tools are commonly used to obtain an understanding of
operations, and permit the drawing of conclusions in a variety of circumstances
through analyzing the complexities of situations. Of the many quantitative methods,
this section examines the most commonly used.

Trend Analysis
Trend analysis is used to evaluate the behavior of a variable, such as the turnover
in a period of time. Such analyses can serve as evaluation criteria to determine the
reasonableness of fluctuations over an extended period. Comparisons of this year’s
turnover to last year’s or, alternatively, this month’s turnover to the same month last
year, are popular.

Chi-square Tests
Chi-square analyses are non-parametric tests capable of analyzing relationships
between qualitative data. For example, do operating units in the South have particular
patterns of operation different from those in the North?
Chi-square tests can check for the independence of nominal classifications and
ordinal data, and require no particular distributional pattern for the data.

Correlation Analysis
Correlation analysis is the measurement of the extent of association of one variable
with another. Two variables are said to be correlated when they move together in a
detectable pattern. A direct correlation is said to exist when both variables increase
or decrease at the same time, although not necessarily by the same amount. For
example, one would expect inventory to decrease as sales increase.
Correlation analysis is used by internal auditors to identify those factors that
appear to be related. An operational auditor, for example, may use correlation
analysis to determine whether corporate performance is in line with industry
standards by comparing the correlation of company costs of imported parts with
exchange rate fluctuations. Problems with how these statistics are computed,
shortcomings in an internal auditor’s understanding of auditees’ operations, or real
inefficiencies or misstatements can be pinpointed through correlation analysis.

Graphical Analysis
Graphical analysis can be useful to an internal auditor in identifying
interrelationships in data, anomalies and simple data errors.
A common form of graphical representation is a scatter diagram, which refers to
any graph of data points. The more discernible a pattern appears in the graph, the
more likely one variable is related to another and therefore can be used to predict
the other’s value. Where no pattern can be noted, there would appear to be little,
if any, correlation between the two variables.
Where a strong correlation exists, either positive or negative, the correlation value
will approach 1. Where little correlation exists, the correlation value will approach
0. Unfortunately, correlation values only measure linear patterns. Where there is a
non-linear relationship, correlation statistics will not disclose this. Occasionally a
single data point, not conforming to the general pattern, can distort the correlation
value. While this can be readily seen on the graph, it is usually less obvious when
examining the correlation value.

Learning Curves
In conducting operational audits of the quality of training of new staff, a learning
curve will normally be expected and observed in performance levels. In other words,
as employees gain experience with the new procedures or as a new employee
becomes more experienced, the length of time taken to perform the task should
decrease.
Learning curves are evaluated by computing the time required per unit of
production each time that the cumulative output is doubled. A decrease in production time
per unit of 25 per cent would result in a 75 per cent curve. A 60 per cent curve
would result if the production time were reduced by 40 per cent.
By measuring this curve, an auditor can determine how quickly a new procedure
or employee becomes productive. When a new procedure is recommended, calculating
the initial time per unit under the old system and comparing it to a series of
observations over time using the new procedures can objectively determine whether
the new procedure is an improvement over the old.

Ratio and Regression Analysis
Ratio analysis assumes a given proportional relationship between two numbers and
is normally used for comparisons over time.
A more advanced form of ratio analysis attempts to quantify the interrelationship
in order to facilitate predictions in a regression analysis. Regression analysis is used
to estimate the effect that a movement in one variable (the independent variable)
has on another variable (the dependent variable). In other words, if the sun shines,
more cooldrinks will be sold: but how many more? By performing the regression analysis,
the relationship, if any, can be identified and quantified, and sales levels can be
predicted.
Regression analysis can help an auditor understand and quantify data
interrelationships. Unusual variations between expectations and recorded values may be
noted for further investigation.
Using software, the auditor can also conduct a multiple discriminant regression
analysis relating the independent variable to a number of dependent variables
simultaneously. By determining the comparative strength of the relationships, an
auditor can choose the area that will best improve performance. Such analysis can
also be used to predict bankruptcy.
As with most statistical tools, regression analysis is based on a set of underlying
assumptions that must be met for its use and interpretations to be valid.

Linear Programming
Linear programming is an operations research tool used to allocate scarce resources
or to determine optimal blends of raw materials. The constraints applicable are
reduced to algebraic formulae, which are then solved by simultaneous equations. For
example, in a production environment, machining may be capable of processing 100
units per machine while finishing can handle 35 units per machine. The question of
how many machines of each type should be used for optimum production can be
solved using linear programming.

Project Scheduling Techniques


Accurate project scheduling techniques have long been a goal in project manage-
ment. Internal auditing frequently works in project teams, which often suffer from
poor project scheduling.

Program Evaluation Review Technique (PERT)


This technique is used to identify diagrammatically dependent and independent
activities. By showing graphically which activities cannot be started until the pre-
vious activities have been completed and, at the same time, which activities can
proceed simultaneously, the planner can allocate resources to those tasks having
most impact on the final completion deadline. This technique also takes into account
operational constraints placed on the resources needed to carry out the tasks.

200

Internal_Auditing.indb 200 16/04/2015 11:13


AUDIT ENGAGEMENT TOOLS, STATISTICS AND QUANTITATIVE METHODS

[Figure: PERT network diagram. Events A to I are joined by arrows labelled with activity durations in days; three paths lead from the start event A to the finish event E, the top path via B, C and D, the middle path via F, G and D, and the bottom path via H and I.]

The shortest time to get from A to E while completing all tasks is determined by
calculating the longest path.
➤ Path A-B-C-D-E takes 8 days.
➤ Path A-F-G-D-E takes 6 days.
➤ Path A-H-I-E takes 9 days.

This means that the bottom path would be the most critical. The reason for this is
that any delay in this path will postpone the final completion date. Any delay in the
middle path that does not exceed four days will have no effect on the final comple-
tion date. Should the top path experience a delay in any of the processes of, for
example, three days, then the top path will now take eleven days to complete and
will become the critical path. If, by the same token, the time taken for the critical
path can be reduced, then the final completion date can be brought forward.
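The critical path calculation above, worked as an added Python example that is not part of the book: the individual activity durations are assumed so that the three path totals equal those given in the text (8, 6 and 9 days). The code lists every path, finds the longest one as the general longest-path calculation over an acyclic network, reports how many days each path can slip, and re-runs the calculation after the three-day delay on the top path described in the text (placed here on activity C-D).

```python
from collections import deque
from copy import deepcopy

# Activity-on-arrow network for the PERT diagram discussed above. Each key is an
# event; each entry is (next event, activity duration in days). The individual
# durations are assumed here so that the three path totals match the text
# (A-B-C-D-E = 8, A-F-G-D-E = 6, A-H-I-E = 9); they are not taken from the book.
NETWORK = {
    "A": [("B", 2), ("F", 1), ("H", 2)],
    "B": [("C", 2)],
    "C": [("D", 3)],
    "D": [("E", 1)],
    "F": [("G", 3)],
    "G": [("D", 1)],
    "H": [("I", 4)],
    "I": [("E", 3)],
    "E": [],
}


def topological_order(network):
    """Kahn's algorithm; raises if the network has a cycle (not a valid schedule)."""
    indegree = {event: 0 for event in network}
    for successors in network.values():
        for nxt, _ in successors:
            indegree[nxt] = indegree.get(nxt, 0) + 1
    ready = deque(sorted(e for e, d in indegree.items() if d == 0))
    order = []
    while ready:
        event = ready.popleft()
        order.append(event)
        for nxt, _ in network.get(event, []):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(indegree):
        raise ValueError("activity network contains a cycle")
    return order


def critical_path(network, start, end):
    """Longest start-to-end path: the earliest date by which all work can finish."""
    earliest = {start: 0}
    predecessor = {}
    for event in topological_order(network):
        if event not in earliest:  # not reachable from the start event
            continue
        for nxt, days in network.get(event, []):
            if earliest.get(nxt, -1) < earliest[event] + days:
                earliest[nxt] = earliest[event] + days
                predecessor[nxt] = event
    if end not in earliest:
        raise ValueError(f"no path from {start} to {end}")
    path = [end]
    while path[-1] != start:
        path.append(predecessor[path[-1]])
    path.reverse()
    return "-".join(path), earliest[end]


def path_durations(network, start, end):
    """Every start-to-end path with its duration, as in the listing in the text."""
    results = []

    def walk(event, path, total):
        if event == end:
            results.append(("-".join(path), total))
            return
        for nxt, days in network.get(event, []):
            walk(nxt, path + [nxt], total + days)

    walk(start, [start], 0)
    return results


def path_slack(network, start, end):
    """Days each path can slip before it delays the final completion date."""
    _, finish = critical_path(network, start, end)
    return {p: finish - d for p, d in path_durations(network, start, end)}


def with_delay(network, from_event, to_event, extra_days):
    """Copy of the network with one activity lengthened by extra_days."""
    delayed = deepcopy(network)
    delayed[from_event] = [
        (nxt, days + extra_days if nxt == to_event else days)
        for nxt, days in delayed[from_event]
    ]
    return delayed


if __name__ == "__main__":
    for path, days in path_durations(NETWORK, "A", "E"):
        print(f"Path {path} takes {days} days")
    print("Critical path:", critical_path(NETWORK, "A", "E"))
    print("Slack per path:", path_slack(NETWORK, "A", "E"))
    # The text's scenario: a three-day delay on the top path makes it critical.
    delayed = with_delay(NETWORK, "C", "D", 3)
    print("After a 3-day delay on C-D:", critical_path(delayed, "A", "E"))
```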

Critical Path Method (CPM)


The critical path method (CPM) is a scheduling tool that was developed indepen-
dently of PERT but uses a similar diagram. However, CPM uses two time estimates,
one for normal effort and one for ‘crash’ effort. ‘Crash’ time is the time required for
completion if all available resources were committed to the task.

Gantt or Bar Charts


One of the simplest planning tools requiring no mathematical calculations is the
Gantt chart. It is commonly used in organizing work and monitoring progress through
the various stages of a simple project and involves the production of bar charts
showing the start and completion times of individual project activities. The major
drawback to these charts is the poorer representation of interdependencies.

Simulations
Monte Carlo Simulations
Computers can be used to accelerate timescales by carrying out activities over and
over again very rapidly. By combining this with the probability of events occurring,
a sophisticated model can be built.
One such approach is referred to as the Monte Carlo method. It uses the com-
puter to simulate uncertainty via random behavior based upon the probabilities
entered and then iterates specified models several times to determine average
performance.

Game Theory
The term game theory refers to mathematical models of optimal strategies under
various incentive schemes. This is used in competitive environments to explore ‘what
if’ scenarios.
A non-zero-sum game is said to exist when a profit is generated in which it is
possible for both participants to share. A zero-sum game denotes a situation where
a profit simply transfers from a loser to a winner. Game theory is used to help an
internal auditor in understanding the reasons particular strategies are pursued in
negotiation sessions or competitive price setting.

Queuing Theory
Businesses often have queues at service points. Elimination of these queues by
increasing the number of service points would result in service points often being
unused and costs increasing. Management must be able to decide how many service
points should be provided.
Queuing theory facilitates the use of mathematical models to minimize the total
cost for a given rate of arrivals. The minimized cost includes both service costs (facil-
ity and operating costs) and waiting costs (the idle resources involved in waiting in
line or having service points idle).


Section 4

Business Analysis

Chapter 22

Corporate Governance

Learning objectives
After studying this chapter, you should be able to:
➤ Outline the corporate governance developments nationally and internationally
affecting organizations
➤ Discuss the different corporate structures encountered in business organizations
➤ Outline briefly the nature and roles of the following stakeholders in achieving
sound corporate governance practices:
◗ Investors or owners
◗ Boards of directors and management
◗ The audit committee
◗ External audit
◗ Internal audit
➤ Explain the impact of a risk-based approach in prioritizing the internal audit plan
➤ Determine the resource requirement in terms of staff competencies and avail-
ability to carry out the audit plan
➤ Explain the implications of outsourcing internal audit

International Corporate Governance Developments


The importance of good governance is widely recognized internationally and is driv-
en by the requirements of the global economy for transparency, accountability and a
shareholder-inclusive approach to economic, social and environmental stewardship.
Following the Treadway Commission report on fraudulent financial reporting in the
US in 1987, the past 17 years have seen a number of commissions established in
various countries to investigate corporate governance practices and make recom-
mendations regarding, among other things:
➤ changes to legislation;
➤ corporate codes of ‘ethical’ conduct; and
➤ criteria for evaluating and reporting on corporate governance practices worldwide.

These include the Cadbury Report on corporate governance in the UK (1992),[45]
the Hampel Report in the UK (1998), the King Report in South Africa (1994),[46]
the Blue Ribbon Report in the US (1998),[47] the King II Report in South Africa

45. Cadbury Commission. 1992. Report on the Financial Aspects of Corporate Governance. London.
46. Institute of Directors (IOD). 1995. The King Report on Corporate Governance for South Africa.
Johannesburg: IOD.
47. Blue Ribbon Committee. 1998. Report and Recommendations of the Blue Ribbon Committee on
Improving the Effectiveness of Corporate Audit Committees. New York: New York Stock Exchange.
(New York Stock Exchange Listed Company Manual 303.01: Audit Committees.)

Internal_Auditing.indb 205 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

(2002), and in the UK, the recent Smith Report (2003)[48] entitled Audit Committees
Combined Code Guidance, dealing with the role and responsibilities of ‘effective’
audit committees, and the Higgs Report (2003)[49], entitled Review of the Role and
Effectiveness of Non-executive Directors. In Europe there has similarly been much
activity to strengthen corporate governance and company law standards. These
include the Cromme Code[50] in Germany and the Bouton Report[51] in France in
September 2002.
The Cadbury Commission was commissioned to report specifically on the financial
aspects of corporate governance in response to some spectacular company col-
lapses in the UK, such as BCCI Plc, Polly Peck Plc and Barings Bank.
The Cadbury Report called for a strengthening of the board’s conformance and
compliance role. The report advocated the strengthening of the role of independent
non-executive directors, the creation of compliance committees using these non-
executive, independent directors in audit committees, remuneration committees to
oversee directors’ remuneration, and nomination committees concerned with the
nomination of new directors to the board.
Cadbury also recommended greater transparency on board matters and the
separation of the roles of the chairman of the board from the chief executive officer
(CEO) of the business.

In 1998, the Hampel Committee in the UK consolidated these ideas into a set of
Principles of Good Governance, and a Code of Best Practice for unitary boards
of listed companies was incorporated into the listing rules of the London Stock
Exchange, known as the City Code. The report recommended the following:
➤ Good corporate governance needs broad principles, not prescriptive rules.
Compliance with sound governance practices, such as the separation of board
chairmanship and the CEO function, should be flexible and relevant to each
company’s individual circumstances and not reduced to what the report calls a
‘box-ticking’ exercise. Self-regulation is the preferred approach: no additional
company legislation was considered necessary.
➤ The board is accountable to the company’s shareholders. There is no case for
reassigning directors’ responsibilities to other stakeholder groups.
➤ The unitary board is totally accepted in the UK. There is no interest in alterna-
tive governance structures or processes such as two-tier boards.

These recommendations led to similar corporate governance initiatives in other
countries including the first King Commission Report on Corporate Governance in
South Africa (1994), following the corporate collapses of the Masterbond group,
Tollgate Holdings and the Supreme group in the late 1980s. More recently in South

48. Smith, Sir R. et al. 2003. Audit Committees Combined Code Guidance, a report and proposed
guidance by a group appointed by the Financial Reporting Council chaired by Sir Robert Smith.
London. January.
49. Higgs, D. 2003. Review of the Role and Effectiveness of Non-executive Directors, a report and
recommendations to the Secretary of State for Trade and Industry. London. January.
50. Cromme, G. et al. 2002. Corporate Governance Report: Vortrag und Diskussionen der Konferenz
Deutscher and Corporate Governance Code. Germany.
51. Bouton, D. et al. 2002. Promoting Better Corporate Governance in Listed Companies. Paris:
Association Française des Entreprises Privées et Association des Grandes Entreprises Françaises
and Mouvement des Entreprises de France.

206

Internal_Auditing.indb 206 16/04/2015 11:13


CORPORATE GOVERNANCE

Africa, there have been the collapses of MacMed Medical Aid, Cape Trust Bank
and Regal Treasury Bank.
Corporate governance is affected by the relationships among participants in the
governance system. Controlling shareholders, who may be individuals, family hold-
ings, bloc alliances, or other corporations acting through a holding company or cross
shareholdings, can significantly influence corporate behavior. As owners of equity,
institutional investors are increasingly demanding a voice in corporate governance
in some markets. Individual shareholders usually do not try to exercise governance
rights, but may be highly concerned about obtaining fair treatment from controlling
shareholders and management.
Suppliers also play an important role in some governance systems and have the
potential to serve as external monitors over corporate performance. Employees and
other stakeholders play an important role in contributing to the long-term success
and performance of the corporation, while governments and securities exchanges
establish the overall institutional and legal framework for corporate governance.
The various reports all contain recommendations for enhancing corporate gover-
nance practices, some of which have subsequently been incorporated into changes
in corporate legislation and the listing requirements of stock exchanges.
The far-reaching Sarbanes-Oxley Act in the US provides stringent legal require-
ments to enforce sound corporate governance requirements on all US SEC reg-
istrants, as well as their subsidiaries and associated entities, wherever they are
operating in the world. All contain references to the important role of audit commit-
tees and internal audit in assisting management to ensure the effectiveness of the
corporate governance processes.
Corporate governance can be defined in a variety of ways, but generally it involves
the mechanisms by which a business enterprise is directed and controlled. It con-
cerns the mechanisms through which corporate management is held accountable for
corporate conduct and performance.
Corporate governance, in general, provides the framework within which the objec-
tives of a company are set and the means of attaining those objectives and monitor-
ing performance are determined. Good corporate governance requires the board
and management to pursue objectives that are in the interests of the company and
shareholders and therefore facilitate effective monitoring, which in turn encourages
firms to use resources more efficiently.
The corporate governance framework rests on the legal, regulatory and institu-
tional environment. Factors such as business ethics and corporate awareness of the
environmental and societal interests of the communities within which an organiza-
tion operates can also have an impact on the reputation and the long-term sustain-
ability of the organization.
Corporate governance is based on the belief that corporate officers operate best
when they are held to account for what they do. This involves holding the manage-
ment of an organization responsible for its performance. It entails evaluation of the
proper use of executive power such that individuals with responsibilities are account-
able for and must be prepared to defend their decisions.

In public companies and financial institutions, the practical application of corporate
governance involves the following aspects:
➤ separation of the roles of chairman and chief executive;
➤ a majority of non-executive directors on the board;
➤ the establishment of an audit committee with non-executive membership;
➤ the protection of the independence of external auditors;
➤ maintaining standards of financial reporting;
➤ the adoption of a company code of ethics;
➤ guidelines for the conduct of directors, in particular, requiring avoidance of con-
flicts of interest and disclosure of benefits; and
➤ the identification of risk and risk management.

Within public sector (government) structures, the term ‘corporate governance’ rep-
resents a collection of practices aimed at ensuring management accountability and
service delivery. Many of these are drawn from the private sector practices, such as:
➤ risk management;
➤ financial reporting;
➤ a code of ethics;
➤ internal audit; and
➤ audit committees.

The South African Public Finance Management Act No. 1 of 1999 regulates financial
management in the national and provincial governments and provides for the respon-
sibility of people entrusted with financial management in these governments. A key
responsibility is placed on the ‘accounting officer’ who is the head of the relevant pub-
lic enterprise or department. The act clarifies the division of responsibilities between
the accounting officer and the political head (called the ‘executive authority’ – either a
minister or MEC). The Guide for Accounting Officers, issued by the National Treasury
in 2000, formally requires an accounting officer, among other things, to establish an
internal audit function and audit committee. Chapter 6 of this publication, entitled
‘Corporate Management and Internal Controls’, indicates the structure, role and man-
date to be embodied in an internal audit charter and the operation of the internal
audit function. In addition, it provides for the composition of the audit committee, its
role and duties, terms of reference and timing of meetings.

Corporate Stakeholders and Governance


The King II Report on Corporate Governance for South Africa (2002) identifies the
following seven primary characteristics of sound governance for listed companies,
financial institutions and public entities.

King II recommends that these guiding principles be infused in the code of corporate
practices and conduct of the organizations affected, and are indeed valid principles
for all organizations, albeit that their implementation by different companies and
public sector entities may differ greatly. The report groups the key aspects of gover-
nance under the following headings:
➤ the constitution and operation of the board and its committees;
➤ performance evaluation and reward;
➤ risk management and internal control;
➤ sustainability;
➤ business ethics and organizational integrity;
➤ accounting and auditing; and
➤ disclosure practices.

208

Internal_Auditing.indb 208 16/04/2015 11:13


CORPORATE GOVERNANCE

Table 22.1: Characteristics of sound governance

Characteristic: Nature
Discipline: Commitment by the organization’s senior management to widely accepted standards of correct and proper behavior
Transparency: The ease with which an outsider can analyse the organization’s actions and performance
Independence: The extent to which conflicts of interest are avoided, such that the organization’s best interests prevail at all times
Accountability: Addressing shareowners’ rights to receive, and if necessary to query, information relating to the stewardship of the organization’s assets and its performance
Responsibility: Acceptance of all consequences for the organization’s behavior and actions, including a commitment to improvements where required
Fairness: Acknowledgement of, respect for and balance between the rights and interests of the organization’s various stakeholders
Social responsibility: The organization’s demonstrable commitment to ethical standards and its appreciation of the social, environmental and economic impact of its activities on the communities in which it operates (the so-called triple bottom line)

Every company has key stakeholders that bring it to life and influence its activities
for better or worse during its existence.
An ongoing debate is the extent to which corporate governance practices should
be incorporated into legislation and policed, as opposed to relying on individuals
and corporate structures to ‘do the right thing’ and allowing stakeholders and the
capital markets to self-monitor and regulate the actions of the corporate leader-
ship.

This chapter discusses the roles of the following key players in ensuring sound cor-
porate governance practices are implemented:
➤ investors, qua owners;
➤ boards of directors and senior management;
➤ audit committees; and
➤ internal and external audit.

The roles of other corporate stakeholders such as employees, suppliers, customers
and government are dealt with elsewhere in this book.

Investors, qua Owners


In the eighteenth century, when the concept of the joint stock corporation began to
develop rapidly, the governance of corporations was dominated by the wishes of the
dominant shareholders and democracy between shareholders. Shareholders were
relatively few in number, frequently held the majority of the shares, and were often

209

Internal_Auditing.indb 209 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

appointed as executive directors. In this way, they were able to exercise a consider-
able degree of control and influence over day-to-day operations. In millions of smaller
and owner-managed companies around the world, this is still the situation today.
But for major corporations, particularly those that have their shares listed on a
stock exchange, and who may trade globally, the governance situation has changed
significantly and their activities are subject to close scrutiny by the public, gov-
ernment agencies, ‘ethics monitoring groups’ and the media. In many countries,
the shares of public listed companies are now held by thousands of very diverse
shareholders – some are private individuals; a significant portion are institutional
investors such as banks, pension funds, insurance companies and asset managers
managing unit trust portfolios; and the remaining shares are held by other group
companies, who might have strategic business relationships with the company.
Nowadays, ownership structures of major public companies around the world are
often complex. Consequently, the first step in understanding the reality of corporate
governance in any company is to understand the ownership structure and hence
identify who has the potential to exercise power and influence over that company. In
the past, most institutional investors failed to actively exercise their rights as share-
holders, preferring to sell their shares rather than getting involved in challenging
poor corporate performance. However, this trend has reversed in recent years, with
some institutional investors, particularly in the US, the UK and Australia, becoming
proactive, calling for boards to produce better corporate performance, questioning
levels of directors’ remuneration, and calling for greater transparency on company
finances and greater accountability from directors.

Board Structure, Roles and Responsibilities


The board of directors is the ultimate decision-making body in a company. The role
of management is to run the enterprise; the role of the board of directors is to see
that it is being managed responsibly and is able to meet its long- and short-term
objectives.
Generally, management operates as a hierarchy. Although the organization may
not be a neat pyramid, there is an ordering of responsibility, with authority delegat-
ed downwards through the organization and accountability upwards to the CEO. By
contrast, the board should not operate as a hierarchy. The members need to work
together as equals, reaching agreement by consensus or, if necessary, by voting. In
almost all legal jurisdictions, each director on the board bears the same fiduciary
responsibilities under the law.

Governance structures for organizations vary around the world, but three broad ver-
sions are generally recognized.
➤ In the unitary board model, all directors participate in a single board compris-
ing both executive and non-executive directors in varying proportions. This
approach to governance is generally shareholder-orientated. It is also called the
Anglo-Saxon approach to corporate governance, and is the basis of corporate
governance in the US, the UK, Canada, Australia and other Commonwealth
countries, including South Africa.
➤ In the two-tier board model, corporate governance is exercised through two
separate boards. The upper board supervises the executive board on behalf of
stakeholders. This approach to governance is usually more society-orientated

210

Internal_Auditing.indb 210 16/04/2015 11:13


CORPORATE GOVERNANCE

and is commonly referred to as the Continental European approach. It is generally
the basis of corporate governance adopted in Germany, Holland and, to
some extent, France.
➤ The business network model reflects the cultural relationships seen in the
Japanese keiretsu network, in which boards tend to be large, predominantly
executive and often ritualistic. The power in an enterprise lies in the relation-
ships between top management in the companies in such a network.

Notwithstanding structural differences between two-tier and unitary board systems,
the actual board responsibilities and practices are similar. Both recognize a super-
visory, or non-executive, function and a managerial, or executive, function, although
the distinctions between the two functions tend to be more formalized in the two-tier
structure.
Generally, both the unitary board of directors and the supervisory board (in
the two-tier structure) are elected by shareholders, although, in some countries,
employees may elect some supervisory body members as well. Typically, both the
unitary board and the supervisory board appoint the members of the managerial
body – either the management board in the two-tier system or a group of managers
to whom the unitary board delegates authority in the unitary system. In addition,
both the unitary board and the supervisory board have a responsibility for ensuring
that financial reporting and control systems are functioning appropriately and that
the company is in compliance with laws and regulations essential for the continuing
survival and operation of the organization.
Each board system has been perceived to offer unique benefits. The one-tier
system may result in a closer relationship and better information flow between the
supervisory and managerial members; however, the two-tier system encompasses
a clearer, formal separation between the supervisory body and those being ‘super-
vised’. With the influence of the corporate governance best practice movement,
the distinct perceived benefits traditionally attributed to each system appear to be
lessening as practices converge.
As described below, the corporate codes, recommended by the various corporate
governance commissions appointed in different countries, express remarkable con-
sensus on issues relating to board structure, and the roles and responsibilities of the
board members. Many suggest practices designed to enhance the distinction between
the roles of the supervisory and managerial members of the boards, including supervi-
sory body independence, separation of the chairman and CEO roles, and reliance on
board committees comprising a majority of non-executive members.
These expectations are often challenged on the grounds that non-executive direc-
tors cannot know as much about the business operations as the executive directors
do and that, being part-time, and often with managerial responsibilities in other
companies, they cannot devote sufficient time to the company’s affairs. In fact,
non-executive directors do not need to know as much about the business as the
executive directors. They do, however, need to know enough to make their contribu-
tions unique and critical within their particular experience and expertise, in order
to challenge the activities of the board of directors and hold them accountable for
good governance.
Most, if not all, of the corporate codes place significant emphasis on the need
for a supervisory body that is distinct from management in its decisional capac-
ity for objectivity to ensure accountability and provide strategic guidance. Codes

211

Internal_Auditing.indb 211 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

that relate to unitary boards emphasize the need for some compositional dis-
tinction between the members of the unitary board and members of the senior
management team. These codes invariably urge companies to appoint outside (or
non-executive) directors, and King II introduces the concept of ‘independent’ non-
executive directors being appointed to the board.
‘Independence’ in this context generally involves an absence of close fam-
ily ties or business relationships with company management and the controlling
shareholder(s). Codes that relate to unitary boards also frequently call for the posi-
tions of the chairman of the board and the CEO (or managing director) to be held
by different individuals. (This is already usually the case in two-tier board systems.)
Codes that relate to two-tier boards also emphasize the need for independence
between the supervisory and managerial bodies. For example, like the unitary board
codes, they tend to warn against the practice of naming (more than one or two)
retired managers to the supervisory board, because it may undermine supervisory
board independence.
The JSE listing requirements include a condition that the chairperson and CEO
positions be occupied by different people for listed companies. Failure to do so will
result in a penalty of R1 million being imposed on the company. Instances have been
encountered in the US and the UK, where the ‘independent directors’ appointed
have often been hand-picked ‘cronies’ of the CEO or chairperson or president of the
corporation willing to do the bidding of the CEO, and anything but ‘independent’.
This led directly to recent recommendations for an independent nominations com-
mittee to be established by the board.

Board Committees
Another interesting feature that has developed in the current demands for increased
responsibility and accountability is for boards of directors of public companies to
appoint greater numbers of non-executive, or independent non-executive directors
to the board. These do not have executive responsibilities and are expected to pro-
vide a means of ensuring that the executive directors are held accountable for their
management of the company. The codes reflect a trend toward reliance on board
committees to assist the board of directors to discharge their responsibilities, par-
ticularly in areas where the interests of management and the interests of the com-
pany may come into conflict, such as in areas of audit, executive remuneration and
nomination. All such committees should have formal terms of reference approved
by the board of directors.

Most corporate governance recommendations look for non-executive directors to be
appointed as chairpersons of these committees and to comprise the majority of the
members. The board committees recommended by King II include:
➤ a risk committee, with responsibility for the total process of risk management
in the organization at a strategic and operational level, including ensuring the
implementation of appropriate risk management and internal control frame-
works; annual risk assessments and controls to manage significant risks identi-
fied; monitoring processes; and regular reporting of key risks to the board;
➤ a remuneration committee, with responsibility for performance evaluation,
determining the remuneration of executive directors and service contract
arrangements for executive directors;

212

Internal_Auditing.indb 212 16/04/2015 11:13


CORPORATE GOVERNANCE

➤ a nominations committee, for identifying suitable candidates and screening
nominations to the board of directors; and
➤ an audit committee, with oversight responsibility for internal controls; approving
of accounting policies; monitoring of internal audit functions; and the appoint-
ment and fee budget of the external auditors.

While recommendations concerning the appropriate composition of these commit-
tees may vary, the codes generally recognize that non-executive and, in particular,
independent non-executive directors have a special role to play on these commit-
tees to monitor the activities of management and the board of directors.
All companies listed on the JSE are required to appoint an audit committee. A
similar requirement is contained in the Public Finance Management Act applicable
to public entities. King II recommends that the audit committee should comprise a
majority of financially literate, independent directors.

Where appointed, the terms of reference of any such board committees must be
clear and should include at least:
➤ the extent of its powers;
➤ an indication of the responsibilities delegated to it;
➤ its lifespan;
➤ its role and functions;
➤ its reporting procedures; and
➤ its authority.

These should be approved by the board of directors. Disclosures by each committee
as to its activities should be made in the annual report.

The Role of Audit Committees


An effective audit committee is seen as assisting management in the following areas:
➤ improving communication and increasing contact and understanding between
management and internal and external auditors;
➤ reviewing the performance of internal and external auditors, thus increasing
accountability;
➤ facilitating the imposition of discipline and control, thus reducing the opportu-
nity for fraud; and
➤ strengthening the objectivity and credibility of financial reporting.

Concerns have been expressed that the constantly increasing expectations of members of audit committees have become unrealistic and have greatly increased the risk exposure of the individuals involved. The available pool of people ‘qualified’ to serve on audit committees is limited, and many are executive directors of other companies who, whilst they may have the experience, have limited time to spend on any one audit committee’s affairs. In times of increased accountability demands on directors, the non-executive directors serving on audit committees are finding that their personal risk exposure is greatly increased. It is likely that the remuneration of non-executive directors will be increased to take account of the higher risks they face. It is notable that in the case of the recent major corporate collapses, all had functioning audit committees which did not seem able to prevent the collapse and which, in some instances, undoubtedly had inside information of the parlous state of affairs and were party to unethical actions and conduct in order to protect their personal interests in the company. An example of an audit committee charter is contained in Appendix B.

Audit Committee Responsibility for Internal Audit


The audit committee plays an important role in ensuring the independence of the
internal audit function. The most recent recommendations in this regard are found
in the Smith Report,52 which recommends a direct reporting responsibility for an
internal auditor to the audit committee and suggests in paragraphs 5.10 to 5.13
that the audit committee should carry the responsibility for monitoring and review-
ing the internal audit process, as follows:
➤ ‘The audit committee should monitor and review the internal audit activities.
Where there is no internal audit function, the audit committee should consid-
er annually whether there is a need for an internal audit function and make
a recommendation to the board, and the reasons for the absence of such a
function should be explained in the relevant section of the annual report.
➤ The audit committee should review and approve the internal audit function’s
remit, having regard to the complementary roles of the internal and exter-
nal audit functions. The audit committee should ensure that the function has
the necessary resources and access to information to enable it to fulfill its
mandate, and is equipped to perform in accordance with appropriate pro-
fessional standards for internal auditors.53
➤ The audit committee should approve the appointment or termination of
appointment of the head of internal audit.
➤ In its review of the work of the internal audit function, the audit committee
should, inter alia:
◗ Ensure that the internal auditor has direct access to the board chairman
and to the audit committee and is accountable to the audit committee;
◗ Review and assess the annual internal audit work plan;
◗ Receive a report on the results of the internal auditors’ work on a periodic
basis;
◗ Review and monitor management’s responsiveness to the internal auditor’s
findings and recommendations;
◗ Meet with the head of internal audit at least once a year without the pres-
ence of management; and
◗ Monitor and assess the role and effectiveness of the internal audit function
in the overall context of the company’s risk management system.’

The requirement for the appointment of an audit committee for South African
companies is presently contained in the JSE listing requirements and thus applies
to listed companies only. The Public Finance Management Act requires all public
entities regulated by the Act to appoint an audit committee, and the legislation
regulating the various types of financial institutions similarly requires the appoint-
ment of an audit committee.

52. Smith et al. 2003. pp. 11–12.
53. Further guidance can be found in the IIA’s Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (see Appendix A).

External Audit
In South Africa, external auditors are required by statute to be appointed for every company to report on the company’s annual financial statements, prepared in accordance with a generally accepted accounting framework. Previously, this framework was the South African Statements of Generally Accepted Accounting Practice, but with effect from January 2005 it is International Financial Reporting Standards (IFRS). In South Africa, the external auditor’s audit responsibilities are governed by the relevant company legislation, the Public Accountants’ and Auditors’ Act, and the regulatory requirements for particular industry sectors, such as the Banks Act, the Insurance Act and the Pension Funds Act, to mention a few. In addition, the client engagement letter should set out any additional services to be provided.
Following the publication of the IFAC Code of Ethics for Professional Accountants and the Sarbanes-Oxley Act in the US, the nature of additional services that may be provided to audit clients is restricted, and care should be taken to ensure that any threats to the external auditors’ independence are identified and dealt with and that their independence is not compromised in any way. The South African Auditing Standards (SAAS) are issued by the Public Accountants’ and Auditors’ Board and set out requirements for the audit and review of financial statements, as well as for other assurance engagements. From 1 January 2005, South Africa adopted the full set of the IAASB’s International Engagement Standards, including the International Standards on Auditing (ISAs), International Standards on Review Engagements (ISREs), International Standards on Assurance Engagements (ISAEs) and International Standards on Related Services (ISRSs).
From the perspective of the audit of financial statements, the external auditor does not report specifically on the corporate governance practices of the entity; however, the increased corporate governance disclosures in the published audited financial statements of listed entities required by securities exchanges around the world have resulted in changes to auditing standards internationally, including additional requirements on auditors for fraud detection and for the communication of significant weaknesses in internal control to those responsible for organizational governance. The Sarbanes-Oxley Act requires an independent external audit of the effectiveness of internal control over financial reporting for US-listed entities.

Internal Audit
So how do these corporate governance developments nationally and internationally
affect what an internal auditor does? The IIA Standards and Code of Ethics (see
Appendix A), define the objective of internal auditing as follows:

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’

King II contains the same definition of internal audit, as does the Public Finance Management Act. Consequently, in order to perform the internal audit function, internal auditors have to be aware of corporate governance developments and the implications for their work in the organizations in which they are employed, or to which they provide management assurance services.

The IIA Standards also recognize the following:

‘Internal audit activities are performed in diverse legal and cultural environments; within
organizations that vary in purpose, size, and structure; and by persons within or outside
the organization. These differences may affect the practice of internal auditing in each
environment.’

And, in dealing with the responsibility of internal audit for governance matters, IIA
Standard 2130: Governance indicates the following:

‘The internal audit activity should contribute to the organization's governance process by
evaluating and improving the process through which (1) values and goals are established
and communicated, (2) the accomplishment of goals is monitored, (3) accountability is
ensured, and (4) values are preserved.’

The worldwide demands for improved governance processes and accountability have significantly changed the role and standing of internal auditors within an organization over the past ten years, moving their focus from primarily auditing controls over transactions to playing a key role in supporting management’s self-assessments in order to manage business risks more effectively and so ensure the sustainability of the organization.

Figure 22.1 reflects the changes in the role of internal audit that have occurred
during the past ten years in listed companies and public entities. What will quickly
become apparent from this figure is that as the focus of internal audit has changed,
the skills needed by internal audit personnel have had to adapt and change:
➤ Reactive: The initial focus was on auditing transactions in order to provide
assurance regarding financial risks within an organization.
➤ Proactive: This role developed into one of participating with management in
identifying risks that could lead to losses through weak or ineffective controls.
➤ Strategic: The role developed still further into the current one of supporting the
risk committees of the board to identify and assess strategic and operational
risks, and to provide cost-effective methods of dealing with them.

Not least has been the need for internal auditors to make greater use of sophisticated
technology and knowledge management systems in order to develop key performance
indicators and benchmark performance targets to assess the strategic and business
process risks critical for the sustainability of often complex and global organizations.
In addition, the importance of technology and systems and business continu-
ity plans must be recognized, and accordingly internal staff must develop the
necessary technological skills to assess an organization’s controls and business
processes. This is necessary to enable an internal auditor to present focused, high-
level and concise reports to the risk committee and board of directors regarding
risk management issues, so that they in turn can make better-informed decisions
for managing the organization.

Figure 22.1: The developing role of internal audit (diagram not reproduced)
We wish to thank PricewaterhouseCoopers Inc. for permission to use this diagram.

King II recommendations for internal audit may be summarized as follows:


➤ An effective internal audit function should be established, or outsourced, as an
independent and objective provider of assurance and advice.
➤ Internal audit should implement a systematic, disciplined approach focusing on
evaluating and improving the effectiveness of:
◗ risk management,
◗ control, and
◗ governance.
➤ Internal audit should have the respect of and co-operation from the board of
directors and executive management. To this end, the audit committee should
concur in the appointment/dismissal of the head of the internal audit function
or professional service provider.
➤ Internal audit should have an internal audit charter defining its role, responsi-
bility and authority (an example of which appears in Appendix C).
➤ Internal audit should report findings to an appropriate level in the organization
– the CEO or audit committee – and should report at each audit committee
meeting on the internal audit risk assessments and consequent activities and
internal audit plans. Internal audit should have direct and regular access to the
chairperson of the board of directors and the chairperson of the audit commit-
tee.
➤ Internal audit should adopt a risk-based approach to its audit plans and co-
ordinate its activities with external audit and other assurance providers.


A Risk-based Approach to Internal Audit


The principles to be followed when developing any internal audit plan are set out in
IIA Standard 2210: Engagement Objectives as follows:

➤ ‘The engagement’s objectives should address the risks, controls, and governance pro-
cesses associated with the activities under review.’
➤ ‘When planning the engagement, the internal auditor should identify and assess risks
relevant to the activity under review. The engagement objectives should reflect the
results of the risk assessment’ (IIA Standard 2210.A1).
➤ ‘The internal auditor should consider the probability of significant errors, irregulari-
ties, non-compliance, and other exposures when developing the engagement objec-
tives’ (IIA Standard 2210.A2).

These standards are in line with the principles of corporate governance discussed
earlier in this chapter. Readers are referred to Practice Advisory 2210.A1-1, which
provides further guidance in this regard, and to Chapter 6 for a detailed discussion
of the risk-based approach to internal audit.

Resourcing Internal Audit


IIA Standard 2230: Engagement Resource Allocation states the following:

‘Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.’

Clearly, this will involve an evaluation of the following aspects:


➤ the number and experience level of internal audit staff required, based on the nature and complexity of the engagement, time constraints and available resources;
➤ the knowledge, skills and other competencies of the internal audit staff;
➤ the opportunities the engagement offers for the training and development of internal audit staff and of the internal audit activity itself; and
➤ the use of outsourced resources where the organization does not have, or is unable to develop, the particular expertise required, eg where a forensic audit is required for a fraud investigation.

As with any other department or function in an organization, internal audit will probably experience a turnover in staff, with ongoing recruitment and training implications. Many organizations use internal audit as a means of exposing staff who show potential for growth to the organization’s risks, controls and business processes before moving them into middle management positions. This staff movement will also mean that at times the internal audit function may lack particular skills needed to perform particular engagements. In such circumstances, the expertise may be sought from professional firms offering internal audit or management assurance services to clients.


Outsourcing Internal Audit


The internal audit standards recognize that management may decide that internal
audit functions should be outsourced to an independent external management
assurance provider. In such cases, the IIA Standard 2210.C1 states the following:

‘Consulting engagement objectives should address risks, controls, and governance pro-
cesses to the extent agreed upon with the client.’

As the demands for improved corporate governance increased, many existing internal audit functions failed to anticipate the changing role of internal audit and remained in a reactive role focused on transaction auditing. In addition, the requirement of the Public Finance Management Act that internal audit functions be established at all public entities in South Africa found the internal audit profession very short of suitably qualified persons to appoint.
The large professional firms of accountants and auditors recognized this marketing
opportunity and moved aggressively into the gap to offer internal audit or manage-
ment assurance services to organizations, drawing on established firm reputations
and often offering better technologies to provide strategic and business process risk
assessments and more streamlined internal audit engagements.
The collapse of Enron, where the external auditors, Arthur Andersen, had been
heavily involved in providing both external and internal audit services, as well as
other consultation services, sounded alarm bells through the profession and resulted
in the Sarbanes-Oxley Act preventing external auditors of US-listed corporations
from offering, among other things, internal audit services to their external audit
clients. Such services are regarded as a threat to external auditor independence.
Consequently, different professional firms will generally become involved in provid-
ing external and internal audit services to a client where the latter are outsourced.
The scope of outsourced internal audit services must be agreed with management.
These services may involve a full internal audit service or, where the organization
also employs internal auditors in-house, may involve the external service providers
in specific areas of internal audit. Confidentiality and auditor liability issues arise for
outsourced internal audit engagements, as do issues around access by the external
auditors to working papers prepared for the outsourced internal audit engagement,
and consultation with external auditors of the organization. These should be dealt
with in the engagement letter appointing the external assurance providers.


CHAPTER 23
Financial Accounting and Finance

Learning objectives
After studying this chapter, you should be able to:
➤ Discuss briefly current developments in international financial reporting standards
➤ Explain the role of internal audit in the financial reporting process
➤ Discuss the role and responsibilities of internal audit in the appointment of external auditors and outside consultants
➤ Explain how internal audit co-ordinates its plans and activities with those of the external auditors
➤ Discuss the circumstances under which external audit may use the work performed by internal audit in the corporate governance and financial reporting process
➤ Explain the possible role and responsibilities of internal audit in the quarterly and annual financial reporting review process
➤ Discuss the implications for internal audit of the worldwide move by listed companies to comply with international financial reporting standards

Financial Reporting
It is assumed that CIA students and others using this book will have completed
undergraduate courses in financial accounting and corporate finance. Consequently,
this chapter concentrates on the application of their knowledge in practice and does
not discuss the conceptual framework for accounting, nor individual accounting
standards.
Nevertheless it is worthwhile considering the reporting of financial information in
the published accounts of an organization. To be useful, financial information must
comply with certain characteristics, namely:
➤ Reliability, where the financial information can be depended upon to represent accurately the present state of financial affairs of the organization. This involves ensuring:
◗ neutrality, such that the information is not biased;
◗ verifiability, so that independent evaluators can reach the same conclusions using the same methods; and
◗ faithful representation, such that the financial statements are in agreement with the actual events they purport to represent.
➤ Comparability, such that the financial statements of the organization can be compared to those of other similar organizations.
➤ Relevance, where information must be usable and appropriate in decision-making. This means that information must:
◗ have a predictive value, such that the outcome of future events can be reliably predicted;
◗ have a feedback value, such that reality can be compared to prior expectations; and
◗ be of a timely nature, such that the information is still relevant to decision-making.
➤ Consistency, such that the financial statements are comparable over periods of time.

Financial statements are generally taken to consist of ten specific elements.


➤ Assets are defined as probable future economic benefits controlled by an organization as a result of previous transactions or events.
➤ Liabilities are probable future sacrifices of economic benefits as a result of current or previous transactions or events.
➤ Equity is the balance of assets remaining after deducting liabilities.
➤ Revenues are associated with the gross increase in assets or decrease in liabilities arising from the organization’s operations, and can be recognized by different methods depending on the circumstances of the organization.
➤ Expenses are associated with the gross decrease in assets or increase in liabilities as a result of the organization’s operations.
➤ Investment by owners increases equity by transferring assets of value to the entity, resulting in an increase in ownership interest.
➤ Distribution to owners decreases equity by transferring assets to the owners.
➤ Gains are defined as increases in equity resulting from transactions affecting the organization, except those resulting from investment by owners or from normal revenues.
➤ Losses are decreases in equity from transactions and other circumstances, except those resulting from normal expenses or from distributions to owners.
➤ Comprehensive income is defined as the change in equity during the period that is not caused by investments by owners or distributions to owners.

Many global companies boast turnovers and net assets in excess of the gross domestic product of small countries and exercise considerable political and economic influence. In order to gain access to capital internationally to finance their operations, many of these organizations are listed, for example, on the New York Stock Exchange or the NASDAQ in the US, the London Stock Exchange in the UK, the Hong Kong Stock Exchange, stock exchanges in several European countries and the Johannesburg Securities Exchange in South Africa. Each stock exchange has strict requirements with which listed companies must comply, including requirements to comply with national or international financial reporting standards. IOSCO, the International Organization of Securities Commissions, whose members are the securities regulators of most jurisdictions, has also influenced international efforts to find common standards of accounting.
Globalization of business operations is probably the most significant change agent for accounting standards in recent years. It has led to demands by businesspeople for comparable national and international standards for the accounting treatment of transactions and for disclosures in financial statements, so that financial reporting is comparable and comprehensible to users.


The field of financial accounting has undergone sweeping changes in the past ten to 20 years, with accounting standards being developed nationally and internationally by standard setters that seek to harmonize the ‘generally accepted accounting frameworks’ of different countries with those developed internationally. In spite of this, there are still differences between the standards of several major countries and the international standards. The International Federation of Accountants (IFAC) and the International Accounting Standards Board (IASB) have led with the promulgation of the International Financial Reporting Standards (IFRS), which dozens of countries around the world are adopting as the accepted standards of financial reporting for both listed and unlisted companies.
The ongoing collapses of large corporate entities in the US, the UK, Europe, Australia, South Africa and elsewhere are frequently followed by claims that, in addition to blatant fraud by top management, companies have misapplied accounting standards or manipulated them to misstate their financial results, or have used inappropriate accounting policies to mislead their shareholders and the public with fraudulent financial reporting. There is a need to achieve greater accountability and transparency in all organizations, whether profit-making, non-profit-making or governmental. Consequently, management and regulators are looking to internal audit and audit committees for assistance in improving the governance and financial reporting process.

Auditing the Financial Reporting Process


IIA Practice Advisory 2120.A1-4: Auditing the Financial Reporting Process identifies the following activities in which internal audit is likely to become involved when evaluating the internal controls that ensure the reliability and integrity of an organization’s financial reporting, and when providing support for the organization’s governance process and the oversight responsibilities of the board of directors and its audit committee.

‘Financial Reporting
➤ Providing information relevant to the appointment of the independent accountants.
➤ Co-ordinating audit plans, coverage, and scheduling with the external auditors.
➤ Sharing audit results with the external auditors.
➤ Communicating pertinent observations with the external auditors and audit commit-
tee about accounting policies and policy decisions (including accounting decisions
for discretionary items and off-balance sheet transactions), specific components of
the financial reporting process, and unusual or complex financial transactions and
events (eg related-party transactions, mergers and acquisitions, joint ventures, and
partnership transactions).
➤ Participating in the financial reports and disclosures review process with the audit
committee, external auditors, and senior management; evaluating the quality of the
financial reports, including those filed with regulatory agencies.’

Appointment of External Auditor and Consultants


An internal auditor’s participation in the selection, evaluation or retention of an organization’s external auditors may vary from no involvement in the process, to advising management or the audit committee, providing assistance or participating in the process, managing the process, or auditing the process. The audit committees of many large organizations are given the responsibility for advising the board of directors on the appointment of the external auditors and for approving the external and internal audit fee budgets, with the head of internal audit advising the audit committee on these appointments and budgets.
The IIA Standards require internal auditors to share information and co-ordinate activities with other internal and external providers of relevant assurance and consulting services. Depending on the circumstances of the particular internal audit structure within an organization, internal auditors may have some involvement in the selection or retention of the external auditors and in the definition of the scope of the work required in addition to the external auditor’s statutory responsibilities (further guidance is provided in IIA Practice Advisory 2050-2).
Appropriate policies for the selection or retention of external audit services should
consider addressing the following attributes:
➤ board or audit committee approval of the policy;
➤ the nature and type of services covered by the policy;
➤ the duration of the contract, the frequency of the formal request for services
and/or determining whether to retain the existing service providers;
➤ participants or members of the selection and evaluation team;
➤ any critical or primary criteria that should be considered in the evaluation;
➤ limitations on service fees and procedures for approving exceptions to the
policy; and
➤ regulatory or other governing requirements unique to specific industries or
countries.

The board of directors will also address the acquisition of consultant services other
than just financial statement audits that may be offered by external audit firms
and may delegate responsibility for negotiations to the audit committee. These
may include:
➤ tax services;
➤ consulting and other non-audit services;
➤ internal audit outsourcing and/or co-sourcing services;
➤ other outsourced or co-sourced services;
➤ special services, such as agreed-upon procedures engagements;
➤ valuation, appraisal and actuarial services;
➤ temporary services such as recruiting, bookkeeping and technology services;
and
➤ legal services provided by external audit firms, such as forensic investigations.

A word of warning must be sounded here. Following the collapse of Enron and WorldCom in the US, the Sarbanes-Oxley Act severely restricts the nature of the consulting services that an external auditor may provide to an audit client listed on the New York Stock Exchange or NASDAQ, wherever in the world the organization may have operations. This is intended to reinforce auditor independence and prevent conflicts of interest. For example, an external audit firm may not provide both external and internal audit services to the same US-listed client. The large audit firms worldwide have responded by selling off their consulting activities to independent organizations and distancing their audit and assurance services from their consulting services.
Some of the large audit firms have moved their statutory audit services into incorporated companies and formed separate private companies to handle the firm’s other assurance services, such as tax and audit advisory activities. This enables the audit firm to offer its services under the same firm branding while limiting its liability on the non-statutory assurance and related services engagements. Arrangements for external audit engagements and for other assurance and related services should be documented in a letter of engagement signed by both the service provider and the engagement client.
Internal auditors should determine how an organization monitors ongoing service activities provided by the external auditors. Compliance with the terms of service contracts and other agreements should be assessed on a periodic basis. Assessment of the independence of the external auditors should include internal audit participation, be performed at least annually, and be communicated to the audit committee.

Audit Plans and Co-ordination with External Audit


Since audit fees are substantial, the board of directors will generally want to ensure that where an effective internal audit function exists, whether in-house or outsourced, the external auditors make use of the relevant aspects of the work of internal audit to reduce the extent of the work that they need to perform.
The external auditors will then consider the scope of the internal audit activities at the planning stage and, in consultation with the internal auditors, identify those areas where they may be able to use the work of internal audit and areas where the activities of the internal and external audit teams must be co-ordinated.

External Auditors’ Use of the Work of Internal Audit


The extent of use made by the external auditors will depend on their assessment
of the independence, competence and effectiveness of the internal audit function,
as well as the relevance of the scope and nature of work performed that may provide
evidence required for the external audit of the financial statements. Hence the
importance of internal audit involvement in auditing the effectiveness of an
organization’s corporate governance processes and controls designed to ensure the
integrity of the financial reporting process.
IIA Practice Advisory 2120.A1-4 recognizes that an important role of internal
audit is to report on their assessment of the effectiveness of the organization’s
financial reporting, governance and control processes to the audit committee. The
work that may be performed by internal audit in this regard that could be used by
external audit includes the aspects discussed below.

Corporate Governance Controls


This involves:
➤ reviewing corporate policies relating to compliance with laws and regulations,
ethics, conflict of interests, and the timely and thorough investigation of
misconduct and fraud allegations;
➤ reviewing pending litigation or regulatory proceedings bearing on organizational
risk and governance; and
➤ providing information on employee conflicts of interest, misconduct, fraud and
other outcomes of an organization’s ethical procedures and reporting
mechanisms.

224

Internal_Auditing.indb 224 16/04/2015 11:13


FINANCIAL ACCOUNTING AND FINANCE

Corporate Controls over the Financial Reporting Process


This involves:
➤ reviewing the reliability and integrity of the operating and financial information
compiled and reported by an organization;
➤ performing an analysis of the controls for critical accounting policies and
comparing them with preferred practices, eg transactions in which questions are
raised about revenue recognition or off-balance sheet accounting treatments
should be reviewed for compliance with appropriate national GAAS or IFRS and
applicable laws and regulations;
➤ evaluating the reasonableness of estimates and assumptions used in preparing
operating and financial reports;
➤ ensuring that estimates and assumptions included in disclosures or comments
are in line with underlying organizational information and practices and with
similar items reported by other companies, if appropriate;
➤ evaluating the process of preparing, reviewing, approving and posting journal
entries; and
➤ evaluating the adequacy of controls in the accounting function.

The Financial Reporting Review Process


IIA Practice Advisory 2120.A1-4: Auditing the Financial Reporting Process
identifies the following role and responsibilities for internal audit.

➤ ‘Assessing the adequacy and effectiveness of the organization’s internal controls,
specifically those controls over the financial reporting process; this assessment
should consider the organization’s susceptibility to fraud and the effectiveness of
programs and controls to mitigate or eliminate those exposures.
➤ Monitoring management’s compliance with the organization’s code of conduct and
ensuring that ethical policies and other procedures promoting ethical behavior are
being followed; an important factor in establishing an effective ethical culture in the
organization is when members of senior management set a good example of ethical
behaviour and provide open and truthful communications to employees, the board,
and outside stakeholders.’

Section 302 of the Sarbanes-Oxley Act places sweeping responsibilities on the
CEO and CFO to certify in each quarterly and annual report of US listed companies
lodged with the SEC:
➤ the truth and fairness of the reports;
➤ the effectiveness of the financial reporting controls and that any significant
deficiencies in such controls have been disclosed to the auditors and audit
committee;
➤ whether any fraud has occurred involving management; and
➤ whether any corrective actions have been taken regarding significant
deficiencies in controls.

Heavy penalties, including jail sentences and substantial fines, may be imposed on
any CEO and CFO who fails to comply with these requirements.
IIA Practice Advisory 2120.A1-4 suggests that the internal audit function should
allocate the internal audit’s resources to the financial reporting, governance and
control processes in a way that is consistent with an organization’s risk assessment.


Internal audit should perform procedures that provide a level of assurance to
senior management and the audit committee that controls surrounding the processes
supporting the development of financial reports are adequately designed and
effectively executed. The controls should be adequate to ensure the prevention and
detection of significant errors, irregularities, incorrect assumptions and estimates,
and other events that could result in inaccurate or misleading financial statements,
related notes or other disclosures.
The roles and responsibilities of the internal and external auditors for providing
assurance that management has met its obligations need to be clearly defined. This
will affect the extent to which the external auditors may be able to use internal audit
procedures and findings.
The push for the standardization of global accounting and financial reporting
standards and increasing acceptance of IFRS has resulted in thousands of companies
worldwide having to bring their accounting policies and disclosures in line with IFRS.
In some cases, this has meant changes in the financial accounting processes;
controls; and the recognition, measurement and recording of transactions. Many
internal and external auditors are engaged in projects to assist management to make
the necessary changes to systems and perform analyses of transactions that provide
the basis for adjustments to accounting records and financial statement disclosures.
In addition to a sound knowledge of financial accounting principles, both internal and
external auditors involved in performing financial reporting reviews need to
familiarize themselves with their national accounting standards and international
standards applicable to organizations.

Internal Controls over Financial Reporting


Internal controls cannot ensure success. Bad decisions, poor managers or
environmental factors can negate controls. Also, dishonest management may override
controls and ignore or stifle communications from subordinates. An active and
independent governing board that is coupled with open and truthful communications
from all components of management and is assisted by capable financial, legal and
internal audit functions is capable of identifying problems and providing effective
oversight.
Section 404 of the Sarbanes-Oxley Act requires the annual report of US listed
companies to include an assessment by management of the effectiveness of the
internal control structures and procedures for financial reporting. The external
auditor of an organization is required, as part of the audit of the financial
statements, to attest and report on management’s assessment. Continuous internal
audit work in this area throughout the financial year can help management gain
assurance regarding the effectiveness of the controls, as well as providing early
identification of significant weaknesses and assistance with changes to address such
weaknesses. An important factor, however, is the authority that internal audit has to
recommend changes to management.
However, we should not lose sight of the other important areas where internal
auditors perform valuable work to assist management, such as their strategic and
business process risk analysis and procedures to examine and assess controls in a
variety of operational and verification areas that do not directly affect the integrity
of the financial reporting. Nonetheless, as this chapter has indicated, internal audit
can and should fulfill a very important role in helping management to restore
confidence in the financial reporting process of organizations.

CHAPTER 24

Cost and Managerial Accounting

Learning objectives
After studying this chapter, you should be able to:
➤ Explain the importance of cost and managerial accounting principles for the
work of an internal auditor
➤ Discuss how an internal auditor can add value to management in auditing
aspects of costing systems
➤ Describe some of the important cost and managerial accounting principles
➤ Discuss briefly the different audit work that an internal auditor may perform in
respect of an organization’s costing systems
➤ Explain the principles underlying cost and revenue decision models and the
role of internal audit in management’s decision processes
➤ Discuss briefly the issues that arise in determining cost allocations and how
this affects the evaluation of management
➤ Explain briefly the nature of quality control costs and the work of an internal
auditor in this regard

The Importance of Cost and Managerial Accounting Principles


It is assumed that CIA students and others using this book will have completed
undergraduate courses in managerial and cost accounting. There are also many
excellent texts published in this field. Consequently, this chapter examines briefly
why it is important that an internal auditor understands the principles of managerial
and cost accounting and how they may be applied in his/her work.

As every business works with limited resources, management is concerned with
managing the costs of its business processes effectively, efficiently and economically
to achieve the various objectives of the business. To mention a few examples, these
may include management plans to:
➤ maximize profits;
➤ become the market leader in the industry or field;
➤ meet promised delivery targets;
➤ penetrate new markets, eg going global or using online marketing to expand;
➤ develop new products;
➤ manage environmental issues;
➤ meet black economic empowerment (BEE) targets; and
➤ meet social and community commitments.

One of the roles of an internal auditor is to assist management to improve
organizational performance. Consequently, he/she may be involved in conducting
auditing procedures that evaluate the effectiveness, efficiency and economy of
different aspects of a business’ processes. The internal audit objectives may be to
determine whether these processes do in fact achieve the strategic and operational
objectives of the organization and to provide positive and negative feedback to
management. Threats identified and communicated should result in appropriate
responses by management. In this way, internal audit contributes value to
organizational performance and the quality of the management process.
An internal auditor may often be called on to conduct performance audits.
Performance audits require a sound understanding of a business and its various
business and costing processes. Failure to understand the nature of the business
may result in an internal auditor focusing on the wrong aspects or failing to
identify a key threat to the business processes, with the result that he/she cannot
make meaningful recommendations. In addition to the complexity of the particular
costing systems in use, an internal auditor may find it difficult to decide what
benchmarks are appropriate in order to determine whether the processes are
operating effectively, efficiently and economically and to identify which particular
aspect is more critical to the performance audit being conducted.

A Value Chain for Business


The seven categories below suggested by Horngren et al.54 illustrate very simply a
typical value chain of a manufacturing business. Every aspect of the value chain will
comprise a number of different, often interrelated, business processes, giving rise
to both direct and indirect costs and revenues. Management are faced with making
cost-benefit operational decisions on a daily basis that affect the effectiveness
and efficiency of the business processes and the profitability of the organization.

Depending on the particular performance audit being conducted, an internal auditor
will need to obtain a sound understanding of the costs and costing systems applied
or the revenue implications of the various processes in order to audit their
effectiveness, efficiency and economy.
➤ Strategic and resource management represents the senior management and
other resources that facilitate the operational business processes, such as
human resource recruitment, training and deployment; capital investment, such
as buildings, plant and equipment and information technology; accounting;
general administration; and an understanding of, and compliance with, the legal
environment in which the business operates.
➤ Research and development involves the generation of new products, services
and improved production processes.
➤ Design involves the detailed planning, design and engineering of the ideas from
research and development.
➤ Production includes the management of supplier relationships and the
procurement of raw materials at optimal price and delivery; the use of labor, plant
and equipment in the manufacturing process; and the outputs, comprising finished
goods or services.

54. Horngren, C.T., Foster, G. & Datar, S.M. 1994. Cost Accounting: A Managerial Emphasis. 8th
ed. Englewood Cliffs: Prentice Hall. p. 3.


➤ Marketing includes the marketing of the organization’s products and services
to potential purchasers; the conducting of market surveys and management of
customer relationships; and the development of new markets.
➤ Distribution includes the means by which the organization’s products and
services are delivered to the customer, whether through multiple distribution
points, physical delivery or services performed at customers’ premises.
➤ Customer service includes after-sales service, maintenance and support to
customers who have bought the organization’s products or services.

In order for management to make sound business decisions, the information
provided by the management accounting systems must have integrity and be focused
and relevant. Management will often establish benchmarks or key performance
indicators against which to continuously evaluate the actual performance or outputs
from the different business processes, in order to control costs and optimize
productivity and revenues.

An internal auditor may therefore be asked to report on, or may identify, the
following areas for audit:
➤ key aspects of the management information system and its controls, in order to
verify the integrity of the information being reported to management;
➤ the analysis of particular cost aspects and behavioral aspects affecting the
effectiveness, efficiency and economy of the business processes, and the
achievement of the key performance indicators or benchmarks set by
management; and
➤ the causes and quantum of unexpected losses, waste and fraud in any of the
business processes or individual areas of the value chain. (Internal audits for
losses, fraud and waste are dealt with more fully in Section 6.)

The reports of the internal auditor on any of these aspects should inform the
strategic and operational decisions of management. Thus it is important that the
internal auditor understands the basic principles underlying costing systems in order
to ensure that appropriate audit procedures are applied, correct analyses of costs
are performed, and weaknesses in internal controls or business processes affecting
costs are identified and reported promptly to management.

The Public Sector


Public sector or government organizations do not have a profit motive, but do have
a service delivery level to meet with limited budgets and targets set by national and
local government departments. Consequently, the concerns of management in public
sector entities will focus on whether taxpayers’ monies have been used for the
purposes for which they were intended. Thus, the focus of the head of a department
and senior department management, for example, may be to establish whether:
➤ controls over the tendering process at the procurement stage to obtain optimum
supply costs and delivery terms are effective and reduce the risk of bribery and
corruption;
➤ government policy imperatives, such as the alleviation of poverty, are being
met; and
➤ service delivery of goods and services promised to the public has been met,
such as whether:
◗ access to running water and electricity is provided to areas that have never
previously received such services; or
◗ the roll-out of medical programmes is implemented in accordance with policy
directives at government hospitals and clinics and is being complied with.

These are a few examples of the imperatives that government departments may
seek to meet and for which these departments will implement controls and
operational processes. Since such departments also incur both direct and indirect
costs, an internal auditor in the public sector similarly needs to understand the basis
for allocating costs according to departmental budgets and the types of performance
and compliance requirements that have to be met in order to identify problems and
report on them.

Cost Accounting Principles


An internal auditor needs to be familiar with the many terms encountered in costing
systems. Most important of these is the distinction among:
➤ direct costs, which are related to the cost object and can be attributed to it in
a feasible way;
➤ indirect costs, which are related to the cost object but cannot be attributed to
it in a feasible way. Indirect costs are then allocated or assigned to the cost
object using an appropriate cost allocation method;
➤ variable costs, which change in direct proportion to the volume of outputs; and
➤ fixed costs, which do not vary with volumes produced, eg factory rentals,
payable irrespective of production volumes.

Different costing approaches and their implications will be encountered. These will
be determined not only by the specific business and product or service provided, but
also by the types of costing systems generally in use in the sector that the
organization is engaged in, such as manufacturing, service and merchandising sectors.

An internal auditor may become involved in operational audits to determine the
reasonableness of costs attributable to inventory and work in process.
➤ Inventory for the services sector (professional services of accountants and
auditors, lawyers, banking services) will generally be negligible.
➤ In the merchandising sector (such as retail outlets for consumer goods),
significant levels of inventory comprising finished goods purchased for resale may
be carried at any period end.
➤ Organizations in the manufacturing sector will generally distinguish among
raw materials inventory, work in process and finished goods inventory. Work
in process and finished goods will usually include the direct cost of materials
and direct manufacturing labor costs, with an allocation of manufacturing
overhead costs assigned on an appropriate costing basis. Care has to be taken that
costs included in inventory that should be expensed in the accounting period
are not included in inventory values carried forward to the following financial
period.

The allocation of costs incurred within service departments is normally taken to be
part of the indirect costs known as overheads. These costs are normally allocated
to production departments based on the proportion of services which are used.


The three most commonly used methods of such allocation are:
➤ Direct method, which allocates service department costs to production
departments using the proportional use of their services as a basis. This method
ignores the use of service departments by other service departments.
➤ Step-down method, which includes an allocation of service department cost to
other service departments. The method starts by the allocation of costs from
the service department providing the highest percentage of its total services to
service departments and is stepped down from there. No attempt is made to
reciprocate costs.
➤ Reciprocal method, which is the most complex model, reflecting the allocation
of each service department’s costs to other service departments prior to
calculating the allocation to other users. This system uses simultaneous equations
to calculate the costs.
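The three methods above, worked through in Python on a constructed example of two service departments (Maintenance, IT) and two production departments (Machining, Assembly). This is an added illustration, not code from the book; the department names, cost figures and usage percentages are assumed, and the reconciliation check at the end is the control an auditor would apply to each method’s output, since every method must push exactly the service departments’ total cost onto production.

```python
"""Service-department cost allocation: direct, step-down and reciprocal methods.

Added example (not from the book). All figures below are constructed.
"""
from typing import Dict, Sequence

# Constructed data: two service departments and two production departments.
# USAGE[s][d] is the fraction of service department s's output consumed by
# department d; each row sums to 1.0.
DIRECT_COSTS: Dict[str, float] = {"Maintenance": 100_000.0, "IT": 50_000.0}
USAGE: Dict[str, Dict[str, float]] = {
    "Maintenance": {"IT": 0.20, "Machining": 0.50, "Assembly": 0.30},
    "IT": {"Maintenance": 0.10, "Machining": 0.40, "Assembly": 0.50},
}
PRODUCTION: Sequence[str] = ("Machining", "Assembly")


def _spread(amount: float, shares: Dict[str, float]) -> Dict[str, float]:
    """Split amount over shares, rescaled so the shares used sum to 1.
    Rescaling is what happens when some recipients are deliberately ignored."""
    total = sum(shares.values())
    return {d: amount * f / total for d, f in shares.items()}


def direct_method(costs, usage, production):
    """Allocate every service department straight to production departments,
    ignoring services consumed by other service departments."""
    result = {p: 0.0 for p in production}
    for s, amount in costs.items():
        shares = {d: f for d, f in usage[s].items() if d in production}
        for d, v in _spread(amount, shares).items():
            result[d] += v
    return result


def step_down_method(costs, usage, production):
    """Close service departments one at a time, starting with the one that
    provides the largest share of its services to other service departments.
    A closed department receives nothing further, so no cost is reciprocated."""
    order = sorted(costs, key=lambda s: -sum(f for d, f in usage[s].items() if d in costs))
    remaining = dict(costs)
    result = {p: 0.0 for p in production}
    closed = set()
    for s in order:
        shares = {d: f for d, f in usage[s].items() if d not in closed}
        for d, v in _spread(remaining[s], shares).items():
            if d in production:
                result[d] += v
            else:                      # still-open service department
                remaining[d] += v
        closed.add(s)
    return result


def _solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting; kept dependency-free
    so the block runs without numpy."""
    n = len(rhs)
    a = [list(row) + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col:
                factor = a[r][col] / a[col][col]
                a[r] = [x - factor * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def reciprocal_method(costs, usage, production):
    """Solve the simultaneous equations
        total_s = direct_s + sum(usage[t][s] * total_t for other services t)
    so each service department carries its share of the others' costs, then
    allocate the reciprocated totals to the production departments."""
    services = list(costs)
    matrix = [[1.0 if s == t else -usage[t].get(s, 0.0) for t in services]
              for s in services]
    totals = dict(zip(services, _solve(matrix, [costs[s] for s in services])))
    result = {p: 0.0 for p in production}
    for s, total in totals.items():
        for p in production:
            result[p] += total * usage[s].get(p, 0.0)
    return result


def reconciles(allocation, costs, tolerance=0.01):
    """Audit check: whichever method is used, the amount landing on production
    departments must equal the service departments' total direct cost."""
    return abs(sum(allocation.values()) - sum(costs.values())) < tolerance


if __name__ == "__main__":
    for name, fn in (("direct", direct_method), ("step-down", step_down_method),
                     ("reciprocal", reciprocal_method)):
        alloc = fn(DIRECT_COSTS, USAGE, PRODUCTION)
        print(f"{name:10s}", {p: round(v, 2) for p, v in alloc.items()},
              "reconciles" if reconciles(alloc, DIRECT_COSTS) else "DOES NOT RECONCILE")
```

On this data the three methods put 84,722, 81,111 and 82,143 respectively on Machining, which is the kind of spread an auditor should expect to explain when a department’s reported cost depends on the allocation basis chosen.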

An internal auditor called upon to review the profitability of particular product lines
needs an understanding of the cost-profit-volume (CPV) analysis for determining
the breakeven point and contribution margins of the revenues generated by an
organization. Any analysis is subject to uncertainties, and management may often
look for ‘what if’ scenarios to be presented involving the application of a sensitivity
analysis allowing for changes in the original predicted data or changes in the
underlying assumptions. These approaches are discussed in detail in Chapter 21.

Depending on the type of products or services manufactured, an organization may
assign costs to its products by means of either a job costing system or a process
costing system.
➤ The job costing system will be encountered where a distinct, separately
identifiable product or service results, and occurs frequently where a job is
custom-made for a specific customer.
➤ The process costing system will usually be encountered where an organization
mass produces a product or service for general distribution and not for any
particular customer.

Costing systems will generally involve a comparison between actual and budgeted
costs to allow for monitoring of profitability of products, services and departments,
and performance of employees and management. Many manufacturing organizations
use standard costing approaches. The standard costing variances provide
information about the process that enables management to monitor production. Price
and efficiency variances are amongst important cost performance measures that many
manufacturers monitor closely. It is also recognized that costs may be affected by
both quantitative and qualitative factors. Internal audit may conduct investigations
to identify qualitative factors affecting productivity and, indirectly, costs of products.
Historical data from costing systems also provide the basis for management’s
predictions and budget estimations, affecting short-term and long-term strategic and
operational decisions. Hence, maintaining the integrity of the information provided
by the cost accounting systems is important.


Costing of Production
Spoilage, scrap, rework and waste
Under normal, efficient operating conditions, a certain degree of spoilage is to be
expected in the short run and should be treated as a cost of production of good
units. This is referred to as normal spoilage. Abnormal spoilage is classed as spoilage
which is not expected to occur under normal, efficient operating conditions. Such
costs must be identified separately so that management can monitor and correct
the conditions which led to the spoilage.

Scrap is taken to be raw materials left over from normal production and usable for
purposes other than those for which the material was originally intended. These
purposes could include usage within a different production process or being sold
off to third parties for a nominal amount. The scrap is usually taken to be a result of
normal production and the disposal value credited to the factory overhead account.

Rework costs are those associated with the conversion of defective production units
into saleable ones. If the costs can be identified against a specific job, then they are
normally allocated to that job, otherwise normal rework costs would be charged to
factory overhead.

Waste is taken to be those raw materials left over from the production process and
not saleable at any price.

Joint products and By-products


Joint products are classified as discretely identifiable products produced from a
single set of inputs. In order to be classed as joint products, certain characteristics
must be present. The joint products will typically have common costs incurred prior
to reaching the split-off point where they can be uniquely identified. Costs included
after this point are separable costs identified with individual joint products. In order
to be classified as a joint product, the production must have a significant value.
Products with low saleable values which do not incur further costs after the split-off
point are referred to as by-products.

Standard Costing
Standard costing involves a notional value of the cost to produce a given unit.
It is used to identify variances from production target costs when actual costs
differ from the budgeted standard cost. Standard costs are usually established
separately for materials, labor and factory overheads. It should be noted that
variances from standard cost can be favorable (where actual costs are less than
the budgeted standard cost) or unfavorable (where the actual costs exceed the
standard). Standard costs are also closely associated with a management decision
technique known as incremental costing. Incremental costs are the additional costs
incurred to produce one more unit. Under normal circumstances the incremental
costs would be for direct materials, direct labor, and any variable overhead
associated with production. Additional fixed costs would not normally be incurred
to produce one more unit, unless the additional production would involve the
acquisition of increased capacity (eg by hiring one more worker or purchasing one
more machine). Incremental costing is commonly used in decisions to make or buy,
should production capacity need to be expanded.

Other classifications of costs include the following:
➤ Avoidable costs are costs that can be saved by not implementing a particular
alternative.
➤ Opportunity costs are those profits lost by choosing one alternative over another.
➤ Sunk costs are costs which have already been incurred or which are already
committed to. These would normally have no effect on management decision-
making since the expenditure has already been made.
➤ Fixed costs are costs which remain unchanged regardless of changes in
volumes.
➤ Variable costs vary proportionally with a change in volume, although the
variable cost per unit remains constant.
➤ Contribution margin is a contribution of a given unit towards the fixed costs and
profits and is taken to be the selling price minus the variable costs of the unit.
➤ Breakeven point is the level of sales at which the total revenues equal total
expenses. Breakeven point can also be calculated as the point at which total
contribution margin equals the fixed costs.

Management is often faced with making choices between cost and revenue
alternatives, for example:
➤ rearranging production lines to achieve cost savings in labor by introducing
greater use of technology and then having to predict the effect on levels of
output, production costs and savings, and quality of products;
➤ decisions regarding retention vs replacement of ageing plant, where new and
more sophisticated plant may have a greater production capacity;
➤ decisions on product mix, where a production line is working to capacity –
typically encountered by food processing plants offering different brands and
needing to maintain inventory levels in all product lines, or to meet a shortage
to fill a large customer order;
➤ decisions to outsource production or processing operations instead of running
them in-house; and
➤ changes in customers that may affect the products produced and open up
other more profitable opportunities.

In each of the examples above, management consider relevant revenue and costs
analyses to identify the key cost drivers. Of themselves, historical costs have no
relevance in making decisions affecting future courses of action. The predicted
relevant costs and revenues, based on historical data should changes not be made,
do, however, provide a basis for comparison to the predicted future costs and benefits
from the available options. This enables management to determine the effect on
business profitability and its planned strategic directions before making an informed
decision. Due consideration must also be given to the opportunity cost from pursuing
one course of action rather than another. Internal auditors often assist in determining
which revenues and costs are relevant to such business decisions.


Another aspect requiring management decisions is that of the pricing of products
and services. Three aspects should be considered.
➤ Customers: Price changes must first be considered in light of the effect on
existing customers – whether this will drive them away to other suppliers or to seek
alternative products that they can use in a more cost-effective way. Customers
thus influence prices through demand levels. Price discrimination may also arise
relative to supply volumes, with customers buying significant volumes at lower
prices.
➤ Competitors: Competition may directly affect prices set, as an aggressive
competitor may force an organization to reduce its prices in order to remain in the
market. Manufacturers may often use a differential pricing when selling into export
markets. However, such actions may contravene anti-trust and anti-dumping laws in
other legal jurisdictions and attract the attention of anti-dumping authorities in
countries seeking to protect local producers’ markets. For other products, prices may
be set globally, such as the gold and platinum prices on precious metal exchanges.
Alternatively, do you have a ‘monopoly’ on the product that forces the customer to
buy from your organization at any price?
➤ Costs: Care must be taken that the selling price is not set by reference to costs
of output for particular products. This could result in a selling price below
cost, in which case an organization will incur substantial losses. What is
critical here is exactly what costs are deemed to be part of the cost of the finished
output. For example, where the product has been researched and designed by
the organization itself, do the overhead costs assigned include any part of the
research and design costs or only the direct and indirect production costs?
Similarly, does the selling price include marketing, distribution and customer
service costs that might inflate the price and make it uncompetitive? In some
instances, the supply contract with the customer works on a cost-plus basis.
Examples of these will be construction contracts and bulk supply contracts to
government departments.

Internal audit may well become involved in auditing both costs and pricing models
to provide assurance that relevant costs have been taken into account, or to provide
evidence regarding the basis used for pricing the organization’s products.

Analyzing Costs and Evaluating Cost Management


Decisions affecting the assignment of fixed and variable overhead costs to products,
transfer-pricing policies and the assignment of costs of support services are fraught
with many complexities and considerations. Organizations often have multiple cost
objects to which costs may initially be accumulated before becoming an indirect cost
for another department. Transfer pricing policies may vary greatly. Cost allocations
may affect remuneration of managers, who in turn may influence the allocation of
costs in order to justify costs, to increase their bonuses or to measure income and
assets for financial and other reporting purposes.
Debates may arise around which basis of allocation is most appropriate for output
produced and whether the same basis is appropriate for all outputs, or whether
different bases should be used for different departments or product lines. Cost
allocations may be influenced by plant capacity and actual capacity used. They
may also be affected by the stage of the production process at which the costs are

234

Internal_Auditing.indb 234 16/04/2015 11:13


COST AND MANAGERIAL ACCOUNTING

allocated. Another challenge is the allocation of costs to joint products and by-
products. In the case of merchandise inventory, costs may be determined on the basis of
a percentage of sales prices. Organizations may apply a FIFO or weighted average
system for costing finished inventories. Both approaches have merit depending on the
type of inventory. However, tax considerations may influence the choices made.
A further consideration will be the costs of spoilage, reworked units and scrap
arising from the production process. Reworked items may finally be included in
inventory, but spoiled units and scrap are not part of the inventory output and
should be expensed.
An internal auditor may well become involved in auditing the calculations or
providing input on various cost allocation bases relevant to the organization or the
cost object affected in order to resolve disputes.

Capital Budgeting and Cost Analysis


Refer to Chapter 21 for a discussion of the various capital budgeting models and
formulae available for forecasting revenues, costs and investment outlays over
many future periods. Discounted cash-flow methods are appropriate for evaluating
investment outlays and their payback periods. These topics will not be dealt with
in this chapter.

Quality Control Costs


The final aspect to be explored in this chapter is that of costs of quality that affect
customer satisfaction and internal performance evaluation.
➤ Costs of quality are those costs incurred to prevent poor quality from occurring
and the costs incurred because of poor quality. Most organizations distinguish
among:
◗ prevention costs, which occur at the start of the production process to prevent
the production of products that do not meet specifications;
◗ appraisal costs, which are costs incurred to quality check products coming
off the production line before they are moved to finished inventory (defec-
tive products are then scrapped or sent back for reprocessing);
◗ internal failure costs, which are costs incurred when a defective product is
detected before being shipped to the customer; and
◗ external failure costs, which are costs incurred after a product is shipped
to the customer and has to be returned and replaced, or reworked before
being sent out again.

Many organizations have separate quality control departments and processes to
minimize losses and wastage, as well as to protect against the reputational risk in the
market of supplying defective products. Invariably, quality control in a production
environment requires a careful analysis to ascertain where the failure occurred, in
order to determine the appropriate action to take. In some circumstances, organizations
carry high levels of professional indemnity or risk insurance, in the event that claims
are received from parties adversely affected by the failure of a product. Organizations
may also have strict policies regarding penalties for management and employees
who have failed to meet quality standards, the ultimate consequence being that the
individual is fired.


➤ Measures of quality failures may be financial or non-financial.
◗ Customer indicators of poor quality include, as financial measures, warranty and
repair costs, liability claims, and credits passed for defective goods supplied.
They do not, however, provide an indication of where in the production pro-
cess the quality failed.
◗ Consequently, non-financial measures are generally used as well. These may
include the number of defective units sold as a percentage of total sold, the
number of customer complaints received, or the number of late deliveries of
products as opposed to the number of deliveries made on time.
➤ Internal performance measures of quality problems may include:
◗ the number of defects per product line;
◗ the proportion of quality output to total output;
◗ manufacturing lead time taken to convert raw materials into finished inven-
tory; and
◗ employee turnover.

An internal auditor may audit the quality control processes or be called on to
investigate and identify the causes of poor quality performance in particular
departments. Refer to Chapters 16 and 18 for further discussions of performance audits.



25
CHAPTER

The Legal and Regulatory


Environment

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the legal and regulatory environment in which an internal audi-
tor operates
➤ Explain how the regulatory and legal environment in which an organization
operates affects the work of an internal auditor
➤ Design internal controls to identify and monitor any non-compliance with laws
and regulations that may adversely affect an organization
➤ Develop audit programs to evaluate the effectiveness of internal controls over
critical regulatory compliance areas

The Legal and Regulatory Environment


The business environment nationally and internationally is being subject to an
increasing proliferation of laws and regulations. Not only do companies have to com-
ply with the relevant Companies Act but they also face a host of laws and regulations
governing the particular sector in which their business operates.
Strict laws and regulations govern basic conditions of employment, and in South
Africa, skills development, employment equity and black economic empowerment
too. Organizations in a number of sectors are required to comply with environmen-
tal laws and regulations, while companies operating globally have to comply with
laws and regulations in multiple legal jurisdictions. Companies listed on any of the
securities exchanges in countries around the world will have rigorous listing require-
ments to comply with that require specific disclosures to the public, designed to
enhance corporate governance, accountability and transparency. Most far-reaching
of the laws governing listed companies has been the draconian Sarbanes-Oxley
Act, which applies to companies registered with the US Securities and Exchange
Commission, including those listed on the New York Stock Exchange and NASDAQ,
and reaches their subsidiaries and associated companies anywhere in the world.
Among other requirements, management must report on the effectiveness of the
company’s internal control over financial reporting, and the CEO and CFO must
personally certify the annual financial statements.
The cost of compliance for organizations has increased exponentially during the
past five years following the numerous collapses of large global corporations. Many
of these collapses were a result of management greed, excesses and fraud, and a
seemingly blatant disregard for sound corporate governance practices, with manag-
ers often treating the organization for which they worked as their personal fiefdom.
Governments around the world have responded by trying to entrench ‘good
governance’ principles into legislation and by giving far greater enforcement pow-
ers to public oversight bodies and to commercial fraud units of their police forces.


Penalties for non-compliance have been significantly increased and many breaches
are now classified as criminal activities, resulting in CEOs, CFOs, senior management
and external auditors facing jail terms if convicted of fraudulently misleading the
public or failing to comply with relevant laws.
The public sector has similarly responded with legislation entrenching corporate
governance requirements, such as the Public Finance Management Act and the
recent Municipal Finance Management Act in South Africa. Among other things,
these Acts require the appointment of an audit committee and internal audit func-
tion for every public entity to which they apply.

Impact on the Internal Auditor


The increased regulation and demand for improved corporate governance has influ-
enced the changing role of the internal auditor from a focus on financial risk and
the audit of individual transactions to a focus on enterprise-wide risk and emphasis
on evaluating the control self-assessment of departments or business units within
the organization, as discussed in Chapter 22. The other significant effect has been
to shift the focus of internal auditors to some extent away from concerns that
employees have failed to comply with internal policies and procedures, to a more
external concern, namely to establish that the organization has adequate and
effective controls that ensure compliance with the significant laws and regulations
with which it, and each of its business units, has to comply.
The IIA Practice Advisory 2100-5: Legal Considerations in Evaluating Regulatory
Compliance Programs recognizes the more legal and potentially forensic nature of
this audit work, and sounds a word of caution as follows:

‘Internal auditors are encouraged to consult legal counsel in all matters involving legal
issues as requirements may vary significantly in different jurisdictions.’

As non-compliance may arise from criminal actions by employees and others,
this falls into the category of ‘fraud investigations’ work by an internal auditor.
The reader is referred to Section 6, which deals with fraud investigations
comprehensively.

Identifying and Monitoring Non-compliance


The Practice Advisory provides examples of processes and standards that an organi-
zation can implement to ensure compliance with relevant laws and regulations, and
indicates that the role of internal audit is to ‘evaluate an organization’s regulatory
compliance programs’ in order to contribute to the improvement of risk manage-
ment, control and corporate governance systems.

‘Compliance programs assist organizations in preventing inadvertent employee viola-
tions, detecting illegal activities, and discouraging intentional employee violations. They
can also help prove insurance claims, determine director and officer liability, create
or enhance corporate identity, and decide the appropriateness of punitive damages.
Internal auditors should evaluate an organization’s regulatory compliance programs in
light of the following suggested steps for effective compliance programs.’


The steps suggested in the Practice Advisory may be summarized as follows:


➤ Establish a code of conduct to reduce the prospect of criminal conduct by
employees.
➤ Designate a specific ‘high-level’ person with responsibility for overseeing regula-
tory compliance.
➤ Screen applicants for employment at all levels for evidence of past wrongdoing,
and if they are employed, exercise due care to limit their discretionary authority.
➤ Communicate compliance standards and procedures to all employees.
➤ Take reasonable steps to ensure compliance by:
◗ monitoring and auditing systems to detect criminal conduct by employees and
agents, and
◗ establishing a fraud ‘hotline’ for anonymous reporting of fraud within the orga-
nization by ‘whistleblowers’.
➤ Strictly enforce disciplinary mechanisms.
➤ If offences are detected, respond appropriately and take steps to prevent a
recurrence.

Clearly management will weigh up the cost benefit of controls that ensure compli-
ance relative to the sanctions that might be imposed if non-compliance is detected
by the regulatory authority.

Internal Audit Programs to Evaluate the Effectiveness of Controls

The principles to be followed by an internal auditor are no different from those for all
work he/she undertakes when following a risk-based approach to internal auditing.
➤ Identify those laws and regulations that will have a significant impact on the
very survival of the organization.
➤ Ascertain by inquiry and observation what procedures are implemented specifi-
cally to control the particular risk, and monitor any non-compliance.
➤ Perform tests of controls to ascertain the incidence of non-compliance, if any,
during the period being audited for the particular department or business unit.
➤ Inquire of employees and management about any known instances of non-com-
pliance and, if any are detected, identify how these occurred and, if possible,
who was involved.
➤ Perform substantive procedures to gather evidence to support suspected non-
compliance.
➤ If necessary, obtain legal advice and communicate your suspicions to more
senior levels of management, unless they are suspected of being involved.
➤ Identify where and how controls failed to work effectively and make recommen-
dations to management for changes and improvements.

Several new laws in South Africa concerned with investor protection require organi-
zations affected to appoint compliance officers to perform specific duties under the
relevant Act, for example those regulating investment advisers and micro-lenders. In
such instances, an internal auditor would need to establish whether the compliance
officers have met their responsibilities in terms of the relevant statute.


Corporations in the US make use of their internal auditors to help managements
meet their responsibilities under the Sarbanes-Oxley Act. In such instances,
internal audit will need to be familiar with the specific sections of the Act and
consider whether the controls implemented by management are appropriately
designed to meet the specific objectives and have operated throughout the
period under review.



SECTION 5

Information Technology

26
CHAPTER

Auditing Information
Technology

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the scope and objectives of an IT auditor
➤ Explain the essential jargon of IT and its meaning
➤ Explain the basic concepts within an IT environment
➤ Describe the impact of IT on risk, control objectives and audit objectives
➤ Define and describe the range of IT audit services offered by internal audit
➤ Define the nature and types of system controls
➤ Define the nature and type of general controls

Control and Audit of Information Technology


The IIA Practice Advisory 2100-6: Control and Audit Implications of E-commerce
Activities highlights the challenges facing internal auditors in organizations that
increasingly use IT in business operations, and provides guidance as to the role and
responsibilities of internal audit.

‘Continuous changes in technology offer the internal auditing profession both great
opportunity and risk. Before attempting to provide assurance on the systems and pro-
cesses, an internal auditor should understand the changes in business and information
systems, the related risks, and the alignment of strategies with the enterprise’s design
and market requirements. The internal auditor should review management’s strategic
planning and risk assessment processes and its decisions.’

Some Computing Terminology


Before we can start to discuss the audit and control of computer systems, we must
have a common understanding of the terminology used.

Hardware
Hardware consists of those components that can physically be touched and manipu-
lated. Principal among these components are the following:

CPU
The central processing unit is the heart of the computer. It fetches and executes
program instructions: its arithmetic and logic unit performs the calculations and
comparisons, and its control unit sequences the work of the other components.


Peripherals
Peripheral devices are those that attach to the CPU to handle, usually, inputs and
outputs. These include:
➤ screens and monitors;
➤ terminals;
➤ printers; and
➤ disk and tape devices.

Memory
In computers, memory takes the form of silicon chips capable of storing information.
In commercial computers, this information takes the form of 1s and 0s in the notation
known as binary. Memory comes in various forms:
➤ RAM: Random access memory is the computer’s working memory and is volatile.
Its contents can be changed freely, but are lost if the power supply is interrupted.
➤ ROM: Read-only memory holds instructions that are ‘burned in’ at manufacture
and are not lost in the event of a power failure. These programs cannot be
changed. This is also known as non-volatile memory.
➤ PROM: Programmable read-only memory is similar to ROM, but is supplied blank
and can be programmed once by the user; thereafter it cannot be changed.
➤ EPROM: Erasable programmable read-only memory is similar to PROM, but the
instructions can be erased by ultraviolet light and the chip reprogrammed.
➤ Non-volatile RAM is another version of memory: RAM with a battery attached so
that, in the event of a power failure, the contents will not be lost.

Mainframe
Mainframe computers are the large (physically as well as in terms of power) com-
puters used by companies to carry out large-volume processing and concentrated
computing.

Mini-computers
Minicomputers are physically smaller than mainframes, although the power of many
minicomputers exceeds that of mainframes of only a few years earlier.

Micro-computers including personal computers (PCs) and laptops
Microcomputers are physically small computers with comparatively limited processing
power and storage, although the power and capacity of today’s micro matches that
of a mainframe of only a few years ago. Earlier micros have largely been replaced by
the more versatile PC and laptop, whose use in the office and home environments
has grown exponentially in the past ten years. These may be stand-alone or linked
to others in a distributed LAN or WAN situation. The PCs and laptops may be
connected to central servers that store data and programs for the various
applications.

LANs
Local area networks are collections of computers linked together within a compara-
tively small area.


WANs
Wide area networks are collections of computers spread over a large geographical
area.

Storage
Data is stored in a variety of forms for both permanent and temporary retention.
➤ Bits are binary digits, individual ones and zeros.
➤ Bytes are collections of (usually eight) bits making up individual characters.
➤ Disks are large-capacity, generally magnetic, storage devices holding anything
from 10 MB to several terabytes of data.
➤ Diskettes are small-capacity removable disks, such as floppies or stiffies that
hold from 360 KB to 100 MB (plus) of data.
➤ Optical disks are laser-encoded disks such as compact disks (CDs) and DVDs.
➤ Tapes can be reel-to-reel or cassette.
➤ Memory sticks (USB flash drives) contain non-volatile flash memory, so their
contents are retained when the power is removed.

Communications
In order to maximize the potential of the effective use of the information on comput-
ers, it is essential that isolated computers be able to communicate and share data,
programs and hardware devices.

Terminals
Terminals are remote devices allowing the input to and output from the computer
of data and programs.

Modem
A MOdulator/DEModulator translates digital computer signals into analogue signals
for telephone wires and retranslates them at the other end.

Multiplexer
This combines signals from a variety of devices to maximize utilization of expensive
communication lines.

Cables
These are metallic cables, usually copper, that carry the signals between computers.
They may be ‘twisted pair’ cable, where two insulated conductors are twisted around
each other to reduce interference and several such pairs are bundled within a plastic
sleeve, or coaxial cable, where a central conductor runs within a metallic braided
shield in the same way as a television aerial cable.

Fiberoptics
These consist of fine strands of glass or plastic that carry signals as pulses of light.
Because the signal is light rather than electricity, they are immune to electrical
interference and need no electrical insulation. They have extremely high capacity and
transfer rates but are expensive.


Microwave
This form of communication involves sending high-power signals from a transmitter
to a receiver. They work on a direct line-of-sight basis and require no cabling.

Input
Inputs to computer systems have developed rapidly over the years. An auditor will
still occasionally encounter some of the earlier types.

Cards
Rarely seen nowadays, punched cards were among the first input and output media
and consisted of a cardboard sheet, some eight inches (20 cm) by four inches
(10 cm), with 80 columns where rectangular holes could be punched in combina-
tions to represent numeric, alphabetic and special characters.

Paper tape
Another early input/output medium, paper tape was a low-cost alternative to
punched cards and consisted of a one-inch (2,5 cm) wide paper tape with circular
holes punched to form the same range of characters as with punched cards.

Keyboard
The most common input device today (although this is changing), most keyboards
are still based on the original typist’s QWERTY keyboard design.

Mouse
This is an electromechanical pointing device used for inputting instructions in real
time.

Scanner
This is an optical device that can scan pictures into a digitized computer-readable
form. It can be used in combination with OCR (optical character recognition) soft-
ware to allow the computer to interpret the pictures of data into actual characters.

Bar code
This is optically recognizable printing that can be interpreted by low-cost scanners.
This type of coding is common in retail operations.

Voice recognition
Perhaps the future of computer input, this is a system whereby a computer user,
programmer or auditor simply dictates into a microphone and the computer
responds appropriately.

Output
As with inputs, outputs are changing rapidly. In early computing times, output came
in three basic forms. The most common of these was paper; however, quantities of
cards and paper tape were output for subsequent reprocessing. Nowadays most
outputs are via screens or directly onto magnetic media.


Paper
Still a popular output medium, paper may be in continuous stationery form, cut
sheet form, pre-printed business stock such as invoices, or negotiable instruments
such as checks.

Computer
Output directly to another computer is a growing trend with the coming of age of
electronic data interchange (EDI).

Screen
Output to screen is the current norm for the majority of outputs, with text, graphics,
tables and charts, and three-dimensional forms possible.

Microfilm/fiche
For the permanent, readable recording of outputs, and needing a small storage space,
microfilm is a popular output medium. Each frame contains one page of printed out-
put. An alternative is the creation of a microfiche measuring approximately six inches
(15 cm) by four inches (10 cm) and containing some 200 pages of printout.

Magnetic media
Output to disks, diskettes and tapes is commonly used to store large volumes of
information.

Voice
Where a permanent record is not required, another new output medium is voice.

Control
Within computer systems, control is exercised at a variety of points within the over-
all architecture. At each stage, opportunities exist to vary the manner in which the
systems perform to meet users’ needs.

Operating system
The operating system is the set of programs that controls the basic operations of the
computer. All other software runs under the direction of the operating system and
relies on its services for all the work it undertakes.

Applications
These systems perform the business functions required of the computer. They run
under the direct control of the operating system but contain many powerful control
elements themselves.

Parameters
These are user-defined variations adjusting the way in which programs normally
operate.

Run instructions
These are instructions to operators of computers instructing them on the jobs to be
run and responses to machine questions to be entered.


JCL
Job control language is a means of automating the job running process by giving the
computer the instructions in the form of batch programming language.

The human element
Ultimately, the people who use, operate, program and manage computers exercise
control.

People
Operators
They run the computers on a day-to-day basis.

Programmers
They write the application programs that run on computers.

Systems designers
They design the overall structure of the application systems and specify the pro-
grams required.

Systems analysts
They analyze the business structures, applications and procedures to determine
what, if any, contribution Information Systems (IS) can make. They will also design
the outline business specifications of new systems.

Systems programmers
They are responsible for the well-being of the operating systems and the related
systems software components.

Database analysts
They are responsible for maintaining the database management system (DBMS),
which is the systems software controlling access to and the format of the data.

Network analysts
Network analysts are responsible for ensuring that availability, performance stan-
dards and security are achieved on networks.

Management
Management plan, organize and direct to ensure corporate objectives are
achieved.

Data
Data in IT terms consists of fields held in records, in turn held in files, and stored on
disk or any other storage medium discussed elsewhere in this section.


Systems of Internal Control


Within our computer systems, there are two primary software components that add
to, or subtract from, control.

Systems software
Systems software includes computer programs and routines controlling computer
hardware, processing and non-user functions. This category includes the operating
systems, telecommunications software and data management software.

Applications software
Applications software includes computer programs written to support business
functions, such as the general ledger, payroll, stock systems, order processing and
other such line-of-business functions.
End-user systems are special types of application systems that are generated
outside the IS organization to meet specific user needs. These include micro-based
(PC-based) and user-developed systems.

Control Procedures
In order to ensure that control over the corporate computer investment is ade-
quate, a range of controls is required.

General IS controls
These cover the environment within which the computer systems are utilized.

Computer operations controls
These cover the day-to-day operations of the machine.

Physical security controls
These cover the security of the physical hardware, software, buildings and staff.

Logical security controls
These cover the way in which data and software are protected from access via the
systems themselves.

Program change controls
These ensure that systems that are correct and functional remain so when they are
changed.

Systems development controls
These ensure that new systems are built in a controlled way, so that the systems in
use by the organization are, and continue to be, effective, efficient and economical.

Application Controls
Application systems have their own sets of in-built controls, which are primarily
business systems-oriented. Generally they include such control objectives as accu-
racy, completeness and authorization. In addition, there may be compensating con-
trols, where weak controls in one area may be compensated for by other controls.

Classifications of Controls
Controls are usually classified into the general categories of preventative, detective
and corrective.
➤ Preventative controls prevent an undesirable event from occurring and include
controls such as restrictions on users, requirements for passwords and separate
authorization.
➤ Detective controls detect undesirable events after the fact so that action may
be taken. These include effective use of audit trails and the use of exception
reports.
➤ Corrective controls allow things to be put right and include such controls as rec-
onciliations, transaction inquiry and correction procedures, and disaster recov-
ery plans.

Control Objectives and Risks


All computer environments face a variety of risks, which include such dangers as:
➤ fraud;
➤ business interruption;
➤ errors;
➤ customer dissatisfaction;
➤ poor public image; and
➤ ineffective and inefficient use of resources.

These are controlled through a variety of control objectives that address specific
threat areas.

General Control Objectives


These general objectives cover the overall aspects of the integrity of information;
computer security; and compliance with policies, plans, rules, laws and regulations.

Data and Transactions Objectives


The processing of transactions and the handling of data are also subject to control
procedures at each stage of processing.

At the input stage, typical examples of control objectives might be that:
➤ all transactions are initially and completely recorded;
➤ all transactions are completely and accurately entered into the system; and
➤ all transactions are entered once only.

Input methods could include a mixture of online input, batch input, input from inter-
facing systems and EDI. Controls at this stage would typically include:
➤ the use of prenumbered documents;
➤ control total reconciliation;
➤ data validation in all its forms;
➤ activity logging;


➤ document scanning;
➤ access authorization; and
➤ document cancellation.

At the processing stage, typical examples of control objectives might be that:
➤ approved transactions are accepted by the system and processed;
➤ all rejected transactions are reported, corrected and re-entered;
➤ all accepted transactions are processed once only;
➤ all transactions are accurately processed; and
➤ all transactions are completely processed.

Processing types may include batch processing, interactive update (real-time) and
online batch processing, where the data is captured online but the processing takes
place in a batch environment.

Controls at this stage would typically include:
➤ control totals;
➤ program balancing;
➤ segregation of duties;
➤ restricted access;
➤ file labels;
➤ exception reports;
➤ error logs;
➤ reasonableness tests; and
➤ concurrent update control.

At the output stage, control objectives might include:
➤ assurance that the results of input and processing are delivered as output; and
➤ output being available only to authorized personnel.

Outputs could include hard-copy printouts, file output for onward processing or
online enquiry replies.

Controls at this stage would include:
➤ complete audit trail; and
➤ output distribution logs.

Program Control Objectives


The development and running of computer programs are subject to their own control
objectives and procedures.

Control objectives would include ensuring:
➤ the integrity of programs and processing;
➤ the prevention of unwanted changes;
➤ adequate design and development control;
➤ adequate testing;
➤ controlled program transfer; and
➤ the ongoing maintainability of systems.


Controls around the development of programs would include:


➤ the use of a formal systems development lifecycle (SDLC);
➤ user involvement;
➤ adequate documentation;
➤ a formalized testing plan;
➤ planned conversion;
➤ the use of post-implementation reviews;
➤ the establishment of a QA function; and
➤ the involvement of internal auditors.

If these control objectives are adequately addressed and the appropriate controls
are implemented, then the risks within the computer systems should be effectively
minimized.

Batch vs Online
In the early days of commercial computing up to the late 1960s, most processing took place in batches only. This meant that all inputs were collected centrally and entered together in ‘batches’ of documents. This would usually take place using a centralized data preparation function to convert the data from written form into holes punched into either cards or continuous paper tape. The process was highly error-prone and the input medium could be easily damaged.

In later batch systems, the data was entered through a terminal onto a file, which would later be processed in batch mode.

In this type of system, the primary control objectives were the accuracy and completeness of capture.

Many highly effective controls were designed and implemented to ensure completeness of capture of batches of data, complete capture of all batches, and accurate capturing of batches of input data. These controls included the manual preparation of batch header documents for later comparison to computer-generated information, and double keystroke verification, whereby an operator entered the data into a batch of cards or directly into a file containing a batch of input transactions. This data was then re-entered by an independent data capture clerk and system-compared to ensure accuracy and completeness.

With the advent of online systems, such controls fell away, since they were no longer appropriate. In many cases within an online environment, very few alternative controls were implemented and often an auditor will find that large assumptions are made as to the adequacy of the controls surrounding the accuracy and completeness of data input.

In today’s systems, capture and processing will normally take place using online, real-time data capture with a small batch component. Input is typically through a terminal with instantaneous update. Overnight report production in batch mode is common. The terminals may be local or remote, and the remote terminals may be either dial-up or dedicated. The terminals themselves may be of differing types, but the principal control objectives remain as:
➤ availability;
➤ security;
➤ confidentiality; and
➤ accuracy.

In online systems, there is an additional component to the system, which comes complete with its own concerns, and that is the communications component. This can take the form of microwave links, satellite hook-ups or the more basic cables, which themselves may be either dedicated or dial-up.

Computers communicate in a digital form, where a signal is either on or off, while normal telephone cables operate in an analogue mode, where the signal is moderated either by changing the height of the curve (amplitude modulation or AM) or by changing the frequency of the signal (frequency modulation or FM). Communications may operate in a simplex mode, where traffic is one way only. This means effectively that a circuit must make a complete circle to get a message there and get a reply back. This form of circuit is inexpensive but vulnerable. Half-duplex communications allow two-way traffic, but only one way at a time. This is the type of signal used in CB radio. Duplex communications involve simultaneous two-way communication. Computer systems typically use half-duplex communications.

Other Communication Concepts


➤ Synchronous communications involve the high-speed transmission and reception of long groups of characters.
➤ Asynchronous communications involve slow, irregular transmissions, one character at a time, with start and stop bits.
➤ Encryption involves the scrambling of data into unreadable forms such that it can be unscrambled by the receiver.
➤ Protocol comprises a set of rules for message transmission in a network.

Networks themselves may be of varying types, including:


➤ private networks;
➤ public switched networks (PSNs), such as the telephone system;
➤ value-added networks (VANs), such as Beltel, where the service provider adds
additional services onto point-to-point connection;
➤ local area networks (LANs), where the connections are both private and nearby;
and
➤ where there is a significant physical distance involved, the network may be
referred to as a wide area network (WAN).

In recent years, the Internet has become of increasing concern as well as use to
internal auditors. The Internet is a worldwide collection of computers connected
together loosely, and provides both a source of information and a source of external
risk.
Networks may be configured as point-to-point with separate direct links.
An alternative configuration could be a multidrop one, with multiple terminals
sharing a single line. Ring networks have no central computer: each machine is
classed as a ‘node’ on the network; while star networks have a single, central
computer co-ordinating all communications.


Where an online system exists, there are various capabilities.


➤ Online enquiry allows a remote user to retrieve data directly. In this case, the primary concern should be confidentiality of information.
➤ Online data entry permits remote entry of data and allows its concurrent processing. In this case, the primary concerns would be transaction authenticity, accuracy and completeness.
➤ Online update is similar to online data entry but with immediate effect on transactions. The primary concerns here would be concurrency control (prevention of two users updating the same record at the same time) and availability.
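The concurrency-control concern in the last item above, as an added example in Python (not code from the textbook): an uncontrolled lost update beside an optimistic version check that rejects the stale second write. The record layout, field names and the two-user scenario are constructed.

```python
"""Concurrency control for online update: lost update vs optimistic version check.
Added example, not from the textbook; record layout and scenario are constructed."""
from dataclasses import dataclass


@dataclass
class Record:
    balance: int
    version: int = 0   # incremented on every successful update


class ConcurrencyError(Exception):
    """Raised when an update quotes a version that is no longer current."""


class MasterFile:
    """Master file where every update must quote the version it was based on."""

    def __init__(self) -> None:
        self._rows: dict[str, Record] = {}

    def create(self, key: str, balance: int) -> None:
        self._rows[key] = Record(balance)

    def read(self, key: str) -> Record:
        row = self._rows[key]
        return Record(row.balance, row.version)   # snapshot, not the live row

    def update(self, key: str, new_balance: int, based_on_version: int) -> int:
        row = self._rows[key]
        if row.version != based_on_version:
            # Someone else updated the record since this user read it.
            raise ConcurrencyError(
                f"{key}: update based on version {based_on_version}, "
                f"record is at version {row.version}")
        row.balance = new_balance
        row.version += 1
        return row.version


def lost_update_without_control() -> int:
    """Two users read balance 1000; user 1 adds 200, user 2 subtracts 150.
    Without concurrency control the second write overwrites the first."""
    store = {"A100": 1000}
    seen_by_user1 = store["A100"]
    seen_by_user2 = store["A100"]
    store["A100"] = seen_by_user1 + 200
    store["A100"] = seen_by_user2 - 150   # user 1's deposit is silently lost
    return store["A100"]                  # 850 instead of the correct 1050


def controlled_update() -> tuple[int, bool]:
    """Same scenario with version checking: the stale write is rejected and
    user 2 must re-read and retry, so both updates survive."""
    f = MasterFile()
    f.create("A100", 1000)
    snap1 = f.read("A100")
    snap2 = f.read("A100")
    f.update("A100", snap1.balance + 200, snap1.version)       # version 0 -> 1
    try:
        f.update("A100", snap2.balance - 150, snap2.version)   # still quotes 0
        stale_write_accepted = True
    except ConcurrencyError:
        stale_write_accepted = False
    fresh = f.read("A100")                                     # re-read: 1200, version 1
    f.update("A100", fresh.balance - 150, fresh.version)
    return f.read("A100").balance, stale_write_accepted        # (1050, False)
```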

The basic online concerns remain as:


➤ availability;
➤ security;
➤ unauthorized access; and
➤ accidental or intentional changes.

Areas where security could be threatened include the operating system and particularly its management features, as well as intercomputer communication, including dial-up access, gateways and poor network performance.

In any networked operation, availability is a major concern. This includes availability of the hardware components, the software, the data, the networking capability and the human resources.

Typical controls in this area to protect against unavailability are the ensuring of:
➤ an adequate physical environment;
➤ adequate back-ups;
➤ multiple redundancies in equipment to ensure no reliance on a single piece;
➤ peer-to-peer networking to permit mutual back-up;
➤ adequate disaster recovery planning; and
➤ appropriate training.

Security itself is a factor of the hardware, the software and the human element.
➤ Hardware is liable to theft, sabotage and penetration.
➤ On the software side, the operating system software may itself be stolen, corrupted or bypassed, while applications software may suffer a similar fate and may also be substituted by an alternative application.
➤ Data is one of an organization’s most valuable assets and may be liable to theft, corruption, substitution or manipulation.

Such security threats may come from normal users of the systems, deliberately
or accidentally, specialist insiders such as the IT staff, legitimate outsiders such as
computer engineers or even customers and suppliers who have been granted access
to the site, or outside hackers who attempt to penetrate an organization’s security
for fun or profit.



CHAPTER 27

Auditing General and Application Controls

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the exposures and control objectives within the various types of information processing center
➤ Describe the controls normally used to mitigate the risks
➤ Formulate and implement an appropriate audit program to evaluate the adequacy and effectiveness of general IT controls
➤ Modify such a program for use in distributed environments and networks

The Control Environment


The control environment includes the governance and management functions, and
the attitudes, awareness and actions of those responsible for the governance and
management of an organization’s internal controls. The control environment sets the
tone of an organization, influencing the control consciousness of its people, and is
the foundation for effective control, providing discipline and structure. The control
environment will include the following elements:
➤ communication and enforcement of integrity and ethical values;
➤ commitment to competence and service;
➤ independent review and monitoring functions;
➤ management’s philosophy and operating style, including its approach to taking and managing business risks;
➤ organizational structure and the framework for achieving the organization’s business objectives;
➤ assignment of authority and responsibility; and
➤ human resource policies and practices.

The control environment will include controls over the computer systems, which fall
into two broad categories: general controls and application controls.

General Controls
General controls comprise all the policies and procedures, both manual and computerized, that govern the environment within which an organization’s computer systems are developed, maintained and operated, and within which the application controls operate. General controls include the systems development standards operated by an organization, which are dealt with in Chapter 30, and those controls that apply to the operation of the computer installation, such as its hardware components, networks and systems software. General controls have a pervasive impact on multiple application systems. Computer systems may range from a simple stand-alone PC or microcomputer to a large, complex and sophisticated installation with a LAN or WAN in a distributed environment.

Application Controls
Application controls, on the other hand, are defined as the controls, both manual
and computerized, within the area of the business application that ensure that data
is processed accurately, completely and in a timeous manner. Application controls
are specific to individual applications and include:
➤ controls over input, such as data validation and batching;
➤ run-to-run controls designed to check the accuracy and completeness of processing by checking file totals at prespecified stages in processing; and
➤ controls over output to ensure accuracy, completeness and confidentiality.

Computer Operations Controls


IT departments will vary considerably from one organization to the next. The structure of a particular department will obviously depend on constraints such as workload and size, but will usually involve an operations function, a project-based or programming function and technical services.

The computer operations department houses the staff involved in the day-to-day
operation of the information processing facility. This may be a large mainframe
environment or a small LAN. The operations function is responsible for many of the
routine tasks associated with the effective and efficient running of an installation,
including:
➤ mounting and dismounting data files;
➤ loading paper into printers;
➤ aligning special forms;
➤ scheduling runs;
➤ loading programs;
➤ balancing run priorities;
➤ responding to operating system prompts;
➤ responding to application system prompts;
➤ maintaining incident logs;
➤ performing routine housekeeping tasks;
➤ responding to equipment failures;
➤ producing back-up copies as defined;
➤ restoring from back-up when authorized; and
➤ handling ‘unpredictable’ conditions.

The operations department may itself be subdivided into:


➤ a control section, responsible for monitoring information passing into, through and out of the computer operations area;
➤ a data preparation section (although considerable progress has been made in moving this function into the user area);
➤ computer operators, who are responsible for accurate and efficient operation of the scheduled jobs on the computer and who report to the chief operator or shift supervisor; and
➤ possibly a tape librarian to handle the vast quantity of physical tapes, disks and other back-up media.

The operations department is responsible for maintaining physical security over the
computer, peripherals, magnetic media and stored data. This includes the various
measures designed to minimize the impact of such disasters as flood, fire, malicious
damage, etc.
Data must be secured against accidental or deliberate disclosure, modification or destruction. Processing controls must exist to ensure that the organization receives complete, accurate, timely and secure processing of data. This includes on-site and off-site file and program libraries. Included in these libraries will be safety copies of data, as well as program source and object codes. Automated library software can help to ensure that the library is maintained in an appropriate form. Ensuring segregation of duties, handling the distribution of output and despatch of hard copy, and controlling access to spool files and networked printers are usually functions of the operations department.

Operations Exposures
These include the normal range of exposures, including human error, hardware failure, software failure, computer abuse and potential disasters. The prime error areas in daily operation are the data entry procedures and operator commands entered from the control console. Using wrong generations of files or wrong versions of programs can be catastrophic should they occur, and an ever-present danger is simple media damage in handling.

Operations Controls
Controls within the operational area are primarily performance and compliance
controls associated with the running of computer jobs. These would usually include
the use of:
➤ predefined run schedules;
➤ computer and manual run logs;
➤ system performance statistics;
➤ budgetary controls; and
➤ supervision.

Personnel Controls
Since operations departments are so heavily dependent on people, it is vital to ensure that the personnel aspects are adequately controlled. This includes the segregation of duties, where we would institute controls to ensure that:
➤ IT staff cannot initiate transactions;
➤ systems and programming are independent from operations;
➤ programmers cannot operate the machine;
➤ operators cannot access file libraries;
➤ the IT librarian is an independent function; and
➤ IT staff have no control over corporate assets, other than access required to meet their specific responsibilities for IT hardware and software operations.

In addition, we should ensure that IT operations staff have their duties rotated periodically, are required to take holidays when leave is due, and do NOT attempt to correct programs.
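The segregation-of-duties and leave rules above, turned into a check an auditor could run over a role listing. Added example, not from the textbook; the role names, rule predicates, leave threshold and sample staff are constructed.

```python
"""Segregation-of-duties check over IT operations role assignments.
Added example, not from the textbook; role names, rule set and sample staff
are constructed to mirror the rules in this section."""

# Holding any of these roles makes someone "IT staff" for the rules below.
IT_ROLES = {"programming", "operations", "librarian"}


def _is_it_staff(roles: set[str]) -> bool:
    return bool(roles & IT_ROLES)


# Each rule pairs the chapter's wording with a predicate over one person's roles.
SOD_RULES = [
    ("IT staff cannot initiate transactions",
     lambda r: _is_it_staff(r) and "initiate_transactions" in r),
    ("systems and programming are independent from operations",
     lambda r: {"programming", "operations"} <= r),
    ("operators cannot access file libraries",
     lambda r: {"operations", "file_library"} <= r),
    ("the IT librarian is an independent function",
     lambda r: "librarian" in r and bool(r & {"programming", "operations"})),
    ("IT staff have no control over corporate assets",
     lambda r: _is_it_staff(r) and "asset_custody" in r),
]


def find_conflicts(assignments: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (person, rule) for every rule a person's combined roles break.
    Sorted by person so the output is stable for working papers."""
    findings = []
    for person in sorted(assignments):
        roles = set(assignments[person])
        for rule_text, violated in SOD_RULES:
            if violated(roles):
                findings.append((person, rule_text))
    return findings


def overdue_leave(days_since_leave: dict[str, int], threshold_days: int = 365) -> list[str]:
    """Staff who have not taken leave within the threshold, for the rule that
    operations staff are required to take holidays when leave is due."""
    return sorted(p for p, days in days_since_leave.items() if days > threshold_days)


# Constructed sample for a small operations department.
SAMPLE_ASSIGNMENTS = {
    "alice": {"programming"},
    "bob": {"operations", "file_library"},
    "carol": {"librarian"},
    "dave": {"programming", "operations"},
    "erin": {"operations", "initiate_transactions"},
}
SAMPLE_DAYS_SINCE_LEAVE = {"alice": 90, "bob": 400, "carol": 30, "dave": 200, "erin": 500}
```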

Supervisory Controls
The nature of the operations function makes it very easy to implement effective
supervisory controls. Such controls would include:
➤ approving run schedules;
➤ monitoring operations;
➤ scrutinizing the daily console log;
➤ reviewing the manual reports; and
➤ continuous observation.

Generally, 80 per cent of machine usage can be predicted, but there will always be
additional user demands, program reruns, reprocessing of files and the handling of
unforeseen problems.

Machine usage can itself be categorized into machine time spent in:
➤ compilation;
➤ testing;
➤ reruns;
➤ maintenance; and
➤ production.

Operational efficiency and effectiveness should be determined and monitored.

Reruns will always be required from time to time because of machine failure, operator failure, application failure, operating system failure or simply high volume or critical input errors.

Operations Audits
Reviewing an operations area involves initially obtaining an organization chart of the function and job descriptions of the staff. These would then be reviewed to ensure proper segregation of duties, particularly in smaller departments. In addition, lists of equipment, networks, system software and running applications will be required.

The personnel of the operations section have hands-on access to the hardware, software and networks of the organization. As such, it is imperative that the personnel practices of this section are above reproach. The personnel policies of the operating department must be reviewed with respect to delegation of duties when staff are absent because of illness, leave or for any other reason. Termination procedures must be scrutinized in order to ensure that no weakness occurs when staff resign or retire or when their employment is terminated.

The view of the operations function itself would include scrutiny of computer room access in order to determine:
➤ who is permitted access;
➤ under what circumstances outsiders are permitted access; and
➤ how control over access is enforced.

The operation of computer equipment would include determining who is authorized to operate such equipment. An auditor must examine operating instructions to ensure that installation standards exist and are followed for operating system software, application software, restart and recovery procedures, and handling the disposition of inputs and outputs. Operator actions will be scrutinized to determine whether controls exist in areas where operators have discretion, such as amending parameters while systems are running.

This would also include scrutiny of incident logs covering reporting of system failures, restart and recovery, emergencies, and any other unusual situations. It should be noted that logs will include both manual and automated ones and that comparisons may be done between the two in order to determine whether management is informed of all deviations from normal procedures.

From time to time, operators may have to cope with emergency circumstances, which could involve making urgent modifications to production programs, job control language and procedure libraries bypassing the normal procedures. In these circumstances, it is critical that adequate documentation is maintained of all operator actions and the reasons for these actions. Operators may have access to powerful utilities that can typically dump data, production programs or even memory at execution time. Management must closely monitor access to utilities and any changes made to ensure that no unauthorized procedures are carried out. Evidence must be sought of adequate supervision of operators. This may include management or shift supervisor sign-off of logs.

Application Controls
Systems, generally, may be defined as a set of elements or components that interact
to accomplish goals and objectives. These systems may take the form of:
➤ systems that perform business-related activities (application systems); or
➤ systems that help the computer function (operating systems).

Application systems include payroll, sales, purchases, inventory, accounts payable and
accounts receivable, fixed asset registers and production processing applications. In
this section, we will concentrate on the auditing of application systems controls.
Well-controlled application systems can be distinguished by the quality of processing and usability of the outputs they produce. At a minimum, application systems must process data accurately and completely and must do so in a reliable manner. The data presented to the user must be relevant to the business function and simple to use. It must be presented in a timely manner to permit the user to carry out the business function timeously and the processing must be verifiable. In achieving all of these control objectives, the system must operate in an acceptably economic manner.

Systems themselves come in all shapes and sizes. They are categorized in Table 27.1 to assist us in evaluating the appropriateness of their handling of business risk.


Table 27.1: Types of IT systems

Type of system: Simple vs Complex
Description: Simple and complex systems both face the normal risks of inaccuracies, incompleteness, etc, but complex systems, by their very nature, are more likely to experience these problems, since the more complex a system becomes, the harder it is to test adequately and the easier it is for a system error to go undetected.

Type of system: Open vs Closed
Description: Open systems are more vulnerable to both errors and attempted penetration. This is a factor of the number of sources of input and output, and the degree of systems interactivity.

Type of system: Stable vs Dynamic
Description: The higher the degree of instability of a system, the more likely it is that changes will be made to it that are not clearly thought through with all of the side effects taken into account. There is also a greater probability of rushed and inadequate testing in a highly dynamic system.

Type of system: Adaptive vs Non-adaptive
Description: Adaptive systems are designed to be flexible and to be all things to all people. As such, it is comparatively easy to tailor these systems incorrectly. By the same token, non-adaptive systems may be run in an inappropriate manner and supplemented with unofficial add-on sub-systems with all of their inherent error opportunities.

Type of system: Permanent vs Temporary
Description: Permanent systems are designed, implemented and maintained within a controlled environment. Temporary systems may fall outside of this system of internal control and may be undertested, undocumented, open for all to change and generally out of control. They also have a habit of becoming semi-permanent unintentionally.

Systems Controls
Several individuals may exercise control in several ways using several application systems. At a macro level, the business decision-maker will determine system variables to cover such issues as:
➤ Will the payroll be daily, weekly or monthly?
➤ Will the financial ledger be produced monthly or in 13 four-week periods?

On a day-to-day basis, the system parameters, controllable by the system operator, will be used to alter variables that require amendment, such as report dates, file control dates, etc.

Control Stages
Control over applications is exercised at every stage and commences at the start of the development of the system. This takes two basic forms:
➤ control over the development process itself; and
➤ ensuring adequate business controls are built into the finished product.

Major control stages would include the system design, system development, system operation and system utilization. Controls will include both manual and computerized (programmed) controls for each of the major control stages.

System Models
Systems may take several forms.
➤ The most basic types of systems are those that are used continuously to provide facilities for the day-to-day operations of an organization. These normally involve the processing of everyday business transactions. Typical examples of transaction processing systems would include sales order processing, inventory control, purchasing, etc.
➤ In addition to these systems supporting normal business processing, management constantly requires information to inform it of the status of various parts of the organization. These management information systems could include financial systems, manufacturing systems, marketing systems, personnel, etc.
➤ A further categorization of systems comes when the information is used by a variety of decision makers to support business decisions. These decision support systems are becoming more and more sophisticated and may be found in all business areas, such as financial, statistical analysis, project management and data warehouses that, among other things, may be used to monitor business operations, and control distribution of goods to outlets from central warehouses, etc.

Control Objectives of Business Systems


In order to achieve the potential benefits of properly managed information systems, they must themselves be generated and operated in order to achieve specific control objectives. These would include the general control objectives of accuracy, completeness, validity, integrity and confidentiality.

In addition, the differing system types may have additional control objectives and differing priorities within the general control objectives. System types could include order processing systems, invoicing systems, accounts receivable and payable systems, and the rest of the full range of business systems. Other specialized systems may exist depending on the nature of the business. Such systems could include online Internet and treasury management banking systems, retail systems, manufacturing systems, and Electronic Data Interchange (EDI) for e-commerce applications and the like.

Overall Control Objectives


In addition to the overall objectives for information processing of integrity of information, security and compliance, there are specific control objectives at every stage of input, processing and output, as set out in Table 27.2.


Table 27.2: Control objectives and control procedures

Stage: Input
Objectives:
➤ All transactions have occurred and are valid business transactions of the entity, are properly authorized initially and are completely recorded
➤ All transactions are completely and accurately entered into the system
➤ All transactions are entered once only
Control procedures:
➤ Prenumbered documents
➤ Control total reconciliations
➤ Data validation
➤ Activity logging
➤ Document scanning
➤ Access authorization
➤ Document cancellation

Stage: Process
Objectives:
➤ Programmed controls to ensure completeness and accuracy of transactions in the processing stage for the relevant application
➤ Programmed controls to detect loss of data, and prevent duplication of transactions
➤ Programmed controls to ensure completeness and accuracy of arithmetic calculations and allocations to ledger accounts and analyses
➤ Control over data storage, retrieval, updating and file maintenance
Control procedures:
➤ Completeness and accuracy of transactions: record counts, sequence tests, control totals, hash totals, programmed limit and reasonableness tests, cross-addition of analyses and exception reporting
➤ Completeness and accuracy of updating: correct generation of master file used – manual agreement of computer-generated totals to original documents, run-to-run totals, check of brought forward and carry-forward totals, check of file setup for application
➤ Data storage and retrieval: internal and external file labels, computer updating procedures, audit trails and manual checks to source documents by IT administrator
➤ Data storage for file maintenance: reconciliation of file totals, comparison of computer balances to physical counts and cut-off checks, review of results (output) by users, one-on-one manual checks, especially for master-file changes processed, computer generated batch and hash totals for total additions/deletions from master files for processing period checked manually to input headers

Stage: Output (hard copy, file output, online enquiry files)
Objectives:
➤ Assurance that the results of input and processing are correct and are reconciled to the output reports
➤ Output is available only to authorized personnel
➤ Error reports are distributed to responsible personnel and corrective steps are taken promptly
Control procedures:
➤ Complete audit trail
➤ Output distribution logs
➤ Reconciliations of input documents to output reports and to control totals
➤ Error detection and correction
➤ Application program control objectives
➤ Integrity of programs and processing
➤ Prevention of unwanted program changes
➤ Ensuring adequate design and development control
➤ Ensuring adequate testing
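The batch-header reconciliation, hash-total, sequence, duplicate and programmed-limit controls listed for the input and processing stages (here and in the earlier processing-stage list), worked through in Python as an added example that is not from the textbook. The batch layout, field names, limit value and sample batch are constructed; the sample is built so that the record count and control total agree with the header and only the hash total reveals the keying error.

```python
"""Batch control reconciliation: header totals, duplicate and sequence tests,
programmed limit test, and an error log of rejected items.
Added example, not from the textbook; layout and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    doc_no: int       # prenumbered source document number
    account: str      # ledger account the amount is posted to
    amount: Decimal   # monetary value, the basis of the control total


@dataclass(frozen=True)
class BatchHeader:
    """Batch header prepared manually from the source documents, for later
    comparison with the computer-generated totals."""
    batch_id: str
    record_count: int        # number of documents in the batch
    control_total: Decimal   # sum of the amounts
    hash_total: int          # sum of document numbers: meaningless, but catches substitution


@dataclass
class BatchResult:
    accepted: list[Transaction] = field(default_factory=list)
    rejected: list[tuple[int, str]] = field(default_factory=list)   # the error log
    sequence_gaps: list[int] = field(default_factory=list)
    header_mismatches: list[str] = field(default_factory=list)


def validate_batch(header: BatchHeader, items: list[Transaction],
                   valid_accounts: set[str], limit: Decimal) -> BatchResult:
    result = BatchResult()

    # 1. Batch-header reconciliation (completeness of capture): computer-generated
    #    record count, control total and hash total against the manual header.
    totals = {
        "record_count": (len(items), header.record_count),
        "control_total": (sum((t.amount for t in items), Decimal("0")), header.control_total),
        "hash_total": (sum(t.doc_no for t in items), header.hash_total),
    }
    for name, (actual, expected) in totals.items():
        if actual != expected:
            result.header_mismatches.append(f"{name}: computed {actual}, header {expected}")

    # 2. Item-level validation (accuracy, "processed once only"). Rejections go to
    #    the error log so they are reported, corrected and re-entered, not dropped.
    seen: set[int] = set()
    for t in items:
        if t.doc_no in seen:
            result.rejected.append((t.doc_no, "duplicate document number"))
            continue
        seen.add(t.doc_no)
        if t.account not in valid_accounts:
            result.rejected.append((t.doc_no, f"invalid account {t.account}"))
        elif t.amount <= 0 or t.amount > limit:
            result.rejected.append((t.doc_no, f"amount {t.amount} fails limit test"))
        else:
            result.accepted.append(t)

    # 3. Sequence test on the prenumbered documents: a gap means input was lost.
    if seen:
        lo, hi = min(seen), max(seen)
        result.sequence_gaps = [n for n in range(lo, hi + 1) if n not in seen]
    return result


# Constructed sample. The header was prepared from documents 1001-1005 with
# amounts 100, 200, 300, 300, 350. At keying, 1003 was skipped and 1004 keyed
# twice, so record count and control total still agree with the header and
# only the hash total exposes the substitution.
VALID_ACCOUNTS = {"4000", "4100", "4200"}
LIMIT = Decimal("300.00")   # programmed limit test
SAMPLE_HEADER = BatchHeader("B-001", record_count=5,
                            control_total=Decimal("1250.00"), hash_total=5015)
SAMPLE_ITEMS = [
    Transaction(1001, "4000", Decimal("100.00")),
    Transaction(1002, "4000", Decimal("200.00")),
    Transaction(1004, "4100", Decimal("300.00")),
    Transaction(1004, "4100", Decimal("300.00")),   # keyed twice
    Transaction(1005, "4200", Decimal("350.00")),   # exceeds the limit
]


def run_sample() -> BatchResult:
    """Run the controls over the constructed batch."""
    return validate_batch(SAMPLE_HEADER, SAMPLE_ITEMS, VALID_ACCOUNTS, LIMIT)
```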



CHAPTER 28

Auditing Systems under Development

Learning objectives
After studying this chapter you should be able to:
➤ Outline briefly the process involved in developing a new IT system
➤ Outline briefly the process involved in acquiring a packaged IT system
➤ Outline briefly the process involved in maintaining an IT system
➤ Describe the various possible roles of an IT auditor in a development environment
➤ Define the types of database management systems and describe the advantages and disadvantages of database systems
➤ Explain the causes of systems development exposures and the control opportunities available
➤ Explain the varieties of lifecycle models available

Why Do Systems Fail?


It is an unfortunate fact that computer systems do fail from time to time. The distance between these times or the mean time between failures is to a large extent governed by events that took place during systems development. The most common of these problematic events are discussed below.

➤ Poor support from top management


Top management, even today, is content in many cases to leave the development
of new and strategic systems to computer staff rather than being actively involved.
This can mean that IT staff develop what is known as systems blind and the systems
become the IT staff’s interpretation of what they believe management should be
looking for. This interpretation is not always accurate.

➤ Poor staff attitude


Taking their lead from top management, the users whose system it is from inception will also often sit back and leave the detail to the IT staff. An attitude of non-ownership of the development process becomes prevalent.

➤ Unclear business objectives


In many systems, the development was triggered by a senior manager thinking, ‘Wouldn’t it be a good idea if we had a system that could ...’. The system is then developed to meet the (often poorly defined) requirements of a single manager rather than the needs of the organization as a whole.

➤ Management and users are unsure of their needs


It is a common occurrence that, when asked to express their needs in terms of IT
support, management and users are unable to articulate clearly what they want.


Auditors find the same problem in asking managers to explain how control is
achieved. Think how difficult it would be to explain to someone exactly how you
breathe. You have done it all your life, but would find it difficult to explain exactly
how you do it. It is part of the job of the IT staff to find out the users’ business needs
and translate these into potential computer support areas.

➤ IT personnel are unfamiliar with user needs


In many cases, the IT staff assigned to a given project have no fundamental understanding of the actual business process to be computerized. Once again, this leads to misinterpretation of users’ wants and needs.

➤ Additional user requirements are not previously specified


A common complaint of users is that: ‘The system can’t do ...’ while the IT response
is ‘You never told me you wanted it to ...’. One of the most difficult areas of systems
analysis is ensuring that your understanding is fully comprehensive and that all
requirements are known.

➤ Changes in user requirements


Many systems are developed over a number of years. During this time, the business
needs of the final user will change due to a changing business environment, new
technology requirements, changes in managerial personnel and style, etc. Systems
must be developed with as much flexibility as possible, both during development
and in the final product.

➤ Organizational changes during the project


Given the life of many IT projects, it would be unusual for a project to reach
completion without staff changes. At either the IT or user end, loss of a key member
of the development team can create havoc and seriously jeopardize the project’s
viability.

➤ Failure to understand interrelationships between parts of the organization


In today’s environment, most systems implemented are designed to be integrated
systems treating the business needs of a disparate group of corporate functions. In
many cases, management, even at director level, are so specialized that they have
no understanding in depth of how other areas of the business function. As a result,
many integrated systems do not adequately map onto the business functionality
required.

➤ Overoptimistic file conversions


Acquiring data and converting from previous systems is a critical task and should be
treated as such. This does not happen overnight and of its own accord. It must be
planned for and appropriate resources must be committed to the process.

➤ Poor quality input for file conversions


In many cases, the source of the data to be converted for the new system is suspect
and such data must be ‘sanitized’ or cleaned up prior to systems implementation.



AUDITING SYSTEMS UNDER DEVELOPMENT

➤ Poor documentation
Many systems development projects work on the basis that the documentation will
be completed at the end of the project after the new system has stabilized. This is
a source of two distinct forms of problems. Firstly, the time when documentation is
most needed is at the design and coding stage, to ensure the final system is what
was intended. Secondly, completion of documentation at the end results in rushed
and scanty documentation and occasionally no documentation at all, since project
time has run out.

➤ Inadequate system and program testing


Testing of systems is a complex business involving programmers, systems analysts,
users and internal auditors. The first three must satisfy themselves that the system
performs as desired in that it does everything it is supposed to and conversely does
NOT do the things it is not supposed to. An auditor’s role is to satisfy him-/herself
that the testing has, in fact, been done to acceptable standards.

Systems Development
IIA Practice Advisory 2100-6: Control and Audit Implications of E-commerce
Activities provides guidance as to areas that an internal auditor should assess and
evaluate in circumstances where there are new and ongoing IT developments in the
business processes.

‘The internal auditor should evaluate how well business units are managing the
e-commerce process. The following are some relevant topics.
➤ Project management reviews of individual initiatives and development projects.
➤ System Development Life Cycle reviews.
➤ Vendor selection, vendor capabilities, employee confidentiality, and bonding.
➤ Post-implementation economic reviews: Are anticipated benefits being achieved?
What metrics are being used to measure success?
➤ Post-implementation process reviews: Are new processes in place and working
effectively?’

One of the major controls over the development process is itself the systems
development life cycle. This has the advantages of uniformity, enabling of performance
measurement, reducing the maintenance effort and improving the quality of the
finished product. It involves specific tasks, namely:
➤ drawing up requirements and proposals;
➤ systems design;
➤ detailed design;
➤ coding, testing and documentation; and
➤ systems testing.

Drawing up Requirements and Proposals


Systems proposals come from a variety of sources and happen for a variety of
reasons. They may come from the board of directors, as a result of a business change.
They may come from the government, in the form of legislative changes. They
may be intended to improve business effectiveness or efficiencies. They may come
because technology itself has changed. They may be required as a response to
competitive forces. In all cases, the feasibility of the change and its cost desirability
must be assessed. This means that the outline systems design must be known. This
outline design expresses the business requirements of the proposed system in terms
of user requirement specifications.

Specifications
User specifications identify:
➤ the business functionality required of the system;
➤ the actions the user is to take;
➤ the decision rules to apply;
➤ the services required of IS;
➤ the methods and timescales for user/IS interaction; and
➤ the assignment of responsibility.

Technical Specifications
Once the outline design has been agreed, the detailed design must be defined. This
involves taking the business design and interpreting it into computerese by defining:
➤ file and record layouts;
➤ operational constraints;
➤ processing logic definitions; and
➤ access rules.

Problems at the specification stage include:


➤ the availability of user staff, as a result of which the IT section may be left in
isolation to develop the system as it sees fit;
➤ access to the right level of staff – in many cases the user staff available are not
of the right authority level or do not have the required knowledge base to carry
out the appropriate liaison;
➤ ‘technology lust’, which results in a constant search for the latest technology,
regardless of whether it is genuinely required;
➤ overextended time scales with no measurement points (defined milestones) in
between. To allow effective project planning, timescales should be short, with
measurement milestones at frequent intervals. In addition, overextended
timescales can mean that key staff change during the process, business
objectives change, costs will escalate and hardware/software may become
obsolete; and
➤ inexperienced staff, who can cause complications, since many organizations hire
extra staff for large-scale projects who may be technically competent but have
no understanding of the organization, its objectives and standards.

Implementation Planning
Once the system has been designed successfully, it must be implemented. This
involves:
➤ reviewing the scope and objectives to ensure they are still appropriate;
➤ reassessing the timescales, budgets and benefits based on the fuller
understanding of the system now available;
➤ drawing up implementation timescales based on the full detailed design;
➤ allocating responsibilities for the development of the various parts of the
system; and
➤ conducting a pre-implementation review to ensure that problems encountered
in the past do not recur.

Implementation
Implementation itself involves:
➤ programming;
➤ coding;
➤ prototyping;
➤ unit testing;
➤ test-linking to other modules;
➤ documentation;
➤ installation;
➤ user acceptance testing;
➤ parallel running;
➤ user training;
➤ file conversion; and
➤ live running.

Some of these activities may be conducted simultaneously, but this, again, is a
factor of the effectiveness of the project planning process.

Conversion Activities
Once the system has been developed and adequately tested, conversion from the
previous manual or computer system must take place. This will usually involve:
➤ the acquisition of data;
➤ the identification of sources;
➤ the development of conversion programs;
➤ the sanitization of input data; and
➤ file conversion.

System conversion is a major task and requires strict control to be enforced. Poor
conversion may jeopardize the whole project on the principle ‘Rubbish in – rubbish
out’. Audit involvement is essential. Care should be taken to ensure that audit’s role
does not become one of IT quality assurance. Our role is to ensure that management
has adequate controls to ensure that conversion was effective. While all this is going
on, maintenance must continue on the current systems.
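To make the control requirement concrete, the following is an added example of a conversion routine that sanitizes legacy input and produces control totals; it is not from the textbook or from any product the chapter names. The legacy record layout, the cleansing rules, the target status codes and the sample extract are all constructed for illustration.

```python
"""Added example, not from the textbook: a file-conversion step that
sanitizes legacy input and produces control totals so that management
can evidence a complete and accurate conversion.
The legacy layout, cleansing rules and sample extract are constructed."""
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed legacy extract with the kinds of defects old data carries:
# padded names, thousands separators, lower-case codes, a blank key,
# a non-numeric balance, a duplicate key and an unknown status code.
LEGACY_CSV = """acct,name,balance,status
00123, Alice  Smith ,"1,250.00",A
00124,Bob Jones,-45.10,a
,Unknown Co,99.99,A
00126,Carol White,abc,A
00123,Alice Smith,10.00,A
00127,Dan Brown,300.00,X
"""

VALID_STATUS = {"A", "C"}  # constructed target-system code set


def sanitize(row):
    """Return (clean_record, None) or (None, rejection_reason)."""
    acct = row["acct"].strip()
    if not (acct.isdigit() and len(acct) == 5):
        return None, "bad account number"
    name = " ".join(row["name"].split())  # collapse padding and double spaces
    if not name:
        return None, "missing name"
    try:
        balance = Decimal(row["balance"].replace(",", ""))
    except InvalidOperation:
        return None, "non-numeric balance"
    status = row["status"].strip().upper()
    if status not in VALID_STATUS:
        return None, f"unknown status {status!r}"
    return {"acct": acct, "name": name, "balance": balance, "status": status}, None


def convert(legacy_text):
    """Convert the extract; return (converted, rejects, control_totals).

    Every input record ends up either converted or in the reject log, and
    the totals let the auditor reconcile the new file back to the old one."""
    converted, rejects, seen = [], [], set()
    input_count = 0
    for input_count, row in enumerate(csv.DictReader(io.StringIO(legacy_text)), start=1):
        clean, reason = sanitize(row)
        if clean is None:
            rejects.append((input_count, reason))
        elif clean["acct"] in seen:
            rejects.append((input_count, "duplicate account"))
        else:
            seen.add(clean["acct"])
            converted.append(clean)
    totals = {
        "input_records": input_count,
        "converted_records": len(converted),
        "rejected_records": len(rejects),
        "converted_balance_total": sum(r["balance"] for r in converted),
        "hash_total_acct": sum(int(r["acct"]) for r in converted),
    }
    if totals["converted_records"] + totals["rejected_records"] != totals["input_records"]:
        raise RuntimeError("control totals do not reconcile")
    return converted, rejects, totals


if __name__ == "__main__":
    _, rejected, ctl = convert(LEGACY_CSV)
    for line_no, why in rejected:
        print(f"line {line_no}: {why}")
    print(ctl)
```

The point for the auditor is the reconciliation: input records must equal converted plus rejected, the reject log must name a reason for every dropped record, and the balance and hash totals of the converted file are the figures to agree to the old system before it is decommissioned.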

Post-implementation Review
The final stage of the SDLC is the post-implementation review. This is used to
determine what went/is going wrong with the development process, as well as what
went/is going right. Its objective is not to determine flaws in the developed system
but to refine the SDLC itself by identifying skill shortcomings and improving control
techniques.
From this point onwards, the system will be subject to ongoing maintenance for
the normal business reasons such as design corrections and ‘bugs’, mandatory
changes, enhancements as the business changes or to accommodate changes in
technology.

Systems Development Exposures


Failures of control during systems development can lead to a variety of business
problems, including:
➤ wrong management decisions;
➤ unacceptable accounting policies;
➤ inaccurate record-keeping;
➤ business interruption;
➤ built-in fraud;
➤ violation of legal statutes;
➤ excessive operating costs;
➤ inflexibility;
➤ overrun budgets; and
➤ unfulfilled objectives.

These may prove minor annoyances or major business catastrophes to the business,
depending on the organization and the system concerned. The primary causes of
development exposures may be summarized as:
➤ incomplete economic evaluation;
➤ management abdication;
➤ inadequate specifications;
➤ systems design errors;
➤ incompetent personnel;
➤ technical self-gratification;
➤ poor communications;
➤ no project ‘kill’ points;
➤ temptations to computer abuse; and
➤ incoherent direction.

Systems Development Controls


In order to achieve controlled systems, the development process must itself be
controlled. Major controls in this area are:
➤ the methodology (SDLC);
➤ staff hiring policies;
➤ training;
➤ technical review and approval;
➤ management review and approval;
➤ audit participation;
➤ the systems test phase;
➤ post-implementation review; and
➤ documentation.


Project management controls to assist the process involve:


➤ periodic schedule reviews;
➤ work assignment;
➤ performance monitoring;
➤ progress monitoring;
➤ status reporting; and
➤ follow-up.

In other words, an IT project is managed no differently from any other long-term,
high-cost engineering project.

The project planning elements would include:


➤ appropriate project guidelines;
➤ work breakdowns complete with start and completion dates; and
➤ an effective monitoring mechanism to measure against agreed schedules.

SDLC Control Objectives


Control objectives for each stage of the SDLC are given below.

Methodology
➤ Formalized, structured methodology will be followed.
➤ Roles and responsibilities will be clearly laid out and adhered to.
➤ Methodology will be kept up-to-date and in step with current developments.

Project initiation
➤ Each new project will be clearly scoped before work starts.
➤ The user department will be involved in the definition and authorization of new
or modified systems.
➤ Team assignment will result in the use of appropriately skilled and qualified
staff.
➤ The start of each phase will be preceded by the appropriate authorization.

Feasibility study
➤ Alternative courses of action will be evaluated in order that an appropriate
solution is selected.
➤ Technological feasibility of the recommended solution will be assured.
➤ All relevant costs will be included in the cost/benefit analysis.
➤ All relevant risks will have been identified and quantified.
➤ Project approval will be given by the appropriate levels of management based
on knowledge.
➤ The project will be capable of being monitored through its existence.

Systems design
➤ Design methodology is appropriate to the proposed system:
◗ lifecycle;
◗ structure;
◗ database;
◗ skeletal; and
◗ prototype.
➤ Documentation will be created to standard.
➤ Input validation requirements will be appropriate.
➤ File structures will conform to departmental standards.
➤ All requisite processing steps will be identified and designed into the system.
➤ All programs will be fully specified according to departmental standards.
➤ All sources of data required for the system will be identified and approved.
➤ The security requirements of the system will be fully defined and approved.
➤ Audit trails will be appropriate and approved.
➤ Documentation of the system design will adhere to departmental standards.
➤ The overall design will include the design of appropriate testing and verification
plans.
➤ Design approval will be obtained from the appropriate levels of management.

Development and implementation


➤ Written narratives of all programs in the system will be available and up-to-
date.
➤ Commercial packages selected will be compatible with existing operations and
departmental policies.
➤ Use of contracted programming staff will be approved and the quality of their
work will be contracted for.
➤ Operational documentation will be produced according to departmental
standards.
➤ Training plans will be produced for all users of the system.
➤ Program testing will be comprehensive and effective.
➤ System testing will test both for functional capability and operational efficiency.
➤ Conversion planning will ensure smooth conversion to the new system.
➤ Acceptance testing will be comprehensive and carried out by the appropriate
staff.

System operations
➤ All organizational controls will operate as designed and intended.
➤ Cost monitoring will ensure that the system operates efficiently.
➤ Modifications to the system will be permitted only by those authorized to carry
them out.

Post-implementation review
➤ Post-implementation review will be carried out by the appropriate staff and
systems will be examined to determine their efficiency, effectiveness and economy.
➤ The systems will be examined to determine areas for improvement in the
development methodology.

The project life cycle has been defined as having identifiable start and end points
and passing through six distinct phases, namely:
➤ concept;
➤ definition;
➤ design;
➤ development;
➤ application; and
➤ post-completion.55

This led to the development of the Waterfall cycle, illustrated below in Figure 28.1.
Here we can see that each activity ‘cascades’ from the previous activity to lead to
the fully developed information system. In this model, you can see that the major
activities overlap significantly. The major difficulty with this model is that
software development’s need to progress iteratively is not catered for, since each
project remains within the identifiable start and end points.
Figure 28.1 ‘The Waterfall’ cycle (stages cascading in order: System Requirements,
Software Design, Analysis, Program Design, Coding, Testing, Operations)

In 1988 Boehm proposed an iterative spiral model for the development and
enhancement of computer software.56 Boehm’s spiral involved five major
functions, namely:
➤ next stage planning;
➤ determining objectives, alternatives and constraints;
➤ evaluation of alternatives;
➤ identifying and resolving risk issues; and
➤ developing and verifying the next level product.

These functions started with the development of a baseline product and then moved
through several iterations until the final product was implemented.
An alternative development model based upon the waterfall cycle was suggested
by Fish57 and is known as the Vee cycle. This follows a sequence such as that
shown in Figure 28.2. Business requirements are dictated by business strategy,
which incorporates explicit user requirements. These then lead to the definition of
systems requirements and specifications. These, in turn, allow the formation of the
architectural design of the software and coding then creates the individual
components of the system, which is then tested ‘up’ the waterfall against the different
levels of specification. From a control and audit perspective, this form of systems
development is considered easier to audit since at each level there are standards
to match against, as well as the fact that there is a separate audit stage.

Figure 28.2 The ‘Vee cycle’ (left arm, top to bottom: Discovery, User requirements,
Functionality, Design, Sanction; right arm, bottom to top: Construct, Check, Review,
Audit, Close-out)

55. Archibald, R.D. 2003. Managing High-Technology Programs and Projects. 3rd ed. New York:
Wiley. p. 19.
56. Boehm, B. 1988. ‘A Spiral Model of Software Development and Enhancement’. IEEE Computer,
May. pp. 61–72.
57. Fish, E. 2002, 2003. An Improvement Project Lifecycle Model. Pandora Consulting,
http://www.maxwideman.com/guests/pic/intro.htm (Guest Department) updated.

Within an IS environment, this approach would typically involve the following:


➤ Discovery is the point in the process when the IS or user area finds there is a
market for a specific system. This phase is brief, and there are few decisions to
be made.
➤ Requirement is the stage at which the user can write an outline system
specification which states: ‘We need a system capable of the following functionality
A., B., C.’. At this stage a feasibility study may include an assessment of the
technical feasibility of this system, its costs and potential benefits.
➤ Functionality occurs when the user can write a detailed business specification
which states all of the business, operational and control requirements. At this
stage the feasibility study may be revisited to re-assess the technical feasibility
of this system, its costs and potential benefits.
➤ Design results in the detailed system specification that specifies file layouts,
screen design, the required hardware and software environment, networking
requirements, and any potential limitations or requirements for new hardware
and software to acquire.
➤ Sanction is the phase in which board approval for design and expenditure is
sought prior to the commitment of resources to the longest part of the process.
➤ Construct is the purchase or development of the software, including the coding,
unit-testing and documentation of the application systems.
➤ Check is used to verify that what is installed is what was intended to be
installed, as set out in the design documents, and that installation was done
according to those design documents. This verification is a critical element of
the ISO 9000 standard.
➤ Review involves testing sub-systems, usually with test material, to ensure that
the intention of the system has been met. This phase tests collections of hard-
ware and software (systems) against the design intent and the interaction of
integrated systems.


➤ Audit is the verification stage, which may be deemed to be complete when the
system can meet the functional, operational and control stipulations of the
detailed business specification. ISO 9000 defines this as validation, where tests
are applied to see if the customer’s requirements are addressed in reality.
➤ Close-out is the stage in which the cycle is completed by ensuring the installed
product matches the need identified during the discovery phase.

As can be seen from the model illustrated in Figure 28.2, the left hand side of the
Vee shows the planning stages, while the right hand side indicates the
implementation or ‘doing’ stages.

Micro-based Systems
In-house developed micro-based systems should be subject to the same controls,
but often are not. They are frequently substituted for IS developed systems and
suffer the same SDLC problems, but, in addition, they fall under nobody’s control
and may be developed by amateurs with no specifications, documentation,
controls, cost/benefit analysis and back-ups.



CHAPTER 29

The Use of CAATs in Auditing Computerized Systems

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the major types of computer-assisted audit techniques (CAATs)
➤ Describe the benefits and limitations of CAATs
➤ Define the types of automated tools available to an IT auditor
➤ Select the appropriate technique and pick the appropriate tool
➤ Understand and use IDEA as generalized audit software

Computer-assisted Audit Tools and Techniques


In today’s environment, a review of business systems will almost inevitably involve
the use of appropriate information retrieval and analysis programs and procedures.
An auditor will use test transaction techniques to review system level activity. In
advanced auditing, the use of knowledge-based systems will allow less-skilled staff
to use advanced audit techniques.

Standards of Evidence
IIA Practice Advisory 2310-1: Identifying Information indicates that audit evidence
should be:
➤ sufficient;
➤ reliable;
➤ relevant; and
➤ useful.

The use of computer-assisted audit solutions involves the merging of software
into an audit program. For this to prove effective, key control questions must be
predefined in order to facilitate the use of the technology to analyze the data and
provide the answers.

Advantages from an auditor’s perspective include:


➤ increased auditor productivity;
➤ creativity; and
➤ the application of a consistent methodology.

Information retrieval and analysis programs and procedures include programs that
organize, combine, extract and analyze information. This includes generalized audit
software, application software and industry-related software. Customized audit
software and information retrieval software, as well as standard utilities and online
enquiry may also be used for information retrieval and analysis. Where an auditor
has computer skills in programming, conventional programming languages may
provide a viable alternative, but a lack of such skills does not preclude auditors from
using such techniques. The ready availability of microcomputer-based software,
which provides computing power without the requirement of technical expertise,
puts direct data analysis within the toolkit of any auditor. The primary requirement
is an understanding of the business application and how data relates.

Generalized Audit Software


Generalized audit software (GAS) is software designed specifically for auditors in
order to provide a user-friendly audit tool to carry out a variety of standard tasks,
such as examining records, testing calculations and making computations.
A common audit technique is to take a copy of a file of standard data for later
comparison to a changed version of the same data. Once again, GAS can conduct
the comparison and analysis.
Selecting, analyzing and printing audit samples are techniques that can significantly
improve the quality of an audit by allowing the quantification of audit and sampling
risk. In a high-volume system, these techniques may be the only method an auditor
can employ to achieve a satisfactory audit. In such systems, the use of computerized
sampling simplifies both the usage and interpretation of results. Most GAS comes
complete with sampling and analysis functions to handle the complexities.
An auditor will commonly have to handle data that is not in a suitable format for
analysis. Summarizing and resequencing data are required to put the information
into a more usable format. Once reformatted, the software can also perform the
appropriate analyses.
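The three GAS tasks just described (comparing a baseline copy of a file with a changed version, summarizing and resequencing, and drawing an audit sample) are shown below in plain Python as an added example. This is not code from the textbook and not the IDEA software the chapter goes on to describe; the vendor master layout, the invoice lines and the spend-limit check are constructed for illustration.

```python
"""Added example, not from the textbook and not IDEA: three GAS-style
routines in plain Python: comparing a baseline copy of a file with a later
version, summarizing transactions, and drawing a systematic sample from
resequenced records. All file layouts and data are constructed."""
from collections import defaultdict
import random

# Constructed baseline copy of a vendor master file taken at the last audit.
BASELINE = {
    "V001": {"name": "Acme Ltd", "bank": "11-22-33 12345678", "limit": 5000},
    "V002": {"name": "Bolt Supplies", "bank": "44-55-66 87654321", "limit": 2500},
    "V003": {"name": "Cable Co", "bank": "77-88-99 11112222", "limit": 8000},
}
# Constructed current version of the same file: one vendor removed, one
# added and one whose bank details have changed.
CURRENT = {
    "V001": {"name": "Acme Ltd", "bank": "11-22-33 12345678", "limit": 5000},
    "V002": {"name": "Bolt Supplies", "bank": "99-99-99 00001111", "limit": 2500},
    "V004": {"name": "Delta Inc", "bank": "12-34-56 55556666", "limit": 1000},
}
# Constructed invoice lines posted since the baseline was taken.
INVOICES = [
    {"vendor": "V002", "amount": 1200}, {"vendor": "V002", "amount": 1600},
    {"vendor": "V001", "amount": 300}, {"vendor": "V004", "amount": 950},
]


def compare_files(baseline, current):
    """Classify records as added, removed or changed; for changed records
    report which fields differ so sensitive fields (bank details) stand out."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for key in sorted(set(baseline) & set(current)):
        diffs = {f: (baseline[key][f], current[key].get(f))
                 for f in baseline[key] if baseline[key][f] != current[key].get(f)}
        if diffs:
            changed[key] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def summarize(rows, key, amount):
    """Summarize transaction rows by a key field (e.g. total spend per vendor)."""
    totals = defaultdict(int)
    for row in rows:
        totals[row[key]] += row[amount]
    return dict(totals)


def over_limit(totals, master):
    """Vendors whose summarized spend exceeds the limit held on the master file."""
    return sorted(v for v, t in totals.items() if v in master and t > master[v]["limit"])


def systematic_sample(records, sample_size, seed=0):
    """Interval sampling: resequence the records, pick a random start within
    the first interval, then take every k-th record."""
    ordered = sorted(records)
    k = len(ordered) // sample_size
    if k < 1:
        raise ValueError("sample size exceeds population")
    start = random.Random(seed).randrange(k)
    return [ordered[i] for i in range(start, len(ordered), k)][:sample_size]
```

Running `compare_files(BASELINE, CURRENT)` surfaces the changed bank account on V002 as a field-level difference rather than a whole-record one, which is the kind of change an auditor wants to see isolated; `over_limit(summarize(INVOICES, "vendor", "amount"), CURRENT)` is the summarize-then-test pattern, and the sampling routine takes a fixed seed so the selection can be reproduced in the working papers.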

Benefits
GAS cannot resolve all of an auditor’s problems, but it can help in many of the
common problem areas. It is specifically designed for the handling of volumes of data.
The output can be used for further computer processing, allowing audits to be linked
together. The time to audit can be reduced and the auditor freed to spend time
interpreting results. Since limited programming skills are needed, the audit reliance
on IS staff is reduced.

Limitations
Hardware and software environments may be restrictive if an inappropriate
package is selected. The number of files to be handled may be restrictive and the types
of record structures may not be comprehensive. Numbers of computations may
be limited and the number of reports per ‘pass’ may be restrictive. This makes the
selection of software a critical element in the effective use of GAS.

Application and industry-related audit software


In addition to GAS, audit software is available for standard business applications,
such as accounts receivable and payable, payrolls, general ledgers and inventory
management. Such software applications are available as stand-alone or as add-ons
to standard GAS packages.

Industry-related audit software is available for specific industries, such as
insurance, health care and financial services. Most of these packages require conversion
of input to standard package layouts and the selection of appropriate parameters.
This means that a degree of IS skill is required for conversion. The software itself is
normally both cost-effective and efficient.

Customized Audit Software


Customized audit software is software designed to run in unique circumstances and
to perform unique audit tests. Where output is required in unique formats,
customized audit software may be required. Such software is normally expensive to develop
and requires a high level of IS skills. It must be handled with care, since running it
may not tell you what you think it does; however, it may be the only viable solution
in a unique processing situation.

Information Retrieval Software


Standard information retrieval software, such as report writers and query languages,
can perform many common audit routines, although not specifically written for
auditors. This category of software includes report writers, program generators and
fourth-generation languages.

Utilities
Utilities are programs written to perform common tasks, such as copying, sorting,
printing, merging, selecting or editing. These programs are normally parameter
driven and can be used in combination with other software. They are extremely
powerful and the right to use them should be restricted. From an audit perspective,
they see data as it exists, which makes their results more reliable.

Online Enquiry
Interactive interrogation can provide comparison data for audit reports and
confirmation of corrective action taken, and can be an additional source of audit
information. Effective use requires few IS skills, but an understanding of the information is
essential. Armed with the appropriate access authority, auditors can obtain
adequate audit evidence to meet their requirements. However, you must be sure about
what you are looking at, since it is easy to draw the wrong conclusions.

Conventional Programming Languages


Standard languages, such as COBOL, BASIC, RPG, PASCAL, C, etc., can be
effective audit tools, but require a certain amount of programming experience. Such
programs are normally slow to develop and expensive and may not be reliable,
since auditors are not professional programmers. They can, however, perform any
audit test an auditor can envisage and can be used in conjunction with any other
type of audit software.


Microcomputer-based Software
Microcomputer-based software can prove a flexible and powerful tool for an
auditor and includes GAS, computer-aided software engineering (CASE),
spreadsheet packages (analysis, manipulation, recalculation, etc), specialized packages
(eg NCSS) and specialized software for auditing micros (eg CSAN).
➤ They have the advantages of being able to use input from multiple hardware/
software platforms, are comparatively inexpensive and mean that a user has
only to learn a set of portable software.
➤ Disadvantages include the fact that an auditor is not looking at the live data
and that the software may not handle all data formats from mainframes.

Test Transaction Techniques


Test transaction techniques are used to confirm processing controls functioning
and include the evaluation of edit and validation controls, the testing of exception
reports and the evaluation of data integrity controls. Total and calculation
verification may be performed.

The transaction test techniques could include the following:

Test data
This technique involves using a copy of the live computer system through which a
series of transactions is passed in order to produce predetermined results. The
volume of data that can be handled limits this technique, while it is effective in
searching for defects. Also, the results may be biased by the results an auditor expects.

Integrated test facility (ITF)


This technique, while similar in nature to test data, is effected by creation within the
live system of a dummy entity (department, warehouse, etc) and the processing of
test data against the dummy entity together with the live data. This technique has
the advantages of testing the system as it normally operates and testing both the
computer and manual systems. It has distinct disadvantages as well. All test
transactions must be removed from the live system before they affect live totals, postings or
the production of negotiable documents such as cheques. In addition, there may be
a very real danger of destroying the live system. ITFs must be used with great care.

Source-code review
This computer audit technique involves the review of the source code originally
written by the programmer. In the past, this has meant browsing through piles of
printout. In today’s environment, sophisticated searches can be implemented using
GAS to establish weaknesses in the source code.

Embedded Audit Modules (SCARFs – System Control Audit Review Files)


In systems where audit trails may exist only as computer records and then only for a
short time or discontinuously, it may be necessary for an auditor to have an in-built
facility to collect and retain selected information to serve as an audit trail for
subsequent examination. This obviously makes the collected data a target for destruction
or manipulation and it must be treated as such.
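The following added example, which is not from the textbook, shows the shape of an embedded audit module and one way of treating the collected data as a target: the application’s posting routine carries an audit hook that copies selected transactions into a review file, and each entry is chained to the previous one with an HMAC so that alteration or deletion is detectable. The selection criteria, the key, the transaction layout and the sample transactions are all constructed for illustration.

```python
"""Added example, not from the textbook: an embedded audit module in the
SCARF style. A hook in the posting routine selects transactions meeting
audit criteria and appends them to a hash-chained review file, so that
later alteration or deletion of collected records is detectable.
The selection rules, key and sample transactions are constructed."""
import hashlib
import hmac
import json

# Constructed key; in practice it is held by internal audit, not by operations.
AUDIT_KEY = b"constructed-demo-key-not-for-real-use"


def selected_for_audit(txn):
    """Constructed selection criteria: large amount, out-of-hours posting,
    or a manual override flag."""
    return bool(txn["amount"] >= 10_000 or not 7 <= txn["hour"] <= 19 or txn.get("override"))


class ReviewFile:
    """Append-only review file. Each entry's tag is an HMAC over the entry
    and the previous tag, so the entries form a chain."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def _tag(self, prev_tag, txn):
        body = prev_tag + json.dumps(txn, sort_keys=True)
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, txn):
        prev = self.entries[-1]["tag"] if self.entries else ""
        txn = dict(txn)  # store a copy so later edits to the live record do not leak in
        self.entries.append({"txn": txn, "tag": self._tag(prev, txn)})

    def last_tag(self):
        """Value the auditor records out of band; comparing it later detects
        truncation of the file, which the chain alone cannot reveal."""
        return self.entries[-1]["tag"] if self.entries else ""

    def verify(self):
        """Return the index of the first broken entry, or None if intact."""
        prev = ""
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(self._tag(prev, entry["txn"]), entry["tag"]):
                return i
            prev = entry["tag"]
        return None


def post_transactions(txns, review):
    """Application posting routine with the audit hook embedded."""
    posted = 0
    for txn in txns:
        posted += 1  # the normal business update would happen here
        if selected_for_audit(txn):
            review.append(txn)
    return posted


# Constructed transactions: ids 2 (amount), 3 (hour) and 4 (override) qualify.
SAMPLE_TXNS = [
    {"id": 1, "amount": 250, "hour": 10},
    {"id": 2, "amount": 15000, "hour": 11},
    {"id": 3, "amount": 400, "hour": 22},
    {"id": 4, "amount": 90, "hour": 14, "override": True},
    {"id": 5, "amount": 30, "hour": 9},
]
```

Two design points matter for the auditor. The key must not be available to the operations staff whose work the file records, otherwise a tag can simply be recomputed after an edit; and the chain only proves that nothing in the middle was altered or removed, so the last tag has to be noted somewhere outside the system at each review to catch a file that has been cut short.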


Parallel Simulation
Parallel simulation is a technique involving the creation of software to simulate
some functional capability of the live system, such as a calculation. The live data is
processed through the simulating program in parallel with the live system, and the
outputs are compared.
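As an added example that is not from the textbook, the block below carries out a parallel simulation of one calculation. The auditor’s program implements the documented rule independently of the live code, runs a copy of the live input through it and compares both the individual results and the control totals. The discount rule, the invoice data and the single discrepant live record are constructed for illustration.

```python
"""Added example, not from the textbook: parallel simulation of one live
calculation. The auditor re-implements the documented rule independently,
runs a copy of live input through it and compares record by record with
the live system's output. The discount rule, the data and the one
discrepant live record are constructed."""
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")
# Constructed documented rule: tier A gets 10% off, tier B 5%, others none.
DISCOUNT = {"A": Decimal("0.10"), "B": Decimal("0.05")}


def simulated_net(gross, tier):
    """Auditor's independent implementation of the documented rule,
    rounding half-up to cents as the documentation specifies."""
    rate = DISCOUNT.get(tier, Decimal("0"))
    return (gross * (1 - rate)).quantize(CENTS, rounding=ROUND_HALF_UP)


# Constructed copy of live input joined with the live system's output column.
LIVE = [
    {"inv": 1001, "gross": Decimal("100.00"), "tier": "A", "live_net": Decimal("90.00")},
    {"inv": 1002, "gross": Decimal("33.33"), "tier": "B", "live_net": Decimal("31.66")},
    {"inv": 1003, "gross": Decimal("250.00"), "tier": "C", "live_net": Decimal("250.00")},
    {"inv": 1004, "gross": Decimal("80.00"), "tier": "A", "live_net": Decimal("75.00")},
]


def parallel_simulation(rows, tolerance=Decimal("0.00")):
    """Compare live output with simulated output; return the exception list
    and the control totals of both runs."""
    exceptions = []
    live_total = simulated_total = Decimal("0")
    for row in rows:
        sim = simulated_net(row["gross"], row["tier"])
        live_total += row["live_net"]
        simulated_total += sim
        if abs(sim - row["live_net"]) > tolerance:
            exceptions.append({"inv": row["inv"], "live": row["live_net"], "simulated": sim})
    return exceptions, {"live": live_total, "simulated": simulated_total}


if __name__ == "__main__":
    found, totals = parallel_simulation(LIVE)
    for exc in found:
        print(f"invoice {exc['inv']}: live {exc['live']} vs simulated {exc['simulated']}")
    print(totals)
```

The simulation is written from the documented rule, not from the live program’s source, which is what gives the comparison its evidential value: agreement shows the live calculation matches what was specified, while an exception (invoice 1004 in the constructed data) points to either an undocumented rule or an error to be followed up. Record-level comparison is kept alongside the totals because offsetting errors can leave the totals agreeing.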

Review of System-level Activity


This involves the examination of control areas with a pervasive influence such as
telecommunications, the operating environment itself, and the systems
development function and change control. End-user computing, although not in the same
category of general control, can be treated in the same manner as a general threat.

CAATs Case Study


As part of your purchase of this book, you have been given access to an educational version
of IDEA® – Data Analysis software. This software can improve your audit performance and
extend your capabilities with IDEA’s powerful functionality. With IDEA®, you can lower
your cost of analysis, add more quality to your work, and meet the new professional
requirements regarding fraud and internal control.
IDEA® can read, display, analyze, manipulate, sample and extract from data files
from almost any source, including reports printed to a file. Included with this version is
a combination of extensive HTML-based Help, an Information User’s Guide and a tutorial
including a CAATs case study.
IDEA® is a registered trademark of CaseWare International Inc.
The link to the software is https://www.caseware.com/IDEACDBook1



CHAPTER 30
Auditing Security and Privacy

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the major computer security risk areas and preferred security
mechanisms
➤ Explain the criteria for effective security
➤ Describe the basic building blocks of operational environments and operating
systems
➤ Select the appropriate methodology for reviewing computer security
➤ Describe the current legislative situation regarding IT privacy

Security
IIA Practice Advisory 2100-2: Information Security provides guidance as to the
responsibility of internal audit for evaluating information security and associated
risk exposures.

‘The chief audit executive should determine that the internal audit activity possesses, or
has access to, competent auditing resources to evaluate information security and associ-
ated risk exposures. This includes both internal and external risk exposures, including
exposures relating to the organization’s relationships with outside entities.’

The first issue affecting information security is identifying who has access to the
organization’s computer systems. This consists of both logical and physical access
aspects and must, in general, provide support for:
➤ management;
➤ users;
➤ data processing;
➤ internal audit;
➤ external auditors; and
➤ all parties concerned who have an interest.

Criteria
Hardware, firmware and software co-exist and an auditor cannot examine one aspect
in isolation. It is the interaction of these components that provides complexity and
an auditor should look on access control as a complex exercise in risk management
technology. This exercise may be aided by utilizing the features within the operat-
ing system itself, as well as security packages such as RACF, ACF2, TOP SECRET
and the like. Even librarian packages controlling access to source libraries such as
LIBRARIAN or PANVALET may help.


The overall objective is to ensure control over access to data files. This includes
preventing unauthorized amendments or disclosures, and means that access to
online data files, authorization of data file usage and physical security over data
files become essential. The use of standard utility programs to access such data
files directly must be controlled, whether by authorized users or by the members
of the IT function itself. Functional capabilities within application systems must be
segregated, which, in turn, means that there must be highly effective user authen-
tication. If there is not a high degree of certainty that a user is who he/she claims
to be, then the use of user profiles defining access authorities becomes ineffective.

User Authentication
IIA Practice Advisory 2100-8: The Internal Auditor’s Role in Evaluating an
Organization’s Privacy Framework states the following:

‘The internal auditor can contribute to ensuring good governance and accountability by
playing a role in helping an organization meet its privacy objectives. The internal audi-
tor is uniquely positioned to evaluate the privacy framework in their organization and
identify the significant risks along with the appropriate recommendations for their
mitigation.’

User authentication involves gaining the assurance that a user is who he/she claims
to be. Users may be authenticated by:

Something he/she knows:


➤ personal identity numbers (PINs), which are normally short and often written
down; and
➤ passwords, which are any combination of letters, digits or special characters
that should be:
◗ hard to guess;
◗ easy to remember;
◗ well guarded; and
◗ frequently changed.

Passwords are the most common form of user authentication, but suffer from some
major drawbacks.
➤ The initial password assignment can be a problem in that, if users are not
forced to change the initial password, it will generally remain unchanged and
therefore be known to the security administrator.
➤ The system must hold a password file somewhere within itself. If this pass-
word file is not adequately protected (in particular, if it holds passwords in clear,
or as fast unsalted hashes that can be cracked offline), it becomes a separate
source of vulnerability within the system.
➤ Users must remember their passwords and this leads to short, easily guessed
passwords. Longer or more difficult passwords are commonly written down
and kept near the terminal where they are needed. This causes obvious prob-
lems in that someone else can find and use them.
➤ Passwords must be changed periodically to be an effective control. Passwords
that remain unchanged for a long time will often become common knowledge.
➤ Users must enter their password into the system and someone can simply
watch them do it.


AUDITING SECURITY AND PRIVACY

In a well-designed password system, the user must change the default password
before it can be used. Password changes must be system-enforced and must
exclude previous passwords. Passwords over communication lines must ALWAYS
be encrypted. Passwords themselves must be as long as possible, contain at least
one alpha and one numeric character, never be displayed on the screen and be
stored only as salted, deliberately slow hashes. Note that current guidance such as
NIST SP 800-63B favours length and screening against known-compromised
passwords over forced periodic change, which tends to produce predictable
variations; an auditor should establish which policy the organization has adopted
and confirm that the system actually enforces it.
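The following is an added example (not from the book, and not the code of RACF, ACF2 or any other package named in this chapter) showing how a password store can enforce the requirements just listed: a forced change of the initial password, a minimum length with at least one alphabetic and one numeric character, exclusion of previously used passwords, and a password file that holds only salted, slow hashes rather than the passwords themselves. The 12-character minimum, the history depth of five and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor. OWASP's password storage guidance suggests 600 000 iterations
# for PBKDF2-HMAC-SHA256; a lower figure is used here so the example runs quickly.
ITERATIONS = 200_000
HISTORY_DEPTH = 5          # previous hashes kept to reject reuse (assumption)
MIN_LENGTH = 12            # assumption; the book says "as long as possible"


class PasswordStore:
    """Password file holding only (salt, PBKDF2 hash) pairs, never the password."""

    def __init__(self):
        # username -> {"salt", "hash", "must_change", "history": [(salt, hash), ...]}
        self._users = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    @staticmethod
    def check_policy(password: str) -> list:
        """Return the list of policy rules the candidate password breaks."""
        reasons = []
        if len(password) < MIN_LENGTH:
            reasons.append(f"shorter than {MIN_LENGTH} characters")
        if not any(c.isalpha() for c in password):
            reasons.append("no alphabetic character")
        if not any(c.isdigit() for c in password):
            reasons.append("no numeric character")
        return reasons

    def create_user(self, username: str, initial_password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "hash": self._derive(initial_password, salt),
            "must_change": True,      # the administrator-assigned password cannot be used for work
            "history": [],
        }

    def authenticate(self, username: str, password: str) -> str:
        user = self._users.get(username)
        if user is None:
            # Burn a derivation anyway so a missing user is not distinguishable by timing.
            self._derive(password, b"\x00" * 16)
            return "no-such-user"
        if not hmac.compare_digest(self._derive(password, user["salt"]), user["hash"]):
            return "bad-password"
        return "must-change" if user["must_change"] else "ok"

    def change_password(self, username: str, old_password: str, new_password: str) -> list:
        """Return [] on success, otherwise the reasons the change was refused."""
        if self.authenticate(username, old_password) not in ("ok", "must-change"):
            return ["old password incorrect"]
        reasons = self.check_policy(new_password)
        user = self._users[username]
        # Reuse check: re-derive the candidate under each stored salt and compare.
        for salt, digest in [(user["salt"], user["hash"])] + user["history"]:
            if hmac.compare_digest(self._derive(new_password, salt), digest):
                reasons.append("password was used previously")
                break
        if reasons:
            return reasons
        user["history"] = ([(user["salt"], user["hash"])] + user["history"])[:HISTORY_DEPTH]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = self._derive(new_password, user["salt"])
        user["must_change"] = False
        return []
```

Because each stored hash has its own random salt, a reuse check has to re-derive the candidate under every salt in the history; that cost is acceptable at password-change time and is the price of not keeping anything reversible in the file. The security administrator who set the initial password never learns the one the user chooses afterwards, which is the point the book makes about initial assignment.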

Something he/she has:


These are usually hand-held devices such as smartcards, microchip cards or laser
cards that hold a secret bound to the user. They operate in challenge-and-response
mode: the system issues a random challenge, the user keys it into the device, and the
device computes a response that only a holder of the secret could produce. The device
is used to establish the session, and further random challenges may be issued during
the session. To be effective, the device must be secured at the user end. It should be
emphasized that such authentication only establishes who opened the session: it does
not protect the confidentiality of what follows, and will not by itself prevent a session
from being taken over.

Something he/she is:


Biometric measurements based on physical or behavioural characteristics of the
computer user include:
➤ fingerprint scanning;
➤ voice recognition;
➤ optical scanning;
➤ holographic recognition;
➤ signature recognition; and
➤ password entry rhythm.

Bypass Mechanisms
User authentication aims at confirming that a user is who he/she claims to be. These
controls can be circumvented by mechanisms such as trapdoors and backdoors:
software loopholes deliberately left in systems to permit entry that bypasses the
normal access controls. They are normally hidden and used only when needed; however,
anyone can use them if they are aware of them and know how to activate them. Such
bypass mechanisms are not uncommon in mainframe environments and are normally
introduced by insiders, for various reasons. The systems programmers may claim they
have to modify the operating system without an IPL (initial program load, that is, a
restart). They may want to issue operator commands from a TSO (Time Sharing Option)
terminal, or even require unlimited access at 3 a.m.
Generally, these are not a good idea, for several reasons. The wrong persons may
find them and, since there is usually no inbuilt security, all access controls may be
bypassed. Therefore, all systems maintenance should go through change control sys-
tems, without exception. The operators, and no one else, should operate the machine,
and no one should be able to bypass the security system at will. An auditor should
look for undocumented system exits and privileged programs in the change history,
and for emergency (‘fire-call’) user IDs whose use is not logged and reviewed.

Auditing Operating Systems


In truth, it is unlikely that an auditor will ever actually audit the operating system
itself. Rather, he/she will examine the operating environment and the way in which it
has been implemented and controlled.
With no computer assistance available, an auditor can still look for normal con-
trols, such as segregation of duties, authorization of work, etc. It is still possible
to seek abnormalities such as excessive machine usage, regular late hours and the


like. A more effective audit will involve using the computer to audit the computer.
This will typically involve the use of CAATs, such as GAS, specialized audit software
or utilities.
Before using CAATs, it is essential that an auditor knows what he/she wants to do.
General browsing is expensive, does not inspire confidence and, worst of all, gener-
ally does not work. From your manual audit you should know what you want to look
at, where to find it, how to get it and what you will do with it.

Using CAATs in interrogation of files can be highly effective if:


➤ you know they have not been doctored;
➤ you have the right files; and
➤ you know what you are looking at.

An auditor should basically never believe what the first printout tells him/her.
Ultimately, an auditor is not there to exercise control, the manager is, and the audi-
tor should check the controls the manager relies on.
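As an added example of ‘using the computer to audit the computer’ (not from the book or from any GAS product), the following scans a session accounting extract for the abnormalities the text mentions: regular after-hours logons, privileged work outside business hours and excessive machine usage. The seven session records, the 07:00 to 19:00 working day and the thresholds are constructed assumptions; on a real engagement the auditor would obtain the extract from the system’s own accounting files and agree the thresholds with management.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed extract from a logon/session accounting file (not real data):
# (user, session start, session end, session used a privileged ID)
SESSIONS = [
    ("opr01",  "2015-03-02T08:05:00", "2015-03-02T17:10:00", False),
    ("opr01",  "2015-03-03T08:00:00", "2015-03-03T17:30:00", False),
    ("sysp1",  "2015-03-02T22:40:00", "2015-03-03T02:15:00", True),
    ("sysp1",  "2015-03-04T23:05:00", "2015-03-05T03:00:00", True),
    ("sysp1",  "2015-03-07T01:30:00", "2015-03-07T04:45:00", True),   # a Saturday
    ("clerk7", "2015-03-05T09:00:00", "2015-03-05T12:00:00", False),
    ("clerk7", "2015-03-06T18:50:00", "2015-03-06T19:40:00", False),  # starts inside hours
    ("batch9", "2015-03-02T06:00:00", "2015-03-04T03:00:00", False),  # 45-hour session
]

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed working day


def is_after_hours(start: datetime) -> bool:
    """Weekend, or a start time outside the working day, counts as after hours."""
    return start.weekday() >= 5 or not (BUSINESS_START <= start.time() < BUSINESS_END)


def review_sessions(sessions, after_hours_threshold=3, hours_threshold=40.0):
    """Aggregate per user and return {user: [reasons]} for users worth following up.
    The thresholds are assumptions; nothing here proves wrongdoing, it only
    selects the sessions the auditor should ask management about."""
    per_user = defaultdict(lambda: {"sessions": 0, "after_hours": 0,
                                    "privileged_after_hours": 0, "hours": 0.0})
    for user, start_s, end_s, privileged in sessions:
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        stats = per_user[user]
        stats["sessions"] += 1
        stats["hours"] += (end - start).total_seconds() / 3600
        if is_after_hours(start):
            stats["after_hours"] += 1
            if privileged:
                stats["privileged_after_hours"] += 1

    findings = {}
    for user, s in per_user.items():
        reasons = []
        if s["after_hours"] >= after_hours_threshold:
            reasons.append("regular after-hours logons")
        if s["privileged_after_hours"]:
            reasons.append("privileged work outside business hours")
        if s["hours"] > hours_threshold:
            reasons.append("excessive machine usage")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review_sessions(SESSIONS).items():
        print(user, "->", "; ".join(reasons))
```

The point the book makes applies here too: before running this, the auditor must know that the accounting file is complete and has not been doctored, since a systems programmer who can bypass security can usually also edit the record of having done so.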

Auditing Communications Security


Computer communications are vulnerable to a number of security threats.

Availability
Computer networks provide valuable services to their users. Users rely on these ser-
vices in order to perform jobs efficiently. When services are not available, a loss in
productivity and profitability results. A network may be rendered unusable by:

Flooding
A server is attacked by bombarding it with transmissions at a rate with which it
cannot cope (a denial-of-service attack). Hostile transmissions may also be hidden
within the flood, where they are less likely to be noticed, and used to attack the
targeted system.

Eavesdropping attack
An intruder eavesdrops on a connection session and, before the connection is
completed, inserts spurious transmissions into the stream in order to take over
(hijack) the connection.

Viruses
A virus can slow down or cripple a computer system. Viruses are self-replicating
pieces of software that spread by infecting a host program.

Logic bombs
A software logic bomb, sometimes called a time bomb, is a hostile software fragment
or program set to inflict damage under certain conditions.

Spam
Spam is unsolicited junk mail that mainly originates with individuals who hold mass
e-mail lists and use them for random mailings. Most spam in South Africa offers
pornographic material, pyramid selling schemes, chain letter schemes or bogus drug
offers. Individuals should never reply to spam: a reply simply confirms that the
address is live, which invites further mailings and more targeted attacks.

Hostile programs
Mini-programs (applets), such as Java applets or ActiveX controls, are usually used
to create moving images or for other innocuous purposes. Some of these, however,
have a more sinister purpose. The activities of hostile applets have ranged from the
redirection of dial-up telephone calls to overseas or premium-rate numbers all the
way up to the diversion of banking funds.

Threats to Confidentiality
There are four common ways that confidentiality may be breached.
➤ Information may be disclosed as a result of impersonation or an intruder mis-
representing someone else.
➤ Performing traffic analysis on communications networks may compromise infor-
mation. By analyzing the timing and frequency of communications, a great deal
about the purpose of the activity may be revealed.
➤ Information may be disclosed as a result of monitoring or tampering with com-
munications, either by logically intercepting the message with network or packet
sniffers, which capture packets as they pass through the network, or by
penetrating the communication medium itself.
➤ A security breach in a communications partner may occur in a network other
than the one controlled by the user, but may still result in that user’s system
being compromised.

Threats to Data Integrity


➤ Loss of confidentiality may also lead to loss of integrity.
➤ Information may be modified as a result of an impersonation, as noted above.
➤ Information may be changed as a result of interfering with the communications
medium, permitting the destroying, corrupting, substituting, replaying or
resequencing of transmitted information.
➤ Information may be modified as a result of a security breach in someone else’s
remote system.

Spoofing (Masquerade Attacks)


Spoofing may occur if an attacker can convince a trusted network that his/her
computer is a valid host on the internal network, for example by forging the source
address of packets. Alternatively, by compromising a domain name server for a valid
domain, an attacker can redirect traffic intended for that domain to a host under
his/her control.

Playback of a Recording (Replay)


A replay attack involves the recording of an authentication session and then playing
it back into the system.


Password Capture
Impersonation using someone else’s user identification and password is becoming
increasingly common. Passwords can be obtained from a variety of sources: captured
before they are encrypted, by keystroke-recording software on the user’s machine;
found in unprotected data directories or scripts; or read off the network with packet
sniffers where the protocol transmits them in clear. Password hashes obtained from
an unprotected password file can be attacked offline (see brute force attacks below).

Brute Force Attacks


With the speed of today’s computers, brute force attacks, which use repeated guess-
es to try every possible password, are comparatively easy. A six-character password
mixing alphabetic and numeric characters used to be considered comparatively safe.
It can now be exhausted in a couple of hours on a PC, and in seconds on specialized
hardware if the passwords are stored with a fast, unsalted hash. Length, and a
deliberately slow hashing function, are the only real counters.
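The following added example (not from the book) makes the brute-force arithmetic concrete. It exhaustively searches a small password space against an MD5 hash, measures the guess rate this interpreter achieves, and extrapolates to the six-character alphanumeric case discussed above. MD5 is used because it is the kind of fast, unsalted hash a brute-force attack exploits; the 10 000 000 000 guesses-per-second figure for purpose-built hardware is an assumed order of magnitude, not a measurement.

```python
import hashlib
import itertools
import string
import time

LOWER = string.ascii_lowercase          # 26 characters
ALNUM_CI = string.digits + LOWER        # 36: the book's "numeric and alpha", case-insensitive
ALNUM_CS = ALNUM_CI + string.ascii_uppercase   # 62: case-sensitive


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack(target_hex: str, alphabet: str, max_length: int):
    """Exhaustive search, shortest candidates first, in lexicographic order.
    Returns (password, attempts) or (None, attempts) if the space is exhausted."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
                return candidate, attempts
    return None, attempts


def measure_rate(alphabet: str = LOWER, length: int = 4) -> float:
    """Time a full sweep of alphabet^length and return guesses per second."""
    start = time.perf_counter()
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        hashlib.md5("".join(combo).encode())
    return attempts / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for a single password: every candidate of exactly this length."""
    return alphabet_size ** length / guesses_per_second


def report(measured_rate: float, hardware_rate: float = 1e10) -> dict:
    """Seconds to exhaust three spaces at the measured rate and at an assumed
    hardware rate. Compare the 6-character rows with the 12-character one."""
    cases = {
        "6 chars, 36 symbols":  (36, 6),
        "6 chars, 62 symbols":  (62, 6),
        "12 chars, 62 symbols": (62, 12),
    }
    return {name: (seconds_to_exhaust(n, k, measured_rate),
                   seconds_to_exhaust(n, k, hardware_rate))
            for name, (n, k) in cases.items()}


if __name__ == "__main__":
    pw, n = crack(md5_hex("zeta"), LOWER, 4)
    rate = measure_rate()
    print(f"recovered {pw!r} after {n} guesses at about {rate:,.0f} guesses/s")
    for name, (here, hw) in report(rate).items():
        print(f"{name}: {here/3600:,.1f} h here, {hw:,.2f} s on assumed hardware")
```

Even in an interpreted language the four-character lower-case space falls in well under a second. The 36^6 space is about 2.2 thousand million guesses, which at the assumed hardware rate is under a second; the 62^12 space is about 3.2 × 10^21, which is hours of computing even at that rate only if the hash is fast, and becomes impractical once each guess costs a deliberately slow derivation such as PBKDF2 with a high iteration count.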

Log Tampering
An attacker may be able to destroy or modify log or audit trail evidence if the files
are not properly protected.

Libel and Contentious Material


In the past, libelous chain letters were not unknown. Today’s equivalent is defama-
tory e-mails. This can leave an organization open to a lawsuit because of a defama-
tory statement by an employee.
You need to know precisely what users are doing with your e-mail system. You
should have a defined policy about the nature of any materials transmitted from
within your system to the outside world and vice versa.

Loss of Intellectual Property


Could someone take your knowledge for nothing? If a computer displays or makes
available materials or data that is felt to be valuable to the organization, steps must
be taken to protect that material.



CHAPTER 31
Disaster Recovery and Business Continuity Planning

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the distinguishing characteristics of the various types of contin-
gency plans
➤ Define the roles and responsibilities in producing a contingency plan
➤ Describe the internal audit role and strategies for auditing contingency planning
➤ Evaluate and test a corporate contingency plan

Disasters: ‘Before and After’


Perhaps the best-prepared organizations are the ones who have lived through a
calamity. Among the risks of disasters faced by an organization daily are:
➤ fire;
➤ floods;
➤ earthquakes and/or tornadoes;
➤ building collapse;
➤ explosion;
➤ industrial failure;
➤ power failure;
➤ loss of data;
➤ deliberate sabotage;
➤ computer abuse;
➤ deliberate action by staff;
➤ ‘hacking’ into systems;
➤ Internet penetration; and
➤ EDI abuse.

As you can see, many of these risks have nothing to do with computer systems, but
affect the enterprise as a whole. There is a tendency to focus on the information
systems to the exclusion of everything else within an organization, and this is as
dangerous as not looking at contingency planning at all.
Disasters may be grouped in four basic categories, as Table 31.1 shows. In each of
these cases a different approach to disaster recovery planning is required. A plan
for evacuation of the building is inappropriate if the disaster involves the loss of a
small but vital file. On the other hand, a disaster on the scale of the 11 September
2001 attack on the Twin Towers of the World Trade Center in New York, which led
to the complete collapse of both buildings within two hours, the loss of thousands
of lives and the destruction of the business entities occupying the buildings together
with their complete records, information systems and equipment, may not be
possible to recover from, no matter how effective a disaster recovery and business
continuity plan an organization may have developed. It is noteworthy, however, that
the New York Stock Exchange, located close to the Twin Towers and badly affected
by the destruction of electricity supplies and the disruption of communication links
in that part of the city, restored its communications and resumed trading within a
week of the disaster.

Table 31.1: Types of disasters

Disaster type A
Potential loss: people; buildings; factories; finance; credibility; materials; computers
Causes: explosion; aircraft crash; fire that completely destroys the building and its
contents; flood; industrial action; earthquake; sabotage; sanctions

Disaster type B
Potential loss: hardware; software; in-house data (temporary loss)
Causes: explosion; fire; flood; industrial action

Disaster type C
Potential loss: software, and the inability to recover in-house data
Causes: explosion; fire; flood; freak atmospheric forces, earthquakes, tornadoes;
deliberate destruction; bad systems design; poor operating standards

Disaster type D
Potential loss: software (partial loss only), and the inability to recover
Causes: computer operational error; deliberate destruction; bad systems design; poor
operating standards



DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING

Disaster recovery plans must therefore be capable of responding to a variety of
‘disasters’ and providing optimal solutions for each.

Consequences of Disruption
The consequences of disruption may include delays in invoicing leading to loss of
revenues, lost interest, lost current sales and lost future business, as well as addi-
tional incurred costs because of extra staffing and overtime required to reprocess
lost data. Loss of discounts and increased interest on loans may also occur, as may
general inefficiency.
From a production control perspective in a manufacturing company, problems
would typically include lost production and schedule disruption, while, from a legal
perspective, penalty clauses for failing to meet supply contracts could jeopardize the
whole enterprise. At minimum, there would be ill will generated among customers,
shareholders and staff.
The different levels of preparedness for a disaster may be categorized as in
Table 31.2.

Table 31.2: Levels of preparedness for a disaster

Poor: Organization highly vulnerable to damage to its data processing capability;
could jeopardize corporate survival.
Weak: Disaster would result in conspicuous interruption of IT services and could
result in loss of business.
Adequate: Organization could recover from the loss of computer capabilities at some
cost and public embarrassment.
Good: Organization could recover from the loss of computing capability with some
cost but little embarrassment.
Very good: Organization is ready for virtually any eventuality. Disaster should have
no material impact on the business.

Where to Start
IIA Practice Advisory 2110-2: The Internal Auditor’s Role in the Business Continuity
Process provides guidance as to the role of an internal auditor in assessing the
organization’s disaster recovery plan (DRP) and business continuity process (BCP)
planning. The principle is as follows:

‘Internal auditing activity should assess the organization’s business continuity planning
process on a regular basis to ensure that senior management is aware of the state of
disaster preparedness.’

As with any other form of business analysis, the beginning involves understanding
the business. In DRP terms this means modeling the business, identifying data flow
and dependencies and identifying the critical systems as well as any dependent
systems (including manual ones).


For the purposes of this book, we will use the loss of computing capability as
an example of such a disaster. For most modern organizations, IT is an essential,
although not the only, corporate resource. The techniques described apply equally
to any other form of disaster situation.
Computer systems may be identified by type, for example by operating
objectives. Systems may be centralized, distributed or stand-alone and may also
be real-time, online or batch processes.
These can then be assigned degrees of priority based upon their business loss
rating, the alternative service level required or the maximum down-time tolerable.
Systems may be categorized by the impact of stoppage and by any essential
interfacing systems (computer and manual) that have been identified.
Once systems have been prioritized, all systems, including manual ones, must be
documented. Relationships must be identified and the impact of stoppage quanti-
fied.
A factor commonly overlooked is ensuring that alternative accommodation for
people, stationery supplies, office equipment and interim control procedures have
been identified.
Data used within each system needs to be graded by application and therefore by
strategic importance, as well as by alternate method of sourcing and degree of pain
in loss. In a comprehensive plan, data may even be rated by potential disruption
period. Each application is therefore graded, although not all of its data is of equal
importance or priority.

Disaster Recovery Processes in Place


It is important to establish:
➤ the minimum configuration required;
➤ whether continuity agreements with vendors exist;
➤ if back-up procedures have been agreed and are implemented;
➤ if there is compatibility of equipment and computer hardware;
➤ if there is compatibility of firmware and system software;
➤ if security arrangements have been agreed; and
➤ if testing of off-site hardware back-up arrangements is carried out regularly
(and successfully).

In addition, controls such as redundant hardware (ie hardware in excess of cur-
rent requirements), dual controllers for peripheral devices, switchable communi-
cations capabilities and duplicated communications lines should be considered.
Uninterruptible power supply (UPS) systems and standby generators will help in
preventing power problems from becoming fully-fledged disasters.

Testing the Disaster Recovery Plan


In order to carry out a successful test of the disaster recovery plan, management
needs must be fully defined and approved. The plan must cover all in-house and
third party risks and must define all ‘retained’ risks.
This is recognized in the extensive guidance provided in IIA Practice Advisory
2100-6: Control and Audit Implications of e-Commerce Activities.


‘The internal auditor should review the business continuity plan and determine if it has
been tested. Management should have devised an alternative means to process the
transactions in the event of an interruption. Management should have a process in place
to address the following potential conditions:
➤ Volume attacks
➤ Denial of service attacks
➤ Inadequacies in interfacing between e-commerce and financial management systems
➤ Back-up facilities
➤ Strategies to counter: hacking, intrusion, cracking, viruses, worms, Trojan horses,
and back doors.’

Auditing the Disaster Recovery Plan


This involves investigating and evaluating:
➤ policies;
➤ the application systems covered;
➤ the user data defined;
➤ the hardware required;
➤ the systems software needed; and
➤ the realism of the testing.

Overall an auditor must evaluate the probability of business continuity.

Disaster Recovery Plan Maintenance


The auditor must also be satisfied that the plan itself will be kept up to date and
appropriate as the organization and business operations change over time. This
means that the auditor must be satisfied that the plan includes arrangements and
procedures that:
➤ ensure responsibility for plan maintenance;
➤ ensure management is kept informed;
➤ ensure the master copy of plan is secure for use in an emergency; and
➤ ensure copies distributed to key personnel are kept up to date and secure.

Business Continuity Planning


Management Responsibility for Business Continuity
The King II Report stressed the importance of risk-based management to be located
at the board level. As a result, the concept of business continuity management
(BCM) as a board-level responsibility has become a focal point for many organiza-
tions.
The first stage of the planning process has to be an acceptance by the board of
the organization that BCM is a valid approach to take. It is critical that a specific
member of the board accepts overall responsibility for the risk management process
and acts as sponsor or champion. This ensures that the process will achieve the
appropriate level of importance in the organization.
At the operational level, a single overall co-ordinator must be appointed to
report directly to the sponsor. This key role requires a mixture of business skills
and people skills, as the job calls for good project management and a high degree
of communication and interpersonal skills. One of the major roles of the co-ordi-
nator is to ensure that management at all levels understands the rationale behind
the plan so that it becomes an integral part of each manager’s normal responsibili-
ties. The co-ordinator can achieve the overall objective by following a predefined
methodology.

Understanding the Business


BCM is essentially about understanding the nature of the business and being able
to establish what is critical for its survival and ongoing good health. The founda-
tion for the plan is therefore a comprehensive analysis of the business. If this goes
astray, the whole business continuity plan and therefore corporate survival may be
jeopardized.

The analysis is designed to identify:


➤ the primary business objectives of the organization;
➤ the methodology and choice of resource allocation by management to achieve
those objectives;
➤ the major role players and their part in ensuring the ongoing conduct of the
business of the organization; and
➤ the timing chosen by management.

The success of the business is dependent on a variety of factors, some internal and
some external. Externally, government regulations, actions by competitors, positions
taken by unions and pressure groups can all have an influence. Customers, share-
holders and suppliers will also play their part. Internally, the success or failure of the
organization rests heavily on its internal control structures and its use of the right
IT systems. The broader the key relationships and back-up resources that each co-
ordinator can identify and provide for in the continuity plan, the greater the chance
of an effective plan being devised.

Business Impact Analysis


Once the critical processes and functions have been established, the co-ordinator
must work out the impact, if any, the disruption of these functions and processes
could have on the achievement of the corporate objectives. Each individual busi-
ness process may be vulnerable to a number of threats and risks, which must be
considered when conducting the overall impact analysis. Although the organization
may face a great number and variety of risks, the impacts are normally few in
number. For example, should the computerized operations be disrupted owing to
lack of power, it becomes irrelevant at this stage whether the shortage of power
was caused by a power cut, a strike or a blown fuse. The net effect is still the same
and the impact on the business is still the loss of computing power.
For this reason, the business impact analysis concentrates on the impact of the
risks to the business rather than specific causes of the risks. The process must
also take into consideration the time sensitivity of individual business functions
as part of their vulnerability to disruption, since this will affect the prioritization
of their recovery. All those involved in the critical processes should have input to
the analysis. Generally, such processes cross function or divisional boundaries and
consensus must be reached on the analysis.


Once the analysis has been conducted, the co-ordinator should seek agreement
at board level from the sponsor on the results of the analysis. Once approval has
been granted, the process may continue to the next stage.

Risk Assessment
After the impact of various disaster scenarios on the business has been established,
a risk assessment is carried out to determine, for both the internal and external
threats, the likelihood of occurrence. There are many methodologies for carrying out
such a risk assessment and the co-ordinator should select the appropriate method-
ology for the specific organization. By combining the results of the risk assessment
and business impact analysis, a ranking may be achieved illustrating the most critical
areas to be addressed as part of the continuity strategy. Once again, approval from
both the sponsor and the board must be sought.

Continuity Strategies
Having identified those areas where the organization is most at risk, a decision has
to be made as to what approach is to be taken to protect the operation. With the
guidance of King II, this decision must be taken at board level.
Many possible responses to risk exist, and usually any strategy adopted will
consist of a number of these approaches. Whichever are chosen, there are certain
alternatives to bear in mind, as Table 31.3 indicates.

Table 31.3: Approaches to risk management

Option: Do nothing
Reason for choosing option: In some instances the board may consider the risk
commercially acceptable.

Option: Changing or ending the process
Reason for choosing option: Deciding to alter existing procedures must be done
bearing in mind the organization’s key focus.

Option: Insurance
Reason for choosing option: Provides financial recompense/support in the event of
loss, but does not provide protection for brand and reputation or for customer
defection.

Option: Loss mitigation
Reason for choosing option: Tangible procedures exist to eliminate/reduce risk.

Option: Business continuity planning
Reason for choosing option: An approach that seeks to improve organizational
resilience to interruption, allowing for the rapid recovery of key business and
systems processes, whilst maintaining the organization’s critical functions.

The strategy chosen must recognize the internal and external dependencies of the
organization and all management members involved should agree to it.

Developing the Response


This stage involves both developing the detailed response to an incident and the
formulation of the disaster recovery plans that support that response. This process
is based upon inputs derived from the analyses previously carried out and would
use the business continuity strategies agreed with executive management.

Emergency Response
This phase covers the development, testing and implementation of procedures for
responding to an emergency and stabilizing the situation following an incident. At
this stage also, co-ordination may be achieved with the emergency services in order
to clarify their powers, roles and responsibilities in the event of an emergency.
Detailed steps must be designed in order to ensure the initial assessment of the
impact is carried out and that, for the protection of personnel, decisions are made
under the overall direction of the emergency plan.
One commonly omitted step within the overall emergency response is the deter-
mination of the appropriate actions to be taken in order to salvage whatever is
salvageable and to determine the actual extent of the emergency. This includes
identification of those tasks to be taken immediately to mitigate losses and to sal-
vage whatever is possible.

Developing Business Continuity Plans


The kernel of the BCM process is the development of a business continuity plan. This
document consolidates:
➤ the actions to be taken at the time of an incident;
➤ the timing of the actions;
➤ who is involved; and
➤ how they are to be contacted.

As such, it is critical that the plan be up to date and known. The plan itself should
include the definition of the organization’s view of what constitutes a disaster as
opposed to a normal interruption in processing. The individual authorized to declare
a disaster must be noted. In addition, escalation procedures will be required to
attempt to contain an emergency that continues for a long time. Also contained
within the plan should be the description, responsibilities and organization of the
recovery teams, including the support staff required.
At some point in the process, the organization will want to change over from the
emergency response plan to the business continuity plan, and this transition must be
facilitated by the plan. The draft plan should be appropriate for the organizational
risks. Further plans may be required at the departmental or functional level; should
this be the case, it is critical that these are aligned with the overall corporate plan.
An organization is a dynamic entity and the plan should reflect this dynamism.
This means that ongoing maintenance should be seen as a normal part of the plan-
ning process and mechanisms to make changes to the plan should be designed at
an early stage.
In summary, the plan must define the business continuity procedures covering the
mission-critical process and functions of the organization. It must specify what the
key resources are and what processes are to be followed to recover these resources
and provide continuity to the business.


DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING

Establishing a Business Continuity Culture


The success of BCM depends on the successful implementation, across the entire
organization, of any changes to normal procedures recommended to ensure continuity.
A comprehensive program of training for those directly involved in the execution of
the plan is essential. An overall education process must be executed to ensure
company-wide awareness and understanding of the plan and of the implications should
the plan not succeed.
Employees at all levels, from executive management down, must commit themselves to
the implementation of the strategies and tactics that form the foundation for the
plan. Training exercises must be built in that carry out the individual phases of the
plan under both normal and emergency conditions. It is the confidence that individuals
and the organization can handle a crisis that entrenches a continuity culture within a
company.

Testing the Business Continuity Plan


A business continuity plan cannot be relied on until it has been fully tested and
proved to be effective. This is especially true given the impact of failure of the plan.
Testing should cover both verification that the plan is achievable, as well as familiar-
izing staff with their role in the implementation of the plan.
The testing must be carried out on a regular basis, and the frequency will depend on
the perception of business risk within the environment of the organization. Normally,
annual testing would be taken to be the minimum, although, where corporate risk is
evaluated at a higher level, more frequent testing may be required.

Maintenance of the Plan


A process must be established whereby the co-ordinator is informed of any signifi-
cant changes in the business environment so that he/she can incorporate them into
the plan. Effective change control procedures are required to ensure that all distrib-
uted copies of the plan remain current.

Auditing the Plan


The final stage of the planning process is the conducting of an audit to ensure that
the process itself remains appropriate and up to date with current continuity man-
agement practice. This should be carried out by internal audit in order to ensure
objectivity. The frequency of the audit will be dependent on the volatility of the plan
and the speed of change within the operational environment of the organization.


CHAPTER 32
Auditing e-Commerce and the Internet

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the distinguishing characteristics of e-commerce
➤ Quantify the unique risks inherent in such an environment and select
appropriate control techniques
➤ Discuss the legal and contractual framework required to implement corporate
e-commerce effectively
➤ Discuss the impact of e-commerce on the internal audit paradigm
➤ Outline briefly the history and growth of the Internet
➤ Describe the major risk sources from the Internet and the appropriate control
mechanisms
➤ Explain the fundamentals behind the development and use of advanced
encryption techniques
➤ Define the strengths and weaknesses of firewalls
➤ Develop an appropriate audit program for using the Internet

Changing the World


Electronic commerce technologies are rapidly changing the business world, as well
as the rules and conditions under which business is transacted. Accordingly, audi-
tors and accountants must be aware of how technology affects their business, their
industry and related industries, the legal and regulatory environment, and their
profession.
The most current and relevant information on new and emerging electronic commerce
issues, technologies and approaches is probably on the World Wide Web. However,
finding and keeping up with these changes is a significant challenge.

Key technologies and their uses and impacts addressed include but are not limited
to:
➤ electronic data interchange (EDI);
➤ electronic funds transfer (EFT);
➤ electronic benefits transfer (EBT);
➤ the Internet;
➤ the World Wide Web (WWW, W3 or the Web);
➤ electronic trust and security;
➤ legal issues;
➤ effects on global economies;
➤ educational implications; and
➤ effects on accounting and auditing standards.

e-Commerce
What is e-Commerce?
At its simplest, electronic commerce (e-commerce) is the process of doing busi-
ness electronically. It encompasses automating a variety of business-to-business
and business-to-consumer transactions through reliable and secure connections.
Organizational structures and cultures must be realigned as e-commerce is imple-
mented. Similarly, policies, procedures and practices will have to be reformulated to
accommodate the movement to e-commerce.

Impact on Accounting and Auditing


IIA Practice Advisory 2100-6: Control and Audit Implications of e-Commerce
Activities provides the following guidance for an internal auditor employed or
engaged in organizations using e-commerce in the conduct of their business
operations.

‘The e-commerce risk and control environment is complex and evolving. Risk can be
defined as the uncertainty of an event occurring that could have a negative impact on
the achievement of objectives. Risk is inherent to every business or government entity.
Opportunity risks assumed by management are often drivers of organizational activi-
ties. Beyond these opportunities may be threats and other dangers that are not clearly
understood and fully evaluated and too easily accepted as part of doing business. In
striving to manage risk, it is essential to have an understanding of risk elements. It is
also important to be aware of new threats and changes in technology that open new vul-
nerabilities in information security.’

The advent of e-commerce affects the core elements of accounting and auditing
– the practices, techniques, skill and knowledge requirements, liabilities and services
offered.
Historical control models address mainly internal controls and the processes for
assuring their effectiveness. With e-commerce, the control model spans the globe,
and assurance processes range from internal systems and network administration
to having to rely on a trust model of second and third parties that may be otherwise
unknown to the organization. Furthermore, the sheer quantity of transactions and
their total financial value can be huge. This being the case, the providers of assur-
ance services (accountants and auditors) are challenged to find new and different
means of making assurance possible.

The Changing Business Environment


Change is occurring in the following business areas:
➤ business structure and organization;
➤ business location;
➤ distribution channels;
➤ forms and means of conducting business (sales);
➤ relationships with trading partners and customers;
➤ revenue recognition;
➤ payment processes;
➤ tax accounting and payment;
➤ information resources management;
➤ consolidation of data from diverse sources;
➤ data warehousing/mining;
➤ application of new knowledge; and
➤ relationships with software vendors.

Each area of change requires that accountants and auditors review the basic prem-
ises and activities of the business and assess the effects on risk management and
related controls. The new techniques, risks and controls are vastly different from the
business processes they are supplanting. At the same time, organization manage-
ment at all levels will find they have new responsibilities to ensure control objectives
are met and can be measured and assessed using all the new tools and techniques
– many of which did not exist as short a time as one year before.

Technology
The accounting profession provided the first applications of business automation
with electronic accounting machinery (ie the calculator). But soon the technology
spread beyond accounting applications and into every area of business, informa-
tion and process management. At the same time, the auditing profession began to
recognize the need for information systems and technology specialists that would
expand audit practices into assessment of controls that did not previously exist,
but were increasingly to be found at the heart of issues surrounding the reliability
and integrity of information in every organization.
Today, the accounting profession needs technology specialists not only to imple-
ment advanced accounting systems, but also to oversee the accounting for assets
controlled by the technology, as well as the assets that the technology itself repre-
sents. Similarly, the auditing profession has developed the requirement for highly
specialized technologists to support virtually all auditing techniques, and to assess
controls within the detailed environments that manage complex risks.

Today, the CA, the CIA and the CISA must share both knowledge and responsibilities
as they evaluate and assess the technologies and applications of:
➤ digital/electronic signatures;
➤ data exchange protocols;
➤ Secure Electronic Transaction (SET);
➤ secure sockets layer (SSL);
➤ electronic licensing and security initiative (ELSI);
➤ encryption;
➤ public and private keys;
➤ key generation;
➤ key management (and custodianship);
➤ public key infrastructure (PKI);
➤ token transactions;
➤ smartcards;
➤ electronic cash (Mondex, e-cash tokens);
➤ point of sale,
and much more.

Example Audit and Control Issues in EDI


EDI provides a good example of where we have come from in e-commerce, and offers
insight into our future with Internet-based e-commerce.
Assessing controls and providing assurance in an EDI environment is at best a
multiparty activity. An internal audit within an organization may provide little or no
value in assessing the reliability of control environments of outside business part-
ners and the EDI network. Second- and third-party reviews may assess the business
partners and networks, but other elements of control may evade such assessments.
Moreover, if third-party assurances, as provided by encryption service providers and
key management activities, are judged adequate at a particular point in time, they
may still be invalidated some time in the future by the constant changes in technol-
ogy.
Many control issues have been central to EDI for roughly 30 years, but manage-
ment and auditors still have difficulty assuring the integrity of this environment.

Examples include the following:
➤ Audit trails: Although EDI may generate lots of paper, the original transaction is
paperless and the official evidence is electronic. Electronic evidence continues
to present a moving target in terms of reliability and non-repudiation.
➤ Business continuity: As transactions migrate to the EDI format, reliance on out-
side parties increases. Security for computer systems and networks continues
to evolve, but there is still no generally accepted control model for EDI systems
and network security, or for back-up, recovery and processing continuity.
➤ Information security and privacy: EDI transactions passing through third-party
networks are exposed to unauthorized access. Again, there is no standard con-
trol model for such risks within this constantly changing environment.
➤ Potential legal liability: Despite agreements being established to assure protec-
tion of information, even the audits conducted by and for other trading part-
ners could represent potential legal liability for an organization. And control
weaknesses in business partners’ environments represent continuous, although
probably unknown, threats.
➤ Records retention: Electronic records retention controls require a consistently
applied and fully recoverable technology environment. Again, standards may be
difficult to identify and assess.
➤ Segregation of duties: Appropriate division of duties in an EDI environment can
be achieved, but can also be compromised by seemingly unrelated events and
activities.

As these examples from the relatively mature EDI environment illustrate, it is grow-
ing more difficult to assess controls and provide assurances by relying on traditional
accounting and auditing techniques and practices. Auditors and accountants must
apply techniques to focus not only on the messages managed within EDI, but also on
the processes and technologies that provide authentication and assurance against
security breaches.

The Impact on Auditing and Audits


Legal issues
The Internet has few, if any, physical boundaries. The sheer number of potential busi-
ness partners and customers on the Net makes it a desirable and viable alternative
to traditional commerce methods. Its use, however, raises a host of legal issues that
will have to be resolved within an infrastructure and/or in the courts.
In July 1997, the Clinton administration in the US released A Framework for
Global Electronic Commerce.58 It defines the US position in critical areas of e-com-
merce and frames the major issues of the information age. Significantly, a main
thrust of the administration’s policy is self-regulation, not government regulation.

In addition to the findings and recommendations contained in this framework, a
number of other legal issues present themselves for consideration when examining
and assessing e-commerce risks and risk management:
➤ different intellectual property laws in different jurisdictions;
➤ situs (location, jurisdiction) for law and the initiation of any legal remedies;
➤ product liability and related claims made against organizations within the coun-
try in which the product is sold (in e-commerce, this becomes more difficult);
➤ contract enforcement, and the legality of the language used in the contract, in
the jurisdiction in which the product is sold (in addition, the laws of non-repu-
diation must be addressed in electronic contracts);
➤ enforceability of the debt, particularly the currency of sale and debt collection
laws;
➤ copyright laws and their enforcement in various countries;
➤ confidentiality of commercial contracts, transactions and related data transmit-
ted over various networks; and
➤ ‘contractual agreement’ vs ‘invitation to treat’.

Financial issues
Just as legal issues promise to bring global dimensions to e-commerce risk manage-
ment and control assessment, numerous financial issues must also be addressed.
Consider taxes, duties and import fees (particularly for soft goods such as software
or music, or for services such as expert opinion or advice, which can be delivered
electronically and thereby become less easily subjected to inspection and/or
confiscation), the flow of capital across boundaries, etc.

Audit implications
Many auditors today pride themselves on their expertise in internal controls. For a
growing number, this expertise is oriented toward controls in information systems
and technology. However, highly technical and complex esoteric systems and pro-
cesses provide an increasing percentage of the fundamental controls in e-commerce
environments. Individuals (including auditors) who are capable of understanding the
elements of control in such environments and who also understand the business,
legal, financial and other implications of such controls are rare indeed.
In the simplest terms, auditors will seek to verify that e-commerce environments
provide:

Proof of:
➤ a transaction occurring;
➤ authorization for the transaction;
➤ authentication of the sender;
➤ non-repudiation of the transaction;
➤ compliance with legal requirements, laws and jurisdiction enforceability,
taxation, etc; and
➤ established audit trails to review and assess transactions.

Assurance that:
➤ opportunities and risks are identified and assessed;
➤ continuous controls and monitoring are essential system design elements;
➤ auditability features provide for the use of expert systems techniques,
and much more.

Or, to put it another way: there are no simple audit solutions. Fortunately, the same
organizations that build and use the technologies, and the technologies themselves,
will help to solve the problem of how to provide assurances in an environment of
constant change.

58. Available at http://www.iitf.nist.gov/eleccomm/ecomm/htm. An executive summary can be found at
http://usinfo.state.gov/journals/itgic/1907/iige/gj-12.htm

Future Directions in e-Commerce Auditing


In short, auditors must reverse the thrust of their audit efforts. They must assume
a controlled environment, and perform analytical assessments of any and all avail-
able records in search of data anomalies that suggest potential flaws in information
and/or controls.
Auditors must provide assurance that things are as they are expected and report-
ed to be. In this regard, the profession is moving inside the systems and networks.
Audits have long been focused on electronic information, so the most effective
tools are electronic monitors and embedded intelligence. Historically, audit moni-
tors quickly became management tools, because management processes were not
mature enough to build the needed monitors into systems, networks and processes.
But management will soon have to grow up in terms of e-commerce use, risk man-
agement and controls, or their businesses will fail.
In the new environment, the audit process will begin with data analysis. For
electronic commerce, auditors will never have enough time to follow the traditional
information systems audit approach59 of in-depth systems analysis to discover,
define, assess, plan and execute tests of the controls. Consequently, they will
skip these tasks and assume they are well managed by the responsible parties.
(To date, system control processes have often not been managed properly, and
internal audit practice has therefore usually not been aimed at the problems. As
a result, audits have been aimed at the symptoms of problems that exist because
management failed to enforce responsibility for controls.)
The improving price/performance ratio for information processing, storage and
transmission equipment will soon provide massive redundancy in data at all points
of accumulation, transfer, processing and storage. Massive redundancy will become
a control requirement because it is already becoming a competitive advantage.

59. See Mair, W.C., Wood, D.R. & Davis, K.W. 1982. Computer Control and Audit. Florida: Institute
of Internal Auditors.


Thus, auditors will use powerful analytical engines to find anomalies in data using
techniques such as voting. Audit knowledge bases, supported by expert systems,
will accumulate rules and information about data patterns that can be applied on a
routine basis. Audit monitoring will take place at a fairly low level until such time as
patterns emerge indicating potential problems or a set of conditions not previously
encountered. Only when such problems are uncovered will the audit alarm go off.
When this happens, additional embedded data will be accessed, allowing auto-
mated tracking of transactions or transaction types forward and backward through
the systems.
Intelligence gained from human intervention will be added to the intelligent audit
agents built into the systems and processes. Human auditors will need highly spe-
cialized expertise to understand and manage the embedded audit agents.
A current, although somewhat elementary, example of such analysis is the
application of Benford’s Law to sets of numbers. To simplify greatly, Benford’s
Law states that in many naturally occurring sets of numbers that span several orders
of magnitude (payment amounts, invoice values, populations), the leading digits follow
a predictable frequency pattern: 1 appears as the first digit about 30 per cent of the
time and 9 under 5 per cent, with similar expectations for succeeding digit positions.
Thus, comparing the digit frequencies of a set of numeric transactions against the
Benford expectation will quickly surface populations of artificial transactions (ie
fraudulent transactions and errors, such as invented amounts clustered just below an
approval threshold). The test flags a suspicious population rather than an individual
transaction, and it does not apply to assigned numbers such as account or cheque
numbers, or to amounts constrained to a narrow range.
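The following Python is an added example, not from the book, that makes the test concrete. It runs the first-digit Benford test over two constructed populations: CLEAN_AMOUNTS, spread log-uniformly over three orders of magnitude (the kind of population the law describes), and the same population with FABRICATED added, a block of invented amounts all between 7 000 and 7 745. The conformity bands are Nigrini’s published mean absolute deviation (MAD) thresholds for first digits; all function names and data are the example’s own.

```python
"""First-digit Benford test for a set of transaction amounts (added example)."""
import math
from collections import Counter

# Expected share of each leading digit under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Constructed data. CLEAN_AMOUNTS is log-uniform over three orders of magnitude
# (1 to 1 000), the kind of population for which Benford's Law holds.
CLEAN_AMOUNTS = [10 ** (i / 200) for i in range(600)]
# FABRICATED imitates invented invoice values clustered in one range (7 000 to 7 745).
FABRICATED = [7000 + 5 * j for j in range(150)]


def leading_digit(amount):
    """First significant digit (1-9) of an amount, or None for zero."""
    for ch in f"{abs(amount):.15f}":
        if ch in "123456789":
            return int(ch)
    return None


def first_digit_distribution(amounts):
    """Observed proportion of each leading digit among the non-zero amounts."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    return {d: counts[d] / n for d in range(1, 10)}, n


def benford_deviation(amounts):
    """Compare observed leading-digit proportions with Benford's expectation.

    Returns the sample size, the mean absolute deviation (MAD) across the nine
    digits, and the digit with the largest excess over its expected share, which
    points the auditor at the range of amounts to pull for inspection.
    """
    observed, n = first_digit_distribution(amounts)
    mad = sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / 9
    worst = max(BENFORD, key=lambda d: observed[d] - BENFORD[d])
    return {"n": n, "mad": mad, "worst_digit": worst, "observed": observed}


def conformity(mad):
    """Nigrini's first-digit MAD bands (0.006 / 0.012 / 0.015)."""
    if mad <= 0.006:
        return "close conformity"
    if mad <= 0.012:
        return "acceptable conformity"
    if mad <= 0.015:
        return "marginally acceptable conformity"
    return "nonconformity"


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_AMOUNTS),
                        ("tampered", CLEAN_AMOUNTS + FABRICATED)):
        r = benford_deviation(data)
        print(f"{label}: n={r['n']} MAD={r['mad']:.4f} {conformity(r['mad'])}; "
              f"largest excess at digit {r['worst_digit']}")
```

Run stand-alone, it reports the clean population as close conformity and the tampered one as nonconformity with the largest excess at digit 7, which is exactly the range an auditor would then examine transaction by transaction. Second-digit and first-two-digit tests follow the same structure with their own expected tables.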
After analyzing data and identifying anomalies, the auditors will begin investiga-
tions of the circumstances that caused the anomalies. To the extent that these are
control deficiencies, management will be expected to provide or repair the controls
and provide evidence that they function properly.
Implementation of this future audit scenario will be accelerated by increased
demands on the governance level of management, increasing litigation and the
increasing shortage of professionals capable of practising and willing to tolerate the
current and historical approach to auditing.

Conclusion
Electronic commerce is a broad, varied and technically complex field supporting
seemingly simple components. Understanding and assessing controls in this envi-
ronment could well be the fabled ‘straw that breaks the camel’s back’, so auditors
will be forced to apply techniques that have been used only infrequently to date.
Furthermore, e-commerce will provide an avenue back to auditing through separat-
ing it from systems analysis and control consulting. This is not to imply that auditors
will become any less skilled in investigation and analysis; indeed, they will become
more skilled and specialized. However, responsibility for controls will become more
recognizably a management function – not an audit requirement.

The Internet
The Internet has a history that stretches back into early computer history. Significant
events include:
1957 – Advanced Research Projects Agency (ARPA)
1962 – packet-switching networks
1969 – ARPANET commissioned by the US Department of Defense
1970 – ARPANET starts using network control protocol (NCP)
1972 – e-mail invented by Ray Tomlinson

1973 – ARPANET goes international
1976 – UUCP developed
1979 – Usenet established
1982 – ARPA establishes TCP and IP
1983 – Internet Activities Board (IAB) established
1984 – Domain name system (DNS) introduced – 1 000 host barrier broken
1987 – UUNET founded – 10 000 host barrier broken
1988 – Internet relay chat (IRC) developed
1989 – 100 000 host barrier broken
1990 – ARPANET ceases to exist
1991 – PGP developed – 1 trillion bytes per month/10 billion packets per month
1992 – Internet Society (ISOC) is chartered – 1 million hosts
1993 – WWW service traffic growing at 341 634 per cent per year
1994 – Shopping centers trade on the Internet
1995 – Search engines are the ‘technology of the year’
1996 – Internet 1996 World Exposition
1997 – Bill Gates nominates 1997 ‘The Year of the Internet’

From this it can be seen that the Internet has grown in a largely uncontrolled manner
at an exponential rate. As a tool it is, perhaps, unrivalled as an information
repository. It is, however, a potentially unreliable source of information, since the
source and accuracy cannot be guaranteed. Some data will be correct, some misleading
and some wrong.
Initially, access to Internet information was extremely unfriendly. There were no
search engines. Most of the useful Internet information was on ftp (file transfer
protocol) sites. The user needed to know the address of the ftp site required and,
to get hold of the information, a working knowledge of Unix commands. The Internet was
used primarily by scientists and academics whose main interest was in publishing their
ideas and enabling peer review of their material. Because they were all part of a
common community, they felt no need to check the identity of the information provider.
As a result, the Internet evolved with no perceived need for copyright, security or
other fundamental controls.
With the introduction of the World Wide Web, the Internet was transformed. By
1994, the Web could be used to send text and pictures and, eventually, even sound
and animation over the Internet. Powerful search engines made it easy to find infor-
mation and ‘surfing the Web’ became a major research and business tool.

Internet Communication
The Internet uses the concept of the ‘packet’ to transmit information, where a
packet is a collection of related data that is parcelled, addressed and dispatched to
a destination. Each packet travels independently across different networks, carrying
the addresses of the sending and receiving computers, and the packets are reassembled
at the other end into the full original message. Routers located at intermediate
stages work out the route each packet takes.
Communication is achieved by using an agreed set of standards, arranged in layers,
which enable different systems to speak a mutually understandable language. Primary
among these layers, from the business user’s point of view, is the application layer.

Application layer
Defined by the application developer, the application layer fulfills specific business
needs, for example:
➤ file transfer protocol (ftp) is used to transfer files;
➤ simple mail transfer protocol (smtp) is used to deliver e-mail;
➤ network news transfer protocol (nntp) is used to deliver Usenet news; and
➤ hypertext transfer protocol (http) is used to transfer hypertext documents.

Addressing
In order for the Internet to work, the addresses used for sending and receiving
messages must be common to all participants. This is achieved using IP addresses,
carried in every packet by the TCP/IP protocols.
An IP (version 4) address is a 32-bit number that is unique for every machine
across the network (ie unique in the world). It is conventionally written as four
decimal numbers, one per 8-bit octet, each between 0 and 255 and separated by dots,
for example 199.9.200.1. Address blocks are allocated by the Internet registries
(historically the Network Information Center (NIC) in the US; today the regional
registries and the Internet service providers that obtain address space from them).
The leading bits of the address identify the network and the remaining bits identify
the host within that network; how many bits belong to the network part is given by the
subnet mask or prefix length (for example /24, meaning the first three octets are the
network number and the last octet is the host). These conventions are intended to
permit communication for specific purposes, some of which are discussed below.
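As an added example (not from the book), the Python below parses an address strictly, splits it into network and host parts for a given prefix length, and rejects the leading-zero form (199.009.200.001) that some parsers read as octal. The function names are the example’s own; the test addresses are the book’s example with the zeros stripped.

```python
"""Strict IPv4 parsing and network/host split by prefix length (added example)."""


def parse_ipv4(text):
    """Parse a dotted-decimal IPv4 address into a 32-bit integer.

    Strict rules: exactly four octets, decimal digits only, each 0-255, no
    leading zeros. Leading zeros are rejected because inet_aton-style parsers
    read an octet such as '011' as octal (and treat '009' as malformed), so one
    string can name different hosts to different software; that ambiguity is
    used to slip past address-based filters.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not part or any(c not in "0123456789" for c in part):
            raise ValueError(f"non-decimal octet {part!r} in {text!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero in octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {part!r} out of range in {text!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value):
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_ipv4(text):
    """True if text is an address parse_ipv4 accepts."""
    try:
        parse_ipv4(text)
    except ValueError:
        return False
    return True


def netmask(prefix_len):
    """32-bit mask with the top prefix_len bits set, e.g. /24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def split_network_host(text, prefix_len):
    """Return (network address as text, host number) for the given prefix length."""
    addr = parse_ipv4(text)
    mask = netmask(prefix_len)
    return format_ipv4(addr & mask), addr & ~mask & 0xFFFFFFFF


def same_network(a, b, prefix_len):
    """True if a and b share the network part under the given prefix length."""
    mask = netmask(prefix_len)
    return (parse_ipv4(a) & mask) == (parse_ipv4(b) & mask)


if __name__ == "__main__":
    for addr in ("199.9.200.1", "199.009.200.001"):
        print(addr, "valid" if is_valid_ipv4(addr) else "rejected")
    print(split_network_host("199.9.200.1", 24))   # ('199.9.200.0', 1)
    print(split_network_host("199.9.200.1", 16))   # ('199.9.0.0', 51201)
```

The same address gives a different network/host split under /24 and /16, which is why a filter rule or audit trail that records an address without its prefix length is incomplete.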

E-mail
Using e-mail gives an immediate, practical use of the Internet. It follows the same
basic principle as normal mail. There is a message, which is placed in an envelope
with or without attachments. The envelope is addressed. A return address is added
and the mail is posted, but the communication is virtually instantaneous.
E-mail is a low-cost and standard communication medium that offers substantial
advantages over fax or even normal mail in terms of speed and cost. However, the
major problem of e-mail lies in the trust placed in it. Because it is perceived as
reliable, its contents go unquestioned, yet the sender address and display name are
supplied by the sender and can be forged, and unprotected messages can be read or
altered in transit. A forged or misleading alias can be used to receive mail intended
for someone else or to pose as someone else; while this is generally considered highly
unethical, even as a joke, it can and does happen. Communicating anonymously is
possible for positive reasons (anonymous tip-offs) or negative reasons (harassment,
libel, etc).
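The following Python is an added example, not from the book, of the kind of consistency check a recipient (or a mail filter) can apply to the headers a sender controls: it compares the domain of the visible From address with the envelope sender (Return-Path) and with any Reply-To, the two places an impostor must point at themselves to receive the reply. Both messages are constructed for the illustration. The check is a heuristic: a finding is a prompt to verify the instruction out of band, not proof of forgery, and an empty result proves nothing, because every header here is supplied by the sender.

```python
"""Sender-consistency checks on a raw e-mail (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. SPOOFED shows an impersonation attempt: the
# visible From claims an internal address, but the envelope sender (Return-Path)
# and the Reply-To point elsewhere, so any reply goes to the impostor.
SPOOFED = """Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (unknown [203.0.113.7])
    by mx.example.com with ESMTP id 4f2a9c
From: "Finance Director" <fd@example.com>
Reply-To: fd.example.com@webmail.example.org
To: payments@example.com
Subject: Urgent payment instruction
Message-ID: <20240101.1@webmail.example.org>

Please settle the attached invoice today and confirm by reply.
"""

CLEAN = """Return-Path: <fd@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.25])
    by mx.example.com with ESMTP id 7b1d03
From: "Finance Director" <fd@example.com>
To: payments@example.com
Subject: Q3 budget figures
Message-ID: <20240101.2@mail.example.com>

Figures attached as agreed.
"""


def _domain(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_consistency_findings(raw_message):
    """Return human-readable findings about who really sent a message.

    Heuristic only: mismatches also occur in legitimate mail (mailing lists,
    bulk senders), so a finding is a prompt to verify out of band, not proof
    of forgery, and a clean result is not proof of authenticity either.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    reply_to_domain = _domain(msg.get("Reply-To"))
    findings = []
    if not from_domain:
        findings.append("From header missing or unparsable")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"envelope sender domain {return_path_domain} differs "
                        f"from From domain {from_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from "
                        f"From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, sender_consistency_findings(raw) or ["no findings"])
```

The Return-Path is written by the receiving mail system from the SMTP envelope, so it is the one header in the list that the sender cannot simply type; that is why a mismatch with the From line is the first thing worth looking at.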

WWW (World Wide Web, the Web or W3)


The Web consists of resources that have addresses, and browsers that allow access
to these resources. A uniform resource locator (URL), which is basically a website
address, describes how to find a resource, and resources are linked to one another
from within Web pages. The WWW is rapidly taking over as the de facto Internet
standard, based around the hypertext transfer protocol (http).

ftp
Ftp is both a program and a protocol and allows files to be copied to and from PCs,
Macs, minis or mainframes. It can permit the obtaining of directory listings, allow
the creation of directories and even permit the deletion or renaming of files.
Usernames and passwords are transmitted unencrypted, so anyone able to observe the
network path can capture them, and ftp can connect to any host on the Net if the name
or IP address is known. A variety of ftp, called anonymous ftp, permits access by
unknown users without a personal password.

html
Hypertext mark-up language (html) is a plain ASCII language that interleaves plain
text with <tags>. Hypertext links to other pages are supported and there are several
editors available in the public domain, as well as commercial software products such
as Microsoft’s FrontPage. The primary use of html is the design of web pages.

Connecting to the Internet


Connecting to the Internet involves obtaining a communications address on the
Internet. An organization obtains an address range from its Internet service provider
or registry and registers a domain name in the DNS (domain name system), which maps
that name to the addresses of the organization’s hosts so that its network can be
reached from the Internet.

Personal access to the Internet is normally achieved via either SLIP or PPP. SLIP is
the serial line Internet protocol and is used for Internet connection via dial-up. PPP
is the point-to-point protocol, which is a newer protocol doing the same job, but
better designed. Access generally has three requirements:
➤ an access phone number of a service provider;
➤ a personal user-ID; and
➤ a personal password.

These are obtained by registering with a service provider who provides Internet
access commercially to a variety of users.

Finding Information on the Internet


Given the nature of the Internet and the vast quantities of information available,
you need help to locate specific areas of interest. This usually involves using search
engines such as Altavista, Lycos, Yahoo, Hotbot and Google.
These services are provided free by companies that gather information on web-
sites and permit public browsing. They can also be used in searching for e-mail
addresses.
General tips for effective use of such search engines or web browsers include
keeping search commands as simple as possible to minimize the time taken for the
search, while at the same time using combinations of keywords, focused searches
and operators to minimize the number of pages returned. It is a good policy to
use several search tools for simple searches to familiarize yourself with the process
before using them for urgent searches. Useful websites or pages located can be
bookmarked for future ease of access.

Internet Security
Internet security is a potential risk area.
➤ Problems include entry to corporate systems through the Internet and loss of
confidentiality of messages.
➤ Message authentication problems exist that can lead to acceptance of false mes-
sages or instructions. Verification of authorization then becomes non-negotiable.
➤ User authentication is difficult unless specific efforts are made to ensure the
genuineness of claimed identity. At the same time, user anonymity cannot be
ensured and accesses can easily be traced back to source using the inbuilt
facilities of the browsers.
➤ Unattended terminals that are logged on to the Internet can lead to unauthor-
ized use. This in turn may lead to time wasting on a grand scale and huge
phone bills.
➤ Since many sites accessed are ‘untrusted’, uncontrolled downloading of
unknown software easily spreads viruses.
➤ E-mail overflow can result if insufficient space is reserved for incoming mes-
sages, and messages can be lost.
➤ Infrastructure observation and infrastructure interference may be possible if
external users have the capability of observing people and events on the inside
of a connected network.
➤ Standard vulnerabilities of computer systems, including back-up thefts, staff
bribery, password guessing, observation of password entry or ‘shoulder surfing’,
viewing poorly disposed of confidential output or ‘dumpster diving’ continue
to be problem areas. These are compounded by network-specific threats such
as the use of packet watching ‘sniffers’ or by wire closet attacks at the control
points of the physical network.

Combating these threats involves establishing the risk areas and defining an appro-
priate security architecture. This will typically include:
➤ the use of firewalls (hardware/software combinations that prevent unauthorized
outsider access);
➤ network address translation, which conceals origins of messages by providing a
barrier between the message sender and the receiver; and
➤ operating system hardening, which involves ensuring that all possible options to
enhance security are taken.

Packet-level screening, encryption, looking after the infrastructure and monitoring
Internet use by individuals can all help.
E-mail security can be enhanced by using encryption software such as PGP, which
can be downloaded from ftp://net-dist.mit.edu/pub/PGP. PGP has become the de
facto standard for e-mail encryption. RIPEM (Riordan's Internet privacy enhanced
mail), available from ftp://ripem.msu.edu/pub/crypt/ripem/, supports e-mail using
DOS, OS/2 and NT operating systems.
Recent hacks via the Internet included a hacker who stole 100 000 credit card
numbers using a packet sniffer to catch the data. He was caught trying to sell the
numbers. Hackers broke into the official Lost World site and changed it to ‘The Duck
World: Jurassic Pond’. In itself this was a fairly innocuous act, but the site also con-
trolled the safety of the rides at the theme park and the changes could have resulted
in injury or even death.

Internet/Intranet Security
Internet and internal network attacks on corporate enterprises seem inescapable in
today’s computing environment. Most companies admit to having been attacked at
some time in the past year. While the most costly attacks have been from the inside,
external attacks from hackers and competitors are rising dramatically. How do you
know when you are under attack? The chances are you already create enough audit
trail data, but who has time to look at it?
Intrusion detection tools solve this problem by automatically discovering and
responding to attacks. We will explore the need for intrusion detection, discuss les-
sons learned from early intrusion detection efforts, and explore the different types
of intrusion detection tools available. We will also compare and contrast the three
common methodologies used for intrusion detection, and discuss the advantages
and disadvantages inherent in various architectures.
Not so long ago, hacking took a lot of time and study. While expert hackers
still abound, the Internet has entered a new era. Using almost any search engine,
ordinary Internet users can quickly find information describing how to break into
systems by simply searching for such key words as ‘hacking’, ‘password cracking’
and ‘Internet security’.
Thousands of sites publish step-by-step instructions on how to break into Windows
NT systems, Web servers, UNIX systems, etc. The sites often include tools that auto-
mate the hacking process. In many cases, the tools have easy-to-use graphical inter-
faces. For instance, a tool called Crack automatically tries to guess UNIX passwords.
A similar tool called L0phtcrack breaks Windows NT passwords. A software probe
called SATAN discovers vulnerable systems in a network and reports on the specific
holes that can be exploited.
What does all this mean? Almost anyone with the motivation to break into sys-
tems can quickly obtain the technology to do so without having to become an expert
hacker.
To be effective, an intrusion detection solution must be capable of detecting
attacks from both inside and outside the network.
In the early 1980s, conventional wisdom dictated that the best way to detect
intrusions was to create logs or audit trails of all security-relevant activity. As a
result, most operating systems, databases, routers and mission-critical applications
generate audit trails. The original idea was that a security administrator would
review the audit logs looking for suspicious events.
This seemed like a fine idea when companies only had a few systems and a few
users. The industry quickly realized that no one had time to read all that audit trail
data. A few enterprising developers built query and reporting programs to help ana-
lyze the audit trail in an attempt to find trouble spots. For example, in 1984, Clyde
Digital Systems developed a product called AUDIT, which automatically searches
through OpenVMS audit trails looking for suspicious events. (Incidentally, this prod-
uct is still in use today.) In 1987, a US government-funded project called IDES at
Stanford Research Institute read audit trails and created profiles of normal use pat-
terns for users and then reported deviations.
Unfortunately, as the number of users, systems, applications and databases has
grown, the audit trails have also grown so large that now they can actually cause
denial of service problems from using up too much disk space. Many production
environments routinely turn off audit trails to avoid disruptions to production
systems. So, the current situation at most sites is that they plan to rely on audit
trails to detect intrusions. But without the staff to review the audit trails, these
sites turn off the audit trails to improve productivity.

Today’s intrusion detection products fall into three basic categories:
➤ post-event audit trail analysis;
➤ real-time packet analysis; and
➤ real-time activity monitoring.

Each of these categories has value and particular advantages and disadvantages.

Post-event audit trail analysis


The traditional intrusion detection method has been to perform post-event audit
trail analysis. SAIC’s CMDS and TIS Stalker fall into this category, since they analyze
certain UNIX audit trails for suspicious activity.

This type of product has two key advantages.
➤ One is that it addresses the tremendous difficulties that organizations experi-
ence in examining and managing audit trails. Many times the purchase of such
a product can be justified on the cost savings achieved through the centraliza-
tion and automation of audit trail management.
➤ The second advantage is that investigators can go back in time and do histori-
cal analysis of events that have occurred in the past. More sophisticated prod-
ucts can graph results and show trend analysis by attack category, system, type
of system, etc. This is particularly useful in investigations of break-ins that have
taken place over a period of time.

From a network-security perspective, the disadvantage of a pure ‘after-the-fact’
product is that by the time it detects the security problem it is generally too late
to respond and protect the data. The resulting consequences of the attack go far
deeper into the network without resistance. Ultimately, the damage is already done
by the time you find out. Also, since most hackers learn how to cover their tracks by
tampering with audit trails, after-the-fact analysis often misses attacks.

Real-time packet analysis


Several products are now available that detect attacks in real time and respond
immediately, ideally before damage is done.
One method of real-time intrusion detection is to dedicate a system to sniffing
packets traveling across a single network segment. Using this methodology, the
intrusion detection software is placed on the system, which puts the Ethernet card
in ‘promiscuous mode’ so that the software can read and analyze all traffic. It does
this by examining both the packet header fields and packet contents. The intru-
sion detection software includes an engine that looks for specific types of network
attacks, such as IP spoofing and packet floods. When the packet analysis software
detects a potential problem, it responds immediately by notifying a console, beep-
ing a pager, sending an e-mail, or even shutting down the network session. This
category includes products such as Wheelgroup’s NetRanger, ISS’s RealSecure, and
Network Associates’ CyberCop.
In a typical deployment, a sniffer is placed outside the firewall to detect attack
attempts coming from the Internet. A sniffer is also placed inside the network to
detect Internet attacks that penetrate the firewall and to assist in detecting internal
attacks and threats. For full enterprise coverage, sniffers must be placed on each
network segment. In addition, tools are required to manage the various sniffers
remotely, collate the information gathered, and display the enterprise-wide informa-
tion on a console.


The advantages of the packet analysis technique are that there are certain
network-oriented attacks (IP spoofing, packet storms, etc.) that are best detected
via packet examination. Also, you do not need to put software on various hosts
throughout the network. But remember that the basic definition of a network is an
organization of nodes and links. A packet analyzer monitors traffic on the links but
does not monitor the nodes, which are key pieces of any network. Referring to a
packet analyzer as ‘network-based’ intrusion detection ignores the basic definition
of a network, which includes nodes as well as links.

Using the packet-sniffing methodology as the exclusive intrusion detection tech-
nique has other disadvantages as well, as indicated below.
➤ Packet analysis intrusion detection is distant from the mission-critical applica-
tions and the data it is trying to protect.
➤ Packet analysis does not detect typical attacks like:
◗ exploiting a buffer overflow flaw on UNIX to gain access;
◗ exploiting a Windows NT registry vulnerability to gain administrator access;
◗ browsing for files that the user should not have access to;
◗ attacking mission-critical servers through dial-up lines;
◗ inserting Trojan horses on systems, such as changing the Windows NT login
program;
◗ illegally using a mission-critical application (eg funds transfer system);
◗ tampering with the content of Web pages and a Web server;
◗ improperly modifying firewall or router settings; and
◗ inappropriately accessing a database.
➤ Sniffers require dedicated hardware for each segment of the network being
monitored. The cost of the hardware increases depending upon the speed of
the network link. The sniffer box must also be capable of keeping up with the
volume of traffic. As faster networks are deployed, this will require significant
hardware upgrades for the packet analyzers.
➤ Packet sniffers do little in the space of encrypted packets. At best, sniffers can
acknowledge that a packet was transferred across the link. But since the data is
encrypted, the sniffer cannot report in context as to what the packet contained.

Real-time activity monitoring


An effective method for real-time intrusion detection is to monitor security-related
activity occurring on the various systems and devices that make up the network.
While most activity monitors watch the operating system audit trails, more
sophisticated tools:
➤ track audit trails from applications, databases, Web servers, routers, firewalls,
etc;
➤ monitor critical files for Trojan horses, unauthorized changes, etc;
➤ watch TCP and UDP port activity; and
➤ accept SNMP traps and triggers.

Real-time activity monitors can detect attacks such as attempts to access unau-
thorized sensitive files or to replace the login program with a new version. Unlike
packet sniffers, they can detect when a user illegally obtains ‘root’ or administrator
access. When suspicious activity is detected, the real-time activity monitor can take
immediate action before damage is done. This action can include notifying a con-
sole, sending an e-mail, beeping a pager, disabling a user account, terminating the
intruder’s process, terminating the intruder’s session, shutting the system down or
executing a command procedure.
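A toy real-time activity monitor of the kind described above, added here as an example and not taken from the book: it parses constructed audit-trail lines, applies rules for attempts on sensitive files and illegal acquisition of root, checks critical files such as the login program against baseline hashes, and records the response the monitor would take. The log format, file paths, user sets and sample lines are assumptions made for the example.

```python
"""Toy real-time activity monitor: rule checks over host audit-trail events
plus a baseline-hash check on critical files (example, not the book's code)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy, constructed for this example: who may legitimately do what.
SENSITIVE_FILES = {"/etc/shadow", "/var/app/funds_transfer.db"}
SENSITIVE_FILE_READERS = {"root", "backup"}       # users allowed to touch them
ADMIN_USERS = {"root", "sysadmin"}                # users allowed to become root
CRITICAL_FILES = {"/bin/login", "/etc/passwd"}    # files watched for Trojan horses

# Known-good baseline: path -> SHA-256 of the approved contents. Constructed here;
# a real monitor records this at install time and keeps it out of reach of users.
GOOD_CONTENT = {"/bin/login": b"ELF-login-v1.0",
                "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh"}
BASELINE = {path: hashlib.sha256(data).hexdigest() for path, data in GOOD_CONTENT.items()}

# Assumed audit-trail line format: "<timestamp> user=<u> action=<a> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    rule: str
    user: str
    detail: str
    response: str   # what the monitor does: notify console, disable account, ...


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one audit-trail line into a dict of fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = {"ts": m["ts"], "user": m["user"], "action": m["action"]}
    event.update(dict(KV_RE.findall(m["rest"])))
    return event


def check_event(event: Dict[str, str]) -> Optional[Alert]:
    """Apply the detection rules to one event. Attempts count even when the
    operating system denied them: the attempt itself is the suspicious activity."""
    user, action = event["user"], event["action"]
    path, target = event.get("file", ""), event.get("target", "")
    if (action in ("read", "write") and path in SENSITIVE_FILES
            and user not in SENSITIVE_FILE_READERS):
        return Alert(event["ts"], "sensitive-file-access", user,
                     f"{action} {path} (result={event.get('result', '?')})", "notify console")
    if action == "su" and target == "root" and user not in ADMIN_USERS:
        return Alert(event["ts"], "illegal-root", user, "obtained root access",
                     "terminate session; disable account")
    if action == "write" and path in CRITICAL_FILES:
        return Alert(event["ts"], "critical-file-write", user, f"wrote {path}",
                     "verify file integrity")
    return None


def check_integrity(current_contents: Dict[str, bytes]) -> List[str]:
    """Return the critical files whose current contents no longer match the baseline.
    current_contents maps path -> bytes (constructed here; a real monitor reads disk)."""
    changed = []
    for path, good_hash in BASELINE.items():
        data = current_contents.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != good_hash:
            changed.append(path)
    return sorted(changed)


def monitor(lines: List[str], current_contents: Dict[str, bytes]) -> List[Alert]:
    """Process audit-trail lines in order, escalating a critical-file write to a
    'trojaned-critical-file' alert when the baseline hash no longer matches."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        alert = check_event(event)
        if alert is None:
            continue
        if alert.rule == "critical-file-write":
            changed = check_integrity(current_contents)
            if changed:
                alert = Alert(alert.timestamp, "trojaned-critical-file", alert.user,
                              "hash mismatch: " + ", ".join(changed),
                              "shut down system; notify console")
        alerts.append(alert)
    return alerts


# Constructed sample audit trail and on-disk state (not real log data).
SAMPLE_AUDIT_TRAIL = [
    "2015-04-16T11:13:01 user=alice action=login result=ok",
    "2015-04-16T11:13:07 user=bob action=read file=/etc/shadow result=denied",
    "2015-04-16T11:13:09 user=bob action=su target=root result=ok",
    "2015-04-16T11:13:15 user=bob action=write file=/bin/login result=ok",
    "2015-04-16T11:13:20 user=backup action=read file=/etc/shadow result=ok",
    "this line is not in the expected format",
]
SAMPLE_CONTENTS = {"/bin/login": b"ELF-login-v1.0-replaced",
                   "/etc/passwd": GOOD_CONTENT["/etc/passwd"]}

if __name__ == "__main__":
    for a in monitor(SAMPLE_AUDIT_TRAIL, SAMPLE_CONTENTS):
        print(f"{a.timestamp} [{a.rule}] user={a.user}: {a.detail} -> {a.response}")
```

The backup user's read of the shadow file produces no alert because the policy permits it; the same read by bob is reported even though the operating system denied it.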

e-Commerce over the Internet


Electronic commerce (e-commerce) is the process of doing business electronically.
It encompasses automating a variety of business-to-business and business-to-con-
sumer transactions through reliable and secure connections.
Since the turn of the millennium, business has awakened to the opportunities the
Web provides to advertise and sell products and services in an international mar-
ket of millions of potential customers. From its beginnings, when business on the
Internet was disapproved of, the position has changed to one where most Internet
users have come to realise that it is unavoidable that business should exploit the
Internet and its facilities.
This has resulted in the growth of legal disputes regarding the ownership of
material on the Web, domain names and Internet fraud, and distrust can arise if
not swiftly dealt with. When engaging in e-commerce, it is important that the busi-
ness partner has confidence in the trading partner’s confidentiality practices for
e-commerce transactions. Lack of confidence in the electronic information and com-
munications systems can hinder the development of e-commerce. Consumers will
embrace e-commerce only if the risks are perceived to be at an acceptably low level.
As a result, internal auditors must pay special attention to assessing the level of risk
when auditing e-commerce systems.
Unlike private information, which is being defined at law in many countries world-
wide, there is no internationally recognized definition of confidential information or
rights of access to confidential information to ensure its accuracy and completeness.
As a result, interpretations of what is deemed to be confidential information must
normally be driven by contractual arrangements.
For example, an unauthorized party may intercept business partner identification
and authentication information and transaction data while they are being transmit-
ted over the Internet. If access to the information is controlled by encryption, it is
difficult for the unauthorized party to decipher it. Again, if the computer system
where the data is stored is not protected by a firewall and a rigorous system of
access controls, unauthorized people may access the information.
Most large organizations have a firewall, but many are incorrectly configured,
rarely updated and seldom monitored for signs of trouble. Ensuring that internal
audit staff periodically test the security can help identify exposures and reduce the
likelihood of unauthorized access to the system.
Often it is found that an organization’s own people are its greatest weakness, yet
many organizations fail to have even a security policy. It is critical that security become
fundamental within corporate culture. This involves understanding which information
within the business is at risk, and then designing the appropriate policies and proce-
dures to protect it. Senior management needs to promote the importance of security
actively and make sure its people are educated about security threats.

e-Commerce has resulted in fundamental changes to many of the risks internal audi-
tors try to identify controls over, such as:
➤ Audit trails: Within an e-commerce system, the original transaction is paperless
and the official evidence is electronic. As such, an auditor will have to be able
to follow an electronic audit trail.
➤ Business continuity: As e-commerce expands, reliance on the effectiveness of
other organizations’ network security, back-up, recovery and processing conti-
nuity increases.
➤ Information security and privacy: Transactions passing through third-party net-
works may be exposed to unauthorized access.
➤ Potential legal liability: The audits conducted by and for other trading partners
could represent potential legal liability for an organization.
➤ Records retention: The replacement of paper by electronic records means that
retention controls require a consistently applied and fully recoverable technol-
ogy environment.
➤ Segregation of duties: Appropriate division of duties in an electronic environ-
ment can be achieved, but can also be compromised by inappropriate access
rights.

At the heart of e-commerce are the messages sent across the Internet. Encryption
and authentication of identity are vital issues. A number of cryptography technolo-
gies are available for e-commerce. These include symmetrical key cryptography,
asymmetrical (public key) cryptography and digital signatures.

Symmetrical key cryptography


This uses an algorithm to encrypt information in order to render it unintelligible
to anyone who does not possess the secret key to decrypt it. The secret key must
be shared between the encrypting party and the decrypting party. The US govern-
ment's data encryption standard (DES) is perhaps one of the best-known symmetri-
cal key encryption techniques and is the standard against which other encryption
techniques are evaluated.

Asymmetrical (public key) cryptography


Instead of a single key, a two-key set is used, one for encryption and one for decryp-
tion. One key of the pair is designated the public key (disclosed to the public) and
one kept secret as a private key. A message that is encrypted using the public key
can only be decrypted using the corresponding private key, and vice versa. As a
result, assurance can be gained that the message was not tampered with and that
only the authorized person can decrypt the message.
By reversing the process, a message that is encrypted using a private key can be
decrypted only by using the matched public key, thus ensuring both the integrity
of the message and the authenticity of the sender. This is the basis for the sender’s
electronic signature. The major difference found in public key encryption is that the
two communicating parties do not have to know each other in advance and do not
have to share a single key.

Digital signature
In the world of e-commerce, the digital signature is perhaps the most important
application of public key cryptography. In written documents, handwritten
signatures are traditionally used to authenticate the document. An electronic document
signed using a private key by the originator confirms that the document comes
from the purported author (authentication), ensures that the document has not been
tampered with (integrity), and ensures that the sender cannot deny that the mes-
sage was sent (non-repudiation).
Internal auditors must focus not only on the messages managed within e-com-
merce, but also on the processes and technologies that provide authentication and
assurance against security breaches.
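The public-key encryption and the reversed-process signature described in the two sections above, as an added Python example that is not the book's code: textbook RSA built from constructed Mersenne-prime keys (far too small for real use), with a hash of the message signed by the private key and verified by the public key, so that a tampered message or a signature checked against the wrong public key fails. The key sizes and the payment message are assumptions.

```python
"""Toy public-key encryption and digital signature (example only, not the
book's code): encrypt with the public key, decrypt with the private key;
sign with the private key, verify with the public key."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int   # modulus, part of both keys
    e: int   # public exponent: the key disclosed to the public
    d: int   # private exponent: the key kept secret


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA key set-up from two primes (no padding, toy sizes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # e * d == 1 (mod phi); Python 3.8+ modular inverse
    return KeyPair(n, e, d)


def encrypt_with_public_key(plaintext: bytes, n: int, e: int) -> int:
    """Anyone holding the public key can encrypt; only the private-key holder can read."""
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this modulus")
    return pow(m, e, n)


def decrypt_with_private_key(ciphertext: int, key: KeyPair) -> bytes:
    m = pow(ciphertext, key.d, key.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _message_digest(message: bytes, n: int) -> int:
    # What gets signed is a hash of the message, reduced into the key's range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, key: KeyPair) -> int:
    """The sender's electronic signature: the digest transformed with the private key."""
    return pow(_message_digest(message, key.n), key.d, key.n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Reversing the process with the public key alone: a match shows the message
    is unchanged (integrity) and came from the private-key holder (authentication)."""
    return pow(signature, e, n) == _message_digest(message, n)


# Constructed keys built from Mersenne primes: far too small for real use.
ALICE = make_keypair(2**31 - 1, 2**61 - 1)
BOB = make_keypair(2**89 - 1, 2**107 - 1)


def demo() -> dict:
    """Run the exchange on a constructed payment instruction and report the checks."""
    order = b"PAY 100 ZAR"                       # 11 bytes, fits below ALICE.n
    ct = encrypt_with_public_key(order, ALICE.n, ALICE.e)
    sig = sign(order, ALICE)
    return {
        "decrypts": decrypt_with_private_key(ct, ALICE) == order,
        "verifies": verify(order, sig, ALICE.n, ALICE.e),
        "tampered": verify(b"PAY 900 ZAR", sig, ALICE.n, ALICE.e),   # integrity fails
        "wrong_key": verify(order, sig, BOB.n, BOB.e),             # not Bob's signature
    }


if __name__ == "__main__":
    print(demo())
```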

CHAPTER 33
Current and Emerging Technology Issues for Internal Auditors

Learning objectives
After studying this chapter, you should be able to:
➤ Recognize the impact of new technology on the overall IT audit approach and
methodology
➤ Differentiate between continuous auditing and continuous monitoring
➤ Understand the audit role in IT governance
➤ Define the components of project management and identify internal audit’s role
➤ Recognize various types of IT outsourcing and the types of risks associated
➤ Identify the component parts of the negotiation of service level agreements
➤ Determine the degree of criticality of services outsourced
➤ Recognize the impact of the varying types of cloud computing
➤ Identify areas of potential audit participation
➤ Differentiate between the three basic types of smart mobility
➤ Recognize the risks inherent in the concept of Bring Your Own Device
➤ Recognize the risks to the organization inherent in social media
➤ Advise social media users on the use of privacy modes
➤ Identify risks inherent in Advanced Persistent Threats and the process nor-
mally adopted in such threats

IT Audit Approach and Methodology


In examining the impact of current and emerging technology issues on the internal
audit function, three basic principles of IT risk management must become ingrained.
1. Information risk strategies should primarily be driven by business risks with
technical risks playing a secondary role.
2. Effective risk management for IT encompasses a combination of strategy,
organisation, process and technology.
3. The overall information risk management process needs to be applied to discrete,
yet interrelated, components of an organization’s business processes and related
information technology.

Of recent years the emphasis in overall risk management has developed from
straightforward compliance and prevention through operating performance to the
current goals of enhancing shareholder value. When mapping these changes onto
the control of IT risk, a top-down approach is commonly used in determining the
areas of risk and the roles in implementing the control environment. Overall policy
formulation and control is part of the general IT governance layer while operationally,
management will dictate the implementation of the appropriate standards, structures
as well as physical and environmental controls. At the technical level system software
controls, system development controls and the overall application-based controls are
all impacted by the dictates of the higher layers.

Recent changes in technology have facilitated new directions and benefits for the
organization. These bring their own issues with concomitant changes to the technical
details integral to control, security and auditing.
In the past 10 years we have seen major changes in the form of:
➤ growth in distributed computing environments;
➤ integrated network support in voice, data and video transmissions;
➤ new types of network media and protocols;
➤ increased integration with external networks, clouds, etc;
➤ proliferation of sophisticated database technology providing transparent access
to data across dissimilar platforms; and
➤ increasing trends towards open systems.

Deriving from these technological changes we have seen major changes in our people
and our processes. From a human perspective, more users with higher levels of
computer literacy ensure information access over a wide spectrum of international
access routes. With enhanced customer connectivity has come the downsizing
and flattening of organizational structures. On the process side, e-commerce and
integrated systems have meant a shift in corporate speed-to-market requirements
with flexibility of systems becoming critical. In many organizations, revised technology
has been the driving force for the implementation of business process reengineering
(BPR) resulting in new rules for the gaining of competitive advantage.
These changes have required a rethink of the strategies, rules and relationships
in information technology management. Cost structures have changed as well as the
skills requirements, tools and methods of interaction to operate effectively in today’s
high volatility IT environment. These changes have also induced changes in the control,
security and auditing issues surrounding IT. The elimination of management control
layers due to the integration of system capabilities have resulted in the requirement
for new rules for separation of duties. Continuous control monitoring (CCM) and
continuous process auditing systems (CPAS) have become the order of the day.
The migration towards cloud-based systems has required the retraining of both
information technology and end-user staff. Multiple vendors selling package products
and application enablers abound and, while there exist undoubted benefits of
successful implementations, the risks inherent in failed migrations can threaten the
integrity and even corporate survival of organizations.
From an internal audit perspective, the audit approach must adapt because of
the changes in business requirements. The disappearance of hard-copy audit trails
and the sophistication of the IT systems in use means a revision of the automation
strategies employed by internal audit. Distributed activities and systems as well as
dramatic changes to hardware and software platforms mean that the auditor must
become adept at operating within a variety of environments with a variety of security
and control implications. At a technical level, there has been a quantum shift in the
minimum level of technical knowledge required for all auditors. This, in turn, has
forced the shift in the way we manage audits in an automated environment. There
will always be a need for the specialized conduct of technical system audits but when
and how these will be done is in a permanent state of flux. The use of technology to
facilitate continuous auditing has now become an imperative.
Faced with today’s audit challenges, including the massive increases in regulatory
requirements over the world-wide IP environment combined with the demand for
increasing internal audit value, and a growing shortage of skilled resources, the effect
of the introduction of appropriate automated audit solutions has become a strategic
issue. The need for timely, ongoing assurance over risk management and control of
systems having instantaneous impact on the organization has meant that continuous
auditing to provide more frequent and timely analyses of control deficiencies and risk
is now essential.
It should be stressed that continuous auditing is a methodology used to perform
audit-related activities on a continuous basis and is performed by internal audit.
Continuous monitoring, on the other hand, involves the processes implemented by
management, operational or financial, to ensure that policies and processes are
operating effectively and to ensure the adequacy and effectiveness of controls.
Audits would then independently evaluate the adequacy of management’s continuous
monitoring activities. Continuous assurance involves a combination of continuous
auditing and audit oversight of continuous monitoring.

IT Governance
IT governance has been defined as ‘specifying the framework for decision rights and
accountabilities to encourage desirable behavior and the use of IT’.60 It is seen to be
less about the specific decisions made and more about determining which decisions
are to be made, who makes each type of decision, how decisions are arrived at and
who will be held accountable for the results of the decision. Overlaid on this is the
government structure defining the composition of the bodies that are empowered to
make or execute joint decisions. As with any other form of governance, IT governance
directs the IT operations to ensure alignment with the enterprise in order to realize
the promised benefits by exploiting opportunities and maximizing benefits.
The board retains overall responsibility to drive the enterprise alignment and
directing management in the delivery of measurable value. A variety of models define
structures for IT controls including the COSO model and the CobIT© framework
referred to elsewhere in this book. IT governance is also specified as a requirement in
legislation such as the Sarbanes-Oxley Act, 2002 in the USA and the Basel Accords
governing financial institutions.

Project Management
The auditing of project management requires an understanding of the purpose and
structure of the computer project. Projects, as opposed to normal management
activities, are established on a temporary basis, to achieve a certain specific objective.
All projects must have a start point and a clearly defined end point. Four basic stages
exist in project management methodologies.
1. Project definition
2. Project planning
3. Implementation
4. Project completion.

60. Weill, Peter & Ross, Jeanne W. 2004. ‘IT governance on one page’. MIT Center for Information
Systems Research (CISR) WP 349.2.

Project definition includes having meetings and discussions with affected parties
in order to set the project boundaries and, when necessary, conducting feasibility
studies.
Project planning involves work-breakdown and the development of specifications
of the tasks to be undertaken. Part of the specification includes the resource planning
including costs, time, staff and other resources required. Where outside resources
are needed, the appropriate tendering process must be followed. The implementation
phase includes task prioritization, monitoring via the use of inspections, client
meetings, system testing, conversions, documentation, training and user acceptance
testing, while constantly identifying problem areas to solve or avoid. The project
completion phase includes final user acceptance and sign-off, the closedown of the
project team and the evaluation of the project process.
Difficulties encountered in project management include the span of today’s IT
projects which may entail virtually the whole organization’s information flow. There
is always a balancing exercise to be carried out between the delivery of quality and
functionality vs the speed to delivery and the associated costs. Overcoming these
difficulties will be dependent upon the skills and training of the project team itself.
Two types of project audit are possible: in-process project audits, which allow for
corrective changes if conditions have changed and focus on project progress and
performance; and post-project audits, which emphasize the improvement of future
projects and take a longer-term view of the project’s role in the organization.
From an audit perspective, it is recognized that a formal project management
methodology does not necessarily guarantee success, though the use of such a
methodology facilitates the identification of problems at an early stage allowing cost-
effective changes to be made and reducing the risk of project failure. Controls sought
may include:
➤ Project initiation reports
➤ Outputs of planning and estimation tools
➤ Ongoing project progress assessment reports
➤ Testing documentation
➤ The project costing reports
➤ Project team reviews.

A well-executed project audit can assist in the early diagnosis and resolution of
problems as well as facilitate identification of the relationships between performance,
cost and schedule, thus enabling the improvement of project performance. It can also
give IT management an independent appraisal of the project status and prospects of
successful accomplishment, as well as reconfirming the feasibility of the organization’s
commitment to the project as a whole.
The project audit typically follows predefined stages, namely:
➤➤ Analysis of the project’s context and stakeholders;
➤➤ Objectives analysis;
➤➤ Review of the plan of activities, resources and inputs required;
➤➤ Analysis of problems encountered;
➤➤ Review of indicators and measurements in use within the project;
➤➤ Risk analysis of events or decisions which could delay or impede the project
process; and
➤➤ Analysis of the ongoing validity of assumptions made at the inception of the
project.

314

Internal_Auditing.indb 314 16/04/2015 11:13


CURRENT AND EMERGING TECHNOLOGY ISSUES FOR INTERNAL AUDITORS

The success or failure of a given project is commonly measured by the extent to which
it meets its objectives. From a customer impact and satisfaction perspective, the
quality, timeliness, degree of customer satisfaction and achievement of specifications
become the key measurement criteria. In terms of business success, improvements
in cash flow or market share, as well as meeting expectations on return on investment,
may be critical indicators. For a project in process, cost efficiency and schedule
efficiency are normally evaluated.

Outsourcing
Outsourcing of IT has become a major outcome of the pressures involved in a modern
information processing environment. Significant technical expertise and skills are
required to operate effectively while time-to-market and technology dynamics require
rapid development and enhancement. Costs, too, have an impact. The cost to license
software or purchase services can be significantly lower than the cost to develop and
maintain a proprietary system. In today’s environment, there has been a shift in the
nature of outsourced functions to include mission-critical systems. Niche providers
and specialization frequently result in multiple vendor relationships. These dynamics
create new challenges for the management and audit of vendor oversight. Major
types of IT outsourcing include:
➤➤ Applications management
➤➤ Infrastructure management
➤➤ Independent testing and validation services
➤➤ Data center management
➤➤ Helpdesk services
➤➤ Security services.

From a corporate perspective, a variety of risks are evident in an outsourced environment.
At its most fundamental, there is a risk that the outsourcing strategy is not aligned
with the corporate objectives. Even where there is strong alignment, fundamental
assumptions regarding cost savings, payback periods, customer satisfaction and the
impact on the supply chain may be wrong as a result of inadequate risk assessment
at the feasibility stage. Where appropriate procurement policies are not followed,
service-level agreements may not be adequate or properly implemented, while local
regulatory implications may not be adequately covered in an international outsourcing
environment. A common problem is inadequate contingency planning. When
outsourcing is chosen as a strategic direction, transition planning is critical, including
a methodology for the escalation and resolution of operational issues and a plan for
the retention of essential skills in-house. In many outsourcing agreements there is an
implied assumption that outsourcing will continue forever, and no consideration is
given to termination or renegotiation processes should the current outsourcing
arrangement prove ineffective.
When outsourcing is the chosen direction, selection of the service provider becomes
critical, including the negotiation of service-level agreements. These are normally
developed using a four-step process:
➤➤ Determining the objectives – how will the outsourced service fit into the
organization’s strategic plan?
➤➤ Defining the requirements – what are the operating and performance needs in
terms of availability, response time, functionality, etc?
➤➤ Setting of target measurements – what metrics will be used and where will these
be obtained?
➤➤ Establishing accountability – who will be responsible for what and how much risk
has been retained within the organization?

From an audit perspective, the internal auditor must determine the degree of
criticality of the services outsourced as well as the governance structure related
to the outsourced operations in terms of roles and responsibilities. Critical to the
process is the extent of detailed risk analysis which was performed at the time of
outsourcing and whether an ongoing risk analysis is being continued.
The auditor would also seek to determine whether formal service level agreements
exist and are kept current for the outsourced activities including the key performance
indicators for monitoring vendor performance. The auditor will seek evidence
of management’s monitoring of service performance and the mechanism used to
address any non-compliance issues with the service-level agreement. Outsourcing
can be effective in controlling costs and achieving strategic objectives where in-house
skills are not available or are cost-prohibitive.

Cloud Computing
Cloud computing is the term given to Internet-based computing whereby shared
resources, software and information may be provided to computers and other
devices on demand in the same manner as an electrical grid. Its origin lies in the days
of large-scale mainframe computers where an individual organization may not have
been able to justify the use of one single large computer and instead purchased time
on another organization’s computer as timesharing. At the base of cloud computing
is the concept of virtualization in which each user sees their own ‘virtual’ computer
which may, in fact, be scattered over a variety of machines in a variety of locations.
In practice, cloud computing has evolved into a variety of models delivering different
levels and types of service such as:
➤➤ Software as a service (SaaS)
➤➤ Platform as a service (PaaS)
➤➤ Infrastructure as a service (IaaS).

The overall definition is blurred giving rise to a variety of marketing concepts such
as Compute as a service (CaaS) and others. The overall model of business is the
pay-as-you-go where each type of service can be provided at a cost and adjusted as
corporate needs arise or decline. Cloud-based software services are now in a maturing
mode with applications that are specifically enabled for the cloud and support and
architecture capable of running multiple instances in a variety of locations. Such
services are normally paid on a subscription basis. The platform delivery model is
one that enables developers to write applications to specifically run on the cloud
while the scaling of infrastructure is comparatively new and consists of servers,
storage devices, databases and other peripherals with inbuilt security services. Both
platform and infrastructure offerings are currently in the early stages of development
compared to software services.
Although cloud computing appears to offer flexibility and cost effectiveness there
are, however, problems in its usage. The cloud appears to the clients as a huge
opaque box where they have little or no control over what happens inside the box.
Cloud computing does not remove the IT control objectives over data confidentiality,
integrity, availability and privacy, but it may expose the organization to additional risks
such as the difficulties involved in integrating with current in-house IT systems. In
some business environments regulatory requirements effectively prohibit the use of
cloud-based systems unless the cloud is a private cloud directly under the control of
the originating organization.
Where the cloud is a public cloud, security issues may also include loss of control, since
the customer’s data, applications and resources are located with the service provider.
Thus user identity management, access rules, security policies and enforcement are
all managed by the service provider. In a public cloud, which is by definition a multi-
tenant environment, conflict may arise between tenants’ opposing goals since they
share a common pool of resources. The fact that multiple independent users may
share the same physical infrastructure can lead to vulnerabilities whereby an attacker
can legitimately be co-resident on the same physical machine as a target.
From an audit perspective, it becomes difficult to audit data held outside the
organization in a cloud and the obtaining of forensically acceptable data may also be
more difficult since the data is no longer maintained locally. Legal jurisdiction can also
be problematic with different regulatory requirements in the country of the cloud host
and further complications if the cloud provider sub-contracts to third party clouds.
In terms of audit’s additional roles in a cloud environment, IT audit may participate
by assisting management to:
➤➤ identify their control requirements and evaluate the controls to be contracted with
the cloud provider;
➤➤ evaluate vendors to ensure balanced assessment and a drawing of appropriate
vendor contracts;
➤➤ evaluate the controls and procedures in place for managing vendor relationships;
and
➤➤ assess the scope and methods of planned data migrations into the cloud as well
as the potential for reversing the process if required.

Smart Mobility
Although the term smart mobility is used fairly loosely, there are three basic types
of mobility:
➤➤ Terminal mobility refers to the ability of a user terminal to continue to access a
network as the terminal moves.
➤➤ User mobility refers to the ability of a user to continue to access network services
from different terminals under the same user identity when the user moves around.
➤➤ Service mobility refers to the ability of a user to access the same services regardless
of where the user is.

The management of smart mobility includes the need to support all forms of mobility
for all types of application, across heterogeneous radio systems in the same or
different administrative domains, without interruption as the user moves around, with
the ability of the user to move into, and use, different operators’ networks.
Achieving this requires that the network be able to determine a mobile device’s
current location and use that information to deliver packets of information to the
device. At the same time it must be capable of handing over from one network
attachment point to another, including the ability to roam and use different operators’
networks. In providing this functionality, the network provider must be able to
determine whether users are permitted to use their network or a specific service
provided by the network. This involves authentication of the identity of the user,
verifying the authorization of the user and gathering information on the resources
used by the user.
The common workplace implementation of smart mobility is the concept of Bring Your
Own Device (BYOD). It has inherent benefits to the organization in terms of flexibility,
responsiveness and accessibility, while at the same time introducing complications as
a result of the wide range of mobile vendors and operating environments which IT
must now support. It also becomes difficult for IT to mitigate the risk of unsecured
personal applications gaining uncontrolled access to corporate data. To some extent
these risks can be mitigated by requiring such devices to be registered in order to
enforce virus protection, device authentication and encryption where required. Some
organizations will only allow the installation of applications which have been authorized
by the firm, despite the fact that the device does not belong to the organization. In
many cases IT reserves the right to monitor all usage of mobile devices within the
organization.
Mobile devices come with their own set of concerns, including malicious threats,
lost or stolen devices (70,000,000 smartphones were lost or stolen in 2011 but
only 7% were recovered),61 uncontrolled application portfolios and users who are casual
in their attitude to security on their own devices.
It should not be seen that mobile computing is always, or even often, detrimental
to the organization. Smartphone applications facilitating self-service mobile
transactions allow existing customers access to organizational functionality, while
non-customers can obtain insurance quotes, prices from comparison shopping sites,
as well as locate shopping venues and restaurants. This can permit the organization
to effectively gain competitive advantage by the placement, flexibility, consumer
appeal, and prioritization of the applications.
In addition to interfacing with consumers and customers, increasingly employees are
seeking mobile support from the organization in order to achieve cost and performance
objectives. With increasing numbers of employees working away from the head office
environment, mobile connections via laptops, personal digital assistants (PDAs), mobile
phones, and tablets can give flexible access to business processes.
Naturally, in this environment, one of the IT auditor’s key concerns is the adequate
protection of information both on mobile devices as well as in communication transit
to ensure confidential business information is not lost or stolen. In addition, the
consistency and accuracy of information held on mobile devices would require
effective real-time synchronization.

Social Media
Social media is a generic term for the various forms of user-generated content and
the collection of websites and applications enabling people to interact and share
information online. Generally, these can be categorized into:
➤➤ Social networking sites [Facebook, Twitter, Myspace]
➤➤ Blogs [Wordpress]
➤➤ Video sharing sites [YouTube]
➤➤ Photo sharing sites [Flickr]
➤➤ Crowdsourcing [Wikipedia]
➤➤ User reviews [Amazon, Yelp]
➤➤ Streaming sites [Ustream]
➤➤ Social bookmarking [Digg, del.icio.us].

61. Global state of insecurity survey, 2012, PricewaterhouseCoopers.

Social media can be a powerful tool for business enabling them to find customers
and build clientele by introducing the organization’s brand on an international basis.
E-marketing is a rich source of new customers reachable globally in a manner
hitherto unimagined. In addition to the new customers, the potential to influence
buyer behavior via electronic marketing by leveraging the information base of existing
purchasing behavior is enormous.
One of the most culture-changing trends in e-business is the integration of social
media across all activities. The use of social media strategies for marketing, sales,
and service across the enterprise can not only increase market awareness of an
organization’s products and services but can also provide valuable feedback on
customer experience and branding. The use of technology such as Twitter is now
fully recognized as a means of rapid deployment of information to consumers in
matters ranging from one-day price reductions to early warning of severe weather,
depending on the nature of the organization.
From a small business perspective, professional blogging used as a corporate
tool for communicating with customers or for employees to share knowledge and
expertise, works well for knowledge workers such as consultants.
Once again, exposure of this nature introduces its own risks such as opportunities
for malicious action to systems and information and the exposure of sensitive or
private information. In many job applications these days, human resource departments
research applicants on the social media websites to evaluate the appropriateness of
employment within the corporate culture. Before use is made of social media posting
it is wise to consider the following questions:
➤➤ Will this post or picture cause a problem for me in the long term? (this has caused
recent problems with disclosed celebrity photographs)
➤➤ Would I make this comment in front of my mother? (aggressive or insulting Tweets
have led to lawsuits)

In order to use social media responsibly, most social media sites offer the user options
in privacy modes:
➤➤ mostly open where the default sharing mode is public and the individual user must
choose to keep their content private; and
➤➤ mostly closed where the default mode is private and the individual user must
choose to share content.

Some rules of thumb for achieving appropriate privacy on social media include:
➤➤ Do not Friend or Connect with people you have not met in person or know well.
➤➤ Reject Friend requests and Connections where there is no way of tracking the
individual who has made the request and confirming their acceptability.
➤➤ Limit your overall visibility on services.
➤➤ Be mysterious.
➤➤ Keep your software and settings up to date with the latest security patches.
➤➤ Think before you Tweet.

Advanced Persistent Threats and Targeted Cyber Attacks
Advanced Persistent Threat (APT) was a term coined by the US Air Force back
in 2006 describing planned, sophisticated, determined and co-ordinated attackers
targeting governmental and large organizational networks. Unlike conventional hack
attacks, this type of threat is classified as:
➤➤ Advanced, where the attacker adapts to defenders’ efforts with a far higher level of
sophistication and may develop or purchase zero-day exploits. These exploit
previously unknown vulnerabilities for which the vendor has not yet had the
opportunity to release a patch. Once a patch is available, the exploit is no longer
classed as a zero-day.
➤➤ Persistent, where the attacks are objective-driven and specific and will continue
until the goal is achieved. Normally such attacks seek to maintain long-term
connectivity for the attacker.
➤➤ Threat, in that the threat is typically not the attack itself but the entity behind
the attack.

APTs have originated in nation states as well as organized crime groups. Hacktivist
groups have also had APTs traced to them. The objectives of such attacks are
dependent upon the groups or individuals attacking. From a political perspective,
APTs may be used for suppression of a nation’s own population to maintain
stability. Militarily, APTs may be used to identify weaknesses that allow inferior military
forces to defeat superior military forces by exploiting their network weaknesses. From
a criminal perspective, the gaining of illicit competitive advantage or the theft of
intellectual property are common objectives. Frequent targets of hacker groups are
software houses, where the objective is to obtain source code for further exploit
development, either for their own use or for sale to other APT groups. Generally, such
attacks are specifically designed to bypass known anti-virus and anti-malware
software and take the form of low and slow attacks designed to move easily across
networks. Such attacks commonly follow a seven-step process:
1. Reconnaissance over a number of public web pages, from which target contact
information may be extracted and subsequently used in targeted social engineering
attacks.
2. Initial intrusion into the network, including spoofed e-mails with attachments
or links to zip files containing software exploits or malware. Such attacks are
commonly carried out overnight (US time).
3. Establishing a back door to retain long-term access into the network. If an attacker
can obtain domain administrative credentials, they can use these to move laterally
through the network, establishing multiple back doors with different configurations.
Malware introduced with these authority levels can modify system registries and use
legitimate users’ credentials to blend in with normal network traffic.
4. Obtaining users’ credentials through use of the administrative access rights. In this
manner attackers can obtain user accounts and password hashes in volume.
5. Installing various utilities to extract information, dump passwords, extract e-mails
from servers and perform other malicious tasks. Once installed, these utilities
may reside in sleep mode for anything from a few days to a year or more.
6. Privilege escalation with lateral movement through the network and data
exfiltration. By using the rights of authentic, authorized users, firewalls can be
traversed as if by legitimate system users.
7. Maintaining persistence. Since such attacks will eventually be identified and
remediation steps taken, the remediation itself will be detected by the attackers,
who respond with increased sophistication in their malware and attempts
to gain additional footholds.


For certain large-scale corporations and for government functions, hardening systems
against APTs is essential but for many smaller organizations taking the appropriate
steps to prepare for, and detect such attacks also makes sense. Such hardening takes
the form of ensuring robust logging is in place with servers and workstations using
the latest security patches and with users ensuring that their credentials are hard to
crack.
The conventional information security approach is to attempt to protect all
information assets equally. The advanced approach to control coverage is to identify
the most important assets and focus protection efforts in those areas. Preventive
controls such as firewalls and antivirus software are still essential; however, monitoring
and data analytics used as detective controls are also critical against this form of attack.
Overall security has moved from the concept of perimeter defense, where an
outside barrier will identify and authenticate the user, to a data-centric approach with
controls focused where the threat would be most damaging. Both IT and audit must
develop a deep understanding of the organization’s key assets and the IT environment
surrounding them. This will allow appropriate research on attackers’ chosen targets,
modus operandi and malware commonly in use.
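The detective-control approach described above can be made concrete. The following Python program is an added example, not taken from the textbook or from any vendor product: it runs two simple analytics over a constructed set of successful network logon events of the kind a SIEM collects from domain controllers and servers, and flags the behaviours of steps 3, 4 and 6 of the process above (one set of credentials fanning out to many hosts within a short window, and privileged accounts logging on outside business hours). The event format, host and account names, thresholds and business-hours window are all assumptions chosen for illustration.

```python
"""Added example: detective analytics for the APT lateral-movement stages.

Not from the textbook.  The event format below (timestamp, account, source
host, destination host), the host and account names, the thresholds and
the business-hours window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons, as a SIEM might export
# them from domain controllers and servers (not real data).
SAMPLE_EVENTS = """\
2015-03-02T01:12:05 jsmith    ws-017  fs-01
2015-03-02T01:13:40 jsmith    ws-017  fs-02
2015-03-02T01:14:02 jsmith    ws-017  sql-01
2015-03-02T01:15:55 jsmith    ws-017  dc-01
2015-03-02T01:17:10 jsmith    ws-017  mail-01
2015-03-02T01:19:33 jsmith    ws-017  hr-app-01
2015-03-02T09:05:12 mlee      ws-102  fs-01
2015-03-02T09:31:48 mlee      ws-102  mail-01
2015-03-02T10:02:00 svc-bkp   bkp-01  fs-01
2015-03-02T10:02:05 svc-bkp   bkp-01  fs-02
2015-03-02T14:45:00 admin-ops ws-200  dc-01
2015-03-03T02:30:00 admin-ops ws-200  dc-01
"""

PRIVILEGED = {"admin-ops", "svc-bkp"}  # assumed domain-admin-level accounts
FANOUT_WINDOW = timedelta(minutes=10)  # assumed lateral-movement window
FANOUT_THRESHOLD = 5                   # distinct destination hosts in window
BUSINESS_HOURS = range(7, 20)          # assumed local business hours (07:00-19:59)


def parse_events(text):
    """Parse whitespace-separated event lines into time-ordered
    (timestamp, account, source, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    events.sort()
    return events


def detect_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
    """Flag accounts that authenticate to `threshold` or more distinct hosts
    within `window`: the signature of one stolen credential being used to
    move laterally.  Returns one (account, window_start, hosts) per account."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:          # events are time-ordered
        by_account[account].append((ts, dst))
    alerts = []
    for account, rows in by_account.items():
        for i, (start, _dst) in enumerate(rows):   # slide the window start
            hosts = {dst for ts, dst in rows[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts.append((account, start, tuple(sorted(hosts))))
                break                               # one alert per account
    return alerts


def detect_off_hours_privileged(events, privileged=PRIVILEGED,
                                hours=BUSINESS_HOURS):
    """Flag logons by privileged accounts outside business hours; the text
    notes that intrusions are commonly carried out overnight."""
    return [(account, ts, dst) for ts, account, _src, dst in events
            if account in privileged and ts.hour not in hours]


def run(text=SAMPLE_EVENTS):
    """Run both rules over the event text; returns alerts keyed by rule."""
    events = parse_events(text)
    return {"fanout": detect_fanout(events),
            "off_hours_privileged": detect_off_hours_privileged(events)}


if __name__ == "__main__":
    for rule, alerts in run().items():
        for alert in alerts:
            print(rule, *alert)
```

On the sample data the fan-out rule flags jsmith, whose credentials reach six servers in under eight minutes at 01:00, while the off-hours rule flags only the admin-ops logon to the domain controller at 02:30; jsmith is not a privileged account, so the second rule alone would have missed the intrusion, which is why the text calls for monitoring focused on the key assets rather than a single control. Thresholds and hours must be tuned to the organization’s own baseline, and a backup service account fanning out on schedule is the obvious false positive to allow-list.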

SECTION 6
Fraud and Forensic Auditing

CHAPTER 34
Fraud Auditing

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the definitions and concepts underlying fraud, irregularities,
waste and abuse
➤ Explain the role of forensic accountants and other outsiders
➤ Understand the profiles and motivators of fraudsters
➤ Differentiate between fraud, waste and abuse
➤ Recognize likely fraud indicators and red flags

Fraud Detection and Identification
IIA Practice Advisory 1210.A2-2: Responsibility for fraud detection provides guidance
as to the respective responsibilities of management for establishing and maintaining
effective systems of control to prevent fraud; and, should it occur, to detect
fraud and take action against those responsible. The practice advisory also provides
guidance as to the responsibilities of an internal auditor in such circumstances.

‘Management has a responsibility to establish and maintain an effective control system
at a reasonable cost. To the degree that fraud may be present in activities covered in
the normal course of work as defined above, internal auditors have a responsibility to
exercise due professional care as specifically defined in Standard 1220 with respect to
fraud detection. Internal auditors should have sufficient knowledge of fraud to identify
the indicators that fraud may have been committed, be alert to opportunities that could
allow fraud, evaluate the need for additional investigation, and notify the appropriate
authorities.’

Further guidance as to an internal auditor’s responsibilities for the identification of
fraud is set out in IIA Practice Advisory 1210.A2-1: Identification of Fraud.

‘Internal auditors are responsible for assisting in the deterrence of fraud by examining
and evaluating the adequacy and the effectiveness of the system of internal control,
commensurate with the extent of the potential exposure/risk in the various segments
of the organization’s operations.’

The Context of Fraud
White-collar criminals are making their fortunes in Africa and around the world, with
many of them evading discovery and continuing to drain the lifeblood of companies
and governments for long periods of time.
Virtually any form of dishonest behavior can be classified as fraud in one form or
another. Under private law, fraud involves a false statement or a deliberate omission
intended to induce someone to place reliance upon it to his/her prejudice. Where it
can be shown that a contract was entered into because of a fraudulent inducement,
the contract can be set aside and the victim of the fraud may also be able to recover
any damages suffered in an action in delict.
In criminal law, the same conduct would result in criminal prosecution. In South
Africa, courts have ruled that the offense of fraud need not require a specific individual
to be prejudiced. As such, it is not necessary that a victim be established for
the police to secure a conviction. Potential prejudice will be sufficient.
Many auditors confuse fraud and internal theft. The most significant difference
is that frauds are always planned while thefts may be planned or unplanned. Theft
tends to be an opportunistic crime occasionally arising out of genuine need. Frauds
usually arise out of genuine greed and must be concealed for the fraud to continue.
Fraud in South Africa is deemed to occur when the following elements exist:
➤ An untrue representation about a material fact or event is intentionally made
by an individual or an organization.
➤ Such an untrue representation is believed by the person or individual to whom
representation was made.
➤ The victim relies on the untrue representation and acts upon it.
➤ The victim suffers the loss of property and/or money as a result of acting upon
or relying on the untrue representation.

Fraud may be carried out for the benefit of an individual or an organization. The
benefits or gains made as a result of fraud carried out by an individual may be
direct, such as the receipt of property or money, or indirect in the form of bonuses,
promotion, power or influence. When fraud is carried out by an individual acting
on behalf of an organization, the benefits are normally direct and take the form
of financial gain. Business fraud is then taken to be any business activity in which
deceitful practices are resorted to by an organization or representative of an organization
with the intent to cause economic injury or deprive another of property or
other entitlements.
Over the years, South Africa has seen a variety of fraudulent activities. Common
types are discussed below.

Misrepresentation of Material Facts
In this category, the fraudster makes false statements or false claims, or deliberately
misstates material facts to persuade someone to part with money. To prove
misrepresentation of material facts, an auditor must prove ‘intent’, which may not be
easy.

Concealment of Material Facts
Here, the perpetrator must have knowledge of the fact, have concealed a material
fact, have had a duty to disclose and have intent to mislead or deceive the other
party. Once again, proving ‘intent’ may prove difficult.

Larceny
In this category, the perpetrator must have taken or converted the property of
another without the consent of the owner with the intent to permanently deprive
the owner of its possession.

Obtaining Fraudulent Loans
A common methodology of fraudsters is obtaining loans by using fake references,
with no intention of repaying them.
All references should be viewed with a healthy scepticism. Fake references tend to
be highly complimentary to the person or organization seeking finance. A common
technique for the fraudster is to provide a contact telephone number for a specific
person who should be asked to provide the reference sought. If individuals are
contacted, those seeking confirmation must ensure that the person who is
giving the reference actually works for the referee company and has the authority to
give such a reference. Trade references have, in the past, been ‘given’ by non-existent
companies, and care should be taken to check the existence of such businesses.

Unsolicited Orders
Where an organization carries out most of its business through a normal sales force,
customers who approach the organization with unsolicited orders may be a source
of concern. ‘Golden opportunity’ may be a catch phrase to trap the unwary company
and lead it into providing assets with little hard information about the customer
and the company to which assets have been provided. Sudden, unexpected, urgent
orders can be used to create a willingness to cut corners in the checks and balances
normally carried out in order to land a large new customer. Such urgency, particularly
on credit, may indicate a higher risk.
Even if the customer is known, many fraudsters have first established their credibility
by placing small orders, which are paid for on time. Once credibility is established,
larger orders are placed with no intention of ever paying for them.

Advance Fees
This type of fraud involves the offering of services that require an up-front payment
in order to cover costs. The fraudster then disappears with the advance fee. Many
such frauds in South Africa have involved offering the transfer of funds from another
country with currency restrictions. The victim is offered a commission to be the
recipient of funds with no risk to him-/herself. The fraudster may offer official-looking
documentation confirming that such funds are available and will be paid. All that is
required is the payment of an amount to cover initial expenses (always much smaller
than the commission to be paid). Unfortunately, the fraudster does not have such
funds available and therefore the victim, in order to obtain the commission, will be
asked to cover the initial expenses. Once the money has been handed over, the
fraudster disappears, together with all traces of the officials who confirmed that the
money was available.

Bribery
Bribery can be defined as the giving, receiving, offering or soliciting of any ‘thing
of value’ in order to influence an official in the performance of, or failure to perform,
the lawful duties of that official. It may include soliciting the commission of any
other type of fraud or the influencing of an official to carry out any act that violates
the lawful duty of that official. Under such circumstances, bribery defrauds the
employer of that official of the right to honest and loyal services by an employee.
Such bribery may include giving, receiving, offering or soliciting of a ‘thing of value’
because of an official act that has already taken place.
In the case of commercial bribery, the offense is the same, but the intent is to
influence some business decision without the organization’s knowledge or consent.

Theft of Trade Secrets
The perpetrator must have possessed information valuable to the business that was to be treated confidentially and have breached the confidential relationship by improper means. This is a particular problem in the perfumes, drug and chemical industries, where formulae are critical to business survival and competitiveness; in fashion designs; and in branded food products, such as Coca-Cola™. Similarly, secrecy often surrounds the development of new software and operating systems programs.

Conflicts of Interest
Closely allied to bribery is conflict of interest. When an organization or person acting on behalf of another organization or individual has, or appears to have, a self-interest in the activity or a hidden bias that is potentially detrimental to the interests of the party being represented, and such bias is not made known to the represented party, a conflict of interest has occurred. Should such a conflict of interest result in a loss to the represented party, a fraud has taken place. In the public sector, laws exist that prohibit conflicts of interest in government employees and those doing business with the government. In the private sector, conflicts of interest may not be a criminal offense as such, although the results may be deemed to be unjust enrichment and therefore a criminal offense.

Breach of Fiduciary Duty
When a person who is employed by, and has a duty to, an organization or another individual acts in a manner not in the best financial interests of that organization or individual, a breach of fiduciary duty has occurred. This is not a criminal offense, but is regarded as a civil matter. As such, the burden of proof required for conviction is not as onerous as for criminal fraud and it is normally unnecessary to prove wrongful intent.

Embezzlement
Embezzlement entails the fraudulent conversion of personal property by the person
in possession of that property where the possession was obtained as a result of trust
placed in the embezzler.


False Claims
A false claim fraud occurs when a person knowingly and intentionally makes a false
or fictitious representation or falsifies a material fact, which results in financial loss
to the victim to whom the false representation was made.

Extortion
The obtaining of something from an individual or organization through the use of
actual or threatened force or fear, including the fear of an official’s office or the
fear of an economic loss, is classified as extortion.

Conspiracy
Conspiracy occurs where there is intent that a crime be performed and there is an
agreement with another person or persons to engage in that crime, and where one
of the conspirators commits an overt act to further the conspiracy.

Lapping
Lapping involves the use of funds received in payments to conceal a theft of cash.
The fraudster will initially steal funds offered in payment of a debt. To conceal the
initial theft, a subsequent payment by a second party is used to make good the
shortage resulting from the original theft. Payment from a third customer is used to
cover the second shortage, and the process continues.
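Lapping leaves a footprint that the detection methods in Table 34.1 (matching deposit dates, accounts receivable confirmations) are designed to pick up: the bank sees money from one customer while the ledger credits another, and the most recent payer is left carrying the shortage. The script below is an added example written for this edition’s readers, not code from the book or from any audit package. It matches constructed bank deposit records against constructed receivables postings; all customer names, dates and amounts are made up.

```python
"""Lapping indicators from bank deposits vs. receivables postings.

Added example, not from the textbook. Constructed sample data: bank deposits
carry the remitter named on the deposit slip or EFT reference; ledger
postings record which customer account was credited and which deposit the
clerk says funded it. Customer names, dates and amounts are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deposit:
    date: str        # date the money reached the bank account (ISO format)
    remitter: str    # payer named on the deposit slip / EFT reference
    amount: float


@dataclass(frozen=True)
class Posting:
    date: str          # date the credit was posted in the receivables ledger
    customer: str      # account that was credited
    amount: float
    deposit_date: str  # deposit the clerk says funded this credit


# Constructed records showing the footprint of a lapping scheme: the first
# payment (from Customer A) never reached the bank, B's money was used to
# clear A's balance, and C's money was used to clear B's.
DEPOSITS = [
    Deposit("2015-03-05", "Customer B", 1000.00),
    Deposit("2015-03-10", "Customer C", 1000.00),
    Deposit("2015-03-12", "Customer D", 750.00),   # legitimate receipt
]
POSTINGS = [
    Posting("2015-03-05", "Customer A", 1000.00, "2015-03-05"),
    Posting("2015-03-10", "Customer B", 1000.00, "2015-03-10"),
    Posting("2015-03-12", "Customer D", 750.00, "2015-03-12"),
]


def match_postings_to_deposits(deposits, postings):
    """Pair each posting with the deposit of the same date and amount.
    Returns (pairs, postings_without_deposit, deposits_never_posted)."""
    pool = list(deposits)
    pairs, orphan_postings = [], []
    for p in postings:
        for d in pool:
            if d.date == p.deposit_date and abs(d.amount - p.amount) < 0.005:
                pairs.append((d, p))
                pool.remove(d)
                break
        else:
            orphan_postings.append(p)
    return pairs, orphan_postings, pool


def lapping_indicators(deposits=DEPOSITS, postings=POSTINGS):
    """Signals obtained by matching deposit dates against ledger postings."""
    pairs, orphan_postings, unposted = match_postings_to_deposits(deposits, postings)
    # 1. Money from one customer credited to a different customer's account.
    misapplied = [(d.date, d.remitter, p.customer)
                  for d, p in pairs if d.remitter != p.customer]
    # 2. Remitters whose payment the bank received but who were never credited:
    #    the customer currently carrying the shortage.
    credited = {p.customer for p in postings}
    uncredited = sorted({d.remitter for d in deposits} - credited)
    return {
        "misapplied": misapplied,
        "remitters_without_credit": uncredited,
        "postings_without_deposit": [(p.date, p.customer, p.amount) for p in orphan_postings],
        "deposits_never_posted": [(d.date, d.remitter, d.amount) for d in unposted],
    }


if __name__ == "__main__":
    for indicator, hits in lapping_indicators().items():
        print(f"{indicator}: {hits}")
```

A remitter mismatch is an indicator, not proof: a parent company paying a subsidiary’s account produces the same signal. That is why the table pairs matching deposit dates with accounts receivable confirmations, which ask the customer directly what was paid and when.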

Kiting
Kiting is made possible when a financial institution permits the withdrawal of funds from an account based on deposits of cheques that have not yet cleared. Under such circumstances, the funds may be in transit or they may, in fact, be non-existent. Money or goods are obtained from legitimate sources by writing cheques against the non-existent balances. By continuously ‘kiting’ cheques drawn against non-existent balances from bank account to bank account, the fraud continues.

Fraudulent Affiliations
In order to establish credibility, a fraudulent company may often claim an association with a well-known and legitimate company. This may take the form of pretending to be a branch or subsidiary of an existing and well-known organization. Company names that resemble well-established brand names should be treated with suspicion. Impressive trade names implying stature or international status may also be misleading. Claims of overseas offices or foreign ownership, which are difficult to confirm, are also popular.

With the intense competition that businesses have been subjected to over recent years, there is pressure on all parties to move quickly, get the big order or get new customers. This pressure leads to the cutting of corners and the elimination of controls, which makes it easier for the fraudster to exploit the organization’s vulnerability.


Frauds often come to light as a result of an allegation from a third party regarding
misconduct on the part of the organization or an officer of the organization. In many
cases, such allegations are anonymous and there is a temptation to ignore them,
since to deal with them would require an uncomfortable decision. Other frauds are
detected when significant changes to profitability, market share or cash flow are
observed. Some frauds are noticed purely by accident when someone is looking for
something else.

Red Flags for Fraud
In many cases, investigation of fraud reveals an underlying failure of management supervision and poor execution of company policies and procedures. People tend to follow their role models and studies have indicated that fraud is more likely to occur under management that is unethical or incompetent. Fraud should also be suspected when an organization’s salaries are lower than those of competitors. Reward structures based on short-term goals, dictatorial management in a power-driven environment and constant crisis management are breeding grounds for fraud. Where individuals are in positions of power to award lucrative contracts or where they handle large amounts of cash without adequate supervision, fraud may also arise. Managers who play one subordinate off against another and seek personal loyalty without giving it may also create an environment in which fraud is probable. Such managers often prefer informal procedures to formal, laid-down policies, since they usually feel exempt from the rules and override them with impunity.
Red flags may also be seen within individual business processes, which should alert the auditor to the possibility of fraud occurring. Once again, what should be emphasized is that these red flags are only indicators of possible fraud and do not guarantee that a fraud is taking place.

Payroll
Indicators in this area may include high volumes of manually prepared statements;
major movements in total payroll or overtime not justified by increases in business
activity; easy access to payroll records, negotiable documents or electronic funds
transfer systems; and sudden decreases in staff turnover within a business area.

Cash Handling
Red flags for possible fraud opportunities could include lack of segregation of duties over the receipt of cash, bank deposits and posting into customer accounts; lack of adequate safeguards over physical storage of cash; infrequency of bank deposits; persistent shortages in cash itself; and excessive volumes of voided transactions.

Purchasing
Potential fraud indicators here could include the volume of purchases from sole vendors; buyer turnover; occurrences of missing or duplicate purchase order numbers; unusual purchases in terms of the nature or value of the items; and abnormal rises in the volumes or prices of routinely purchased items.


Accounts Payable
Accounts payable involves monetary disbursements and is a favorite target for fraudsters. Red flags here which could draw the auditors’ attention to potential fraud occurrences could include: remittance addresses or bank accounts matching employee addresses or bank accounts; recurring amounts from the same vendor just below an authorization level; sequential invoice numbers from the same vendor; lack of segregation of duties over processing of accounts payable invoices, authorization of payment and execution of payment; inadequate authorization over changes to vendors’ records; lack of authorization documentation for payments; unauthorized credit adjustments for a specific vendor; comparatively new vendors with slowly increasing credit utilization followed by a sudden increase that exceeds the credit limit; paid invoices not properly cancelled; and easy access to negotiable documents or electronic funds payment systems.
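Several of the indicators listed above lend themselves to a routine data screen over the vendor master, the employee master and the paid-invoice file. The script below is an added example written for this edition’s readers, not code from the book or from any audit software. It implements three of the listed red flags over constructed records: remittance bank accounts matching employee bank accounts, recurring amounts just below an authorization level, and sequential invoice numbers from one vendor. The vendor and employee names, account numbers, invoice numbers and the authorization limit of 50 000 are all constructed.

```python
"""Accounts payable red-flag screen (added example, not from the textbook).

Constructed sample data: a vendor master, an employee master and a batch of
paid invoices. Three of the indicators listed in the text are implemented:
remittance bank accounts matching employee bank accounts, recurring amounts
just below an authorization limit, and sequential invoice numbers from one
vendor. All names, account numbers and the 50 000 limit are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    bank_account: str


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    bank_account: str


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str   # the vendor's own invoice number as printed on the invoice
    amount: float
    posted: str       # posting date, ISO format


# Constructed sample records (hypothetical names and account numbers).
VENDORS = [
    Vendor("V001", "Acme Stationery", "62000011111"),
    Vendor("V002", "Northside Cleaning", "62000022222"),
    Vendor("V003", "Quickfix Maintenance", "62000033333"),
]
EMPLOYEES = [
    Employee("E100", "T. Mokoena", "62000099999"),
    Employee("E101", "S. Naidoo", "62000033333"),   # same account as vendor V003
]
INVOICES = [
    Invoice("V001", "A-1045", 12500.00, "2015-03-02"),
    Invoice("V001", "A-1122", 8300.00, "2015-03-19"),
    Invoice("V002", "2001", 49800.00, "2015-03-03"),
    Invoice("V002", "2002", 49950.00, "2015-03-10"),
    Invoice("V002", "2003", 49700.00, "2015-03-17"),
    Invoice("V002", "2004", 49900.00, "2015-03-24"),
    Invoice("V003", "QF-88", 15000.00, "2015-03-05"),
    Invoice("V003", "QF-91", 9500.00, "2015-03-26"),
]


def vendor_accounts_matching_employees(vendors, employees):
    """Vendors whose remittance bank account equals an employee's bank account."""
    by_account = {e.bank_account: e for e in employees}
    return [(v.vendor_id, by_account[v.bank_account].employee_id)
            for v in vendors if v.bank_account in by_account]


def just_below_limit(invoices, limit, band=0.02, min_hits=3):
    """Vendors with at least `min_hits` invoices in the top `band` fraction
    below the authorization limit (98% to 100% of the limit by default)."""
    hits = defaultdict(int)
    for inv in invoices:
        if limit * (1 - band) <= inv.amount < limit:
            hits[inv.vendor_id] += 1
    return sorted(v for v, n in hits.items() if n >= min_hits)


def sequential_invoice_numbers(invoices):
    """Vendors whose invoice numbers run consecutively, which suggests that we
    are their only customer or that the invoices are fabricated. The numeric
    tail of each invoice number is compared; vendors with fewer than three
    invoices are not judged."""
    numbers = defaultdict(list)
    for inv in invoices:
        m = re.search(r"(\d+)$", inv.invoice_no)
        if m:
            numbers[inv.vendor_id].append(int(m.group(1)))
    flagged = []
    for vendor_id, nums in numbers.items():
        nums.sort()
        if len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            flagged.append(vendor_id)
    return sorted(flagged)


def screen(vendors=VENDORS, employees=EMPLOYEES, invoices=INVOICES, limit=50000.0):
    """Run all three indicators and return the flagged vendors per indicator."""
    return {
        "employee_account_match": vendor_accounts_matching_employees(vendors, employees),
        "just_below_limit": just_below_limit(invoices, limit),
        "sequential_invoices": sequential_invoice_numbers(invoices),
    }


if __name__ == "__main__":
    for indicator, flags in screen().items():
        print(f"{indicator}: {flags}")
```

Each hit is a lead for follow-up (vendor file review, confirmation with the vendor, inspection of the authorization trail), not a finding in itself; a small sole supplier may legitimately produce consecutive invoice numbers.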

Accounts Receivable
In the same way as a fraud can be carried out where money leaves the organization, manipulation of debt owed to the organization can equally lead to fraud. Red flags here could include inadequate segregation of duties between the processing of accounts receivable, recording the movements and recording the payment receipts; excessive movements in the allowances for bad debts; inadequate controls over credit note processing; and inadequate reconciliation of accounts receivable activity.

Personal Fraud Indicators
Individuals involved in frauds often display characteristics that indicate a willingness to commit frauds. These characteristics, when coupled with a corporate environment conducive to fraud, create a breeding ground for fraud. Fraud is often indicated by the presence of one or more of the following characteristics.
➤ Gambling: Where managers are known to be frequent gamblers, care should be
taken to ensure that the gambling is not being funded from corporate resources.
➤ Unusual expenses: A common method of covering up the existence of fraud is the posting of expense claims. Unusual patterns or values of such claims should be treated as suspicious.
➤ Extravagant living standards and conspicuous consumption: The desire to live
a lifestyle that is out of financial reach can be a powerful inducement to fraud.
Fraud-prone managers are often conspicuous consumers. Financial success and
its trappings are important to their self-images. Impulsive by nature, they find
it difficult to postpone gratification and wait for what they feel should be theirs
now. Many fraudsters are hard workers who compensate their families with
material things because of their hours away from home. Where an individual in
a position of authority over the disposition of corporate funds is known to lead
an extravagant lifestyle, suspicions should be aroused.
➤ Sexual promiscuity: Sexual promiscuity may be an expensive habit for an individual with a known and fixed income. Such expenses must then be funded out of corporate funds in order to conceal the activity.
➤ Undesirable associates: An individual outside an organization may encourage
an employee to participate in a fraud. For example, a manager may be able to
sign off on fraudulent documents submitted by the outside conspirator.


➤ Poor social skills: Many fraud-prone managers are self-centered in relationships both at work and home. This attitude may lead them to treat subordinates as objects to be exploited rather than as valued employees, and leads to their being disliked by business associates and competitors alike.
➤ Extravagant with the truth: Fraud-prone managers are often careless with facts
and may boast of their personal achievements while ignoring the contributions
of others. Such managers commonly treat opposition as betrayal and react with
a hostility that can ruin working relationships.
➤ Substance abuse: Managers involved with fraud may also be heavily involved
with drugs and alcohol abuse. Such extravagances have to be paid for and may
be beyond the manager’s means without ‘assistance’.

Generally, studies of executives involved in fraud indicate a typical profile as a male, 35 years of age, who is married and has two children. He has been employed by the organization for about nine years and did not start the fraud until he had worked with the organization for six years.

Triggering Events
What causes a trusted employee to begin fraudulent activity is varied, but most
commonly it is an emotional trauma in the individual’s life involving home, work,
marriage or some other aspect. This affects the person’s behavior pattern and may
well be noticed by his/her colleagues. The manager may assume responsibility for a
single client or a specific task, which he jealously guards as he continues the fraud.
Where the change involves heavy drinking, gambling, an expensive social life or extra-marital sexual activity, a pattern of lies and deceptions may emerge. Such deceptions are frequently believed because the individual has given long and honest service before the fraud actually begins.
Most frauds are caused by a lack of internal controls. However, in many cases, the controls are there, but are not being adhered to and management is not policing them.

Fraud Prevention
The biggest deterrent to fraud is not controls, but rather the perception of detection. Ultimately, the best control may be for an organization to demonstrate its willingness and ability to catch and punish offenders. This increases the offender’s belief that he/she will be caught, which is the strongest of all fraud deterrents.
In an ideal world, the responsibility for the prevention and detection of fraud
would rest solely with management, while the resolution of fraud would be seen as
the responsibility of the forensic auditor. To understand the difference between an
auditor and a forensic auditor, one needs to understand the fundamental difference
between auditing and forensic audit.

The Role of a Forensic Auditor
Forensic auditing may be defined as the methodology for resolving fraud allegations from inception to disposition with sufficient proof to prove or disprove allegations of fraud. This includes obtaining evidence, taking statements, writing reports, testifying to findings, and the detection and prevention of fraud.

Table 34.1: Common types of fraud

Type of Fraud: Cash schemes (occur frequently but rarely material)
Form of Detection:
➤ bank reconciliation
➤ cut-off bank statements
➤ surprise cash counts
➤ investigation of customer complaints
➤ review of journal entries
➤ review of sales/cash trends

Type of Fraud: Accounts receivable schemes
➤ lapping
➤ fictitious receivables
➤ charge-offs
➤ personal borrowing
Form of Detection:
➤ accounts receivable confirmations
➤ cut-offs
➤ trend analysis on written-off accounts
➤ matching deposit dates

Type of Fraud: Inventory fraud schemes
➤ theft
➤ misappropriation
➤ scrap sales
Form of Detection:
➤ missing documents
➤ physical counts
➤ analytical review

Type of Fraud: Purchasing fraud schemes
➤ fictitious invoices
➤ overbilling
➤ cheques paid to employees
➤ conflict of interest
Form of Detection: Analytical review for:
➤ timing of bids
➤ pattern of bids
➤ amount of work
➤ pattern of new vendors
➤ matching addresses
➤ lack of street addresses on invoices

Type of Fraud: Payroll schemes
➤ ghost employees
➤ overtime abuses
➤ withholding taxes
Form of Detection:
➤ independent payroll distribution
➤ cash flashing around
➤ matching addresses

The goals of a forensic auditor are then to:
➤ obtain a legal confession (if an accused is guilty, it is the forensic auditor’s objective to obtain a binding confession of guilt, which is legally admissible); and
➤ individually prove each element of fraud, including the intent, disguise of purpose, reliance by the victim and concealment of the offence.

Responsibilities for Fraud Detection and Prevention
The role of an auditor is to assist management in establishing a control environment in which fraud is unlikely to occur, but if it does occur, it will be quickly detected.


The approach of a forensic auditor is the resolution of fraud with sufficient proof
to prove or disprove allegations of fraud. Forensic auditors must presume that all
cases will eventually end up in litigation.
A forensic auditor cannot conduct a forensic audit without credication, that is, just cause or a valid reason to suspect that a fraud has occurred.
Credication may be defined as that set of circumstances that would lead the prudent, reasonable and professionally trained person to believe that a fraud has occurred, is occurring or will occur.
Credication normally comes from a tip-off, but can also come from analytical data, eg – for a retail company – a dramatic increase in the value of refunds or voids, or a sudden decrease in the turnover figures. This can give credication to a forensic auditor to conduct a forensic audit. In recent years, with the advent of fraud ‘hot lines’, tip-offs have become the biggest single source of fraud allegations.
Forensic audit must exclude any other possibility, eg that a mistake or error
has been made. To achieve this, forensic auditors often employ a concept called
‘reverse proof’. This means that, in order to prove that an allegation of fraud has
occurred, part of the proof must include attempts to prove that a fraud has not
occurred and vice versa. Both sides of an allegation must be examined.

In addition to technical auditing skills, forensic auditors must have the following
abilities:
➤ to elicit facts from witnesses in a fair, impartial and lawful manner;
➤ to report the results of a forensic audit accurately and completely;
➤ to be part accountant, part investigator and part criminologist; and
➤ to deal effectively with people – professionally, empathetically and thoroughly.

A forensic audit normally begins with the examination of documentary evidence, before progressing to meet with neutral third-party witnesses. The forensic auditor will then interview corroborative witnesses and subsequently suspected co-conspirators. Finally, the forensic auditor will approach the target.
In the case of allegations of kickbacks from a supplier, a neutral third-party witness could be the personnel manager. A co-worker could be a corroborative witness. A co-conspirator would be the supplier. The accused would be the staff member against whom the allegations were made.
The target or accused should always be interviewed last, once all the ‘facts’ are obtained.

Fraud Prevention
The vast majority of internal frauds are discovered by accident rather than by plan. Internal auditing is not designed to detect fraud, but to help managers to create an environment in which fraud is unlikely to occur, but will be swiftly detected if it does. The first defence against fraud is the hiring of the right person for a position and this normally falls to human resource professionals. A human resources professional identifies the skills required to complete the job successfully; assesses the personality of co-workers, juniors and supervisors; and then begins searching for the right candidate. If this is done effectively, the applicant will have the skills and personality to do the job; however, whether the successful applicant is honest, honest so far, or just not caught yet, remains unknown.


Fighting Corruption
Corruption in all shapes and forms has a corrosive impact on both local and overseas market opportunities, as well as the broader business climate. From the individual piracy of DVDs or branded-name products to a worst-case scenario where it may deter foreign investment, stifle economic growth and sustainable development, distort prices, and undermine legal and judicial systems, corruption is a problem in international business transactions, economic development projects and government procurement activities.
Developing a comprehensive anti-corruption compliance program may limit an organization’s risk and help protect an organization’s reputation and long-term survival.
An effective corporate anti-corruption program is one that ultimately yields the intended results of education, detection and deterrence. For such a program to be effective, the full support of executive management is necessary, since the program must be enforced at all levels. If executive management do not take corruption seriously, then neither will employees.

Codes of Conduct
A corporate code of conduct consists of a clear set of legal and ethical guidelines
for employees to follow. Such a code must exist in writing, be promulgated to all
employees and be understood by all involved. It may be necessary to translate
the code of conduct into the home languages of the employees, to make sure they
understand it fully. To be effective, penalties for violation must be clear and the code
must be effectively implemented and enforced at all times.
Such a code is a directive control and therefore not 100 per cent effective.
Nevertheless, a comprehensive and understood code of conduct may significantly
reduce the likelihood of misconduct by employees.
A compliance program may be instituted and run by either an individual or a team of compliance officers, depending on the size and nature of the business. Compliance officers and committees can be essential in producing and maintaining codes of conduct, as well as in educating employees on compliance procedures. The overall success of a code of conduct depends on the provision of legal and ethics training and the creation of a culture of integrity. As such, regular ethics training programs are required for all management and employees from executive management down through the hierarchy.
Violations of the code should be reported, but many employees are reluctant to report wrongdoing, either because of fear of reprisals or, more commonly, because they do not know to whom to report it. It is critical that employees have a clear and known line of communication that they can use to report wrongdoing, anonymously if they prefer. Where fear of reprisals exists, an organization must be at pains to protect whistleblowers who are prepared to expose themselves for its benefit. Suggestion boxes or anonymous ‘hot-lines’ make the reporting of questionable conduct easier. Many employees, influenced perhaps by television amateur sleuths, are under the impression that wrongdoing cannot be reported unless the employee has ‘solved the case’ and has incontrovertible proof. This belief must be overcome and employees encouraged to report their suspicions so that professional investigators may find proof that will stand up in court.


Another common reason for non-reporting is the belief that nothing will be done or, indeed, that nothing can be done. Feedback should be publicly given as to actions taken as a result of tip-offs. This, in turn, will encourage the ongoing reporting of violations of the code. Such violations need not be restricted to fraudulent activity, but may also include racism, sexual harassment or other illegal or unethical behavior.
Enforcement of the code of conduct is critical. Creation of a strong code with weak enforcement may prove worse than not having a code at all. Employees effectively have it pointed out to them that, while the company officially frowns on such behavior, it is prepared to turn a blind eye to it.
Organizations may also have to provide guidance and assistance to employees after a fraud has been uncovered. Innocent employees may need advice on how to cope with and resolve stressful situations resulting from the investigation or prosecution.

Internal Audit
The auditing and monitoring of systems of internal controls will themselves contribute toward the establishment of effective anti-corruption programs. The early detection of inaccuracies and misconduct (eg bribery, fraud or corruption) can swiftly create the climate of honesty sought by an organization.

CHAPTER 35

Forensic Evidence

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the legal environment in South Africa and the court structures
➤ Differentiate among the differing forms of fraud and the elements of proof
➤ Define the key elements of audit as opposed to legal evidence
➤ Explain the role of the polygraph

Courts and the Administration of Justice
Courts and the administration of justice are dealt with in South Africa under the auspices of the Constitution. The major courts in South Africa are the Constitutional Court, the Supreme Court of Appeal, the High Court, the magistrates’ courts and any other court established or recognized in terms of an Act of parliament.

Constitutional Court
The Constitutional Court consists of a president, a deputy president and nine other
judges. Any matter before the Constitutional Court must be heard by at least eight of
the judges. Although the Constitutional Court is the highest court in all constitutional
matters, it may decide only constitutional matters and it has the final say on whether
the matter is classed as a constitutional matter or not.
Only the Constitutional Court may decide disputes between the organs of state
regarding the constitutional status, powers or functions of those organs of state. It
may also decide on the constitutionality of any parliamentary or provincial bill, or
any amendment to the Constitution. It may also decide whether parliament or the
president has failed to fulfill a constitutional obligation.

Supreme Court of Appeal
The Supreme Court of Appeal consists of a chief justice, a deputy chief justice and a number of judges of appeal determined by an Act of parliament. Whether an appeal may properly be heard by the Supreme Court of Appeal is decided by the number of judges determined within that Act of parliament. The court may decide appeals in any matter and is the highest court of appeal, except for constitutional matters.

High Court
The High Court may decide any constitutional matter except a matter that only the Constitutional Court may decide or a matter that is assigned by an Act of parliament to another court of a status similar to the High Court.

Magistrates’ Courts and Other Courts
Magistrates’ courts and all other courts may decide any matter determined by an Act of parliament, but may not inquire into the constitutionality of any legislation.
Any evidence brought before a court must be capable of standing up to public scrutiny, and have been obtained and documented in accordance with the Criminal Procedure Act. Such evidence is deemed to be forensic evidence.

Forensic Evidence
Evidence in general may be defined as anything perceivable by the five senses and
includes:
➤ testimony of witnesses;
➤ documents;
➤ facts or data;
➤ tangible objects legally presented; and
➤ direct or circumstantial evidence.

Circumstantial evidence can be admissible but must be relevant and material.
The relevance of evidence includes evidence of the motive, opportunity, method and means of the perpetrator to commit the crime. In addition, admissible evidence includes physical evidence and evidence of attempts to conceal and/or destroy evidence. The most important point for admissibility of evidence is relevance.
Evidence may be excluded if it is seen to be unduly prejudicial, confusing, causes delay or is repetitive.
Fraud often leaves a paper trail, which can assist investigators to identify the
individual(s) responsible and estimate the extent of the loss. Documents used to
facilitate the fraud link the perpetrator to the crime and may become key evidence.
Evidence, regardless of the type, must be preserved and documented to be useable
in criminal trials or employment hearings.
Opposing counsel will often attack the admissibility of evidence in terms of its
relevance and chain of custody. Especially in the early stages of an investigation, the
relevance of a piece of evidence may not be evident. As a result, every item recov-
ered should be treated as though it were relevant. Seemingly useless items may later
play key roles in the prosecution of the case.
As was seen in the previous chapter, there are various types of fraud. In order to prove the case in court, an auditor will seek to obtain sufficient evidence.
For such evidence to be accepted by the court, the rules of evidence must be followed. These vary from country to country and are primarily designed for legal evidence and therefore have to be complied with in legal cases. In a non-forensic case not resulting in a prosecution, an auditor is not normally so restricted and may use any evidence until he/she is satisfied based on his/her professional judgment. In either event, he/she tries to foster an honest belief. In all cases, an auditor acting as a forensic investigator will seek to find and present the best possible evidence.


What Constitutes Best Evidence?
For documentary evidence, the best evidence is always the original document, which should be obtained wherever possible. Secondary evidence would include copies of written documents or oral evidence of the contents, but these are generally considered inferior. Evidence can also be categorized as:
➤ direct evidence, such as the evidence of a witness to an event;
➤ circumstantial evidence, which proves an intermediary fact and can trap an
unwary auditor;
➤ conclusive evidence, where only one reasonable conclusion can be drawn;
➤ corroborative evidence, which substantiates evidence already given; and
➤ opinion evidence.

A general rule is that facts are allowable while opinions are not, unless they are
expert opinions.
Hearsay evidence is generally inadmissible, although dying declarations, valid
confessions, tacit admissions or res gestae statements (spontaneous exclamations
as part of the criminal act) may be accepted at the discretion of the court.

Relevant evidence would be seen as evidence regarding:
➤ the motive for the crime;
➤ the ability of the defendant to commit the crime;
➤ the possession of the means to commit the crime; and
➤ the opportunity to commit the crime.

Threats by the suspect, the suspect's conduct and comments at the time of arrest
or evidence linking the suspect to the actual crime are also highly relevant. Any
attempt to conceal the fraudster’s identity or attempts to destroy evidence may also
be submitted to the court.
As each piece of evidence is collected, the auditor must maintain an inventory recording the date, location and time of collection and by whom the item was collected. Original documents should be protected against damage, which could destroy future opportunities to derive additional evidence. Originals would normally be stored in an envelope or plastic folder and should not be altered or written on, other than an unobtrusive notation for identification purposes. Any copies made for working purposes should be clearly marked ‘Copy’.

Chain of Custody
Forensic auditors must maintain the chain of custody of any evidence that comes into their possession. Any break in the chain of custody may result in the item or document being inadmissible at trial. This means that the evidence must be securely stored with access controlled by an ‘evidence custodian’. Securing the location can be as simple as keeping a door locked. From time to time, evidence must be transferred from one person to another and the transfer must be documented. Any movement of evidence, including sending it to a crime laboratory, document examiner or the police, must be accounted for as well. The simplest way to do this is to create an evidence trail within the register that lists each item by number and description.

339

Internal_Auditing.indb 339 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

Any transfer of evidence is noted in the evidence register by the person designated
as evidence custodian, thus maintaining the item's chain of custody.
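As an added example (not from the textbook), the evidence register and transfer log described above can be kept as a small structure in which every log entry is hashed and linked to the previous one, so that an edited or deleted entry is detectable at trial preparation. The SHA-256 fingerprint of each item, the field names, the holder titles and the sample invoice are this example's own assumptions, not anything the text prescribes:

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the first log entry


def fingerprint(content: bytes) -> str:
    """SHA-256 of an item's bytes; lets a working copy be checked against the original."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class CustodyEvent:
    item_no: int
    action: str        # "collected" or "transferred"
    holder: str        # person now holding the item
    location: str
    timestamp: str     # ISO-8601 string supplied by the custodian
    prev_hash: str     # entry_hash of the previous log entry (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        fields = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


@dataclass
class EvidenceRegister:
    custodian: str
    items: dict[int, dict] = field(default_factory=dict)
    log: list[CustodyEvent] = field(default_factory=list)

    def _append(self, item_no: int, action: str, holder: str, location: str, when: str) -> None:
        prev = self.log[-1].entry_hash if self.log else GENESIS
        event = CustodyEvent(item_no, action, holder, location, when, prev)
        event.entry_hash = event.compute_hash()
        self.log.append(event)

    def collect(self, description: str, content: bytes, collected_by: str,
                location: str, when: str) -> int:
        """Register a newly collected item and return its item number."""
        item_no = len(self.items) + 1
        self.items[item_no] = {"description": description,
                               "sha256": fingerprint(content),
                               "holder": collected_by}
        self._append(item_no, "collected", collected_by, location, when)
        return item_no

    def transfer(self, item_no: int, to_holder: str, location: str, when: str) -> None:
        """Document a hand-over; an undocumented move is a break in the chain."""
        if item_no not in self.items:
            raise KeyError(f"item {item_no} is not in the register")
        self.items[item_no]["holder"] = to_holder
        self._append(item_no, "transferred", to_holder, location, when)

    def verify_item(self, item_no: int, content: bytes) -> bool:
        """True if `content` is byte-identical to the item as originally collected."""
        return self.items[item_no]["sha256"] == fingerprint(content)

    def verify_log(self) -> bool:
        """Recompute every entry hash and every link; False if any entry was edited or removed."""
        prev = GENESIS
        for event in self.log:
            if event.prev_hash != prev or event.compute_hash() != event.entry_hash:
                return False
            prev = event.entry_hash
        return True

    def history(self, item_no: int) -> list[str]:
        return [f"{e.timestamp} {e.action} -> {e.holder} at {e.location}"
                for e in self.log if e.item_no == item_no]


# Constructed sample item; in practice the bytes of a scanned original would be read from disk.
SAMPLE_INVOICE = b"INV-2015-0042 Acme Supplies ZAR 12,500.00 (constructed sample)"


def build_sample_register() -> EvidenceRegister:
    reg = EvidenceRegister(custodian="evidence custodian")
    item = reg.collect("Invoice INV-2015-0042, original", SAMPLE_INVOICE,
                       collected_by="forensic auditor", location="Accounts payable, desk 4",
                       when="2015-03-02T09:15:00+02:00")
    reg.transfer(item, to_holder="document examiner", location="Forensic laboratory",
                 when="2015-03-03T14:00:00+02:00")
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for line in register.history(1):
        print(line)
    print("log intact:", register.verify_log())
```

The register alone does not replace physical security of the originals; it gives the custodian a way to show, for each item, who held it and when, and to prove that neither the item nor the log was altered after collection.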

Forensic Examination
IIA Practice Advisory 1210.A2-1: Identification of Fraud recognizes that this is a
specialized area of work that may well involve experts in the field.

‘Investigation of fraud consists of performing extended procedures necessary to
determine whether fraud, as suggested by the indicators, has occurred. It includes
gathering sufficient information about the specific details of a discovered fraud. Internal
auditors, lawyers, investigators, security personnel, and other specialists from inside
or outside the organization, are the parties that usually conduct or participate in fraud
investigations.’

Document examination, normally carried out by a specialized forensic document
examiner, can be used to create an evidentiary linkage between the suspect and
the fraud. Handwriting evaluation may be able to determine whether a signature
is genuine or forged and who the author of a particular piece of writing is. Printed
documents may similarly be linked to an individual printer or typewriter. Document
examination may also be able to reveal alterations or erasures and may even be able
to recover the original text.
In addition to the text itself, the ink used can also be analyzed and it may be pos-
sible to reveal alterations by identifying the brand of ink used, the production batch
number and even intervals between the writing of the original message and the
amendment. This may identify alterations after the document was created, result-
ing in forgeries. The paper itself can also be examined for time of production or the
inclusion of watermarks.
In general, documents may be examined for the handwriting used as well as the
sequence of entries. Alterations, obliterations and erasures may be detected and
deciphered. Printers, word processors and copiers can be identified, the authenticity
of reproduction copies established and original documents identified. Inks may be
compared and dated, and specific pens or pencils used for writing can be differenti-
ated. Paper can be authenticated and dated, and even documents that have been
burned or faded may be reconstructed.

Forensic Audit Department


The mission of the forensic audit department is to provide fair and objective inves-
tigation of serious irregular incidents and tendencies, as well as the rendering of
security scenario, advisory and consulting services within an organization.
Unlawful or irregular conduct and practices must be reported to the forensic audit
department without delay. It would normally be policy to refer alleged transgressions
of a criminal nature for prosecution by the appropriate authorities. Should the
responsible manager, after consulting the forensic audit department, consider this
not to be the appropriate action, he/she may decide not to refer the incident. Human
resources and the normal disciplinary procedures may address alleged incidents of
a less serious nature.



FORENSIC EVIDENCE

The forensic audit department obtains, assembles and researches information
on unlawful or irregular conduct and practices in order to identify causes, and will
advise and consult on interventions and action plans. All practices and procedures
utilized during investigations must comply with the requirements of the law.
The scope of the forensic audit department would normally include the investiga-
tion of alleged or suspected theft or other unlawful or irregular activities of a serious,
sensitive or corporate nature. Fraud itself, along with forgery and uttering, including
electronic transactions; unlawful or irregular disclosure of corporate information,
including electronic disclosure and industrial espionage; and any matters regarded
as sensitive by the board and audit committee, would fall within its scope.
The department may also be commissioned to conduct special investigations from
time to time and will develop and maintain records to facilitate the identification,
evaluation and analysis of threats to the organization as a result of irregular inci-
dents.
To be effective, the forensic audit department must have unrestricted access to
all functions, records, property and personnel, as well as full and free access to the
audit committee. It must have the independence to allocate resources, set frequen-
cies, select subjects, determine scopes of work and apply the techniques required
to accomplish its objectives. If necessary, the department should be empowered to
obtain the assistance of personnel in the units of the organization where it
performs audits and investigations, as well as other specialized services from within
or outside the organization.

Polygraph Testing
A polygraph is a measuring device that makes a permanent recording of various
physiological changes taking place within the body of the subject as a result of
psychological stimuli. The stimulus is brought about by maintaining a certain envi-
ronmental and emotional climate during the polygraph examination and the asking
of questions that have been structured and phrased in a specific way. The questions
asked during the examination will have been developed beforehand with the subject
so that there are no surprise questions.
Two basic types of polygraph instruments are in current use, namely analogue
and computerized polygraphs. Both of these are state-of-the-art technology, which,
if used by a professional polygraph examiner in a satisfactory environment, can very
accurately distinguish between truth and deception.
During a pre-examination interview, the examiner gathers details on both the
case and the person to be tested. The examiner must establish a rapport with the
examinee and allay his/her fears, suspicion and general anxiety. The examinee would
then normally be questioned in a non-accusatory interview about his/her knowledge
regarding the alleged incident and the test questions would be developed. As men-
tioned above, the test questions should be discussed with the examinee in advance.
At no stage during the test should any surprise questions be put to the examinee.
During the examination itself, pneumographs, GSR (galvanic skin response) and
cardiograph sensors are attached to the examinee. The examinee is then asked each
of the test questions at least twice and the physiological responses are recorded.
The polygraph is not a lie detector. It is an instrument that records the activity of
the autonomic nervous system, ie that part of the nervous system that we cannot
voluntarily control. There are two branches to the autonomic nervous system: the
parasympathetic branch, which has to do with rest, growth and development, and the
sympathetic branch, which is an emergency system. The emergency system becomes
dominant only when there is some threat and the individual becomes fearful.
The polygraph test measures such a response. If the truth is told, the body will
function at its normal level. If the examinee comes to a question in response to which
he/she intends to lie, he/she becomes afraid of being caught in that lie and the body
automatically shifts into the emergency system. All of the physiological changes will
take place and be recorded on the polygraph chart.
After the test, the examinee is questioned about the responses to the relevant
questions, if any, and a numerical scoring system is then employed to analyze the
examinee’s polygraph charts to determine if there are any significant physiological
responses to the relevant questions.
Since its invention, over 250 studies have been conducted on the accuracy of
polygraph testing. These studies suggest that when an established testing proce-
dure is used by a properly trained examiner, the accuracy of the decision made by
polygraph examiners can be around 95 per cent for specific issue investigations.62
The studies also indicate that, although it may be possible for someone lying to
be shown as truthful, it is highly unlikely that a person telling the truth will be
evaluated as lying. The polygraph is a useful aid with many applications, but is
not without its limitations. It cannot replace conventional investigation, since its
focused approach cannot be used to examine more than one specific issue at any
one time. It should be used to confirm or refute specific elements of information.
At present, there is no law in South Africa that prohibits the use of the polygraph,
but the examinee must agree to its use in writing before the examiner starts with the
test. There is no precedent set regarding the use of polygraph evidence in court at
present. It is at the discretion of the magistrate to decide what weight the polygraph
will carry as supporting evidence. In some countries, such as Israel, Germany and the
USA, the polygraph is widely accepted within the legal systems.

62. Barland, G.H. 1975. Detection of Deception in Criminal Suspects. A Field Validation Study.
PhD thesis, University of Utah.



36
CHAPTER

Conducting Fraud
Investigations

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the elements of the crime of theft
➤ Understand and explain the rights and powers of an investigator
➤ Select the appropriate investigative techniques for a variety of crimes
➤ Describe how to prepare a case for court and how fraud should be reported
➤ Match the use of investigative techniques and the appropriate support agencies

What are Fraud Investigations?


Investigation may be defined as the scientific process whereby facts and evidence
are gathered in order to reconstruct an incident objectively and accurately to form
the basis on which action and behavior can be evaluated.
A fraud or theft investigation relies on the collection of evidence, and the interview
and interrogation of individuals involved in a case in order to determine who, what,
where, when, how and why. These may be victims, witnesses or suspects in the case.
The approach to the investigation of internal fraud, irregularities or other serious
crimes differs from organization to organization. Some companies retain an in-house
capacity, others make use of consultants and advisers as required, while some rely
solely on the police for their investigations. If successful litigation is to occur, the
investigation process must be carried out in a manner acceptable to the courts in
order to gather the forensic evidence detailed in the previous chapter.
The investigation process itself is made up of the situation, the victim and the
identification of the perpetrator.

Elements Required to Establish Evidence of Theft


Four elements are essential for a specific crime to be classified as theft.
➤ The first essential element of theft is that there must have been a contrectatio,
ie the accused must have handled the items stolen. In normal circumstances,
this would involve removing the item from the lawful possession of the person
in charge of it. This means that if the accused person fraudulently influenced
an individual to voluntarily hand over an item with the intent of stealing it, a
contrectatio did not occur, but the accused could be charged with theft by
false pretenses after the contrectatio had taken place.
➤ The second element is that the object stolen must be a movable object. This
term is used in the sense that a house cannot be stolen, because it is immov-
able. Fixtures and fittings that form an integral part of such an item may not be
stolen. However, the furnishings would be considered movable objects.


➤ The third element is that the state must prove intent to steal, without which
the act is not a punishable offense. The intention must be to deprive the law-
ful owner of his/her ownership or a lawful possessor of his/her possession,
eg a hired car subsequently stolen.
➤ The fourth element is that the state must prove that it was the intention of the
accused to permanently deprive the owner of the object of his/her ownership. If
the intent was merely to deprive the owner temporarily, the accused is not pun-
ishable for theft. The accused would instead be charged with unlawfully using
somebody else’s property without their permission.

Whenever a theft has taken place, certain basic information must be gathered. A
statement should be taken from the complainant detailing the specific time and
date when the object stolen was last seen, together with the date and time of the
discovery of the theft. The statement should also record that no one had permission
to take the property or to remove it temporarily. A full description of the article stolen
and of any identification marks are critical for proper identification in the event of
recovery. If the object was insured against theft, this must be recorded, together
with the name of the insurance company. The value of the objects stolen will also be
required both for prosecution and by the insurance company.

The Power of the Investigator


In conducting an investigation, the private individual does not automatically have
the right to take affidavits or receive sworn statements from witnesses. Investigating
auditors should be appointed commissioners of oaths in order to ensure the legality
of any sworn or avowed statements from possible witnesses.
Investigators should be aware of the fundamental rights of freedom of every South
African citizen and that unlawful interference with such rights is looked on as a seri-
ous violation by the courts.
In searching premises, any person who is lawfully in charge of any premises or
lawfully in occupation of it and who has reason to suspect that an object has been
placed in the premises in contravention of any law may, in the absence of a police
official, enter into the premises for the purpose of searching the premises and any
person therein. Should such an illegal article be found, the person should take pos-
session of it and deliver it to a police official. Once again, the rights of the suspect
must be taken into consideration and any such search should be conducted with
strict regard to decency and order. If a female has to be searched, only a female
police officer or a woman designated by a police official may carry out the search.
Under normal circumstances, the arrest of a wrongdoer would be the responsibility
of the police. However, under certain circumstances, detailed in Section 42 of the
Criminal Procedure Act, a private individual may arrest a person without a warrant of
arrest. If the arrest takes place without the provisions of Section 42 being complied
with, the arresting person may be liable for unlawful arrest, resulting in a civil claim,
and the detention of the suspect will also be unlawful. Section 39 of the Act lays
down the manner in which an arrest must be made. A critical component is that the
body of the person to be arrested must be touched and the accused must imme-
diately be informed of the reason for his/her arrest. If the person arrested contests
the lawfulness of the arrest, the onus of proving that the arrest was lawful rests on
the person who made the arrest.



CONDUCTING FRAUD INVESTIGATIONS

Private individuals may also be called upon by a police official to assist in arrest-
ing a person or in detaining a person so arrested. Failure to assist the police in this
matter without sufficient cause is an offense.
Entry into premises for the purpose of effecting an arrest may be gained by an
individual who may lawfully arrest another and who reasonably suspects that the
other person is on the premises. Certain procedures must be followed to make the
entry lawful. The individual must first audibly demand entry into such premises and
notify those inside of the reason for which he/she seeks entry. He/she may then, if
necessary, break open, enter and search the premises in order to make the arrest.
The use of force in effecting an arrest is permissible to an authorized person where
the suspect resists arrest and cannot be arrested without the use of force, or where
the suspect flees when it is clear that an attempt to arrest is being made. Only such
force as may be necessary to overcome the resistance or prevent the flight may be
used.

Corporate Investigation
IIA Practice Advisory 1210.A2-1: Identification of Fraud indicates that fraud detec-
tion is not a primary function of internal audit and that internal auditors’ knowledge
and experience is not equivalent to that of a fraud investigator. Consequently, while
fraud may be detected in the course of internal audit procedures, this is not a guar-
antee that all such fraud has been detected, and this in turn does not imply that an
internal auditor has not exercised due professional care.

‘Internal auditors are not expected to have knowledge equivalent to that of a person
whose primary responsibility is detecting and investigating fraud. Also, audit procedures
alone, even when carried out with due professional care, do not guarantee that fraud will
be detected.’

This does not mean that, in the present environment of endemic fraud, the management
of a large organization may not establish a forensic audit department employing
specialist investigators, or appoint external service providers for these services.
When management becomes aware of possible wrongdoing within an organiza-
tion, it has a duty to ascertain the truth and extent of the wrongdoing. This normally
involves conducting an investigation. Such an investigation must be professionally
planned and executed to avoid the normal emotional reaction that occurs when
indications of impropriety arise. Hasty overreactions can compromise an investiga-
tion before it even starts.
Generally, people’s initial reaction when faced with the first indications of possible
wrongdoing is an instant judgment regarding the extent of the problem and the
potential wrongdoers. Suspicion abounds when fraud is revealed and the behavior
patterns of innocent people become suspect. Such knee-jerk reactions can be highly
damaging both to the futures and reputations of innocent people and to the orga-
nization itself. The suspected fraud should be treated as a management issue and
careful planning should be carried out prior to the investigation.
At the planning stage, information regarding the suspected fraud should be restrict-
ed to those who have a need to know. The extent of this restriction will depend on the
individual or individuals suspected, the nature of the fraud and the authority levels
of the suspects. Maintaining secrecy at this stage increases the possibility of gaining
appropriate evidence. If the suspected fraudster is unaware of the investigation, there
is a greater probability that the fraud will continue and that co-conspirators may be
identified. The evidence to be gained by monitoring an ongoing fraud may be critical
in proving the case in court. Secrecy can also protect the organization from a lawsuit
by the suspect for defamation resulting from libelous or slanderous statements made
to a third party damaging to the suspect’s reputation.
As part of the early planning process, selection of the individuals to be involved in
the investigation must take place. Professional investigators, either private or from
the police services, will normally spearhead the investigation, but other members
of the organization may also be called on to participate. A senior manager should
be designated to ensure liaison takes place between the investigators and executive
management. Internal audit can secure evidence and provide background informa-
tion on the control structures and authority levels of employees. In most cases, legal
advice will be required to ensure that the investigation is lawful, that the evidence is
maintained in a form acceptable to the courts, and that the appropriate procedures
are followed to permit the organization to proceed civilly to recover its losses from
the dishonest employee. With the extent of current personnel legislation, it is critical
that the senior manager from human resources be involved to ensure that the rights
of the accused employee are not violated and that personnel law is followed.
Once the team has been appointed, each participant’s role in the reporting rela-
tionships must be clearly defined. The goals and objectives of the investigation must
be agreed and these could range from temporary suspension to criminal prosecu-
tion. These objectives will have a significant impact on the method of investigation,
the nature of the evidence to be gathered and the timing of the investigation. Timing
can be critical and it is easy to underestimate the duration and resources required
for an investigation. A fast resolution may limit further losses but may be counter-
productive when it comes to recovering the losses already incurred.

Lies, Lies and More Lies


In conducting the investigation, suspects may be interviewed and may choose to lie.
This can take several forms and clues may be detected depending on the nature of
the lie.
➤ Lying by omission is the most common form of deception. The interviewee
does not actually lie, but evades answering by omitting the information that
he/she wants to conceal. If the omission is detected, the interviewee can always
claim that he/she forgot or that he/she did not consider the matter
important enough to mention.
sonal stress is limited.
➤ Denial of having participated in the fraud or having any knowledge of it is
another common form of lying. While it avoids the stress of giving a false
answer, it creates a mental conflict known as dissonance, as the liar attempts to
balance the prohibitions against lying learned as part of his/her upbringing and
the need to protect him-/herself from the consequences of being caught.
➤ Making up a story is the most difficult type of lie to attempt and maintain.
The liar will require a good memory to remember what has already been said
and must be a quick thinker to maintain consistency in the lie. Such fabrica-
tion is normally uncovered because of inconsistencies in the details of the lie or
the sequence of events claimed. The starting point of the fabrication and the
end point are normally genuine events and time periods. It is what happened
in between, and when it happened, that is fabricated, and it is there that the claimed
sequence of events is most likely to be forgotten.
➤ Lying by minimization is used to deceive by downplaying negative aspects of
the suspect’s behavior or performance. Careful questioning and healthy skepti-
cism on the part of the investigator can normally uncover the truth.
➤ In the same way, exaggeration may also be used as a lie and is frequently used
when a job applicant exaggerates his/her qualifications, work experience and
responsibilities. Once again, careful questioning may reveal the truth.

Detecting Lies
In the absence of a polygraph, investigators will use observation of the interviewees’
behavior patterns to identify areas of possible concern.
Delays in responding to questions involving the simple recollection of facts may
alert the investigator to a possible attempt at deception, as the liar has to consider
his/her version of the facts to ensure consistency with what he/she has already said.
People who are telling the truth can normally answer promptly, as they are simply
recalling a memory. Care should be taken, however, to distinguish between the delay
before a lie and the delay of a person taking sufficient time to ensure the question
is answered accurately. Questions that require an answer based on the individual’s
judgment will normally involve some form of delay. Delay over ‘yes’ or ‘no’-type
questions indicates the weighing of the pros and cons of a given answer.
Repeating the question may be a tactic used by the interviewee to delay answer-
ing while weighing the options. Once again, the delay may be caused by a genuine
attempt to give the best possible answer.
Lying can also be indicated by the use of qualifiers in answering questions.
Expressions such as ‘as far as I can remember’, ‘to the best of my knowledge’ and
‘probably’ can be used to conceal deception. They may signify omissions and areas
that the interviewee wishes to avoid.
Analyzing an individual’s behavior and body language is a skilled science. When
used effectively, it can provide focus for further investigations and questioning, and
assists identification of areas where a deception may be occurring. It is, however,
easy to draw the wrong conclusions and such analysis should be taken as a guideline
rather than as actual evidence.
One of the final steps an investigator takes in concluding the inquiry is confronting
the target of the investigation. Often, the ultimate outcome of the case may depend
on whether the suspect confesses. Confession is responsible for more successful
investigations than all the other forensic techniques combined.
Confronting a suspect is a complicated process. The individual’s age, education,
job, experience with the criminal justice system, and his/her awareness of the inves-
tigation must be considered when preparing to confront a suspect and trying to get
a confession.


Two common techniques exist:

The cognitive behavioral model of confession


This model is based on the premise that the confession results from the unique rela-
tionship between the subject, the environment and others involved in the process
like other suspects, victims, witnesses and interrogators. The interviewer seeks to
elicit a confession by inducing social isolation, fatigue, stress or feelings of guilt in
the interviewee. There are four basic areas in the cognitive behavioral model that the
interrogator uses in inducing a confession:
➤ social, in which the individual's fear of isolation from friends and co-workers
may or may not increase his/her resistance to a confession. A benefit for the
individual comes in the shape of positive reinforcement, and praise for confess-
ing is provided by the interrogator;
➤ emotional, in that the fear of the unknown, combined with guilt and shame of
the wrongdoing, generates emotional relief when the suspect decides to con-
fess;
➤ cognitive, which involves the suspect interpreting facts and making assumptions
about what is or is not known. The suspect may convince him-/herself that his/
her guilt is known absolutely, even when this may not be true, and that confes-
sion is therefore the best course of action; and
➤ situational, which relates to the timing of the confrontation and the circum-
stances surrounding it, such as whether the subject is forced to wait or the
interrogation begins immediately, who conducts the interview, and where and
when is it held.

The emotional model of confession


This model suggests that the subject's failure to tell the truth is the result of attempt-
ing to avoid the consequences of his/her actions, whether real or perceived. The
suspect attempts to shift the blame for his/her actions to some other source. Face-
saving suggestions allow the subject to justify his/her actions without removing the
legal responsibility for his/her criminal acts. The interrogator in this instance is not
viewed by the suspect as an opponent, but rather a mediator between the suspect
and the organization.
This model encourages the individual to make an emotional decision to confess,
rather than a rational one, and may result in the suspect reacting emotionally by
crying as he/she confesses.
Just as frauds can be solved by good interviewing techniques, they can also fail
because of errors in interviewing. Wherever possible, the investigation should con-
clude with the obtaining of a valid, signed confession.



37
CHAPTER

IT Fraud Investigation

Learning objectives
After studying this chapter, you should be able to:
➤ Outline briefly the fundamental goals and methodologies of an IT fraud investigation
➤ Define appropriate policies and procedures to facilitate an IT fraud
investigation
➤ Explain the basic technology in IT forensics and sources of evidence
➤ Define the elements required in preplanning for an IT fraud investigation
➤ Design an appropriate IT fraud response toolkit
➤ Describe the current legislative basis for using computer evidence

The Exponential Growth of Computer Crime


Over recent years, an enormous amount of publicity has been given to the threat of
computer crime, which has led to a greater awareness at an executive level of the vul-
nerability of their IT functions. The growth of organized fraud in the computer world
in conjunction with the comparatively new threat of organized terrorism or politically
motivated penetration of computer systems makes this awareness essential.
Advances in computer science have come at a staggering pace and computer
crime has remained in step with all of these advances. Unfortunately, computer
crimes happen in real-time and the crime is completed in microseconds. Only a tiny
percentage of such crimes have been found in time to perform any form of meaningful
investigation, unless care had been taken beforehand to create an appropriate
detective environment.
Where investigations do take place, less than 20 per cent will actually go to court
and, of all those prosecuted, less than five per cent will be convicted. In many cases,
it is the fear of failure of prosecution and of exposing the corporation to ridicule that
is the real deterrent to prosecution. The failure of successful convictions is often due
to a lack of proper care or a methodical approach by the investigator. Often, the
evidence obtained is improper, inconclusive and not legally gathered or maintained.
In addition, business moving onto the Internet has created the greatest opportunity
for widespread and methodical fraud the world has ever known. The most
common computer crimes are those that merely involve the computer as a tool
to implement the crime. In addition, the computer may itself be the victim of the
attack, resulting in the theft of information, disclosure of confidential data, vandal-
ism, sabotage or viruses.

Classification of Computer Fraud


Given that activities within a computer environment consist of three main elements,
input, processing and output, it is no surprise that IT fraud can be classified in the
same way.


➤ Input frauds normally take the form of amended or forged transactions entered
into the computer and unauthorized changes to standing data on master files so
that valuable assets, normally cash, can be obtained. This type of fraud does
not need any specific IT expertise and is a common form of user-level data
entry fraud.
➤ Processing or throughput frauds usually involve modifications to live programs
in order to insert unauthorized code for improper purposes. Viruses, trap-doors
and Trojan horses are all examples of such code.
➤ Output frauds commonly occur when correct and valid outputs are intercepted
and amended before they are used. This may take the form of altered payments
or breaches of confidentiality.

Once more, with the advent of the Internet, computer hacking has become a source
of risk to computer systems. Perhaps fortunately, hacking for fraudulent purposes is
not yet widespread.

The Investigation of IT frauds


IIA Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities states that internal audit should be alert for irregularities that may indicate the presence of IT fraud in organizations involved in e-commerce.

‘The internal auditor should be alert for:


➤ Unauthorized movement of money (eg, transfers to jurisdictions where the recovery
of funds would be difficult).
➤ Duplication of payments.
➤ Denial of orders placed or received, goods received, or payments made.
➤ Exception reports and procedures, and effectiveness of the follow-up.
➤ Digital signatures: Are they used for all transactions? Who authorizes them? Who has
access to them?
➤ Protections against viruses and hacking activities (history file, use of tools).
➤ Access rights: Are they reviewed regularly? Are they promptly revised when staff
members are changed?
➤ History of interception of transactions by unauthorized persons.’

Many IT fraud investigators have a fundamental fear of computers but are being called in to investigate computer-related crime, and are therefore happy to leave such investigations to specialist auditors or outside consultants. This fear has built up over the years as a result of the air of secrecy surrounding IT and the technical jargon associated with it. Once the technical jargon has been cleared away, understanding the risks and controls within computer systems and the means of investigating an IT fraud become clear.
IT fraud often comes to light because of its impact on the organization; however, the most common way in which computer crime is uncovered occurs when another person, who may or may not be an employee, tips off the organization. When an IT fraud is suspected, the first objective of the IT auditor or security personnel is to confirm whether an incident has actually occurred. If there appears to be a case for believing such an occurrence has taken place, all subsequent steps must be specifically designed to help the accumulation of accurate information and establish control for retrieval/handling of evidence.
This can cause complications, because of the need to protect the privacy rights of
both the suspected perpetrator and the defrauded organization. There is little point
in recovering stolen assets by destroying corporate confidentiality.
The investigation must minimize business disruption. Gathering of forensically acceptable evidence will commonly involve isolating the information source to prevent contamination. In the case of information systems, such isolation, if extended over a period of time, could result in considerably more damage to the organization than the original fraud.
Once gathered, the evidence must allow for legal recrimination, ie it must be
capable of standing up to scrutiny and challenge in court.

In order to achieve successful prosecution, there is a whole series of events that must take place, namely:
➤ pre-incident preparation;
➤ detection of incidents;
➤ initial response;
➤ forensic back-ups;
➤ investigation;
➤ network monitoring;
➤ recovery;
➤ reporting; and
➤ follow-up.

Pre-incident Preparation
The objective of pre-incident preparation is to ensure that, should an incident occur, the organization is in a position to identify what exactly happened and to what systems. From this it may be determined what information was compromised, what files were created/modified, and who may have caused the incident. It is also useful to prepare, in advance, who should be notified and what steps will be required to get back to normal.
Major steps in the process would include identifying the vital assets in advance and conducting a risk analysis to determine what would be the most likely nature of exposure faced. Individual hosts could then be prepared to detect incidents by producing cryptographic checksums of critical files and enabling secure logging. Preventative measures would include hardening the hosts’ defenses in a variety of ways. Back-ups of critical data stored securely can help protect against the threat of non-availability leading to fraud. Directive controls would include comprehensive user education about host-based security.
Networks should be prepared by installing firewalls and intrusion detection systems (IDS), as well as by the use of access control lists on routers. Companies can create a topography conducive to monitoring, encrypt network traffic and require authentication beyond the password level.
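The checksum preparation described above, as an added example that is not part of the book: a Python script records SHA-256 checksums of critical files in advance, stores the baseline outside the monitored tree with its own digest, and later reports which files were modified, added or deleted. The host directory, file names and contents are constructed for the demonstration.

```python
"""Pre-incident preparation: baseline cryptographic checksums of critical files,
then verify a host against that baseline when an incident is suspected.
Added example; the host directory and its files are constructed below."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not be read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256 and size."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def save_baseline(baseline: dict, store: Path) -> str:
    """Write the baseline as JSON and return the digest of the stored file.
    Assumption: the caller keeps that digest off the host (write-once media or a
    separate log server), so a tampered baseline file can itself be detected."""
    data = json.dumps(baseline, indent=2, sort_keys=True).encode()
    store.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(store: Path, expected_digest: str) -> dict:
    """Refuse to trust a baseline whose stored bytes no longer match the recorded digest."""
    data = store.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline file has been altered; do not rely on it")
    return json.loads(data)


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline; report modified, added and deleted files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a 'host', then simulate a processing fraud
    (altered live program), a planted file and an erased log, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"
        (host / "bin").mkdir(parents=True)
        (host / "logs").mkdir()
        (host / "bin" / "payroll.exe").write_bytes(b"MZ original payroll program")
        (host / "config.ini").write_text("approval_limit=5000\n")
        (host / "logs" / "access.log").write_text("2015-04-16 11:13 user1 login\n")

        store = Path(tmp) / "baseline.json"          # kept outside the monitored tree
        digest = save_baseline(build_baseline(host), store)

        # later: the incident
        (host / "bin" / "payroll.exe").write_bytes(b"MZ modified payroll program")
        (host / "bin" / "helper.dll").write_bytes(b"unexpected code")
        (host / "logs" / "access.log").unlink()

        return verify(host, load_baseline(store, digest))


if __name__ == "__main__":
    print(demo())
```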

At the user end, preparations would include determining an appropriate corporate response stance. This could be:
➤ to ignore the incident;
➤ to defend against further attacks;
➤ to prosecute; or
➤ simply to perform surveillance and gather data on the incident for future use.

The appropriate response may, in fact, vary based on the circumstances of the incident. If, for example, a hacker is detected, it may be more beneficial to the organization to allow the hacker to believe the system penetration is successful and let him⁶³ in. This would allow time to gather forensically acceptable evidence for his future prosecution, as well as facilitate tracing the hacker to his lair. Obviously such a policy would require a very high level of confidence that the activities of the hacker could be traced and limited.
From the audit and investigation perspective, preparation could include the building of a forensic response toolkit. Such a toolkit would normally consist of a hardware/software combination to promote the demonstrably uncorrupting nature of the investigation. The hardware would usually be a high-end processor with a large memory capacity and a large-capacity empty drive. A DVD-RW drive, a high-capacity tape drive and a large number of cables for creating multiple connections would be needed for the interchange of information. An uninterruptible power supply would be necessary to prove that no corruption took place during the investigation phase because of power outages. DVD/Rs and labels, together with external hard disks and a high-capacity memory stick, would also prove essential. In addition, the standard tools for forensic examination including folders and labels for evidence; a digital camera so that evidence might be captured directly into the system; lockable evidence storage containers; a printer and paper; and finally burn bags to dispose of evidence securely when approval is given by legal counsel, would all be required.
On the software side, response software would include two or three native operating systems (W98/WNT/LINUX); forensic duplication tools such as EnCase, Imagecast or Expert Witness; all the drivers for all your hardware on all platforms; a file viewer such as Quickview Plus or Handy Vue, capable of handling a variety of file structures and formats; as well as disk-write blocking routines.
With this toolkit, an auditor should be able to conduct forensically acceptable
examinations.
An incident response team should be established to respond to all security incidents and conduct a complete, unbiased investigation. The team must confirm or dispel an incident quickly and assess the damage and scope. A 24/7 hot-line should be established to allow the team early notification so that they can control and contain the incident. The team’s job is to collect and document all evidence while maintaining a chain of custody, to protect privacy rights and to provide expert testimony.

63. Since hackers are apparently always male, the use of ‘him’ and not ‘him/her’ seems justified here.

IT FRAUD INVESTIGATION

Detection of Incidents
Incidents may be detected via intrusion detection systems, firewalls, suspicious
account activity, malfunctioning services or even defaced websites. In all cases, it is
essential that the discoverer note the critical details, such as:
➤ the current date and time;
➤ who/what is reporting;
➤ the nature of the incident;
➤ when the incident occurred;
➤ the hardware and software affected; and
➤ contacts for involved personnel.

Initial Response
The initial response should be directed towards finding out what probably happened and what the best response strategy is. At all times, an investigator must be mindful of the legalities and must ensure that all searches are carried out within the letter of the law.
This will typically involve an examination of network topologies and verifying policies, and investigating the incident by conducting personnel interviews, systems administrators interviews, management interviews and interviews of the end-user. Only then should hands-on action be taken.
All actions taken must follow the fundamental rules: everything the investigator does must be documented, and every care should be taken to ensure that the evidence itself is not compromised during the investigation.
Acquiring the evidence will first involve securing the physical area. Before anything is disturbed, photographic evidence should be gathered of the system itself, the monitor and all cable interfaces. Photographs should also be taken of the surrounding area and all papers and disks should be inventoried and collected.
The IT system should then be shut down by unplugging it directly from the power supply. Under no circumstances should the keyboard be touched or the power switch used to power down the machine. Shutting down the machine in the normal way may activate software traps to encrypt or delete sensitive data. At a minimum it will alter the data held in virtual memory.
Before the computer itself is moved, it should be sealed and all cables and connectors clearly labeled. Once the computer is in the place where it is to be examined, the computer case may be opened and, once again, photographs should be taken of the inside before anything is touched. Disconnecting the power leads prior to starting the system should isolate all hard drives.
The system can then be started so that the date and time may be collected from the setup menu. This will be used in later examination to compare to date and time stamps and other evidence. At this stage it is also recommended that the BIOS be changed to ensure that the system boots only from a floppy drive.
The machine should then be switched off once more. An unused hard drive will be connected to the system to be the target drive for the forensic back-up. This drive should become drive 0, with the original drive classed as drive 1. This prevents the system from attempting to boot from the original drive. A bootable diskette containing the forensic copying software should be placed in the diskette drive and the system restarted.

The forensic copy of the hard disk should then be made. All drives should then be removed from the system, placed in anti-static bags and sealed. The sealed disks should be dated and signed and placed in a secure environment.

Forensic Back-ups
Forensic examinations should never be performed on the original medium. An exact clone of the medium should be made and the original evidence must then be stored securely. Care must be taken to ensure that the cloned medium is in fact a complete copy of the original evidence. Most back-up software available on the market today does not copy information in a way that would be acceptable for further investigation. In the normal course of events, data that has been deleted still remains on the magnetic medium until it is overwritten. This data can be a rich source of forensic evidence. Most copying, cloning and back-up software will copy only current files from the medium. To be acceptable, the copy must be made bit by bit and sector by sector. Only in this way can the investigator assert that the working copy was a true reflection of the original evidence.
In addition, encryption technology should be used so that the investigator in court can state that the working copy could not be adulterated in an undetectable manner or even read by an individual without personal supervision by the investigator.
When the copy is made, the medium used for copying to should be forensically sterile. Preferably, the target medium should be brand new and unused, or alternatively scrubbed clean to internationally acceptable standards prior to use. The forensic investigator must understand that the examination must be carried out in a way that ensures that the evidence remains unmodified. Even looking at a file on computer modifies its file attributes. Where such modifications are not preventable, the maintenance of an investigation log detailing all accesses becomes critical.
As with any forensic examination, the chain of custody of evidence must be maintained at all times.
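An added illustration, not from the book, of why the working copy must be made sector by sector onto a sterile target, verified by hash and recorded in a custody log: the ‘medium’ below is a constructed in-memory disk with a toy directory format, one entry of which has been deleted while its bytes remain; a file-level copy misses that data, the bitwise image does not. The directory layout, file names and examiner label are assumptions for the demonstration.

```python
"""Forensic back-up: sector-by-sector image versus a file-level copy, verified
by hash and recorded in a custody log. Added example, not from the book: the
'medium' is a constructed in-memory disk with a toy directory layout."""
import hashlib
import struct
from datetime import datetime, timezone

SECTOR = 512
DIR_ENTRY = "<16sHHB"   # name, start sector, length in bytes, allocated flag


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_medium() -> bytes:
    """Constructed evidence medium: sector 0 holds the directory, file data follows.
    The second entry has been 'deleted' (flag cleared) but its bytes are still there."""
    files = [
        (b"ledger.csv", b"inv,amount\n1001,5000\n1002,4999\n", True),
        (b"transfer.txt", b"transfer 250000 to acct 99887766\n", False),   # deleted
        (b"readme.txt", b"nothing to see\n", True),
    ]
    disk = bytearray(SECTOR * 8)
    directory, next_sector = b"", 1
    for name, data, allocated in files:
        start = next_sector * SECTOR
        disk[start:start + len(data)] = data
        directory += struct.pack(DIR_ENTRY, name, next_sector, len(data), int(allocated))
        next_sector += -(-len(data) // SECTOR)          # ceiling division
    disk[0:len(directory)] = directory
    return bytes(disk)


def read_directory(medium: bytes) -> list:
    size = struct.calcsize(DIR_ENTRY)
    entries = []
    for off in range(0, SECTOR - size + 1, size):
        name, start, length, allocated = struct.unpack_from(DIR_ENTRY, medium, off)
        if length == 0:                                  # end of directory
            break
        entries.append((name.rstrip(b"\0"), start, length, bool(allocated)))
    return entries


def logical_copy(medium: bytes) -> bytes:
    """What ordinary back-up software produces: current (allocated) files only."""
    return b"".join(medium[s * SECTOR:s * SECTOR + n]
                    for _, s, n, alloc in read_directory(medium) if alloc)


def bitwise_image(medium: bytes, target: bytearray) -> bytes:
    """Sector-by-sector copy onto a forensically sterile target of the same size."""
    if len(target) != len(medium) or any(target):
        raise ValueError("target must be zero-filled and the same size as the source")
    for off in range(0, len(medium), SECTOR):
        target[off:off + SECTOR] = medium[off:off + SECTOR]
    return bytes(target)


def log_custody(log: list, action: str, data: bytes, examiner: str) -> dict:
    """Append a timestamped entry: who did what, and the hash observed at that point."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "examiner": examiner, "sha256": sha256_hex(data)}
    log.append(entry)
    return entry


def demo() -> dict:
    medium = make_medium()
    log = []
    log_custody(log, "hash original before imaging", medium, "examiner-1")
    image = bitwise_image(medium, bytearray(len(medium)))
    log_custody(log, "hash working copy after imaging", image, "examiner-1")
    remnant = b"acct 99887766"                           # lives only in the deleted file
    return {
        "image_verified": log[0]["sha256"] == log[1]["sha256"],
        "deleted_data_in_image": remnant in image,
        "deleted_data_in_logical_copy": remnant in logical_copy(medium),
        "custody_entries": len(log),
    }


if __name__ == "__main__":
    print(demo())
```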
Common mistakes at this stage include the failure to maintain proper documentation throughout the investigation process. Failure to notify decision makers within the organization may jeopardize the legality of any evidence gathered. If digital evidence is not properly controlled and secured, its forensic acceptability may also be challenged.
Failure to report the incident in a timely manner may lead to problems with authorities, as such reporting is a matter of law. Such failure may confuse the issue and allow the perpetrators of the wrongdoing enough time to defeat the ends of the investigation.
One of the most common mistakes involves simply underestimating the scope of the incident. If too narrow a focus is applied, some evidence may be omitted or even destroyed during the course of the investigation.
At the technical level, altering date and time stamps on evidence systems before recording them can occur, inadvertently destroying the forensic nature of the evidence. Failure to record the commands used or the use of untrustworthy commands and tools can also raise questions about the validity of any evidence gathered. Even the very act of installing the tools, if done wrongly, can overwrite significant evidence and cast doubt on the remaining evidence.

Investigation
Once a working copy of the data is available, the investigator must decide what evidence is to be sought. Depending on the nature of the investigation, files accessed, e-mails sent and received, Internet sites visited, programs executed and graphic files accessed may all be of interest to the investigator.
In its simplest form, an investigator seeking evidence of the presence on the computer of illicit or illegal files or software may simply have to do a search for a specific file name or file type. Even this may be complicated if the files concerned have been deleted, and the investigator may have to resurrect such deleted files before examining them.
Where fraud has occurred, the files accessed, the date and time of access, the network paths taken and the software executed can be critical. Most modern operating systems have the capacity to record such accesses. Log files and registry entries can contain such information as user names, passwords, recently accessed files and network connections used. Unfortunately, having the capacity does not necessarily mean that such records are created and retained. Once again, the investigator will have to search for such files, possibly now deleted, before suspects can be interrogated.

Network Monitoring
In the course of the investigation of an ongoing fraud, investigators may have to monitor traffic flowing over the communication network. This will typically involve using packet sniffers to monitor traffic flow. Such activity is, by nature, detective, and is designed to confirm or dispel suspicions of fraud or irregular transactions. The accumulated evidence may be used to verify the scope and extent of the system compromise by identifying compromised systems, user accounts and passwords. It may be possible to identify source addresses on the network, as well as to intercept stolen files, pornography or downloaded hacker tools.
At its best, such monitoring can identify the parties involved, determine the timelines of an event and possibly even assess the skill level or numbers of individuals involved in the illicit activity.
In a covert investigation into activities on a specific machine, monitoring software can be placed on the machine to record all e-mail sent and received, keystrokes, images on screen, and mouse clicks when Internet and intranet sites are visited. Such software would run in stealth mode and gather the information for later retrieval. The software can be used to send the information gathered automatically to the investigator’s machine. In all cases, care should be taken to ensure that the evidence gathered is stored in an acceptably secure manner both on the target’s machine and while in transit to the investigator.
Investigators should be aware that many anti-virus and spyware detectors can detect such monitoring and care should be taken to ensure the specific software cannot be detected on the target’s computer.

Recovery
Recovery is the process of restoring the systems to their normal, secure status. The nature of the recovery process will be dependent upon the nature of the specific fraud and the recovery strategy selected by the organization. At the end of the investigation the auditor should be aware of which parts of the system were compromised and what needs to be done to repair the damage. The recovery strategy itself may involve the rebuilding of the system from backup or from original source media.
In all cases, the system itself must be adequately secured prior to the introduction to the live environment. This may involve the acquisition or implementation of additional security measures in order to prevent the fraud from recurring.

Reporting and follow-up


In every fraud investigated, the most critical component of the investigation when a
prosecution is sought is the comprehensive nature of the documentation throughout
the investigation. This documentation must take place as the investigation takes
place and not in retrospect. Courts tend to place more reliance on information
gathered during the investigation rather than produced as memory serves after the
investigation.
Reporting activities overall include producing detailed notes and documentation to support both criminal and civil prosecution as well as the production of a final report detailing the fraud, impact on the business, actions taken and the appropriate recommendations to reduce the likelihood of a similar incident elsewhere within the organization.
As with all auditing, following up of the report is critical to ensure that appropriate
action is not only agreed but implemented.


Appendices

List of Appendices

Appendix   Description                          Page No.
A          Internal Auditors’ Guidelines        359
B          Sample Audit Committee Charter       360
C          Sample Internal Audit Charter        362
D          Working Papers                       365
E          General Standards of Completion      370
F          Sample Working Papers                373
G          Sample Job Descriptions              384
H          Sample Engagement Contract           396
I          Sample Audit Program                 397
J          Sample Audit Report                  400

APPENDIX A

Internal Auditors’ Guidelines

All professional internal auditors should be guided by the Institute of Internal Auditors’ Code of Ethics, Standards for the Professional Practice of Internal Auditing and advised by the IIA Practice Advisories, Practice Guides and Position Papers.
These documents are downloadable from:

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx

They are free to IIA members and available to purchase for non-members.



APPENDIX B

Sample Audit Committee Charter

1. Purpose
To assist the XXXXXXXXXXXX in fulfilling the oversight responsibilities for the financial reporting process, the system of internal control over financial reporting, the audit process, the organization’s process for monitoring compliance with laws and regulations, and the code of conduct.

2. Mission
To provide professional advice to assist the Accounting Officer and Executive
Management to secure transparency; accountability; and sound management of
revenue, expenditure, assets and liabilities of the organization.

3. Composition
The Audit Committee will consist of at least three external and two internal members, with alternatives where necessary.
The Executive Committee will appoint members and the Audit Committee will
elect its own Committee Chair.

4. Meetings
The committee will meet at least four times a year, with the authority to convene additional meetings as circumstances require. The committee will invite members of management, auditors or others to attend meetings and provide pertinent information as necessary. It will hold private meetings with the Head of Internal Audit.
Meeting agendas will be prepared and provided in advance to members, along with
appropriate briefing materials. Minutes will be prepared.

5. Responsibilities
The committee will carry out the following responsibilities:

5.1 Financial Statements


➤ Review interim financial reports with management and the external auditors before filing with regulators, and consider whether they are complete and consistent with the information known to committee members.

5.2 Internal Control


➤ Consider the effectiveness of the organization’s internal control over annual and interim financial reporting, including information technology security and control.
➤ Understand the scope of internal and external auditors’ review of internal control over financial and operational reporting, and obtain reports on significant findings and recommendations, together with management’s responses.

5.3 Internal Audit


➤ Review with management and the chief audit executive the charter, plans, activities, staffing and organizational structure of the internal audit activity.
➤ Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement or dismissal of the internal chief audit executive.
➤ Review the effectiveness of the internal audit activity, including compliance
with the Institute of Internal Auditors’ Standards for the Professional Practice of
Internal Auditing.
➤ On a regular basis, meet separately with the chief audit executive to discuss
any matters that the committee or internal audit believes should be discussed
privately.

5.4 External Audit


➤ On a regular basis, meet separately with the external auditors to discuss any
matters that the committee or auditors believe should be discussed privately.

5.5 Compliance
➤ Review the effectiveness of the system for monitoring compliance with laws
and regulations and the results of management’s investigation and follow-up
(including disciplinary action) of any instances of non-compliance.
➤ Review the findings of any examinations by regulatory agencies, and any auditor observations.
➤ Review the process for communicating the code of conduct to the organization’s
personnel, and for monitoring compliance therewith.
➤ Obtain regular updates from management and the organization’s legal counsel
regarding compliance matters.

6. Other Responsibilities
➤ Perform other activities related to this charter as requested by the
Management Board.
➤ Institute and oversee special investigations as needed.
➤ Review and assess the adequacy of the committee charter annually, requesting
board approval for proposed changes.
➤ Confirm annually that all responsibilities outlined in this charter have been carried out.
➤ Evaluate the committee’s and individual members’ performance on a regular
basis.

_______________________________ __________
Chairperson: Audit Committee Date

______________________________ __________
CEO/CFO or Accounting Officer Date

APPENDIX C

Sample Internal Audit Charter

1. Mission and Scope of Work


The mission of the internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve the organization’s operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

The scope of work of the internal audit activity is to determine whether the organization’s network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner that will ensure the following:
➤ Risks are appropriately identified and managed.
➤ Interaction with the various governance groups occurs as needed.
➤ Significant financial, managerial and operating information is accurate, reliable and timely.
➤ Employees’ actions are in compliance with policies, standards and procedures, and applicable laws and regulations.
➤ Resources are acquired economically, used efficiently and adequately protected.
➤ Programs, plans and objectives are achieved.
➤ Quality and continuous improvement are fostered in the organization’s control processes.
➤ Significant legislative or regulatory issues affecting the organization are recognized and addressed properly.

Opportunities for improving management control, economy and the organization’s image may be identified during audits. They will be communicated to the appropriate level of management.

2. Accountability
The Head of Internal Audit (HIA), in the discharge of his/her duties, shall be accountable to management and the Audit Committee to:
➤ provide annually an assessment on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work;
➤ report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution;
➤ provide information periodically on the status and results of the annual audit plan and the sufficiency of department resources; and

➤ co-ordinate with and provide oversight of other control and monitoring functions (risk management, compliance, security, legal, ethics, environmental and external audit).

3. Independence
➤ To provide for the independence of the internal audit activity, its personnel
should report to the HIA, who reports functionally and administratively to the
xxxxxx and periodically to the Audit Committee in a manner outlined in the
above section on Accountability. It will include as part of its reports to the Audit
Committee a regular report on internal audit personnel.

4. Responsibility
The HIA and staff of the internal audit activity have responsibility to:
➤ develop a flexible annual audit plan using appropriate risk-based methodology,
including any risks or control concerns identified by management, and submit
that plan to the audit committee for review and approval;
➤ implement the annual audit plan, as approved, including, as appropriate, any
special tasks or projects requested by management and the Audit Committee;
➤ maintain a professional audit staff with sufficient knowledge, skills, experience
and professional certifications to meet the requirements of this charter;
➤ establish a quality assurance program by which the HIA assures the operations
of internal auditing activities;
➤ perform consulting services beyond internal auditing’s assurance services to
assist management in meeting its objectives. Examples may include facilitation,
process design, training and advisory services;
➤ evaluate and assess significant merging/consolidating functions and new or
changing services, processes, operations and control processes coincident with
their development, implementation and/or expansion;
➤ issue periodic reports to the Audit Committee and management summarizing
results of audit activities;
➤ keep the Audit Committee informed of emerging trends and successful practices in internal auditing;
➤ provide a list of significant measurement goals and results to the Audit
Committee;
➤ assist in the investigation of significant suspected fraudulent activities within the
organization and notify management and the Audit Committee of the results;
and
➤ consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.

5. Authority
The HIA and staff of the internal audit activity are authorized to:
➤ have unrestricted access to all functions, records, property and personnel; and
➤ have full and free access to the Audit Committee.

6. Audit Management
Audit management will:
➤ allocate resources, set frequencies, select subjects, determine scopes of work
and apply the techniques required to accomplish audit objectives; and
➤ obtain the necessary assistance of personnel in units of the organization where
they perform audits, as well as other specialized services from within or outside
the organization.

7. Standards of Audit Practice


The internal audit activity should endeavor to meet the Standards for the Professional
Practice of Internal Auditing of the Institute of Internal Auditors at all times.

________________________________ __________________________
Head of Internal Audit Chief Executive Officer

________________________________
Audit Committee Chairperson

Dated ___________________________


APPENDIX D

Working Papers

1. Working Papers Policy


This policy reflects the minimum standards IA expects its auditors to meet. It is
essential that working paper standards for both manual and automated working
papers be consistent.
These standards have been developed to ensure compliance with the Standards
for the Professional Practice of Internal Auditing (Institute of Internal Auditors or IIA)
and Generally Accepted Auditing Standards (GAAS). ‘Working papers’ is the generic
name given to the documents that are prepared throughout the auditing process.
Working papers should reflect clearly the extent of the auditor's examination and
the methods of verification used, and contain sufficient evidence to support the
conclusions reached.

2. Working Papers
Working papers should promote efficiency in the planning and performing of individual assignments throughout the current audit, as well as for subsequent audits/reviews. They serve as a reference guide for information, notations, quantitative data, etc, and support all material contained in the report during, and subsequent to, the completion of the audit.
Working papers evidence the scope and depth of coverage of the examination,
while supervisor and external auditors use working papers to help them assess and/
or review the adequacy and quality of the work performed.
Working papers provide evidence of the auditor's adherence to generally accepted
auditing and IIA standards by documenting the planning and supervising of the audit,
the procedures followed, the evidence obtained and the conclusions reached.
The findings, recommendations and statistics contained in the audit report must
be supported in the working papers. They must stand on their own to the extent that
a reviewer should be able to understand clearly the objective for each test, as well
as the conclusion reached without further explanation from the auditor.

3. Working Paper Types


Working papers for an audit are made up of two general types of files. The first type
of file is the permanent file, which contains all the relevant information that may be
of interest during future audits. The second type of file is the current file, which con-
tains various schedules and documents prepared as the compliance and substantive
audit procedures are completed. These current files contain a record of all of the
audit work completed and any conclusions reached.
The term ‘working papers’ thus refers to both the current year's audit documen-
tation and the permanent file. The working papers represent a clear, self-contained
record of the audit and should not require any supplementary oral explanation.



INTERNAL AUDITING: AN INTEGRATED APPROACH

A good working paper technique is an essential element to the successful
completion of any audit. Remember that all work will be reviewed by a number
of people, some of whom will not be part of your organization (ie regulators and
independent auditors). A reviewer should be able to easily understand all of the
audit work performed and the conclusions drawn from this work.

These papers are used for a number of important functions:


➤ They demonstrate whether professional standards were adhered to during the
audit.
➤ They aid in the organization, control, administration and review of the audit
work.
➤ They provide evidence of the audit work performed and the conclusions drawn
from that work.
➤ They show whether the reported data is in agreement or has been reconciled
with the actual records.
➤ They provide the principal evidentiary support for the report issued about the
audit performed.
➤ They record conclusions reached during the audit.

A high degree of consistency must be maintained when preparing the working
papers in order to ensure their clarity and functionality.
Although all audit testing and audit findings must be adequately documented
and supported in the working papers, the amount of actual supporting data requires
judgment.

4. Factors Affecting what Data is Included in Audit Working Papers


The factors that will affect the need to include specific data include the following:
➤ The type of audit being performed: A larger amount of detailed information
should be included if the examination involved a potential fraud, as opposed to
a lesser amount of data for a routine audit.
➤ The type of findings encountered: A larger amount of detailed information
should be included if the examination includes a million rand receivable error,
as opposed to a lesser amount of data for a minor error in petty cash.
➤ The strength of the internal control system in place: A larger amount of detailed
information should be included if the internal controls are found to be very
weak and the auditor is unsure whether the system can catch all errors of omis-
sion and commission.
➤ The amount of supervision and review of the assistant's work necessary: If the
auditor performing the audit is new or inexperienced, the lead auditor may ask
for a greater amount of detailed data to ensure that the area has been covered
adequately.
➤ The condition of the auditee's records: If the auditee's records are found to be
unreliable, the auditor must gather and document more detailed information to
support the audit findings.

There is no definitive guideline for the inclusion or exclusion of data; however, the
above list may aid in the decision-making process and in preparing your working
papers.


5. Contents of the Permanent File


There is no standard organizational rule for the permanent files. However, the follow-
ing types of documents should normally be included:
➤ organization charts;
➤ descriptions of business activities, systems, procedures and the business plan;
➤ key ratios, loss norms, etc;
➤ the latest corrective action plan;
➤ legal and regulatory issues affecting the business;
➤ risk assessment;
➤ deviations;
➤ other correspondence; and
➤ an updated audit program.

6. Contents of the Current File


Current working paper files should have a consistent organization and documenta-
tion, irrespective of the type of audit.
The front of the file should display the business or department name, the nature
of the audit (or the name of the audit), the names of the staff that participated, the
as-of audit date, and the audit number. The number of files will vary, depending on
the number of working papers prepared and the number of locations audited.
The current file contains a number of sections that will change from audit to audit
and may typically include the following sections:
1. Selection
2. Client Background
3. Internal Control Descriptions
4. Audit Program
5. Results of Audit Tests
6. Audit Comment Worksheets
7. Report Planning Worksheets
8. Copy of Audit Report
9. Follow-up Program
10. Follow-up Report
11. Audit Evaluation
12. Ongoing Concerns
13. Administrative/Correspondence

6.1 Selection
This section is used for documenting the audit selection planning. This is where the
results of any risk assessment are recorded. All of the planning efforts and docu-
ments should be recorded in this section.

6.2 Client Background


This section contains the overall statement of the audit area’s business and control
objectives, together with the principal control structures relied upon, the auditor’s
first impression of overall control and the sources of information to be used in the
audit.


6.3 Internal Control Descriptions


This section details the preventative, corrective, detective and directive controls that
management believes it has in place and relies on for each of the control objectives
outlined in section 6.2.

6.4 Audit Program


This section contains the tailored and updated audit program. This is a schedule of
the detailed testing to be carried out and will document the work performed. These
schedules should start from the control objectives in the internal control description,
detail the steps to be carried out and demonstrate logical support of audit conclu-
sions.
This audit program is essential to all levels of corporate audit. It allows the audit
manager an advance view of the planned scope of work and, at completion, a record
of work performed. In fact, the audit program, together with the budget and the work
schedule, documents corporate audit's accountability for the upcoming audit.
For the audit manager or in-charge auditor, it provides a means of communicating
the necessary instructions to the audit staff, and furnishes a sound basis for deter-
mining staffing requirements and budgeting staff hours. It also serves as a checklist
in reviewing the working papers and controlling the audit.
Finally, for an auditor involved in the audit, it serves as a means of becoming
familiar with the assignment, and furnishes the detailed plan of action for guiding
and controlling the audit work.

6.5 Results of Audit Tests


This section contains a record of the actual audit work performed and the detailed
results. Each procedure point in the audit program should be referenced to the
appropriate working paper. By the time an audit is completed, you may have hun-
dreds of sheets of paper containing the various data collected during the audit
process. Proper cross-referencing is essential for the reviewer to find the details of
the work performed for each audit procedure without having to go through all the
working papers.

6.6 Audit Comment Worksheets


Detailed comments are written for each audit exception, finding or control weakness
encountered during the audit. Each finding must clearly and concisely enumerate
the condition found, the criterion or standard that is supposed to be complied with,
the cause expressed in terms of the absence of or failure of the appropriate control
and the effect expressed in terms of the impact on the business. In addition, the
auditor records his/her opinion and recommendations.
By completing these as the audit progresses, an auditor will save valuable time
when preparing to write the audit report.

6.7 Report Planning Worksheets


This section contains the worksheets used to plan the final audit report. The audit
comment worksheets are collated to group together findings with common causes.
These are then used to complete the report planning worksheets, allowing the audi-
tor to produce, in outline format, the sections of the audit report. Sorting these
planning worksheets into order of business priority will provide the structure of the
final audit report.


6.8 The Audit Report


This section contains the final report issued to the business being audited. This
report is prepared according to the corporate audit report guidelines. It contains a
brief description and/or statement of the business’s background and the scope of
the audit, together with a summary of the evaluation.

6.9 Follow-up Program


This section contains the follow-up audit program. This is a schedule of the detailed
testing to be carried out that will examine the results of any changes carried out as
a result of the original audit. Care should be taken not to simply repeat the original
audit.

6.10 Follow-up of Prior Audit Findings


This is the section in which the auditor follows up on all prior audit exceptions. It
includes a copy of the previous audit report and its exceptions. The file should note
whether or not the exceptions found in previous audits have been cleared.

6.11 Audit Evaluation


This section is used to evaluate the audit process and records the positive features,
the failures and the lessons to be carried forward into subsequent audits in this or
other areas.

6.12 Ongoing Concerns


This section is used to record items of ongoing concern for future audits in this area,
such as depreciation tables, long-term plans or issues with ongoing effects.

6.13 Administrative/Correspondence
This section contains all minutes of meetings, together with administrative and/or
correspondence memos and documents. Specifically, it contains:
➤ the engagement memo; and
➤ the closing meeting memo/minutes.

The audit engagement memo should be addressed to the business manager with
whom you will be working during the audit. This memo should be sent by the audit
manager in order to explain your plans and reasons for conducting the audit. It
includes the agreed scope and objectives of the audit, together with the timescales.
This section also includes the minutes summarizing the closing meeting at which the
audit report is discussed, as well as the tickmark schedule.



APPENDIX E

General Standards of Completion

1. Cross-referencing
Cross-referencing serves two useful purposes. Firstly, it promotes accuracy in the
preparation of working papers, because it means that a member of the audit team has
compared two findings and found them to be the same. Of more importance, however,
is the second purpose. Many of the elements of operational and financial information
that are considered during the audit are interrelated. Cross-referencing demonstrates
that the audit team understands and has considered such interrelationships.

2. Tickmarks
Tickmarks are numbers and letters that are marked on the schedules. These are
used:
➤ to reference a particular explanation to a specific item; and
➤ to reference a series of items to one explanation.

Tickmarks should always be letters or numbers and be written on the right of the
item.
A useful standard is to ensure that numbers are used for remarks, notes or where
no errors are detected. Lettered explanations are used when errors are detected
while performing the audit work or when the audit work cannot be completed as
planned.
The typical tickmarks (ie checkmarks, crosses) are not used, to allow for consis-
tency between manually prepared working papers and automated working papers
generated using MS Word. Each tickmark should have a clear and precise expla-
nation of what it represents. This explanation should include a verb describing
what was done, an object on which the work was done and, where appropriate, a
description of the results of the work.
Ticking an item means that the work indicated was completed. Thus an item on
a working paper should not be ticked until the work has been completed exactly as
indicated in the tickmark explanation.
Tickmark explanations should be placed on the schedule. When the same tick-
marks are used throughout a file, a standard tickmark sheet can be very helpful.
The standard tickmark sheet should be placed in the administrative/correspondence
section of the file and can be referred to whenever standard tickmarks are used on
a working paper.
Tickmark use can greatly reduce the need for lengthy explanations, thus saving
time in doing and reviewing the audit work.

3. Notes
Notes are commonly used to describe the purpose, source and scope of a test when
the reason for the test is not obvious and/or not described by the audit program.


They may also be used to describe work done relating to most of or all the items on
a schedule, as described in the audit program, or to describe work done on items
not appearing on a schedule but relating to that schedule.
Notes should be placed in a conspicuous location so that the reviewer will read
them when starting the review. As with all documentation, the information presented
in the notes should be complete yet concise. You should be careful not to put too
much or too little information in the notes. In the case of underdocumentation, you
would have to go back later and add information. This could lead to inefficiencies
or possibly a duplication of efforts. In the case of overdocumentation, time is spent
on unnecessary information. Thus, you should not include details that are irrelevant
or redundant.

4. Working Paper Review


Working paper review is part of the overall quality control process, since it falls into
the category of supervision. Just as business management must review the work
performed by its department, internal audit must internally review its own work.
The working papers generated from the audit will be subject to review. Everything
an auditor does in an audit must be properly substantiated. It is the audit supervi-
sor’s responsibility to review all working papers thoroughly in order to ensure that all
of the audit team's work is verified and proven. When reviewing the working papers,
the audit supervisor strives to ensure that audit program coverage is adequate to
meet the audit objectives, that the audit was expedited efficiently using the mini-
mum resources, and that the working papers are in accordance with departmental
and professional standards. If the audit work performed cannot be adequately sup-
ported by documentation, the work has been worthless, since any opinion expressed
is a personal opinion without substantiation.
When either an internal or external quality assurance review takes place, a selec-
tion of the working papers is used to verify that the overall effort of the audit team
was effective.

5. General Review Considerations


The following is the list of questions an audit supervisor would consider while review-
ing working papers:
➤ Does each working paper properly show:
◗ a descriptive title?
◗ the name of the business and area audited?
◗ appropriately descriptive column headings?
◗ the date the working papers were prepared in the bottom centre?
◗ the auditor's initials in the bottom left-hand corner?
◗ the appropriate and necessary indexing symbols?
◗ a conclusion, if necessary?
➤ Are all tickmarks properly explained?
➤ Were all of the important calculations tested and checked by the auditors?
➤ Are all of the necessary cross-references included?
➤ Are all of the data sources included and thoroughly described in a manner that
exactly represents the tests from start to finish?
➤ Are the data and the testing valid? Do they support all of the actions of the
auditors? Do they support the conclusions reached by the auditors?
➤ Is the method of selection indicated?


➤ Were computer-prepared retrievals and/or photocopies used (when practical)
rather than handwritten copies?
➤ When used, did the auditor adequately support the reason for including the
retrievals or copies?
➤ Was the schedule prepared in such a way that it will prevent unnecessary
repetition in future audits?
➤ When a schedule was prepared by an auditee, is that clearly indicated in the
working papers?
➤ Were all unnecessary items removed from the working papers?
➤ Were all findings discussed with the appropriate individuals?
➤ Are the papers arranged in a logical sequence that follows the program?
➤ Are all of the program steps individually signed off and referenced to their
respective points of origination? If an audit step was not performed, is it appro-
priately referenced to an explanation for the omission?
➤ Are the papers neatly prepared and in a logical format?

As a part of ongoing professional development and for quality purposes, it is critical
that each auditor perform a self-review of all working papers produced. A thorough
self-review enables other reviewers to concentrate on the true meaning of the audit
findings rather than on poor working paper technique.
A thorough working paper review is one of the most valuable tools available to
auditors and helps to improve and strengthen their audit skills.

6. Working Paper Retention and Security


Working papers contain confidential information and should be accessed only by
authorized personnel. Working papers must be secured during all phases of an audit
and subsequent to an audit's completion.
Working papers must also be retained for specified periods of time so that they
can assist with any subsequent audits or investigations. The length of retention
should be determined in consultation with the appropriate corporate legal advisors
and should be in line with other corporate vital record retention policies.



APPENDIX F

Sample Working Papers

Audit Title Audit Reference



Date of Audit Duration

Audit Manager Supervisor

Audit Staff

Department

Manager

Departmental Objectives



Audit Objectives

Report Recipients


File Contents
Audit Title Audit Reference

1. Selection
➤ Risk Factors
➤ Evaluation
➤ Audit Frequency
➤ Last Audited
➤ Audit Due
2. Client Background
➤ Business Objectives
➤ Control Objectives
➤ Principal Control Structures
➤ Overall Impression of Internal Control
➤ Management Structure and Contacts
➤ Major Sources of Evidence
3. Internal Control Descriptions
4. Audit Program
5. Results of Audit Tests
6. Audit Comment Worksheets
7. Report Planning Worksheets
8. Copy of Audit Report
9. Follow-up Program
10. Follow-up Report
11. Audit Evaluation
12. Ongoing Concerns
13. Administrative/Correspondence

Examples of working papers for each of the above file contents 1–13 follow on the
next pages.


Audit Title Audit Reference


1. Selection
Risk Factors _________________________________________________________

Evaluation ___________________________________________________________

Audit Frequency ______________________________________________________

Last Audited _________________________________________________________

Audit Due ____________________________________________________________

Notes ________________________________________________________________

Audit Title Audit Reference


2. Client Background
Business Objectives ___________________________________________________

Control Objectives ____________________________________________________

Principal Control Structures ___________________________________________

Overall Impression of Internal Control__________________________________

Management Structure and Contacts ___________________________________

Major Sources of Evidence _____________________________________________


Audit Title Audit Reference

3. Internal Control Descriptions

Control Objective

Preventative Controls

Detective Controls

Corrective Controls

Directive Controls


Audit Title Audit Reference


4. Audit Program

Audit Objective
Control Tested
Source of Evidence
Testing Method

Audit Objective
Control Tested
Source of Evidence
Testing Method

Audit Objective
Control Tested
Source of Evidence
Testing Method

Audit Objective
Control Tested
Source of Evidence
Testing Method

Audit Objective
Control Tested
Source of Evidence
Testing Method


Audit Title Audit Reference

5. Results of Audit Tests


Nature of Finding


Same in Last Audit? Yes No

Directive or Procedure Involved


Tests Made:
Population Size Sample Size
Selection Method Percentage
Discrepancies

Causes


Corrective Action

Discussion with Auditees:

Name Title Dept Date Auditor

1.

2.

3.

Comments by Auditees:

1.

2.

3.


Audit Title Audit Reference


6. Audit Comment Worksheets
Condition

Criteria

Cause

Effect

Recommendations


Audit Title Audit Reference


7. Report Planning Worksheets
Report Topic or Section

Conclusion or Key Message


Key Points Supporting Message


Action I Would Like to See Taken


Impression I Would Like to Convey


Audit Title Audit Reference


8. Copy of Audit Report

Audit Title Audit Reference


9. Follow-up Program

Audit Title Audit Reference


10. Follow-up Report


Audit Title Audit Reference


11. Audit Evaluation
What Went Wrong

What Went Right


What Can We Learn?

Audit Title Audit Reference


12. Ongoing Concerns


Audit Title Audit Reference


13. Administrative/Correspondence



APPENDIX G

Sample Job Descriptions

Typical job descriptions are provided in this appendix for the seven positions
indicated below.
Job Descriptions: Position Title for ‘THE COMPANY’ Page No.
1. Audit Manager 384
2. Supervising Auditor 386
3. Senior Auditor 387
4. Financial Auditor and Operational Auditor 389
5. Auditor/Associate Auditor 390
6. Information Systems Audit Supervisor 391
7. Auditor Senior/Auditor Specialist 394

Position Title: Audit Manager of THE COMPANY


Date:

Position Summary
This position is responsible for identifying, planning, organizing, controlling and
directing audits necessary to assure management that organizational goals and
objectives are met efficiently and economically.

Nature and Scope


This position reports to the XXXXXXX. Reporting to the incumbent are supervising
seniors, and senior and staff auditors.
The audit manager develops an audit program and an audit staff capable of
analyzing all operations in a complex business and offers recommendations for
improvements. Executing this responsibility requires that audits be designed to
provide senior management with an evaluation of and recommendations on the reli-
ability and the integrity of financial and operating information; compliance with poli-
cies, plans, procedures and government laws and regulations; adequacy of means
established to safeguard THE COMPANY’s assets, and the economy and efficiency
with which resources are employed; and the realization of objectives and goals for
operations or programs.

The principal job responsibilities of this position include the following require-
ments:


➤ the development of an annual and five-year audit plan and strategy to present
to the Audit Committee and the operating management of THE COMPANY for
their review and approval;
➤ the training of a proficient audit staff to meet the audit plan;
➤ financial audits to ensure that THE COMPANY’s financial accounts are pre-
sented according to generally accepted accounting principles;
➤ managerial audits to ensure that the means used to accumulate financial/
operational data result in complete, accurate, timely, reliable and relevant
information;
➤ operational audits to ensure that control systems are in place to safeguard THE
COMPANY’s assets and that such assets are employed with optimal economy
and efficiency;
➤ compliance audits to ensure that functional activities are conducted according
to plans, policies, procedures, laws and regulations;
➤ investigation of misappropriation to determine wrongdoing, identify parties
involved, quantify loss, negotiate terms for restitution, and make recommenda-
tions for criminal or civil prosecution;
➤ evaluations of audits to make sure that audits are conducted according to
audit standards, that sufficient evidence is obtained, and that procedures are
properly documented to support audit findings;
➤ follow-up on audit findings to ensure adequacy and timeliness of corrective
action;
➤ proficiency in and knowledge of the profession, including auditing and account-
ing standards, and changes in financial reporting requirements and in laws and
regulations promulgated by government agencies;
➤ participation at professional seminars, classes and meetings;
➤ promotion of the profession by preparing articles and speeches, and partici-
pating in professional organizations;
➤ satisfactory interpersonal relationships with auditors and executive manage-
ment; and
➤ semi-annual reviews with executive management of audit results and corrective
action.

In addition to sound auditing and accounting knowledge and skills, the audit man-
ager must possess a broad business knowledge, experience, insight and maturity.
Knowledge of the requirements of the Statement of Audit Standards of the PAAB
and Financial Accounting Standards is essential, since the position is responsible for
directing all financial auditing for the internal audit department.
Audits of compliance and controls to monitor compliance with government regula-
tions require the audit manager to be familiar with THE COMPANY’s requirements
and regulations. This person must be broadly experienced in order to understand
the organization, its goals and the peculiarities of the business areas in which he/she
is functioning. The audit manager must be management- and systems-oriented,
have problem-finding and problem-solving abilities, and possess knowledge of
business and functional procedures. Also, he/she must be capable of developing
these traits in the staff.
The audit manager must possess sound behavioral and motivational skills and
be able to supervise audits. This responsibility covers the entire audit cycle, from


definition of audit goals and objectives through the preliminary survey, execution,
documentation and reporting stages of the audit.
The ability to communicate orally and in writing is essential, because the audit
manager will frequently deal with all levels of corporate management.
The audit manager must hold at least an undergraduate degree. A graduate
degree, CIA or CA certification is an additional advantage. In addition, this position
requires at least six years of audit business experience and two years of supervisory
experience.
The position requires about 25 per cent travel time away from home.

Principal Accountabilities
The audit manager:
➤ ensures the effective accomplishment of annual and long-range audit strategy
for THE COMPANY’s audit staff functions;
➤ ensures the development of long- and short-range group audit plans;
➤ conducts acquisition reviews and special assignments timeously and reliably;
➤ conducts evaluations of audits and reviews of auditors to meet audit standards
and procedures;
➤ promotes the professional development of staff and him-/herself;
➤ ensures the professional proficiency of audit staff;
➤ ensures effective audit coverage of assigned locations outside South Africa;
and
➤ makes sure significant concerns are brought to the attention of the Audit
Committee and appropriate executive management.

Position Title: Supervising Auditor

Reports to: Internal Audit Manager


Department: Internal Audit
Date:

Definition
Under general direction, this employee supervises and directs financial and opera-
tions audits conducted by the audit staff and reviews audits performed by contract
auditors.

Description of Tasks
➤ Schedules, assigns, supervises and directs audits; discusses audits and recom-
mendations with departmental officials; and clarifies internal audit's viewpoint.
➤ Prepares preliminary evaluations to determine the audit scope and the extent
that staff audits may encompass special problems.
➤ Reviews pertinent laws and ordinances; co-ordinates and confers with outside
auditors, the district attorney, the sheriff, and other agencies about investiga-
tive reviews; and conducts training in audit policies, methods and procedures.


Distinguishing Characteristics
The incumbent is responsible for the scheduling, timeliness, quality and quantity of
audits performed.

Employment Standards
The incumbent must be a graduate from an accredited college or university with
specialization in accounting.
Additional auditing or accounting experience above the minimal requirement
and supplemented by at least 12 units of accounting course work as per the NQF,
including intermediate accounting, may be substituted for university education on a
year-for-year basis. A passing score on an accounting proficiency test approved or
administered by the company may be substituted for accounting course work.
The incumbent must have three years of auditing or accounting experience,
including at least one year in a capacity comparable to a senior accountant. An
advanced degree in a related field may be substituted for one year's experience.
The incumbent must have knowledge of the principles, theories, techniques and
practices of accounting and auditing; basic trends and developments in the auditing
profession; generally accepted accounting principles and auditing standards; and IS
techniques, concepts and operating procedures.
The incumbent must be able to apply the principles, theories, techniques and
practices of professional auditing; apply knowledge of operations, procedures and
legislation applicable to activities under audit; gather, assemble, consolidate and
analyze facts and draw conclusions; solve complex problems; make oral and written
reports and presentations clearly, concisely and effectively; and anticipate the effect
of changes recommended.

Position Title: Senior Auditor

Reports to: Supervising Auditor


Department: Internal Audit
Date:

Definition
Under direction, this employee conducts audits of fiscal and operational activities of
departments or other agencies. This person also audits new and revised accounting
and management systems as required.

Description of Tasks
Duties for financial auditors include the ability to resolve difficult technical prob-
lems; analyze, develop, co-ordinate and revise accounting systems and procedures;
improve internal controls; discuss accounting and management problems and other




significant points disclosed in audits with responsible officials; audit the receipts of
commercial firms having percentage contracts with the company; audit and analyze
the company's insurance coverage; prepare working papers, schedules and reports;
and perform special assignments as required.
Duties for operational auditors include the ability to analyze information systems
and procedures; analyze management controls; verify conformance with pertinent
laws and program achievements; prepare working papers, schedules and reports
for completed audits; discuss audit results with responsible officials; and perform
special assignments as required.

Distinguishing Characteristics
This position differs from that of the supervising auditor in that the latter is respon-
sible for supervising audits. It differs from assistant auditors (11) in that incumbents
perform the most complex audits requiring greater technical knowledge, have the
ability to resolve difficult problems (whether financial or operational in nature), and
possess a specified accounting education. They also generally have one or more
subordinate auditors assigned to work with them.

Employment Standards
Financial auditors must have a Bachelor's degree from an accredited university with
a major in accounting or its equivalent. Courses should include basic, intermediate
and advanced levels; cost accounting; and auditing.
Operational auditors must have a Bachelor's degree from an accredited university
with a major in administrative or quantitative fields or their equivalent, preferably
including at least two courses from among those listed for financial auditors, with
the balance from among management and analytical courses: computer science,
financial administration, organizational management, statistics and quantitative
methods.
These employees must complete accounting and auditing courses at a minimum
of one course per semester and two semesters per year after being hired.
Incumbents must have two years or more of experience in either auditing or
accounting. Experience in both financial and operational auditing is preferred.
The office of the audit manager will assess prior work experience.
These auditors should have knowledge of management control and general
accounting and auditing principles, methods and procedures and the ability to apply
these in performing audits. They should be able to:
➤ perform complex analytical-critical reviews of the company’s records;
➤ perform difficult analytical and critical examinations of auditee records and
establish and maintain effective relations with fellow employees;
➤ earn and maintain the confidence of auditees while conducting financial or
operational audits and resolving difficult problems; and
➤ communicate effectively orally and in writing.




Position Titles: Financial Auditor and Operational Auditor

Reports to: Senior Auditor


Department: Internal Audit
Date:

Definition
Under general supervision, these auditors conduct audits of departments' or other
agencies' fiscal or operational activities, assist in audits of new or revised accounting
or management systems, and perform work as required.

Description of Tasks
The financial auditor conducts financial audits of average difficulty and assists in
complex audits. Duties include the ability to analyze accounting systems and proce-
dures; analyze internal controls; review costs and financial data; verify conformance
with pertinent laws and ordinances; prepare audit reports, working papers and
audit schedules; discuss audit results with responsible officials; and perform special
assignments as required. He/she may also conduct operational audits.
The operational auditor conducts operational audits of average difficulty and
assists in complex audits. Duties include the ability to analyze information systems
and procedures; analyze management controls; verify conformance with pertinent
laws and ordinances; perform reviews for economy and efficiency of operations and
program achievement; prepare audit reports, working papers and audit schedules;
discuss audit results with responsible officials; and perform special assignments as
required.

Distinguishing Characteristics
This class differs from the senior auditor in that incumbents are not expected to
have experience in both financial and operational areas, are not required to have an
accounting education (when performing as an operational auditor), are not assigned
the responsibility that is characteristic of a senior auditor, and are supervised by the
latter. It differs from associate auditor in that incumbents exercise more indepen-
dent judgment and perform audits of average difficulty.

Education and Experience


The financial auditor must have (1) a Bachelor's degree from an accredited university
with a major in accounting or its equivalent; and (2) one year of experience as an
associate auditor or its equivalent.
The operational auditor must have (1) a Bachelor's degree from an accredited
university with a major in administrative or quantitative fields or equivalent; (2) one
year of experience as an associate auditor or its equivalent; and (3) completed at
least one accounting or auditing course per semester (two per year) after having
been hired.




Other Criteria
Extensive (more than three years) related work experience may be substituted
for up to three semester (five quarter) hours of specified course work. The auditor
controller's office will assess the acceptability of work experience.

Knowledge and Abilities


The appointee must have:
➤ knowledge of management control and general accounting and auditing prin-
ciples, methods and procedures and the ability to apply these in performing
audits;
➤ the ability to perform difficult analytical and critical examinations of auditee
records, and to establish and maintain effective relations with fellow employees;
➤ the ability to earn and maintain the confidence of auditees in conducting finan-
cial or operational audits and during the resolution of difficult problems; and
➤ an above-average ability to communicate orally and in writing.

Position Title: Auditor/Associate Auditor

Reports to: Senior Auditor


Department: Internal Audit
Date:

Major Responsibilities
The appointee will:
➤ perform financial and operational audits of regional offices to determine com-
pliance with THE COMPANY, government and contract requirements, and to
evaluate the effectiveness of internal controls;
➤ inspect, identify and document systems of internal financial and operational con-
trols through interviews, documents, questionnaires, manuals and publications;
➤ prepare flowcharts of systems and determine reliability and compliance by
testing key control points; and
➤ help prepare audit reports on findings; give opinions on whether financial
statements are prepared according to company, government and contract
requirements; and recommend improvements in systems of internal control.

Requirements
The appointee will have knowledge of:
➤ accounting, auditing techniques, taxation principles, concepts, techniques, ter-
minology and procedures used in THE COMPANY;
➤ sources of information to ascertain THE COMPANY’s policy and contractual
requirements; and
➤ IS methods, systems analysis and computer programming.




He/she will have the ability to:


➤ gather pertinent information through interviews and analytical inspection of
documents, apply appropriate audit techniques and prepare reports of findings;
➤ analyze the adequacy, reliability and compliance of internal control systems
and develop audit reports; and
➤ interact with various levels of personnel in conducting interviews and testing
internal systems.

He/she will be:


➤ accountable for determining the accuracy of account balances and the
effectiveness of internal control systems, and for maintaining relevant
documentation.

Distinguishing Characteristics
Auditor Associate
This entry-level classification is for employees who work on routine audits and assist
other auditors on audits of moderate difficulty or complexity. Work is done accord-
ing to audit plans and under close supervision.

Auditor
This classification is for employees with some auditing experience who work on
assignments of moderate difficulty and complexity. Work is performed under general
direction.

The descriptions given here are not exhaustive and do not explain all the duties and
responsibilities in detail.

Position Title: Information Systems Audit Supervisor

Reports to: Internal Audit Manager


Department: Internal Audit
Date:

Position Summary
This position is responsible for supervising and performing audits of Information
Systems (IS), operational and financial functions. It assists audit management in
cross-training, integrating and co-ordinating the functions of the audit department,
and monitoring and controlling the department's training program. It also assists the
IS audit manager in the management of the IS audit function.

Dimensions
It covers THE COMPANY's worldwide financial, operational and IS functions and
activities.




Nature and Scope


The nature of IS technology and the increasing reliance on IS to plan, evaluate
and control activities have changed the traditional methods of internal auditors.
In today's environment, computers are found in almost all business systems and
must be approached as auditable entities. Auditors must audit through computers.
Moreover, with the increasing complexity of computer-based systems, the enormous
volume of transactions being generated, and the disappearance of paper trails to
support transactions, manual audit methods are no longer satisfactory. To be effec-
tive, audit departments have to independently use computers as audit tools.
To compensate for their lack of IS proficiency, some audit departments obtain
people with IS backgrounds to perform reviews of IS functions and to support
financial and operational auditors by reviewing IS-related areas and using audit
software as required. Although this approach has been successful, segregating this
knowledge and responsibility is not enough. To keep audit departments abreast of
IS technology, their staff must be cross-trained. Basic IS audit responsibility must be
integrated into the normal audit function, and advanced IS audit functions must be
co-ordinated with operational and financial audit functions. The IS audit supervisor
will assist audit management in this cross-training, integration and co-ordination
process.
The IS audit supervisor will supervise or perform IS audits (such as audits of
specialized software, a data center, etc) and is responsible for seeing that IS aspects
of financial or operational audits, and financial or operational aspects of IS audits,
are reviewed.
This person also makes sure that computers are used whenever feasible for audits
in which he/she participates. These responsibilities require a sound background in
all audit areas, good audit skills and the ability to supervise. To be effective, the
auditor must have a good sense of business logic, a strong analytical ability and IS
knowledge. Experience in using an audit software package is essential.

Principal Job Responsibilities


The appointee:
➤ supervises the IS audit function, including monitoring the audit program,
reviewing working papers and resolving auditee problems;
➤ supervises the financial/operational auditors in aspects of their audits that are
IS-oriented and sees that IS aspects are properly evaluated for audits in these
areas;
➤ is a liaison whenever financial/operational staff require support from the IS
audit staff and makes sure that this support meets needs by assisting in devel-
oping and communicating requirements and in handling financial/operational
aspects;
➤ supervises financial/operational staff in using audit software packages to deter-
mine whether potential applications are identified, whether they are cost-busi-
ness justified, whether IS audit support is required, whether all staff members
are aware of these applications, and whether the applications provide needed
information and have adequate internal controls;
➤ supervises, performs or participates in IS audits that are generally in the sys-
tem development area and data center, or are application reviews comple-
menting financial-operational audits;




➤ sees that audits are conducted according to generally accepted auditing proce-
dures and departmental procedures;
➤ performs or participates in special reviews assigned by audit management and
is responsible for technical aspects of these reviews, including software support
as necessary;
➤ maintains proficiency and knowledge of the profession, including auditing and
accounting standards, laws, philosophies, IS hardware, software and technology
trends; attends professional seminars, classes and meetings; reads audit- and
IS-related literature; and promotes the profession through articles and speech-
es; and
➤ controls, monitors and administers the audit department's IS training program.
This includes maintaining staff skills, advising about course alternatives, moni-
toring class attendance and controlling related expenditures.

Principal Accountabilities
The appointee ensures:
➤ the timely and accurate completion of IS audits according to the annual audit
plan;
➤ the proper use of audit software to accomplish the objectives of financial/oper-
ational audits;
➤ the communication of significant audit concerns to audit management and to
the management of the area reviewed;
➤ quality training for auditors in subjects that are pertinent to their work; and
➤ the conduct of IS audits according to the Standards for the Professional
Practice of Internal Auditing.

Co-ordinating use of computers is another responsibility of the IS audit supervisor.


This involves consulting on potential applications of the audit software package,
assisting non-IS auditors to use it, and making sure that its use is cost-business justi-
fied. As a liaison, the auditor will help make sure that support applications provided
by IS audit properly reflect financial and operational considerations.
The IS audit supervisor is responsible for monitoring and controlling the audit
department's IS training program.
This position requires the ability to be flexible and to co-ordinate and perform
several activities at the same time. Since the auditor will be working with IS, financial,
operational and audit personnel, as well as all levels of management, good commu-
nication skills are essential.
This employee must hold an undergraduate degree. A graduate degree or a recog-
nized auditing certification is an added positive factor. A combination of four years'
experience in a financial field or financial auditing, an operational field or opera-
tional auditing, and IS or IS auditing with at least two years in auditing is needed to
meet the minimal requirements of this position.
This position requires about 25 per cent travel time away from home.




Position Title: Auditor Senior/Auditor Specialist

Reports to: Internal Audit Manager


Department: Internal Audit
Date:

Major Responsibilities
The appointee:
➤ performs financial and operational audits of groups, divisions, subsidiaries and
subcontractors to determine compliance with company, government and con-
tract requirements and to evaluate the effectiveness of internal controls;
➤ inspects, identifies and documents systems of financial and operational con-
trols through interviews, documents, questionnaires, manuals and publications;
➤ prepares flowcharts of systems and determines reliability and compliance by
testing key control points;
➤ performs substantive tests on financial and account balances to determine the
propriety of presentations;
➤ prepares audit reports on findings;
➤ issues opinions on whether financial statements are produced according to
company, government and contract requirements; and
➤ recommends improvements to systems of internal control.

Requirements
The appointee should have knowledge of:
➤ accounting, auditing and taxation concepts; and techniques, terminology and
procedures used in the company;
➤ cost-accounting principles and government cost-accounting regulations;
➤ flowcharting and key control point testing, and financial account balance test-
ing;
➤ sources of information to ascertain the company's policy and contract require-
ments; and
➤ IS methods, operations and systems analysis.

He/she will have the ability to:


➤ gather pertinent information through interviews and analytical reviews of docu-
ments;
➤ write clear reports;
➤ express opinions on reliability, accuracy and compliance with internal control
systems and make recommendations to improve their effectiveness; and
➤ determine the content and format of audit reports.

He/she will have:


➤ frequent contacts with varied levels of financial and management personnel in
conducting interviews, testing internal systems and reviewing audit findings;
and
➤ occasional contacts with public and government auditors and with financial
staff and management personnel of subcontractors.




He/she will be accountable for determining the accuracy of account balances; evalu-
ating the effectiveness, compliance and integrity of internal control systems; recom-
mending improvements; and maintaining documentation.

Distinguishing Characteristics
Auditor Senior
This classification is for experienced auditors who regularly work on assignments
of moderate to high complexity or areas involving significant financial or technical
considerations. Work is performed under general direction. This person may give
technical assistance to less-experienced auditors.

Auditor Specialist
This classification is for experienced and qualified auditors who perform the full
spectrum of audit assignments effectively with minimal guidance. This person helps
develop audit plans and provides guidance and technical direction to other audi-
tors.



APPENDIX H

Sample Engagement Contract

Date
To: Distribution List
From: Internal Audit Management

Forthcoming Internal Audit of XXXXXXXX Department/Section


As a result of meetings held between management and the internal audit function,
we confirm our understanding of the scope and nature of the internal audit assign-
ment.

The audit will be conducted between <date> and <date> by a team consisting
of <auditors’ names>. The team will be headed by <lead auditor> who may be
contacted at <telephone number and e-mail address> should you require any
clarification.

The primary focus areas of the audit will be: <areas agreed>, although these may
be modified based upon findings as the audit progresses.

During the audit, as agreed, we will need access to the following staff, premises and
records: <list of agreed accesses>.

All findings will be discussed with operational management prior to the issuance of
our report. The anticipated date for discussion of our draft report is <due date>.
Should our findings result in any amendment to this date, we will inform you in
advance.

We agree that, from this audit, you are seeking the following benefits: <measure-
ment criteria>, and we will report on the achievement of these at the end of the
audit process.

Additionally we will require your feedback on the audit process using the form
attached.

Thank you in advance for your co-operation.

________________________________
Head of Internal Audit Department



APPENDIX I

Sample Audit Program

These audit programs are given as examples of typical audit programs. All audit
programs should be thoughtful, and tailored to meet the risk and control needs of
the users.

Computer Security

QUESTIONS YES NO N/A COMMENTS

Access Paths

Access paths are those areas or points
where access may be gained to the
system. When accessing the computer
system, a user may pass through one of
multiple software levels before obtaining
access to the data resources.
➤ Review all possible access paths to
the data resources to determine that
the security features in each software
are utilized to minimize the
vulnerabilities.
➤ Pay specific attention to ‘backdoor’
methods of accessing data by opera-
tors and programmers.
➤ Interview management and review
documentation to determine if inte-
grated access control software is used
to streamline security administration
and improve security effectiveness.

Passwords

Passwords are widely used to control
access to the computer environment;
however, passwords may be guessed,
copied, overheard, recorded and played
back.
Identification is the process of distin-
guishing one user from all others.
Authentication is the process of confirming
that individuals are who they claim to be.




QUESTIONS YES NO N/A COMMENTS

Review the procedures, observe the
operations and interview staff users to
ensure that:
➤ passwords are controlled by the owner
of the password;
➤ passwords are changed periodically. In
more sensitive areas the changes must
be more frequent;
➤ a minimum character length is set for
the passwords;
➤ the use of names, words or old
passwords is prohibited;
➤ users are uniquely identified;
➤ the sharing of passwords is
prohibited; and
➤ passwords are not displayed when
they are entered.

Biometrics

Authentication of individuals by personal
characteristics is also known as
biometrics. Biometric devices include
fingerprints, retina patterns, hand
geometry, speech patterns and keystroke
dynamics.
➤ If such authentication is used, review
the devices and observe the opera-
tions to evaluate the effectiveness of
this authentication.

Access Rights

Each user can be assigned a scope of
access and each resource a degree of
protection. Resources should be
protected from unauthorized access.
➤ Review the access rules for the
resources that should be protected to
evaluate propriety.
➤ Review responses to security viola-
tions such as termination of process-
ing, forced shutdown of terminals,
issuance of warning or error messages
for propriety.




QUESTIONS YES NO N/A COMMENTS

➤ Evaluate the effectiveness of audit
trails. Such data may include user ID,
resource accessed, date, time, termi-
nal location and specific data modified
during the access.
➤ Review the security tables to deter-
mine that they are encrypted.
➤ Review access control software to
determine that the following controls
are in place:
◗ Access to the system is restricted
to authorized individuals.
◗ Access rules or profiles are estab-
lished to restrict departmental
employees from performing incom-
patible functions and to enforce a
separation of duties.
◗ Access to application software
is controlled in such a way that
permits authorized users to gain
access only for purposes of per-
forming their assigned duties.
◗ Procedures are enforced so that IT
staff are prohibited from making
unauthorized program changes.
◗ Users are limited to the specific
types of data access (eg read,
update) required as part of their
functional responsibilities.
◗ Security profiles or tables are
protected from unauthorized access
and modification.
◗ Security tables or profiles are
encrypted to restrict unauthorized
use.
◗ Security data and resource access
audit trails, including audit trails,
are protected from unauthorized
modification.
◗ Modifications or changes to the
access control software itself are
restricted to the appropriate
personnel.



APPENDIX J

Sample Audit Report

Audit Report
Private and Confidential

Smith & Company


Computer Security Audit
January 2005

Copy 1 of 5

I Executive Summary Page 3
II Examination of Back-up Procedures Page 4
III Examination of the Adequacy of Access Control Page 5
IV Examination of the Adequacy of Internet Firewalls Page 8

I Executive Summary
This review was carried out at the request of the Internal Audit of Smith & Co. during
January 2005 with the following specific briefs:
➤ Examine the adequacy of back-up procedures at the disaster recovery site and
the adequacy of the site itself.
➤ Examine the adequacy of controls over access control and security procedures
in the Novell network.
➤ Examine the adequacy of Internet firewalls.

General Conclusion
Our review of Smith & Co. security reveals a comparatively well-controlled site with
the appropriate controls in place that are generally effective. Improvements need to
be made in the contingency planning area, and logical access control, particularly
within UNIX, could be strengthened. Nevertheless, the recommendations made
should be seen as improving on an already effective system of internal control
structures.

NOTE: The submission of this report constitutes neither a warranty of results by
‘Computer Security Audit Firm’ nor a surety against risks. This report represents
only our best judgment and is based solely on the facts as provided by the manage-
ment and staff of Smith & Co.




II Examination of Back-up Procedures


An examination of the off-site storage and disaster recovery site was made, together
with a review of the DRP documentation, resulting in the following observations.
The back-up site is well equipped and secured. Back-ups are taken of data on
daily, weekly, monthly and yearly cycles. The back-up procedures are not well
documented but are well known and understood by the staff and appear to be well
executed.

Recommendation
We recommend that formal procedures be documented as a matter of
standard procedure.

Management Comments
Accepted and in progress. Recovery documentation is lacking, with the disaster
recovery plan relying heavily on the expertise of staff who may not be available in
an emergency with inadequate documented procedures. For example, the executive
committee is held responsible for the execution of the plan, but contact numbers
are missing and formal recovery plans are absent. Testing of systems recovery has
been carried out, but full contingency testing of a total extended outage, which is
what the off-site facility is intended to cater for, is yet to come.

Recommendation
We recommend that serious consideration be given to the implementation of a cor-
porate, structured contingency plan, identifying IS as only one of the key resources
to be protected and to cater for a variety of disaster categories from total loss
through denial-of-service attack to software disasters that may not require the use
of the off-site facility. This would involve the assessment of the risk and nature of
probable disasters, together with the formulation of several response scenarios,
depending on the severity of the problem encountered.

Management Comments
A corporate, structured contingency plan is in an advanced stage of development
and will be presented to the Executive Committee for consideration and evaluation
when completed.

III Examination of the Adequacy of Access Control


➤ User IDs
The process of obtaining a user ID involves the completion of the Request for User
ID form. This form is authorized by the appropriate manager and sent to MIS for
implementation.
When an employee leaves, a clearance procedure is carried out to ensure all
systems access is revoked. On a monthly basis, user access is checked to ensure no
unauthorized access from ex-employees is possible.




These controls are appropriate and in line with the best industry practice.
It was noted, however, that improvements can be made, as indicated below.

➤ Network access
New accounts are created from scratch every time instead of using standard tem-
plates. This is time-consuming and mistakes in access rights can creep in.

Recommendation
We recommend that, wherever practical, standard templates be used in assigning
access rights.

Management Comments
This is not practical, owing to limited new users and unique access required.

Audit Response
While we agree that there are limited numbers of new users, nevertheless Smith &
Co. currently has more profiles than users and our recommendation on standardiza-
tion remains.

➤ Logins
1. No scrutiny is done of invalid login attempts. Only back-up logs are scrutinized
in the system.

Recommendation
We recommend that all invalid access attempts be logged and the logs scrutinized
weekly in order to identify early any patterns of access break-in attempts.

Management Comments
A recording system for invalid login attempts is under investigation.

2. Access accounts for employees on planned leave are not disabled. This means
that an employee, while on leave, could enter the systems and process transactions,
or alternate users could use the access rights of the person on leave by impersonat-
ing that person. This should not be possible without management authority.

Recommendation
We recommend that, for planned leave, a procedure be introduced whereby user
management notifies MIS of impending leave so that access may be temporarily
suspended.




Management Comments
Accepted and implemented.

➤ Password access
1. A number of user accounts exist with no password required. This means that
these accounts can be used to access the system with no user authentication.

Recommendation
This is an obvious security risk and we recommend that these accounts are either
removed, if not in use, or require a password immediately.

Management Comments
Accepted and rectified.

2. No expiry date exists for passwords. If passwords do not expire, they will not be
changed. At present, four users have the same password as their user ID.

Recommendation
We recommend that all passwords be subject to password expiry.

Management Comments
Agreed, will implement.
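The password controls in the Appendix I audit program and the ‘Logins’ and ‘Password access’ findings above can be tested from an account export and a login log with a script such as the following. It is an added illustration, not part of the book or of the sample report; the account export layout, the salted SHA-256 storage scheme, the log line format, the 90-day age limit and the five-failure threshold are all constructed assumptions.

```python
"""Audit checks for the password criteria in the sample audit program and the
'Logins' and 'Password access' findings in the sample audit report.

Added example. The account export format, the salted SHA-256 hashing scheme,
the failed-login log line format and the threshold values are constructed
assumptions and describe no real system. No password is ever recovered or
printed: the 'password equals user ID' test re-hashes the user ID with the
account's stored salt and compares the result with the stored hash."""
import hashlib
import re
from collections import Counter
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90      # assumed policy for 'passwords are changed periodically'
FAILED_LOGIN_THRESHOLD = 5      # assumed: this many failures in a week is a pattern
TODAY = date(2005, 1, 15)       # constructed review date
WEEK_START = date(2005, 1, 10)  # constructed start of the week under review


def hash_password(salt: str, password: str) -> str:
    """Assumed storage scheme: hex(SHA-256(salt || password)). The test only
    needs to use whatever scheme the export actually uses."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account export, as MIS might hand it to the auditor.
ACCOUNTS = [
    {"user": "asmith", "salt": "s1", "pw_hash": hash_password("s1", "Winter#2004"),
     "last_changed": date(2004, 12, 1), "expires": True},
    {"user": "bjones", "salt": "s2", "pw_hash": hash_password("s2", "bjones"),
     "last_changed": date(2003, 5, 4), "expires": False},
    {"user": "guest", "salt": "s3", "pw_hash": None,
     "last_changed": None, "expires": False},
    {"user": "cnkosi", "salt": "s4", "pw_hash": hash_password("s4", "cnkosi"),
     "last_changed": date(2004, 11, 20), "expires": False},
]


def check_accounts(accounts, today=TODAY, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {user: [finding, ...]} for every account breaching a checklist item."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["pw_hash"]:
            issues.append("no password required")        # report, Password access 1
        else:
            if not acct["expires"]:
                issues.append("password never expires")  # report, Password access 2
            if acct["last_changed"] and (today - acct["last_changed"]).days > max_age_days:
                issues.append("password older than %d days" % max_age_days)
            # 'use of names ... is prohibited': the user ID is the first name to test
            if hash_password(acct["salt"], acct["user"]) == acct["pw_hash"]:
                issues.append("password equals user ID")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed failed-login log (report, Logins 1: invalid attempts not scrutinised).
FAILED_LOGIN_LOG = """\
2005-01-10 08:01:12 LOGIN FAILED user=asmith src=10.1.4.22
2005-01-10 08:01:40 LOGIN OK user=asmith src=10.1.4.22
2005-01-11 23:14:02 LOGIN FAILED user=admin src=10.1.9.7
2005-01-11 23:14:05 LOGIN FAILED user=admin src=10.1.9.7
2005-01-11 23:14:09 LOGIN FAILED user=admin src=10.1.9.7
2005-01-11 23:14:13 LOGIN FAILED user=admin src=10.1.9.7
2005-01-11 23:14:18 LOGIN FAILED user=admin src=10.1.9.7
2005-01-11 23:14:22 LOGIN FAILED user=root src=10.1.9.7
2005-01-12 09:30:00 LOGIN FAILED user=bjones src=10.1.4.31
"""
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ LOGIN FAILED "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def failed_login_patterns(log_text, week_start=WEEK_START, threshold=FAILED_LOGIN_THRESHOLD):
    """Weekly scrutiny of invalid attempts: count failures per user and per source
    over the seven days from week_start; return the (users, sources) at threshold."""
    week_end = week_start + timedelta(days=7)
    by_user, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # successful logins and other events ignored
        day = date.fromisoformat(m.group("day"))
        if week_start <= day < week_end:
            by_user[m.group("user")] += 1
            by_src[m.group("src")] += 1
    users = {u: n for u, n in by_user.items() if n >= threshold}
    sources = {s: n for s, n in by_src.items() if n >= threshold}
    return users, sources


if __name__ == "__main__":
    for user, issues in check_accounts(ACCOUNTS).items():
        print("%-8s %s" % (user, "; ".join(issues)))
    users, sources = failed_login_patterns(FAILED_LOGIN_LOG)
    print("users at threshold:", users)
    print("sources at threshold:", sources)
```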

IV Examination of the Adequacy of Internet Firewalls


Firewalling is designed to provide a barrier between Smith & Co. and the outside world and thus prevent unauthorized access from the outside or access from the inside to unauthorized sites on the Internet.

The firewall software in use at Smith & Co. was installed and implemented in conjunction with a professional firm of firewall suppliers.

Initial attempts to penetrate the firewall from the inside were almost 100 per cent successful. After discussions with MIS, amendments to the blocking parameters were made and the success rate fell dramatically. It should be noted that the weakest part of a firewall is usually the prevention of insider access to unauthorized sites. This is also true in the case of Smith & Co. While access to many of the common pornographic sites was barred, many local sites and some international sites were accessible. This means that a determined browser will indeed gain access to unauthorized sites, but not without leaving a trail. This would appear to be adequate protection for Smith & Co.'s needs.

We examined the set-up parameters for the firewall and found them to be in line with Smith & Co.'s needs. External attempts to penetrate the firewall were unsuccessful.

We have no recommendations to make in this area.

Index

A alpha risk 193 asynchronous


abnormal spoilage 232 alternative defense 105 communications 252
absolute advantage theory American Certified Public attack strategies 105–106
108 Accountants 3, 66 attractiveness of market
accepted authority 90 analysis 102–103
accountability 70, 209–213, correlation 199 attribute
216, 362–363 cost-profit-volume (CPV) sampling 196
accounting 231 standards 16
controls 172–173 of costs 234–235 AUDIT 305
cost 227–236 graphical 199 audit
e-commerce 295 post-event audit trail activities 15, 52–53, 176
financial 222 analysis 306 committee 9–12, 213–
managerial 227–236 ratio 200 214, 360–361
officers 208 real-time packet 306– department 340–341
accounts 307 evidence 79–84, 162,
payable 331 regression 200 274–275
receivable 331, 333 sensitive 231 execution 164–166
action trend 198 external 215, 224
affirmative 23–24 analysts 248 financial reporting process
phase of conflict 119 analytical evidence 80 222
plans 98 analyzing audit evidence 82 information systems 273
act utilitarianism 24 anti-corruption programs IT approach 311–313
activities 335–336 objectives 194
audit 15, 52–53, 176 apathy 92 plans 224
conversion 267 APO see align, plan and preparation 163–164
key 6–7, 160–161 organize (APO) programs 80–81, 165,
operational 67 Appeal 239–240, 397–399
adaptation to change 95 Supreme Court of 337 project 314
adapters 106 application(s) reporting 166–168,
adaptive IT system 260 audits 155 183–189, 400–403
addresses 302 controls 249, 256, risk 48
adequacy of internal control 259–260 service delivery 157–158
164–165 layer 302 software 275–277
adjourning stage of groups software 249 techniques 162
117 systems 259 testing 166
administration of justice terminology 247 trails 173, 297, 309
337–338 appraisal costs 235 auditee
administrative controls APT 320–321 follow-up 188
172–173 assessment selection 163
admissions 339 control(s) 169–171 auditing
advanced persistent threats assets board of directors and
(APT) 320–321 definition 221 9–10
advance fees 327 safeguarding of assets business continuity
affiliations 172–173 planning 293
fraudulent 329–330 threats to 56 communications security
affirmative action 23–24 associates 282–284
aids see Development and undesirable 331 company activities and 9
Practice Aids assurance 313 continuous 313
alienated labor 29 asymmetrical cryptography controls 5
align, plan and organize 309 corporate governance 5
(APO) 76–77

Internal_Auditing.indb 405 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

corporate strategy B as a good citizen 25


139–140 Babbage, Charles (1792– impact analysis 290–291
definition 14–15 1871) 122 morality 30
development 3–5 back-ups 354 needs 6
disaster recovery plan backwards vertical network model 211
289 integration 102 objectives 6–7, 162, 263
e-commerce 295, BAI 77 organizations 37–39
299–300 balanced scorecards 41–44 process cycles 133–140
enterprise-wide risk banking understanding of 6,
management (ERM) control frameworks 74 160–161, 290
12–13, 62–64 Banks Act 28, 215 value chain 228–229
evaluation 163, 166 bar buyers’ bargaining power
external auditors 10, charts 201 102
224–226 codes 246 BYOD 318
fraud 336 bargaining power 102 bypass
generic audit process Basel Accords 74, 313 attack 106
158, 162–163 basic needs 129 mechanisms 281
guidelines 359 batches 251 by-products 232
history 3–5 behavioral risks 49–50 bytes 245
King II 217–218 belonging needs 129
macroprocesses 157–160 Benford’s Law 300 C
management process best practice 20–22, 75, CAATs 247–278, 282
160–162 206 cables 245
outsourcing 218 beta risk 193 Cadbury Report 70,
planning 163–166 binary 244 205–206
privacy 279–284 biometric measurements CAE 8, 10–11, 15
process structure 163– 281, 398 calculation of sample size
166 bits 245 195–198
professionalism 8 board capital budgeting 235
resourcing 218 committees 212–213 capitalism 29–30
responsibilities 8 of directors 9–10, cards 246
risk-based 52–53, 218 210–213 ‘Cascarino Cube’ 58–62
role of 4–5, 12–13 structures 210–212 cash
security 279–284 body space 94 handling 330
types of 151–156 Boehm’s spiral model 271 schemes 333
auditors bookmarking 303 CC 38
education 16–18 bounded rationality 128 CCSA 17
external 4, 10, 222–226 Bouton Report 206 CDs 245
follow-up 187–188 breach of fiduciary duty central processing unit (CPU)
forensic 332–334 328 243
legal and regulatory breakeven point 233 CEO 225
environments 238 bribery 328 Certificate in Control Self-
meaning of name 3 Bring Your Own Device Assessment (CCSA) 17
project management 18 (BYOD) 318 Certified
role of 217, 238 British Institute of Chartered Financial Services Auditor
authentication of users Accountants 3 (CFSA) 17–18
280–281 brute force attacks 284 Government Auditing
authority(ies) budgeting 235 Professional (CGAP)
accepted 90 build, acquire and implement 17–18
controls and levels of 69 (BAI) 77 Internal Auditors (CIA)
formal 89 building staff competencies 16–17
of knowledge 90 132 CFIA 14, 16
situational 90 business CFO 225
availability as security threat continuity planning CFSA 17–18
282 289–293, 297, 309 CGAP 17–18
avoidable costs 233 environment 5, 12–13, champion 289
avoidance 107–113, 295–296 change
conflict resolution 120 ethics 23–24, 97 resistance to 92
globalization 107–108

406

Internal_Auditing.indb 406 16/04/2015 11:13


INDEX

check external 90–91 Standards for the


Vee cycle 272 formal and informal 88 Professional Practice of
chief horizontal 90 Internal Auditing 15
audit executive (CAE) 8, meaning 245 comprehensive income 221
10–11, 15 networking 90–91 compromise 120
executive officer (CEO) overcoming barriers 92 computer
225 security threats 282–284 crime 349
financial officer (CFO) steps in process 89 evidence 83–84
225 systems 67 fraud 349–356
Chi-square tests 198–199 types of 90 operation controls 249,
CIA 16–17 verbal and non-verbal 256–259
circumstantial evidence 338 92–94 operators 257
claims vertical 90 terminology 247
false 329 at work 89–91 computer-assisted audit
classical written 92 techniques (CAATs)
school 122–124 compact disks (CDs) 245 274–278, 282
theory 25 companies computing
class struggle 29 incorporated 38 cloud 316–317
client satisfaction 42 listed companies 221 concealment of material
cloners 106 private 38 facts 326
close corporations (CC) 38 public 39 conduct
Close Corporations Act of section 21 39 codes of 27, 335–336
1984 38 Companies Act of 1973 28, conferences 187
closed IT system 260 38–39, 237 confessions 339, 348
close-out 273 Companies Act of 2008 38 confidentiality
closing conferences 187 company-wide quality duty of 26
cloud computing 316–317 control (CWQC) 125 ethics 27–28, 34
cluster sampling 197 comparability 220 IT infrastructure 60
COBIT® 74–78 comparative advantage 108 threats to assets 283
Code of compensating controls 173, conflict
Best Practice 206 249 definition 119
Ethics 15, 22, 33–34 competence ethical resolution 31–32
codes of conduct 27, control(s) 69 functional and
335–336 ethics 34 dysfunctional 119
coercive power 143–144 Competency Framework for group 119–120
cognitive behavioral model Internal Auditing (CFIA) of interest 28, 328
of confession 348 14, 16 negotiating 144–145
cohesion of groups 118 competency(ies) organizational behavior
collaboration building staff 132 119–120
conflict resolution 119– Competency Framework process 119
120 for Internal Auditing resolution 119–120
control self-assessment (CFIA) 14, 16 role 118
(CSA) 71 competitive social 144
collaborative approach 40 advantage 103–104, 109 confronting a suspect 347
collectivism 109 strategies 102–103 consistence of financial
command competitors information 221
economy 29 price changes 234 conspicuous consumption
groups 116 completion 331
Committee of Sponsoring general standards 370– conspiracy 329
Organizations 66–69 372 Constitutional Court 337
committees project 313–314 construct
audit 9–12, 360–361 complex IT system 260 Vee cycle 272
board 212–213 compliance consultants 147, 222–224
risk 212, 216 auditing 137, 151 contentious material 284
communication(s) identification and contingency theory 125
barriers to 91–92 monitoring 238–239 continuity
description 87 with policies, plans, planning 289–293
diagonal 90 procedures, laws and strategies 291
elements of 87–89 regulations 172

407

Internal_Auditing.indb 407 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

continuous information systems 67 objectives 170


assurance 313 integrity of people 69 social responsibility 30
auditing 313 internal 5, 13, 56, 67–68, strategy 139–140
monitoring 313 173–174, 226 corrective controls 173,
negotiation 141 IT 60, 74–78, 249 250
contract auditing 138–139 key 61 correlation analysis 199
contrectatio 343 levels of authority 69 corruption 335
contribution margin 233 management 170 COSO 66–69
control guides 72 monitoring 6–7, 67, 160, costing
controllable risks 55 162 incremental costing
controlled markets 29 nature of 169 232–233
controlling of project 179 objectives 68, 157, 162, of production 232
control model workshops 165, 250–252, 261–262 standard 232–234
72–73 operations 67, 257 systems 231
Control Objectives for organizational structure variances 231
Information and related 68 cost-profit-volume (CPV)
Technology (COBIT®) organizing 68 analysis 231
74–78 over financial reporting cost(s)
control(s) 226 accounting 227–236
accountability 70 performance evaluation analysis of 234–235
adequacy 164–165 169–174 benefit considerations
adequate resources 70 personnel 257–258 171
administrative vs planning 68 classifications 233
accounting 172–173 procedures 249, 262 direct 230
analysis 164–165 processes 65–66 evaluation 234–235
application 249, 256, purpose of 67–68 fixed 230
259–260 reporting 169–171 indirect 230
assessment 169–171 responsibilities 68 leadership 103
banking 74 review 70 management 181,
business systems 261 risks 47, 48, 57–58, 250 234–235
classification of 250 scope 164–165 opportunity 49–50
communications 67, 89 section 256 price changes 234
competence 69 segregation of duties 69 quality control 235–236
computer operation self-assessment 17, queuing theory 202
256–259 70–73 variable 230
computer systems 247 self-review 78 counterfeiters 106
Control Objectives for sound environment 66 counteroffensive defense
Information and related sound risk assessment 105
Technology (COBIT®) process 66 courts 337–338
74–78 strategies 6–7, 160–161 CPM 201
corporate governance supervision 70, 258 CPU 243
224–225 systems 68, 249–250, CPV 231
cycle 171 260–261, 268–273 credication 334
definition 47, 67–68 testing 61, 165–166, 174 criminal law 326
description 164–165 types of 173 Criminal Procedure Act 344
development of systems conventional programming crisis negotiation 141
268–269 languages 276 critical path method (CPM)
directing 68 conversion activities 267 201
effectiveness 239–240 core competencies 98 Cromme Code 206
electronic data corporate Crosby, Philip C. (1926– )
interchange (EDI) 297 codes 27, 211–212 126
elements of 69–70 collapses 222–223 cryptography 309
environment 68, 255– environment 180–182 CSA 17, 70–73
256 ethical practices 28 ‘cube’ approach 58–62
frameworks 66–77 governance 5, 7–8, cultural
general 255–256 205–210, 215–219, analysis 111
guides 72 224–225, 237–238 climate 180–182
implementation 6–7, 160, investigations 345–348 relativism 112
162 morality 30 sensitivity 112

408

Internal_Auditing.indb 408 16/04/2015 11:13


INDEX

culture detection diversification


business continuity of fraud 325, 333–334 market 105
planning 293 of IT fraud incidents 353 DNS 303
definition 110 of lies 347–348 documentary evidence 80
ethics 112–113 detective controls 173, 250 documentation
globalization 110–111 development of evidence 83
management 125 of findings 167 poor 265
organizational 111–112 group 117 document examination 340
current management theory research and 137–138, domain name system (DNS)
125–126 228 303
custodial risk 49 systems 265–273 domestic rivalry 109
customer(s) Development and Practice DRP see disaster(s):
bargaining power 102 Aids 14–15, 22 recovery
changes in 233 development of findings Drucker, Peter (1909– ) 125
needs establishment 21 167 DSS 77
price changes 234 deviations from the mean duplex communications 252
service 229 195 duty(ies)
customized diagonal communication 90 of confidentiality 26
audit software 276 diagram of loyalty 26
questionnaires 71–72 scatter 199 obedience 26
CWQC 125 differentiation 102–104 segregation of 69, 297,
cyber attacks 320–321 digital 309
evidence 83–84 DVD/Rs 245, 352
D signatures 309–310 dying declarations 339
data direct dynamic
analytical capabilities 13 control activities 73 IT system 260
encryption standard (DES) costs 230 memory 244
309 evidence 339 dysfunctional
integrity 283 method of cost allocation conflict 119
objectives 250–251 231 workplaces 50
preparation section 256 directive
security 254 approach 40 E
terminology 248 controls 159, 167, 173, eavesdropping attacks 282
test 277 335, 351, 368 EBT 294
database analysts 248 directors 212 e-commerce 295–310
decisional roles of see also board: of economic activity areas 23
management 116 directors economy
decision-making 127–128 disaster(s) command 29
declining industries 114 consequences 285 mixed 29
defensive strategies 105 levels of preparedness EDI 294, 297
delays 50 285 EDM 76
deliver, service and support recovery 284–289 education 16–18
(DSS) 77 types of 284–285 effectiveness
demand 29, 101, 109 discipline 123, 209, of controls 239–240
Deming, W. Edwards discount 106 measures 99
(1900–1993) 125 discovery 272 of operations 173
denial of having participated discretionary audit activities efficiency
346 53, 176 measures 99
deontological ethics 24–25 diskettes 245 of operations 173
dependent variable 200 disks 245 EFT 294, 330–331
DES 309 disseminator role of electronic
design manager 115 benefits transfer (EBT)
systems 269–270 distribution 294
value chain for business to owners 221 commerce 295–310
228 value chain for business data interchange (EDI)
Vee cycle 272 229 294, 297
designers of systems 248 distributive negotiation 141 funds transfer (EFT) 294,
destructive negotiation 141 distrust 91 330–331
disturbance handlers 116 e-mail 302

409

Internal_Auditing.indb 409 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

embedded audit modules free market system costs 235


277 28–30 quality 236
embezzlement 328 gifts 27 system 263–264
emergency response 292 independence 34–36 fairness 30, 209
emerging industries 114 management 31 faithful representation of
emotional model of objectivity 5, 34–36 financial information 220
confession 348 resolving conflicts 31–32 false claims 329
emotions 88, 92 role of in distinguishing favorite model
employee ethics 26, 174 profession 33–34 implicit 128
Employment Equity Act 55 evaluate, direct and monitor Fayol, Henri (1841–1925)
of 1998 23 (EDM) 76 123–124
empowerment 71 evaluation feasibility study 269
encirclement attack 105 audit 168 feedback 41, 187, 221, 228
encryption 252, 304 costs 234–235 fees
engagement evidence 83 advance 327
contract 396 internal auditing 158, fiberoptics 245
letter 178, 215 160, 163, 166 fiduciary duty 328
planning 175–182 performance 6–7, 160, figureheads 115
tools 190–202 162 file
enterprise-wide risk evidence conversions 264
management (ERM) analytical 80 transfer protocol (ftp)
12–13, 62–64 audit 79–84, 162, 274 302
entrepreneur 116 categories of 339 financial
entry threats 100–101 chain of custody 339– accounting 222
environment 340 audits 151–152
business 5, 12–13, computerized 83–84 evaluations 172–173
107–113, 295–296 definition 338 information 220–221
control 255–256 digital 83–84 issues relating to
legal and regulatory documentary 80 e-commerce 298
237–240 documentation 83 measures 42
environmental audits 152 forensic 338–342 reporting 220–226
EPROM 244 physical 80 services 18
equilibrium price 29 rules of 338 statements 221
equity 221 testimonial 80 findings 166–167, 186
erasable programmable of theft 343–344 fingerprint scanning 281,
read-only memory exaggeration 347 398
(EPROM) 244 execution 158–160, finished
ERM 12–13, 62–64 164–166 goods 135–136, 228,
errors executive 230
process risks 50 authority 208 inventories 235–236
sampling risks 192–193 management 7–8, 188 firewalls 304
establishing key activities summary 185–186 fixed costs 230, 233
160–161 expectancy theory 130 flank
esteem needs 129 expenses 221 attack 106
ethical expert power 144 defense 105
classification of decisions external flooding 282
25–26 audit 215, 224 floppies 245
theories 24–25 auditors 4, 10, 222–226 focused differentiation 104
ethics communications 91 followers 106
business 23–24, 97 failure costs 235 follow-up 167–168, 187–
code of 15, 22, 27, extortion 329 189, 356
33–34, 215 extravagant forensic
confidentiality 27–28 living standards 331 audit department 340–
conflicts of interest 28 with truth 332 341
corporate morality 30 auditors 332–334
corporate practices 28 F back-ups 354
culture and 112–113 facilitation 126 evidence 338–342
employee 26 factor endowments 109 examination 340
failure(s) response toolkit 352

410

Internal_Auditing.indb 410 16/04/2015 11:13


INDEX

formal Generally Accepted hypertext mark-up language


authorities 89 Accounting Practice (html) 303
communications 88 (GAAP) 40, 215 hypertext transfer protocol
groups 116 generic audit process 158, (http) 302
forming of groups 117 162–163
fragmented industries geographical expansion I
113–114 strategy 104 ICQ 71
fraud gifts 27 IDEA 278
audits 153 Gilbreth, F. B. (1868–1924) identification
codes of conduct 335– 123 of fraud 325
336 globalization 107–111, 221 of risks 50–51
context of 325–330 goods IFAC Code of Conduct for
criminal law 326 finished 135–136, 228, Professional Accountants
detection 325, 333–334 230 215
identification 325 lower-priced 106 IFRS 215, 222
internal auditing 336 prestige 106 IIA see Institute of Internal
investigations 343–348 governance Auditors (IIA); IIA Practice
IT 349–356 corporate 5, 7–8, Advisories; Standards for
payroll 137 205–210, 215–219, the Professional Practice
personal indicators 224–225, 237–238 of Internal Auditing
331–332 IT 313 IIA Practice Advisories
prevention 332–335 government 1000-1 8–9
private law 326 auditing 17–18 1100-1 35
process risks 50 departments 229–230 1110-1 35
red flags 330–331 graphical analysis 199 1110.A1-1 35
risk 62 groups 116–120 1120- 1 35
theft and 326 groupthink 118 1130-1 35
triggering of events 332 GTF 14 1130.A1-1 35
fraudulent guerrilla warfare 106 1130.A1-2 36
affiliations 329–330 Guidance Task Force (GTF) 1210-1 15, 87, 95, 190
financial reporting 205, 14 1210.A2-1 325, 340, 345
222 1210.A2-2 325
loans 327 H 1300-1 15
free market system 28–30 hacking 304–305 2010-2 55–56
friendship groups 116 half-duplex communications 2050-2 223
frontal attack 105 252 2100-1 121
ftp 302 Hampel Report 205–206 2100-2 279
functional conflict 119 hand-held devices 281 2100-3 53–54
functionality 272 hardware 243, 254 2100-5 238–239
hazards 49–50 2100-6 243, 265, 288,
G hearsay evidence 339 295, 350
GAAP 40, 215 Hertzberg, Frederick (1923– 2100-8 280
gains 221 2000) 124 2110-2 285
gambling 331 Hertzberg’s theory 130 2120.A1-1 169
game theory 202 Higgs Report 206 2120.A1-1 to A4-1
Gantt, Henry (1861–1919) High Court 337–338 65–66, 225
123 holographic recognition 281 2120.A1-4 222, 224–225
Gantt charts 201 home space 94 2200-1 175
GAS 275 horizontal communication 2210.A1-1 218
general 90 2240-1 79
attack strategies 105– hostile programs 283 2310-1 79–80, 274–275
106 html 303 2440-1 183
controls 255–256 http 302 2500-A1 187
standards of completion human independence and
370–372 element 248 objectivity 34–36
generalised audit software relations school 124–125 purpose of 15
(GAS) 275 resources auditing IIA Standards for the
136–137 Professional Practice
of Internal Auditing

411

Internal_Auditing.indb 411 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

see Standards for the input International


Professional Practice of frauds 349–350 Financial Reporting
Internal Auditing stage 250, 262 Standards (IFRS) 215,
illegal decisions 25–26 terminology 246 222
imitation 106 inspection 82, 138 Standards on Assurance
imitators 106 Institute of Internal Auditors Engagements (ISAEs)
imperative principle 24 (IIA) 215
implementation Code of Ethics 15, Standards on Auditing
control(s) 160, 162 33–34, 215 (ISAs) 215
control self assessment Competency Framework Standards on Related
(CSA) 71 for Internal Auditing Services Engagements
IT systems 266–267 (CFIA) 14, 16 (ISRSs)
project 313–314 development 4 Standards on Review
standards 16 Development and Practice Engagements (ISREIs)
implicit favorite model 128 Aids 14–15, 22 internet 301–309
incident response team 352 mission 4–5 interpersonal roles of
income Practice Advisories see management 115
comprehensive 221 IIA Practice Advisories interrelationships 264
incorporated companies 38 Professional Practices interrogative negotiation
incremental costing 232– Framework 14, 33 141
233 role 4 interviewing 72, 145–147
independence Standards for the intranet security 304–306
audit committee 11 Professional Practice intraorganizational
auditing 5 of Internal Auditing dimension 23
corporate governance see Standards for the intrusion detection 305–
212 Professional Practice of 306
ethics 34–36 Internal Auditing intuition 95
independent vision 4 intuitive decision-making
non-executive directors institutional dimension 23 128
212 Insurance Act 28, 215 inventory
variable 200 intangible asset valuation audits evidence 155
indicator controls 73 56 cycles 135–136
indirect costs 230 integrated test facility (ITF) fraud schemes 333
individualism 109 277 investigations
industries integrity audit evidence 82
declining 114 of data 283 corporate 345–348
emerging 114 ethics 34 fraud 343–348
fragmented 113–114 of information 172 IT fraud 350–356
nature of 113–114 of people 69 investigators 344–345
influenceable risks 55 intellectual property 284 investment by owners 221
informal communications 88 intent to steal 344 investors 209–210
informal groups 116 interactive workshops 73 IOSCO 221
information interest ISACA 74
retrieval software 276 conflict of 28, 328 ISAEs 215
security 297, 309 groups 116 ISAs 215
systems 67 interim reporting 187 Ishikawa, Dr Kaoru (1915–
technology see IT intermittent negotiation 141 1989) 125
informational roles of internal ISO 9000 standard 272–
management 115 audit see audit 273
Information Systems Audit audit charter 8–9, ISREIs 215
and Control Association 362–364 ISRSs 215
(ISACA) 74 auditing see auditing IT
inherent risk 158 auditors see auditors audit approach and
initial response to IT fraud business processes 42 methodology 311–313
353–354 control 13, 56, 66–68, auditing of 155, 243–254
initiation of project 179 226 batch vs online 252–253
innovation 42 control questionnaires communication concepts
in-process project audits (ICQ) 71 253–254
314 failure costs 235

412

Internal_Auditing.indb 412 16/04/2015 11:13


INDEX

control(s) 74–78, 249– L Magistrates’ Courts 338


252 labor magnetic media 247
fraud 349–356 alienated 29 mainframe 59, 244
governance 313 theory of value 29–30 maintenance
infrastructure 58 language 88–89, 91 disaster recovery plan
micro-based systems 273 LANs 244 289
outsourcing 315–316 lapping 329 factors 130
security architecture laptops 244 making up a story 346–347
59–60 larceny 327 management
systems 249–250, leaders audit process 160–162
259–260, 263–273 market positioning business continuity
ITF 277 104–105 planning 289–290
leadership challenges 126–127
J cost 103 control(s) 67–68
Japanese keiretsu network facilitation 126 costs 234–235
211 management 115 culture 125
JCL 248 styles 128 decision-making 127–128
job learning 42 definition 6, 121
control language 248 learning curves 199–200 ethical 31
costing systems 231 legal executive 7–8, 188
descriptions 384–395 auditing 137, 151 information technology
enlargement 130 compliance 172 248
enrichment 130–131 environments 110, job satisfaction 128
satisfaction 128 237–240 leadership styles 128
joint products 232 issues relating to marketing of risk-based
JSE listings requirements e-commerce 298 internal audit approach
212, 214 liability 297, 309 55–56
judgmental sampling legitimate power 143 motivation 129
191–193, 196 liabilities 221 objectives 170
justice, administration of libel material 284 performance 132
337–338 librarian practices 121–126
tape 257 principles of 123–124
K linear programming 200 process 6–7
kaizen 22 listed companies 221 project 178–182, 313–
Kant 25 listening 143, 145 315
keiretsu network 211 living standards 331 quality concept 125–126
key loans reviews 174
activities 6–7, 160–161 fraudulent 327 risks 54
controls 61 local area networks (LANs) role of 115–116
cryptography 309 244 skills 121–132
performance areas (KPAs) LOD Model 12 stakeholder 31
6–7, 161 logical security controls 249 strategic 95–106, 228
performance indicators logic bombs 282 theory 122–132
(KPIs) 161 log tampering 284 values 128
keyboard 246 losses 221 work stress 130–132
King lower-priced goods 106 managerial
III Report 12, 75 loyalty 26 accounting 227–236
II Report 27, 205, 208, lying decisions 127–128
209, 212–213, 215, 217, detection of lies 347–348 managers
289, 291 by minimization 347 organizational behavior
Report 205–206 by omission 346 115–116
kiting 329 managing by wandering
knowledge M around (MBWA) 126
authority of 90 macro dimension 23 mandatory audit activities
KPAs 6–7, 161 macro-environmental factors 15, 52–53, 176
KPIs 161 98 manufacturing sector 230
macroprocesses of internal marketing
audit 157–160 of risk-based internal audit
approach 55–56

413

Internal_Auditing.indb 413 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

value chain for business monetary unit sampling nntp 302


229 (MUS) 197 noise
market(s) monitor, evaluate and assess as barrier to
attractiveness 102–103 (MEA) 77–78 communication 91
broadening 105 monitoring nominations committee 213
challenger strategy continuous 313 non-
105–106 control(s) 6–7, 67, 160, adaptive IT system 260
controlled 29 162 compliance 238–239
diversification 105 management 115 executive directors 212
free 28–30 project 179 mathematical sampling
niche strategies 106 Monte Carlo simulations 191–192
penetration 104 201 sampling risk 192–193
positioning 104–106 motivation verbal communications
profitability 102–103 job enlargement 130 93–94
regulated 29 job enrichment 130–131 volatile memory 244
Marx, Karl 29–30 theories 129–130 volatile RAM 244
Maslow, Abraham (1908– motivational normal spoilage 232
1970) 124 factors 130 norming stage of groups
Maslow’s hierarchy of needs theory 129–130 117
129 motivation-hygiene theory norms of groups 118
masquerade attacks 283 124
maximum price 29 mouse 246 O
Mayo, Elton (1880–1949) movable objects 343 obedience 26
124 multidrop configuration 253 objectives
MBWA 126 multiple discriminant audit 162
McGregor, Douglas (1906– regression analysis 200 business 6, 162, 263
1964) 125 multiplexer 245 control(s) 162, 165
MEA 77–78 Municipal Finance corporate 170
mean 194–195 Management Act 238 establishing 160–161
median 194 MUS 197 management 170
memory 244 operating 170
memory sticks 245 N performance 6–7,
merchandising sector 230 narrow competitive scope 160–161
meso dimension 23 104 sampling 194
message 88 needs objectivity 5, 34–36
methodology establishment 6, 160–161 observation 82
audit 163 Maslow’s hierachy of Ohmae, Kenichi (1943– )
IT audit approach and needs 129 126
311–313 unsure of 263–264 Ollieism 118
micro user 264 omissions 50
-based systems 273 negatively skewed 195 online
-computers 244 negotiation 141–147 concerns 254
dimension 23 negotiator role 116 data entry 254
-environmental factors 98 networking 90–91 enquiry 254, 276
microcomputer-based network(s) systems 251–252, 254
software 277 address translation 304 update 254
microfiche 247 analysts 248 open IT system 260
microfilm 247 communication concept operating
microwave 246 253 objectives 68, 170
mini-computers 244 monitoring 355 system hardening 304
minimum price 29 news transfer protocol systems 247, 281–282
misrepresentation of (nntp) 302 operational
material facts 326 neutrality of financial activities 67
mixed economy 29 information 220 audits 152, 258–259
mobile defense 105 neutral space 94 operations
mobility, smart 317–318 new market segment 104 controls 257
mode 194 niches 106 exposure 257
models, systems 261 Nielsen Clinton evaluation operators 248, 257
modem 245 155

414

Internal_Auditing.indb 414 16/04/2015 11:13


INDEX

opportunity costs 49–50, review 6–7, 160, 162 preparation of audit 163–
233 standards 16, 40 164
optical disks 245 performance audits 152 prestige goods 106
organizational performing stage of groups preventative controls 173,
behavior 115–120 117 250
changes 264 peripheral devices 244 prevention
culture 111–112 permanent IT system 260 costs 235
performance 39–40 personal computers (PCs) fraud 333–334
structure 68 244 Prevention of Corruption
Ouchi, W. (1943– ) 125 personal identity numbers Act 28
output (PINs) 280 prevention of fraud 332–
computers 246 personnel controls 257–258 335
frauds 349–350 persuasion 144 price
stage 251, 262 PERT 200–201 differentiation 102–103
outsourcing 218, 233, Peters, Tom (1944– ) 126 discounting 106
315–316 PGP 304 elasticity of demand 101
overreliance on controls physical equilibrium 29
193 evidence 80 maximum 29
Owen, Robert (1771–1858) security controls 249 minimum 29
122 PINs 280 pricing 234
owners plan privacy 279–284, 297, 309
distribution to 221 disaster recovery 287– private
investment by 221 289 companies 38
ownership risk 49 project 180 key 309
planning law 326
P engagement 175–182 proactive
packet analysis 306–307 implementation 266–267 auditing 153
packet-sniffing methodology internal auditing 157–159, role 216
306–307 163–166 probability proportional to
paper 247 IT systems 266–267 size (PPS) 197
paper tape 246 process 176–178 problem-solving 127
paralinguistics 94 project 179, 313–314 process
parallel simulation 278 sampling 194 costing systems 231
parameters 247 strategic 39–40 IT control objectives 262
partnerships 37 plants risks 49–50
password capture 284 retention vs replacement structure of audit 163–
passwords 280–281, 284 233 166
payroll playback of recording 283 processing
auditing 136–137, policies frauds 349–350
155–156 follow-up 188–189 stage 251
fraud schemes 330, 333 polygraph testing 341–342 procurement audits 156
PCs 244 poor social skills 332 production
Pension Funds Act 215 population auditing 136
perceptions 91 characteristics 194 costing of 232
performance size 195 outsourcing 233
areas (KPAs) 6–7, 161 position defense 105 rearranging lines 233
balanced scorecard positively skewed 195 value chain for business
41–44 post-event audit trail 228
defining measurements analysis 306 productivity loss 50
171 post-project audit 314 product(s)
evaluation 6–7, 160, 162, potential for conflict 119 by 232
169–174 power of negotiating parties differentiation 102–104
indicators (KPIs) 161 143–144 joint 232
management 132 PPS 197 life-cycle approach 109
measurement 41–45, predictive value 220 mix 233
171–172 pre-emptive defense 105 pricing 234
objectives 6–7, 40, 46, pre-incident preparations proliferation 106
160–161 351–352 professionalism 8, 33–34
organizational 39–40 preliminary survey 164

415

Internal_Auditing.indb 415 16/04/2015 11:13


INTERNAL AUDITING: AN INTEGRATED APPROACH

professional organizations and associations 3–4
Professional Practices Framework 14, 33
proficiency 15
profitability of market 102–103
program
  audit 80–81, 165, 397–399
  change controls 249
  control objectives 251–252
  inadequate testing 265
  results audits 154–155
program evaluation review technique (PERT) 200–201
programmable read-only memory (PROM) 244
programmers 248
programming
  languages 276
  linear 200
project
  audit 314
  closing 179
  completion 313–314
  controlling 179
  definition 313–314
  implementation 313–314
  initiation 179, 269
  management 178–182, 313–315
  monitoring 179
  plan 180
  planning 179, 313–314
  scheduling techniques 200–201
PROM 244
promiscuity
  sexual 331
protocol 252
proxemics 94
PSNs 253
public
  companies 39
  entities 39
  key 309
  sector 41, 229–230
  switched networks 253
Public Accountants’ and Auditors’ Act 215
Public Finance Management Act 1 of 1999 28, 39, 208, 213–215, 219, 238
punched cards 246
punctuated-equilibrium model 117
purchasing fraud schemes 330, 333

Q
QA 11, 15, 19–22, 154
QARs 11, 19–20
qualitative
  analysis 56
quality
  assurance 11, 15, 19–22, 154
  audits 154
  concept 125–126
  control 235–236
  enhancement 154
  failures 236
  of work 181
Quality Assurance Reviews (QARs) 11, 19–20
quantitative
  analysis 56
  methods 198–200
qua owners 209–210
questioning
  audit evidence 82
  fraud 347–348
  negotiation 143, 146
questionnaires
  customized 71–72
  internal control 71
questions
  handling of 94
queuing theory 202

R
R&D 137–138, 228
RAM 244
random access memory (RAM) 244
ratio analysis 200
rational interaction for moral sensitivity (RIMS) 31–32
reactive role 216
read-only memory (ROM) 244
real-time
  activity monitoring 307–308
  packet analysis 306–307
receivables 133–134
receiver 89
reciprocal method of cost allocation 231
recommendations 166
records retention 297, 309
recovery
  disasters 284–289
  fraud 355–356
referent power 144
regression analysis 200
regulated markets 29
regulations
  compliance 172
regulatory environment 237–240
related industries 109
relevance of financial information 220–221
reliability of information 172, 220
remuneration committee 212
replacement of plants 233
replay attacks 283
report
  basic 185
  detailed findings 186
  distribution of 186–187
  executive summary 185–186
  polishing of 186
reporting
  audit 183–189
  control(s) 65–66, 169–171
  financial 220–226
  follow-up 187–189
  interim 187
  internal auditing 158, 160, 166–168
  IT fraud 356
requirements
  Vee cycle 272
research and development
  auditing 137–138
  value chain for business 228
res gestae statements 339
residual risk 159,
resistance to change 92
resource(s)
  allocators 116
  control(s) and adequacy of 70
  control self-assessment (CSA) 71
  internal auditing 218
responses
  business continuity planning 291–292
  to IT fraud 353–354
retention
  of plants 233
  of records 297
  records 309
revenue
  auditing 133–134
  definition 221



INDEX

review
  control(s) 70
  financial reporting 225–226
  performance 6–7, 160, 162
  post-implementation of system 270–273
  risk identification by analytical 54
  system-level activity 278
  Vee cycle 272
reviews 174
reward power 143
rework 232
Ricardo 108
RIMS 31–32
ring networks 253
Riordan’s Internet privacy enhanced mail 304
RIPEM 304
risk-based internal audit approach
  corporate governance 218
  marketing 55–56
  selling of 55
risk(s)
  analysis 51–55
  analytical review 54
  appetite 56
  assessment 47–64, 66, 157–158, 193, 291
  audit 48
  auditing based 52–53
  behavioral 49–50
  committee 212, 216
  control 47–48
  custodial 49
  definition 47
  disasters 284
  effect of 49–50
  enterprise-wide risk management (ERM) 12–13, 62–64
  factors to consider 52
  framework 49
  fraud 62
  identification 50–51
  IIA Standards for the Professional Practice of Internal Auditing 53–54
  inherent 48, 158
  internet security 303–308
  management 54
  model 49
  nature of 47–48
  ownership 49
  process 49–50
  sampling 192–193
  tolerance 55
  types of 55–56
rivalry among firms 99–100, 109
role
  conflict 118
  expectations 118
  identity 118
  perception 118
ROM 244
rule utilitarianism 24
run instructions 247

S
safeguarding of assets 172, 174
samples
  audit committee charter 360–361
  audit program 397–399
  audit report 400–403
  engagement contract 396
  general standards of completion 370–372
  internal audit charter 362–364
  job descriptions 384–395
  size 192, 195–198
  working papers 365–369, 373–383
sampling 190–198
sanction
  Vee cycle 272
Sarbanes-Oxley Act 34, 207, 215, 219, 223, 225–226, 237, 240, 313
satisficing model of decision-making 128
SBU 97
scanner 246
SCARFs 277
scatter diagram 199
scheduling techniques 200–201
scientific school 122–124
scrap 232
screen 247
SDLC 269–273
search engines 303
section 21 companies 39
security
  auditing 279–284
  controls 249
  information 309
  internet 303–308
  intranet security 304–306
  needs 129
  threats 254, 282–284, 297
segregation of duties 69, 297, 309
selection
  auditee 163
  simple random 198
  systematic 198
self-
  actualization needs 129
  assessment 17, 70–73
  review 78
sender 87–88
sensitive analysis 231
service(s)
  customer 229
  mobility 317
  pricing 234
  sector 230
sexual promiscuity 331
signatures
  checking 81
  digital 309–310, 350
simple
  IT system 260
  random selection 198
simple mail transfer protocol (smtp) 302
simplex mode 253
simulations 201–202, 278
situational
  authority 90
  theory 125
skewness 195
skill mix 156
Skills Development Act 97 of 1998 23
smartcards 281, 297
smart mobility 317–318
Smith, Adam 25, 29, 31, 108
Smith Report 206, 214
smtp 302
sniffers 306–307
social
  conflict 144
  media 318–319
  needs 129
software
  applications 249
  audit 275–277
  security 254
  systems 249
sole proprietor 37
sound control environment 66
source-code review 277
spam 282–283


specifications
  technical 266
  users 266
split-off point 232
spoilage 232
spokespersons of organizations 115
sponsor 289, 291
spoofing 283
stable IT system 260
staff
  competencies 132
  poor attitudes 263
stakeholder management 31
standard costing 232–234
standards
  attribute 16
  implementation 16
  of internal auditing 15–16
  of performance 16, 40
Standards for the Professional Practice of Internal Auditing
  1100 35
  1110 35
  1110.A1 35
  1120 35
  1130 35
  1130.A1 35
  1130.A2 36
  1130.C1 36
  1130.C2 36
  1310 20
  2120 65
  2130 216
  2210 218
  2230 218
  2500-A1 187
  attribute 16
  compliance 15
  corporate governance 215–216
  implementation 16
  internal auditing 223
  origins 14
  performance 16
  professionalism 8
  project management 181
  quality assurance 11
  risk 53–54
statistical sampling 192
status
  as barrier to communication 92
step-down method of cost allocation 231
stiffies 245
stock exchanges 221
storages 245
storming stage of groups 117
strategic
  analysis 99–102
  management 95–99, 102–106, 228
  planning 39–40, 96
  role 216
  uncertainty 114
Strategic Business Unit (SBU) 97
strategy(ies)
  auditing corporate 139–140
  continuity 291
  control 6–7
  defensive 105
  evaluation 99
  formulation 97–98
  general attack 105–106
  structure 109
stratified sampling 197
substance abuse 332
substitutes 101
sunk costs 233
supervisory
  board 211
  controls 70, 258
suppliers’ bargaining power 102
supply 29
supply chain management 134–135
support from top management 263
supporting industries 109
Supreme Court of Appeal 337
survey 164
suspicion 91
SWOT analysis 98
symmetrical cryptography 309
symmetry 195
synchronous communications 252
synergy 97
systematic selection 198
systemic dimension 23
system-level activity 278
system(s)
  analysts 248
  audit review files (SCARFs) 277
  communication(s) 88
  controls 249, 260–261, 268
  conversion activities 267
  design 269–270
  designers 248
  development 249, 265–273
  development lifecycle (SDLC) 269–273
  exposures 268
  implementation planning 266–267
  inadequate 265
  micro-based 273
  models 261
  programmers 248
  proposals 265–266
  reasons for failure 263–264
  requirements 265–266
  review 267–268
  software 249
  specifications 266
  theory 125

T
tacit admissions 339
tactical decisions 68, 127, 170
tactics 142–145, 347
Taguchi’s, Dr Genichi (1924– ) 126
tangible asset valuation 56
tape librarian 257
tapes 245
task groups 116
Taylor, F. W. (1856–1917) 122–123
TCP/IP addresses 302
team identification for risk assessment 57
technical specifications 266
technological uncertainty 114, 216
technology
  e-commerce 296
temporary IT system 260
terminal mobility 317
terminals 245
testimonial evidence 80
testing
  audit 166
  business continuity planning 293
  control(s) 174
  disaster recovery plan 288–289
  inadequate program 265
  polygraph 341–342
  test transaction techniques 277–278
test(s)
  Chi-square tests 198–199


  of control systems 165–166
  data 277
  transaction techniques 277–278
theft
  evidence of 343–344
  fraud and 326
  of trade secrets 328
theory(ies)
  of absolute advantage 108
  of comparative advantage 108
  contingency 125
  current management 125–126
  ethical 24–25
  expectancy 130
  Game 202
  Hertzberg’s 130
  management 122–132
  motivational 129
  motivation-hygiene 124
  queuing 202
  situational 125
  systems 125
threats
  to assets 56
  confidentiality 283
  data integrity 283
  entry barriers 100–101
  security 254
  substitutes 101
Three Lines of Defense 12
throughput frauds 350
timely nature of financial information 221
time management 181
totalitarianism 109
Total Quality Control 19
trade secrets 328
trailers 105–106
transactions objectives 250–251
Treadway Commission 112, 205
treasury audits 156
trend analysis 198
triggering events for fraud 332
triple bottom line 12
trust between negotiating parties 142–143
two-tier board model 210–211

U
uncertainty see also risk(s)
  business 126–127
  strategic 114
  technological 114
uncontrollable risks 55
underreliance on controls 193
understanding business 6, 160–161, 290
undesirable associates 331
unethical decisions 25–26
unitary board model 210–211
unplanned work 178
unsolicited orders 327
unusual expenses 331
upstream integration 102
user(s)
  authentication 280–281
  changes in requirements 264
  IT personnel and 264
  mobility 317
  requirements 264
  specifications 266
  unspecified requirements 264
utilitarian school 24
utilities 276

V
valid confessions 339
value-added networks (VANs) 253
value chain for business 228–229
values 128
valuing intangible assets 56
VANs 253
variable
  costs 230, 233
  population 195
  sampling 196
Vee cycle 271–273
verbal communications 93–94
verification
  audit evidence 82
  financial information 220
vertical
  communication 90
  integration 102–103
viruses 282
visibility risk factors 53
visual aids 93
voice 247
voice recognition 246
volatile memory 244

W
W3 294, 302
waiting cost 202
WANs 59, 245, 253
waste 232
Waterfall cycle 271
Watt, James (1769–1848) 121–122
weakness
  power in 144
web see world wide web (www)
web browsers 303
Weber, Max (1864–1920) 123
wide area networks (WANs) 59, 245, 253
working
  objectives 9, 98
  papers 365–369, 373–383
workplaces, dysfunctional 50
workshops 72–73
work
  unplanned 178
  stress 130–132
world wide web (www) 294, 301–302, 308
writing techniques 184–185
written
  communications 92
  reports 184
www 294, 301–302, 308
