Internal Audit Handbook
-
Upload
khangminh22 -
Category
Documents
-
view
1 -
download
0
Transcript of Internal Audit Handbook
Henning Kagermann William Kinney Karlheinz Küting Claus-Peter Weber (Eds.)
Internal Audit HandbookManagement with the
SAP®-Audit Roadmap
In cooperation with:
Corinna Boecker
Julia Busch
Oliver Bussiek
Margaret H. Christ
Petra Eckes
Markus Falk
Penelope Sue Greenberg
Bernhard Reichert
Manfred Wolf
Translated from German by:
Ziggie Keil
123
ISBN 978-3-540-70886-5 e-ISBN 978-3-540-70887-2
DOI 10.1007/978-3-540-70887-2
Library of Congress Control Number: 2007937939
© 2008 Springer-Verlag Berlin Heidelberg
his work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, spe-
ciically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on micro-
ilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only
under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for
use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
SAP®, SAP NetWeaver®, ABAP-4® and other SAP products and services mentioned in this text as well as their re-
spective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over
the world. SAP AG is neither the author nor the publisher of this book and is not responsible for its content.
COBIT® (Control Objectives for Information and related Technology) is a registered trademark of the ITGI. he
ITGI is neither the author nor the publisher of this book and is not responsible for its content.
Excel®, Internet Explorer®, Microsot®, PowerPoint®, Windows® and Word® are registered trademarks of Microsot
Corporation in the USA and/or other countries. Microsot Corporation or Microsot GmbH are neither the authors
nor the publishers of this book and are not responsible for its content.
All other names of products and services are trademarks of the respective companies.
COSO IC Cube, Copyright © 1992 and COSO ERM Cube, Copyright © 2001 by the Committee of Sponsoring
Organizations of the Treadway Commission. Reproduced with permission from the AICPA acting as authorized
copyright administrator for COSO.
he use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in
the absence of a speciic statement, that such names are exempt from the relevant protective laws and regulations and
therefore free for general use.
Cover design: WMX Design GmbH, Heidelberg
Printed on acid-free paper
9 8 7 6 5 4 3 2 1
springer.com
Professor Dr. Henning KagermannSAP AGDietmar-Hopp-Allee 1669190 WalldorfGermany
Professor William Kinney, Ph.D.McCombs School of BusinessUniversity of Texas at Austin1 University Station B6400Austin, Texas 78712USA
Professor Dr. Karlheinz KütingInstitut für WirtschatsprüfungUniversität des Saarlandes, CampusGebäude B4 166123 SaarbrückenGermany Professor Dr. Claus-Peter WeberInstitut für WirtschatsprüfungUniversität des Saarlandes, CampusGebäude B4 166123 SaarbrückenGermany
V
Preamble by the Institute of Internal Auditors
It’s plain and simple: Internal auditing is anything but plain and simple. It is a rap-
idly changing profession with high standards. Internal auditing is unique to the
organization and culture in which it is performed, and requires an in-depth under-
standing of that organization’s culture, policies, and procedures.
Today’s professional internal auditors more closely resemble coaches and edu-
cators than did their predecessors. hey watch for eiciencies, economies, and ef-
fectiveness and make recommendations for improvement when they ind gaps. In-
ternal auditors assess risks—inancial, operational, strategic, compliance-oriented,
and reputation-related—to ensure an organization’s system of control is strong.
hey evaluate processes and determine what’s working and what’s not. And inter-
nal auditors’ main job function is to help management and the board to meet goals
and objectives.
Such a broad and dynamic profession requires its members to be ever watchful
for new and better ways of doing things. he Insitute of Internal Auditors (IIA) and
he IIA Research Foundation are both committed to enhancing the professional-
ism of internal audit practitioners and elevating the profession all around the world.
his includes expanding the proiciency and performance of internal auditors, as
well as building broad awareness of the value the internal audit activity brings to an
organization and its myriad stakeholders.
Clearly, this handbook is consistent with these two goals. It sets the stage by de-
ining internal auditing, relating to the International Standards for the Professional
Practice of Internal Auditing, and describing recognized frameworks for internal
control and risk management. It explores internal audit methodology and provides
helpful information on scope, integration, analysis, and quality.
Written for management, board members, chief audit executives, and staf inter-
nal auditors, the concepts presented on the pages that follow put the complexities of
internal auditing into language that is understandable and relevant.
Trish Harris
Director, Communications
he Institute of Internal Auditors, Inc.
VII
Foreword
Everything starts with an idea, and this book is no exception. At irst, the various
thoughts and discussions were focused on the original intention to “merely” create
a job introduction for new Internal Audit employees. his plan has since evolved
into a comprehensive, up-to-date presentation of the tasks and challenges facing
Internal Audit, in a format and on a scale hitherto unrivalled in the market.
here are very few units in the company that have been subject to such a ma-
jor change process in recent years as Internal Audit. his applies irrespective of
company size as corporations adapt to developments in information technology,
corporate governance, legal requirements, and global best practices. For large cor-
porations, the change process typically involves restructuring, expanding, and in-
ternationalizing the existing department, while smaller and medium-sized compa-
nies face the challenges associated with setting up such a department for the irst
time. For this reason, we have not produced this book with a speciic audience
or sector in mind. Rather, we have tried to present the idea of Internal Audit so
comprehensively that readers can get from it the information they require for their
particular situations.
he target audience of this handbook could not be more varied, and we hope
that a large cross-section of managers and employees from Internal Audit, compli-
ance, risk, and corporate management will beneit from reading it. Apart from the
auditors themselves, this book should also appeal to those who have contact with
Internal Audit within or outside their own company, with the aim of giving them
insight into the tasks and responsibilities of this department. In this context, it is
our particular concern to eradicate, once and for all, the outdated notion of internal
auditors as controlling box checkers, not much loved by the rest of the company,
and instead to present the highly varied, interesting, and increasingly international
range of tasks of Internal Audit as a navigator in the company. Finally, we hope
this book will make an important contribution to teaching (internal) auditing at
universities.
he introductory information provided in Section A gives a comprehensive
overview of the principles of internal auditing. It places audit work in the overall
context and deals with organizational issues as well as the practice of audit and
consulting work. Section B describes the Audit Roadmap, the process model of
Internal Audit at SAP®. he chapters in Section C provide ictitious, practice-based
examples of how Internal Audit at SAP AG deals with selected audit topics. Section
D revisits some focus areas and special topics for a more detailed discussion.
he summarizing key points at the beginning of each chapter are to give readers
a concise overview of the topics dealt with in the chapter. he same applies to the
enclosed CD containing templates to put speciic elements of theory into practice.
VIII
With the Hints and Tips at the end of most chapters we hope to provide useful im-
pulses for practical audit work.
As mentioned earlier, this handbook is intended to satisfy a variety of users with
diferent information requirements. Nevertheless, the information generally makes
reference to examples from the organizational structure of SAP AG and its internal
audit service provider GIAS (Global Internal Audit Services), although in speciic
cases we depart from company-speciic names and structures to make the informa-
tion more generally accessible. With regard to SAP-speciic terminology and situa-
tions, e.g., the organizational position of Internal Audit under the CEO or reference
to SAP AG’s local subsidiaries, we ask readers to apply the information provided to
their personal situations as required. his also holds for adjustments resulting from
certain company forms and the application to other legal forms of information re-
lating to the German Aktiengesellschat (stock corporation).
his guide incorporates the latest status of discussion, although we have to bear
in mind that the whole topic is subject to constant development. Some issues of the
future have already been touched upon, but will require further development and
consolidation. It remains to be seen how changes will shape the future of Internal
Audit.
As the scale of work suggests, this book could not have been published without
the dedicated eforts of a large team of people, who worked hard over the past few
months to help this project succeed. We would like to say a special thank you to
Margaret Christ, Penelope Sue Greenberg, and Bernhard Reichert for their dedica-
tion in revising and editing the English translation of this handbook, which irst
appeared in German as Handbuch der Revision. hanks also to Ziggie Keil for
translating the work into English. We would also like to acknowledge the original
authors of the German edition: Corinna Boecker, Julia Busch, Petra Eckes, Oliver
Bussiek, Markus Falk, and Manfred Wolf. We also wish to thank Christine Benner
for her organizational work, for producing numerous graphics, and for looking af-
ter the CD design. A word of thanks also to Dorothee Brechtel and Adelheid Röben,
who read and reread each chapter with tireless dedication, contributing to factual
and linguistic quality assurance and making many valuable suggestions. We are
also grateful to the following Internal Audit employees of SAP AG for their work
on speciic chapters: Julio M. Arevalo, horsten Caspari, Önder Güngör, Miang
Ngee Lau, Christian Müller, Mark Scavillo, Maria Eliana Testolin, Zoltan Vagvoel-
gyi, and Kai Zobel. Other departments of SAP AG also gave us plentiful support by
reading the text and providing critical feedback. hanks also to the employees from
Global Communications, Corporate Legal, Corporate Financial Reporting, Global
Risk Management, Global Compliance, HR Business Partner, Project Management
Oice Finance & Administration, Corporate Controlling, Controlling, and Global
Purchase Organization of SAP AG, and the Oice of the CFO. We would like to
thank Dr. Matthias Heiden for coordinating the reviews and for making many valu-
able suggestions. he staf of Springer-Verlag, especially Dr. Werner A. Müller and
Ruth Milewski, deserve our thanks for the excellent and smooth cooperation.
Foreword
IX
We also wish to sincerely thank Trish Harris, Director of Communications at the
Institute of Internal Auditors, for agreeing to write a preamble to this handbook.
We would be delighted if this new handbook enjoyed a positive reception in
both corporate practice and at universities. We look forward to your critical feed-
back and suggestions for improvement, which we will incorporate in our next edi-
tion. Please e-mail any comments to [email protected].
Walldorf, Austin, and Saarbrücken, August 2007
Henning Kagermann William Kinney
Karlheinz Küting Claus-Peter Weber
XI
Note to Users
his internal audit handbook has been written for diferent target audiences and
therefore addresses diferent interest groups. It is comprised of ive sections and
includes a CD with examples and templates. Read in its entirety, the handbook
is a complete guide to a modern internal audit department. However, depending
on your personal knowledge and available time, you may prefer to approach the
content selectively. To this end, each chapter starts with Key Points, which provide
a concise overview of the topics discussed within the chapter. he Hints and Tips
at the end of most chapters are to provide helpful suggestions for day-to-day audit-
work. he following table shows the contents that each section of the guide covers
and lists possible target groups.
Section Contents Target groups
A All interested parties, especially general managers,
Boards of Directors, managers and specialized
employees of Internal Audit
B Description of the SAP®Audit Roadmap
Internal Audit managers and employees
C Operational aspects of
audit execution
Internal Audit employees and operational managers
D Applied specialist
knowledge
Audit employees and interested parties with a high
level of professional knowledge or expertise
E Conclusion All
he included CD provides a visual depiction of the Audit Roadmap at SAP, which is
dealt with extensively in Section B of the guide. he content of the CD is presented
in two diferent modes. With the “View” function, you can display selected topics
from Section B, including the diferent templates used. With the “Edit document”
mode, users can complete templates by entering their own details and then save
them to their own hard disks for subsequent use. For this reason, the CD is particu-
larly valuable for practical audit work.
Finally, this handbook is intended for use by internal audit departments from
around the world. However, when describing Internal Audit and corporate gover-
nance in general, we focus on U.S. rules and regulations. In addition, in the chap-
ters that speciically address SAP practices, we refer to the two-tiered Board system
which is standard in Germany. his two-tiered Board comprises an Executive Board,
which consists of the managing directors, and a Supervisory Board, which consists
of shareholder representatives and employee representatives. However, wherever it
seems expedient we refer to either the “Board of Directors” or only the “Board”.
XIII
Contents
Preamble by the Institute of Internal Auditors . . . . . . . . . . . . . . . . . V
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VII
Note to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XI
List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXI
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXV
A Conceptual Basis of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1 Nature and Content of Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 General Deinition of Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Deinition of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Regulatory and Organizational Framework . . . . . . . . . . . . . . . . . . . . . 7
2 Internal Audit: Meeting Today’s Needs . . . . . . . . . . . . . . . . . . . . . . . . 16
2.1 he Dynamics of the Operating Environment . . . . . . . . . . . . . . . . . . . 16
2.2 Reorientation of the Requirements Proile . . . . . . . . . . . . . . . . . . . . . . . 19
2.3 Formulating the General Audit Objectives and Ways
of Implementing hem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.4 he Charter as Audit Mandate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.1 Purpose of the Charter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.2 Main Contents of the Charter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.4.2.1 Tasks of Internal Audit at SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.4.2.2 Organizational Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.4.3 he Charter as Part of Internal Audit’s Deinition Process . . . . . . . . 35
2.5 Implementing the Audit Mandate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.5.1 Internal Audit as an Independent Audit Body for the Whole
Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.5.2 Internal Audit as a Component of Corporate Governance . . . . . . . . 40
2.5.3 Internal Audit as a Service Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.5.4 Trend toward Audit Management as a Corporate Management
Instrument . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2.5.5 Internal Audit as a Proit Center Organization . . . . . . . . . . . . . . . . . . . 51
2.6 Internal Audit and the Requirements of SOX . . . . . . . . . . . . . . . . . . . . 53
2.7 Value Added by Internal Audit at SAP . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3 Framework of Internal Audit at SAP . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.1 SAP’s Global Audit Approach in the Shape of Global Internal
Audit Services (GIAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
XIV
3.2 Structure of the GIAS Code of Conduct . . . . . . . . . . . . . . . . . . . . . . . . 62
3.3 he GIAS Code of Conduct in Detail . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.4 Examples Illustrating the Efectiveness of the Code of Conduct . . 69
4 Organizational Structure of GIAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.1 Organizational Status within SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.2 Organizational Structure and Responsibilities within GIAS . . . . . . 75
4.3 Structure and Tasks of the Regional GIAS Teams . . . . . . . . . . . . . . . 78
4.4 Structure and Organization of the Audit Teams . . . . . . . . . . . . . . . . . 79
4.5 Employee Proiles in GIAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.6 Career Paths and Development Potential . . . . . . . . . . . . . . . . . . . . . . . 85
4.7 he Structure of Timesheets in Internal Audit . . . . . . . . . . . . . . . . . . 88
5 Fundamental Principles of the GIAS Approach . . . . . . . . . . . . . . . 91
5.1 Employee Proiles and their Interaction in the Audit Process . . . . . 91
5.2 Attributes of the Process-Based Approach . . . . . . . . . . . . . . . . . . . . . . 92
5.3 Deinition of Audit Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.4 GIAS Target Group Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.5 Structure and Content of the Audit Universe . . . . . . . . . . . . . . . . . . . 101
5.6 Audit Challenges in the Global Corporate Environment . . . . . . . . . 104
5.6.1 Basis of an International Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.6.2 Overview of Global Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.7 GIAS Integration Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.8 Identifying Audit-Relevant Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
6 Audit Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
6.1 Content Determinants and Formal Determinants . . . . . . . . . . . . . . . 114
6.2 Audit Field Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.2.2 Management Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.2.3 Operational Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.2.4 Financial Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.2.5 IT Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.2.6 Fraud Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
6.2.7 Business Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
6.3 Audit Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.4 Audit Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.5 Audit Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
6.6 Audit Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
6.7 Cost/Beneit Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7 Other Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Contents
XV
7.2 Audit-Related Other Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.2.1 Cost-Efectiveness Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.2.2 Pre-Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
7.2.3 Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
7.2.4 Implementation Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
7.3 Non-Audit-Related Other Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
7.3.1 Ongoing Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
7.3.2 Internal Consulting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
7.3.3 Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
B The SAP®-Audit Roadmap as a Working Basis
for Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
1 General Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
1.1 Structure and Features of the Audit Roadmap . . . . . . . . . . . . . . . . . . 186
1.2 Advantages and Beneits of the Audit Roadmap . . . . . . . . . . . . . . . . 189
2 Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
2.1 Content of Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
2.1.1 Integration and Organizational Structure . . . . . . . . . . . . . . . . . . . . . . 192
2.1.2 Templates and How to Use hem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
2.1.3 Overview of Available Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
2.2 Annual Audit Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
2.3 Audit Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
2.4 Composition and Role of the Audit Team . . . . . . . . . . . . . . . . . . . . . . 208
3 Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
3.1 Audit Announcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
3.2 Work Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
3.2.1 Standard Structure of the Work Program . . . . . . . . . . . . . . . . . . . . . . . 214
3.2.2 Integration of the Work Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
3.2.3 Process Elements: Risks and Internal Controls . . . . . . . . . . . . . . . . . . 218
3.3 Other Preparation Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
3.3.1 Obtaining Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
3.3.2 Speciic Training Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
4 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
4.1 Fieldwork Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
4.1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
4.1.2 Main Fieldwork Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
4.1.3 Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
4.1.3.1 Organizational Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
XVI
4.1.3.2 Methodological Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
4.1.3.3 IT Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
4.2 Use of Working Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
4.2.1 Requirements for the Documentation of Fieldwork . . . . . . . . . . . . . 239
4.2.2 Structure and Content of Working Papers . . . . . . . . . . . . . . . . . . . . . . 241
4.2.3 Referencing of Working Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
5 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
5.1 Basics of Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
5.1.1 Professional Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
5.1.2 Integration into the Audit Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
5.1.3 Overview of the Main Report Formats . . . . . . . . . . . . . . . . . . . . . . . . . 249
5.1.4 Overview of Report Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
5.1.5 Report Addressees and Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
5.2 Standard Report Package for Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
5.2.1 Audit Report Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
5.2.2 Classiication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
5.2.3 Implementation Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
5.2.4 Management Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
5.2.5 Board Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
5.3 Other Report Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
5.3.1 Memorandum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
5.3.2 Results Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
5.4 Periodic Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
5.4.1 Annual Report to the Audit Committee . . . . . . . . . . . . . . . . . . . . . . . . 269
5.4.2 Other GIAS Information Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
6 Follow-Up Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
6.1 Basics of the Follow-Up Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
6.2 Follow-Up Phase in Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
6.2.1 Status Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
6.2.2 Follow-Up Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
6.3 Reporting During the Follow-Up Phase . . . . . . . . . . . . . . . . . . . . . . . . 278
6.3.1 Updating the Audit Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
6.3.2 Measuring Audit Outcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
7 Special Audit Roadmaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
7.1 Objectives of Special Audit Roadmaps . . . . . . . . . . . . . . . . . . . . . . . . . 282
7.2 Audit Roadmap for Fraud Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
7.3 Audit Roadmap for Management Process Audits . . . . . . . . . . . . . . . 287
7.4 Audit Roadmap for IT Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Contents
XVII
C Examples from Audit Practice at SAP . . . . . . . . . . . . . . . . . . . . . . . . . . 295
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
2 Audit Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.1 Overview of the Audit Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2 Tools Needed for the Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
2.3 Auditor Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
2.3.1 he Right Tone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
2.3.2 Professional Auditor Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
2.3.3 Team Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
2.4 Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
3 Selected Financial Audit Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
3.1 Analytical Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
3.2 Trade Accounts Receivable Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
3.3 Accrued Liabilities Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
3.4 Trade Accounts Payable Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
3.5 Revenue Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
4 Selected Operational Audit Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
4.1 Purchasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
4.2 Sales Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
5 Combined Audit Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
5.1 Subsidiary Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
5.2 Consulting Project Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
5.2.1 Classiication of Consulting Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
5.2.2 Audit Preparation and Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
5.2.3 Special Aspects of Consulting Project Audits . . . . . . . . . . . . . . . . . . . 360
5.3 License Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
5.4 Management Process Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
5.4.1 Basics of Management Process Audits . . . . . . . . . . . . . . . . . . . . . . . . . 372
5.4.2 Audit Preparation and Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
6 Business Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
7 Global Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
8 SOX Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
9 Revenue Recognition Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
XVIII
10 IT Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
10.1 Basics and System Coniguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
10.2 SAP Workbench Organizer and Transport System . . . . . . . . . . . . . . 413
10.3 Table Access and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
10.4 User Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
10.5 Batch-Input Interfaces and Background Processing . . . . . . . . . . . . . 426
D Special Topics and Supplementary Discussion . . . . . . . . . . . . . . . . 431
1 Documentation in Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
1.1 Basics of Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
1.1.1 Objectives, Requirements, Sources, and Responsibilities . . . . . . . . . 432
1.1.2 Legal Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
1.1.3 Important Documentation Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
1.2 Documentation Along the Audit Roadmap . . . . . . . . . . . . . . . . . . . . . 437
2 Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
2.1 Communication and Information Flow . . . . . . . . . . . . . . . . . . . . . . . . 441
2.2 Global Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
2.2.1 Integration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
2.2.2 Risk Management Along the Audit Roadmap . . . . . . . . . . . . . . . . . . . 446
2.2.3 Risk Management Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
2.2.4 Internal Audit as Part of the Risk Management Process . . . . . . . . . . 449
2.3 Global Quality Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
2.4 Corporate Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
2.5 Management and Supervisory Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . 455
2.6 External Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
2.7 External Institutions and Other Interested Parties . . . . . . . . . . . . . . 460
3 Annual Risk-Based Audit Planning . . . . . . . . . . . . . . . . . . . . . . . . . . 463
3.1 Inventory of Possible Audit Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
3.1.1 Identiication of Possible Audit Topics . . . . . . . . . . . . . . . . . . . . . . . . . 463
3.1.2 Risk Assessment and Audit Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . 464
3.2 Annual Audit Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
3.3 Execution Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
3.4 Interrelation of Global and Regional Planning . . . . . . . . . . . . . . . . . . 471
4 IT Environment of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
4.1 Structure of a Global IT Environment of Internal Audit . . . . . . . . . 473
4.1.1 Decentralized Use of IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
4.1.2 Central Filing Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
4.1.3 Decentralized Reporting System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Contents
XIX
4.1.4 IT Tools for Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
4.2 Globally Integrated IT Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
4.2.1 Requirements on a Fully Integrated IT Solution . . . . . . . . . . . . . . . . 479
4.2.2 Concept for a System Structure of an Integrated IT Solution . . . . . 480
4.2.3 Proposed Solutions in Terms of Corporate Governance
and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
5 Quality Assurance for Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . 485
5.1 Quality Assurance in General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
5.2 Deinition of Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
5.3 GIAS Quality Assurance Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
5.4 Process and Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
5.5 Quality Assurance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
5.6 he GIAS Quality Assurance Program Compared
to the Requirements of the IIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
6 Escalation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
7 Performance Measurement System . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
7.1 Basic Principles of an Internal Audit Approach Based on Key
Performance Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
7.1.1 Content, Objectives, and Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
7.1.2 Structure of the Key Performance Indicators . . . . . . . . . . . . . . . . . . . 510
7.1.2.1 General Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
7.1.2.2 Selected General Standard Key Performance Indicators . . . . . . . . . 512
7.2 Selected Special Key Performance Indicators . . . . . . . . . . . . . . . . . . . 513
7.2.1 Overall Audit Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
7.2.2 Audit Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
7.2.3 Follow-Up Rating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
7.3 Benchmarking Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
7.4 Structure of a Balanced Scorecard Approach . . . . . . . . . . . . . . . . . . . 527
8 Integrated Cost Management (Cost of Internal Audits) . . . . . . . 529
9 Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
10 Guest Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
11 Management of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
11.1 Operational Audit Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
11.2 Monitoring Audit Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
11.2.1 Audit Performance Record as Part of Performance Management 548
11.2.2 Audit Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
XX
12 Marketing of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
12.1 Internal Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
12.2 External Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
13 Fraud Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
14 Services Provided by Internal Audit Relating
to the Sarbanes-Oxley Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
14.1 General Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
14.1.1 Legal Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
14.1.2 COSO Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
14.1.3 Impact of SOX on Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
14.2 Integrating SOX Organization and Internal Audit . . . . . . . . . . . . . . . 573
14.2.1 Management of Internal Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
14.2.2 SOX Lifecycle Process Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
14.2.3 Roles and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
14.2.4 Overview of Internal Audit’s SOX Services . . . . . . . . . . . . . . . . . . . . . 583
14.3 Integration along the Audit Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . 585
14.3.1 SOX Support Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
14.3.2 SOX Audit Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
14.3.3 Coordination of SOX Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
14.4 Impact of Introducing SOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
E Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
F Subject Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
XXI
List of Abbreviations
ABAP Advanced Business Application Programming
(the SAP® programming language)
AG Aktiengesellschat (legal form of a German stock corporation)
AICPA American Institute of Certiied Public Accountants
AktG Aktiengesetz (German Stock Corporation Act)
ARB Accounting Review Bulletin (US-GAAP)
AS Auditing Standard
AUD Australian Dollar
B2B Business to business
BilReG Bilanzrechtsreformgesetz (German Accounting Legislation
Reform Act)
BSC Balanced scorecard
CAE Chief Audit Executive
CIA Certiied Internal Auditor
CD Compact Disc
CEO Chief Executive Oicer
CFO Chief Financial Oicer
CHF Swiss Francs
CIS Contract Information System
COBIT® Control Objectives for Information and related Technology
COSO Committee of Sponsoring Organizations of the Treadway
Commission
COSO ERM COSO Enterprise Risk Management
COSO IC COSO Internal Control
CPI Continuous process improvement
DCGK Deutscher Corporate Governance Kodex (German Corporate
Governance Code)
DDIC Data Dictionary
DSO Days sales outstanding
DVD Digital Versatile Disc
e. g. for example
ed. edition
eds. editors
EITF Emerging Issues Task Force (US-GAAP)
et al. and others
etc. et cetera
EUR Euro
FU Follow-up
XXII
GBP British Pound
GCAF Global Contract Approval Form
GIAS Global Internal Audit Services
(internal audit department at SAP AG)
G/L General Ledger
HGB Handelsgesetzbuch (German Commercial Code)
HIPAA Health Insurance Portability and Accountability Act
HR Human Resources
i.e. that is
ICS internal control system
ID Identiication
IFRS International Financial Reporting Standard(s)
IIA® Institute of Internal Auditors
IIR Deutsches Institut für Interne Revision
(German Institute for Internal Auditing)
Impl. Implementation
ISACA Information Systems Audit and Control Association
ISO International Organization for Standardization
IT Information Technology
J-Sox Japanese Financial Instruments and Exchange Law
KonTraG Gesetz zur Kontrolle und Transparenz im Unternehmensbereich
(German Act on Control and Transparency in Business)
KPI Key Performance Indicator
Mgmt Management
MM Materials Management
NDA Non-disclosure agreement
No. number
NYSE New York Stock Exchange
PC Personal Computer
PCAOB Public Company Accounting Oversight Board
PO Purchase Order
PR Purchase Request
QAR Quality assurance review
QG Quality Gate
Ref. Reference
RRA Revenue Recognition Assurance
SAB Staf Accounting Bulletin (US-GAAP)
SAF Solution Addendum Form
SAP® AIS SAP® Audit Information System
SC Status check
SEC Securities and Exchange Commission
SOP Statement of Position
SOX Sarbanes-Oxley Act
List of Abbreviations
XXIII
SRM Supplier Relationship Management
TPA Technical Practice Aids
TransPuG Transparenz- und Publizitätsgesetz
(German Transparency and Disclosure Act)
UK United Kingdom
U.S. United States (of America)
US-GAAP United States Generally Accepted Accounting Principles
USD US-Dollar
VAT Value-added Tax
vs. versus
WBOT Workbench Organizer and Transport System
ZAR South African Rand
XXV
List of Figures
A Conceptual Basis of Internal Audit
Fig. 1 COSO Cube (ERM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Fig. 2 Functional Position of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . 17
Fig. 3 Audit Requirements and Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Fig. 4 Strategic and Operational Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 23
Fig. 5 Integration of Internal Audit in the Management Process . . . . . . 49
Fig. 6 Relevant Requirements of SOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Fig. 7 GIAS Code of Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Fig. 8 he GIAS Code of Conduct as a Basis for Audits . . . . . . . . . . . . . . 69
Fig. 9 Global Structure of Internal Audit at SAP . . . . . . . . . . . . . . . . . . . . . 74
Fig. 10 Distribution of Responsibilities at GIAS . . . . . . . . . . . . . . . . . . . . . . 76
Fig. 11 Structure and Tasks by Function within GIAS . . . . . . . . . . . . . . . . . 84
Fig. 12 Process-Based Approach in Internal Audit at SAP . . . . . . . . . . . . . 94
Fig. 13 GIAS Target Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Fig. 14 SAP’s Global Audit Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Fig. 15 GIAS Integration Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Fig. 16 Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Fig. 17 Determining the Audit Method with Content and Formal
Determinants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Fig. 18 Overview of Audit Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Fig. 19 Audits of the Global IT Environment . . . . . . . . . . . . . . . . . . . . . . . . . 134
Fig. 20 Possible Treatment of Fraud by Internal Audit . . . . . . . . . . . . . . . . 138
Fig. 21 Audit Risk Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Fig. 22 Embeddedness of Audit Approaches in the Risk-Based Audit
Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Fig. 23 Relations between Audit Fields and the Audit Approaches
to be Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Fig. 24 Audit Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Fig. 25 Extent of the Cycle of each Audit Type . . . . . . . . . . . . . . . . . . . . . . . 161
Fig. 26 Other Services of Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Fig. 27 Cost-Efectiveness Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Fig. 28 Comparison of Audit and Review . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
B The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Fig. 1 Structure of the Audit Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Fig. 2 Core Scope Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
XXVI
Fig. 3 Table of Key Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Fig. 4 Functions to Processes Relationship Matrix . . . . . . . . . . . . . . . . . . . 196
Fig. 5 Processes to Objects Relationship Matrix . . . . . . . . . . . . . . . . . . . . . 197
Fig. 6 Scope in Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Fig. 7 Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Fig. 8 Audit Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Fig. 9 Audit Announcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Fig. 10 Timing of Audit Announcements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Fig. 11 he Work Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Fig. 12 Positioning of Fieldwork Activities in the Audit Roadmap . . . . . . 224
Fig. 13 Test Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Fig. 14 Work Done Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Fig. 15 Audit Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Fig. 16 Referencing Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Fig. 17 Reporting Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Fig. 18 Audit Report Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Fig. 19 Structure of the Implementation Report . . . . . . . . . . . . . . . . . . . . . . 259
Fig. 20 Management Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Fig. 21 Board Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Fig. 22 Priority Board Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Fig. 23 Sub-Phases of the Follow-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Fig. 24 Follow-Up Report Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Fig. 25 Audit Roadmap for Management Process Audits . . . . . . . . . . . . . . 288
C Examples from Audit Practice at SAP
Fig. 1 Fictitious Example of a Plausibility Check . . . . . . . . . . . . . . . . . . . . 308
Fig. 2 Fictitious Example of Ratio Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 309
Fig. 3 Fictitous Example of Possible Results from an Analysis of Assets
and its Consequences for the Work Program . . . . . . . . . . . . . . . . . . 311
Fig. 4 Fictitious Example of Possible Results from an Analysis
of Liabilities and its Consequences for the Work Program . . . . . . 312
Fig. 5 Fictitious Example of a Possible Result from an Analysis of the
Income Statement and its Consequences for the Work Program 312
Fig. 6 Fictitious Ageing Structure List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Fig. 7 Fictitious Example of DSO Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Fig. 8 Fictitious Example for Calculating a Vacation Accrual . . . . . . . . . 321
Fig. 9 Fictitious Example for Calculating a Bonus Accrual . . . . . . . . . . . 323
Fig. 10 Possible Structure of a Fictitious Open Items List, Broken Down
by Currency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Fig. 11 Fictitious Consulting Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Fig. 12 Fictitious Project A as of December 31, 2005 . . . . . . . . . . . . . . . . . 361
List of Figures
XXVII
Fig. 13 Fictitious Project A as of March 31, 2006 ater adjustment
to budgeted costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Fig. 14 Fictitious Fixed-Price Project B – Project Data . . . . . . . . . . . . . . . . 363
Fig. 15 Fictitious Fixed-Price Project B – Accounting Entries . . . . . . . . . . 363
Fig. 16 Fictitious Time and Material Project C, Option A: Accounting
Entries for Time and Material Projects (Monthly) . . . . . . . . . . . . . 365
Fig. 17 Fictitious Time and Material Project C, Option B: Accounting
Entries for Time and Material Projects (Quarterly) . . . . . . . . . . . . 365
Fig. 18 Excerpt from the Core Scope for License Agreements . . . . . . . . . 369
Fig. 19 Motivation of Parties Involved in Management Process Audits 374
Fig. 20 Responsibilities of Parties Involved in a Business Review . . . . . . . 382
Fig. 21 Control Attribute Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Fig. 22 Deinition of Control Attribute Values . . . . . . . . . . . . . . . . . . . . . . . . 393
Fig. 23 Internal Controls Maturity Framework . . . . . . . . . . . . . . . . . . . . . . . 395
Fig. 24 Special Parameters for Selecting the Sample Size . . . . . . . . . . . . . . 398
Fig. 25 Quality Gates during Customer Contract Conirmations . . . . . . . 406
Fig. 26 Quality Assurance during Unannounced License Audits . . . . . . . 407
Fig. 27 Standard System Landscape Including Transport Routes . . . . . . . 416
D Special Topics and Supplementary Discussion
Fig. 1 Documentation within GIAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Fig. 2 Information Flow Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Fig. 3 Network of Relations between Internal Audit and Risk
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Fig. 4 Information Flow Between Internal Audit and External
Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Fig. 5 Calculating the net audit capacity for new risk-based topics . . . . 468
Fig. 6 GIAS Quality Assurance Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Fig. 7 Audit Roadmap and Quality Gates . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Fig. 8 Quality Gates for Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Fig. 9 Quality Gates for the Annual Audit Plan . . . . . . . . . . . . . . . . . . . . . . 491
Fig. 10 Quality Gates for the Audit Request . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Fig. 11 Quality Gates for the Audit Announcement . . . . . . . . . . . . . . . . . . . 492
Fig. 12 Quality Gates for the Work Program . . . . . . . . . . . . . . . . . . . . . . . . . 492
Fig. 13 Quality Gates for the Working Papers . . . . . . . . . . . . . . . . . . . . . . . . 493
Fig. 14 Quality Gates for the Drat Report . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Fig. 15 Quality Gates for the Final Report . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Fig. 16 GIAS’ Quality Assurance Program vis-à-vis IIA Standard 1300 500
Fig. 17 Escalation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Fig. 18 Diferent Procedures with or without Agreement about Audit
Findings and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
XXVIII
Fig. 19 Classiication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Fig. 20 Rating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Fig. 21 Calculation Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Fig. 22 Audit Survey for Standard Audit Engagements . . . . . . . . . . . . . . . . 521
Fig. 23 Points Matrix for the Follow-Up Scoring . . . . . . . . . . . . . . . . . . . . . 523
Fig. 24 Rating Matrix for the Overall Follow-Up Rating . . . . . . . . . . . . . . . 524
Fig. 25 Audit Management Disciplines of Internal Audit . . . . . . . . . . . . . . 548
Fig. 26 SAP Fraud Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Fig. 27 Fraud Prevention Model Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Fig. 28 COSO Cube (COSO IC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Fig. 29 SOX Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Fig. 30 Overview of SOX Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Fig. 31 SOX Audit Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
�
1 NatureandContentofAudits1.1 GeneralDefinitionofAudit
KeyPoiNts •••
• Duringaudits,an independentpartycompares theexistingconditiontopre-
determinedcriteria(suchasUS-GAAP,orthepoliciesandproceduresof the
organization).
• Auditsservetwoimportantcontrolfunctions.Firstly,theyaredetectivecontrol
mechanismsbywhichauditorsidentifyandinvestigatevariancesordeviations
frompredetermined standards.Secondly, theyareusedaspreventive control
mechnismsbecausetheexpectationofanauditshoulddeterindividualsfrom
engaginginfraudulentinancialreportingormakingcarelesserrors.
• Inthecourseoftheirevaluation,auditorsidentifybusinessrisksandevaluate
theefectivenessandeiciencyofthecontrolsystemsdesignedtoavoid,reduce
oreliminatethoserisks.Auditorsshouldalsobeawareoftheriskoffraudulent
activities.
• heprimarygoalofauditingistoservethecompanybyprovidinganindepen-
dent and objective evaluation of the organization’s adherence to operational,
inancialandcompliancepolicies,guidelinesandregulations.
• Likewise,auditsareperformedtoprotecttheinterestsofthirdparties,suchas
investorsandcreditors.
Ingeneral,auditingisdeinedasasystematicprocessofobjectivelyobtainingand
evaluatingevidenceregardingthecurrentconditionofanentity,area,process,i-
nancialaccountorcontrolandcomparing it topredetermined,acceptedcriteria
andcommunicatingtheresultstotheintendedusers.hecriteriatowhichthecur-
rentstateiscomparedmaybealegalorregulatorystandard(suchastheSarbanes
OxleyAct),orinternallygeneratedpoliciesandprocedures.
Internalcontrolisdeinedas,
“a process afected by an entity’s Board of Directors, management or other personnel
– designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:
(1) reliability of inancial reporting,
(2) efectiveness and eiciency of operations, and
(3) compliance with applicable laws and regulations”(COSO1992).
Further,theInstituteofInternalAuditors(IIA)deinescontrolas,“anyactiontaken
bymanagementtoenhancethelikelihoodthatestablishedobjectivesandgoalswill
beachieved”(Sawyeretal.2003).Controlsmaybepreventive(todeterundesirable
eventsfromoccurring),detective(todetectandcorrectundesirableeventswhich
haveoccurred),ordirective(tocauseadesirableeventtooccur).Acontrolsystem
istheintegratedcompositionofcontrolcomponentsandactivitiesthatareusedby
anorganizationtoachieveitsobjectivesandgoals.
AuditinginGeneralAuditinginGeneral
internalControlinternalControl
�
Audits are part of the overall control system of an organization and provide
several important control functions. Firstly, they can serve as detective control
mechanisms–thatis,throughtheirauditinvestigations,auditorsmayidentifyand
evaluateerrorsoromissions,orvariancesbetweenthecurrentconditionandpre-
determinedcriteria.Secondly,auditscanbeapreventivecontrolmechanism,such
thaterrors,misstatementsandfraudulentactivitiesdonotoccurintheirstplace.
Finally,theresultsofauditsshouldbeusedtoidentifyandproposeanypotential
improvementstotheauditedentity.
Auditsentailcomparingthecurrent,existingconditionofaprocess,organiza-
tion, division or account to predetermined, accepted criteria. A variety of audit
proceduresmaybeused.Auditproceduresaretheactivitiesthattheauditorper-
formstoobtainsuicient,competentevidencetoensureareasonablebasisforthe
audit opinion. Examples of some audit procedures available to auditors include:
observationofpersonnelorprocedures,physicalexaminationofassets,inquiriesor
interviewswithpersonnel,conirmationwithoutsideparties,recomputationorre-
calculationofdata,examinationofdocuments,andanalyticalprocedures.
heinalobjectiveofauditsistopreservetheinterestsofvariousthirdparties,
includinginvestorsandcreditors.Inthisregard,auditsmustcomplywiththestan-
dardsofthethirdpartiesandanyapplicableregulations.Forexample,fromanac-
countingperspective,auditsofinancialreportingmustfocusontheaccuracyof
theorganization’sinancialstatementsandmustbeperformedinaccordancewith
thestandardsofthePublicCompanyAccountingOversightBoard(PCAOB).Al-
ternatively,auditsof internalcontrolsoverinancialreportingprovideanassess-
mentoftherisksandcontrolsrelevanttotheoperationsafectingtheinancialre-
porting process and inancial data and should be based on a formal control
framework, such as the COSO Internal Control Integrated Framework (see
SectionA,Chapter 1.2and1.3). Internalcontrolassessmentsshouldalsobeper-
formedinaccordancewiththeguidanceofthePCAOB.
LiNKsANdRefeReNCes e
• COmmIttEEOFSPOnSOrInGOrGAnIzAtIOnSOFthEtrEADwAyCOm
mISSIOn(COSO).1992.Internal Control Integrated Framework. newyork,ny:AICPA.
• InStItUtEOFIntErnALAUDItOrS.2004.Standards for the Professional Practice
of Internal Auditing. AltamonteSprings,FL:heInstituteofInternalAuditors.
• KEIth,J.2005.KillingtheSpider.Internal Auditor(April2005):25–27.
• mESSIEr, w. F. 2003.Auditing and Assurance Services: A systematic approach. 3rded.
Boston,mA:mcGraw-hill.
• PUBLICCOmPAnyACCOUntInGOvErSIGhtBOArD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/
Standards_and_related_rules/Auditing_Standard_no.2.aspx(accessedmay31,2007).
• rIttEnBErG,L.E.AnDB.J.SChwEIGEr.2005.Auditing: Concepts for a changing
environment.5thed.Boston,mA:hompson.
objectivesofAuditsobjectivesofAudits
AuditProceduresAuditProcedures
PreservingtheinterestsofthirdPartiesPreservingtheinterestsofthirdParties
ConceptualBasisofInternalAudit
NatureandContentofAudits
GeneralDeinitionofAudit
A|1|1.1
�
• rOBErtSOn, J. C. AnD t. J. LOUwErS. 1999. Auditing. 9th ed. Boston, mA:
Irwin/mcGraw-hill.
• SAwyEr,L.,m.DIttEnhOFEr,AnDJ.SChEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
• SEArS,B.2002.Internal Auditing Manual.newyork,ny:warren,Gorham&Lamont.
1.2 DefinitionofInternalAudit
KeyPoiNts •••
• Internalauditingisanindependent,objectiveassuranceandconsultingactivity
designedtoassesstheefectivenessofthecontrolenvironment,addvalue,and
improveanorganization'soperations.
• Inthepast,InternalAuditwasregardedasmerelyfocusedoninancialandac-
countingmatters,buttodayitsrolehasdevelopedtoincludeactiveriskandcon-
trolevaluationsandisconsideredintegraltothecorporategovernanceprocess.
• heinternalauditfunctionispartoftheinternalmonitoringsystemoftheor-
ganizationandthereforeshouldbepositionedwithintheorganizationsuchthat
theindependenceofinternalauditorscanbeguaranteed.Ideally,InternalAudit
shouldreport functionally to theAuditCommitteeof theBoardofDirectors
andadministrativelytotheChiefExecutiveOicer(CEO)oftheorganization.
• Generally,aninternalauditisamulti-stepprocessaimedatdeterminingwhether
existingprocessesandprocedures(thecondition)complywithapplicablerules
andregulations(thecriteria)ordeviateinanywayfromthesecriteria.
• he Committee of Sponsoring Organizations of the treadway Commission
(COSO) established the concepts and criteria that an internal audit function
shouldfollowinpracticalterms.
heInstituteofInternalAuditors(IIA),whichistheinternationalprofessionalor-
ganizationthatoversees internalauditguidance,certiication,education,andre-
search,deinesinternalauditingas:
[…] an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its ob-
jectives by bringing a systematic, disciplined approach to evaluate and improve the
efectiveness of risk management, control, and governance processes. (IIAStandards
fortheProfessionalPracticeofInternalAuditing,Glossary)
heIIA’sdeinitiondemonstratesthetransformationthatInternalAudithasun-
dergoneinrecentyearswithregardtoitsroleandhowitisperceived.Inthepast,
InternalAuditwasregardedasamanagementsupportfunctionthatgenerallyfo-
cusedoninancial andaccountingmatters.now its rolemay includeactive risk
management,which–alongwithtraditionalauditing–isanintegralpartofthe
corporategovernanceprocess.InternalAuditno longerfocusesonlyontransac-
iiAdeinitioniiAdeinition
transformationofinternalAudit
transformationofinternalAudit
�
tionsthatoccurredinthepasttodeterminewhethercontrolsystemswereefective.
today’s internalauditorsalso lookaheadto identify thepotential risks thatmay
adverselyafecttheorganizationandtoevaluatethecontrolmechanismsthatwill
avertorminimizethem.moreover,theactivitiesofinternalauditorsarenolonger
limitedstrictlytoaudittasks;managementconsultingisnowconsideredanimpor-
tantandexpandingroleforinternalauditors.hus,wheninternalauditorsidentify
areasforimprovementinthecourseoftheirregularauditwork,theywillalsosug-
gestrecommendationsastohowtheorganizationcanimproveitsoperations.
Internalauditsallowmanagementtodelegateitsoversightfunctiontotheinter-
nalauditdepartment.Inlargercompaniesmanagementcannotperformtheover-
sightfunctionitselfforseveralreasons,including,
• growingcomplexityoftheoperatingenvironmentduetoautomateddatapro-
cessing,
• increaseddecentralizationinphysicallocationanddecision-makingasaresult
ofglobalizationorinternationalization,and
• itslackofexpertiserequiredtoconducteicient,high-qualityaudits.
InternalAudit ispartof the internalmonitoringsystemofanorganization.his
systemcomprisesallmonitoringmeasuresandprecautionsputinplacewithinthe
companytosecureassetsandguaranteetheaccuracyandreliabilityoftheaccount-
ing system. his task is managed with objective-based and compliance-focused
comparisonsbetweentheexistingconditionandtheacceptedcriteria,asrequired
byallapplicablepolicies,regulations,andlaws.
Inrecentyears,internalcontrolhasbecomeincreasinglyimportant.hisisevi-
dencedinthenumerouslaws,regulationsandstandardsthatnowrequirethator-
ganizationshaveaninternalauditfunctionoraninternalcontrolreview.Severalof
themostinluentialrequirementsaredescribedfurtherinSectionA,Chapter1.3.
Generally,aninternalauditisamulti-stepprocessaimedatdeterminingwhether
existing processes and procedures (the condition) comply with predetermined
rulesandregulations(thecriteria)ordeviateinanywayfromthisstandard.Firstly,
toperformaninternalaudit,theauditorsmustidentifyandunderstandthecriteria
to which the condition must be compared. Secondly, internal auditors collect
evidenceregardingtheexistingcondition.hirdly,InternalAuditorsanalyzeand
evaluate the evidence. Analysis and evaluation may include (among other
activities):
• observationofprocessesandprocedures,
• inquiryofkeyparticipantsintheprocesses,
• comparisonofcurrentperiodinformationwithprioryearinformation,
• comparisonofcurrentinformationwithbudgetsandforecasts,
• comparisonofcurrentactivitieswithapprovedpoliciesandprocedures,
• samplingandtestingtheactualperformancetothedesiredperformance,
• utilizing computer assisted audit tools to review, compare and analyze large
amountsofdata.
supportforCorporateManagementsupportforCorporateManagement
systematicPositioningofinternalAuditsystematicPositioningofinternalAudit
internalAuditintheContextofLegalRequirements
internalAuditintheContextofLegalRequirements
internalAuditProcessinGeneralinternalAuditProcessinGeneral
A|1|1.2ConceptualBasisofInternalAudit
NatureandContentofAudits
DeinitionofInternalAudit
�
Fourthly,basedonthisanalysisandevaluation,InternalAuditorsdrawconclusions
abouttheefectivenessofthecontrolsystemsandtheextenttowhichthecurrent
conditionmeetstherequiredcriteria.Finally,theresultsoftheworkandthecon-
clusionsdrawnbytheauditorarecommunicatedtotherelevantparties(audited
units,managementetc.)alongwithanynecessaryrecommendationsforimprove-
mentintheformofanauditreport.Itismanagement’sresponsibilitytoactupon
theresultsofanauditor’sevaluation.
Aninternalauditisgenerallyconductedbyateamofauditors(i.e.,morethan
oneauditor).As internalauditsvary insizeandcontent, thesizeof the internal
auditteamsworkingoneachauditalsoluctuate.Oneoftheauditorsactsasteam
leadwhoisresponsibleforplanningandoverseeingtheaudit,aswellascommuni-
catingwiththeauditees,whileotherauditteammembersexecutetheauditactivi-
ties(fortheorganizationofauditteams,seeSectionA,Chapter4.4).
Atertheinternalaudit,theresultsandindingsarereportedtotheAuditCom-
mittee,seniormanagement,andthemanagerresponsiblefortheauditedunit.he
resultsarealsosharedwiththeemployeesconcerned.Asnecessary,otherparties
withinterestsintheauditmaybeinformedoftheresults;thesepartiesmayinclude
creditors,strategicpartnersandexternalauditors(forreportingoncompletedau-
dits,seeSectionB,Chapter5).
he Committee of Sponsoring Organizations of the treadway Commission
(COSO)hasdeinedcriteriaforauditsonwhichtheworkofInternalAuditshould
bebased.COSOis“a private-sector organization dedicated to improving the quality
of inancial reporting through business ethics, efective internal controls, and corpo-
rate governance”(seewww.coso.org).
COSOprovidescriteriaforestablishinginternalcontrolandevaluatingitsef-
fectiveness.Further,COSOdeineskeyconceptsthatexplainthepurposeandper-
formanceofinternalcontrolasfollows:
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is afected by people. It’s not merely policy manuals and forms, but
people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute
assurance.
• Internal control is geared to the achievement of objectives in one or more separate
but overlapping categories. (www.coso.org/key.htm)
HiNtsANdtiPs ;
• heinternalauditfunctionshouldremainindependentfromallotherdepart-
mentswithintheorganization.hisallowsinternalauditorstomaintainobjec-
tivityastheyperformtheirauditactivities.
• Internal auditors should familiarize themselves with their organizational po-
sitionwithinthecompanyandwhennecessary,clearlycommunicate to their
AuditteamAuditteam
ReportingReporting
CosoCoso
KeyCosointernalControlConcepts
KeyCosointernalControlConcepts
�
auditeeshowtheyitintheorganizationandwhattheirprimaryserviceistothe
organization.
• InternalAuditmustmeettheneedsoftheorganization.herefore,theorganiza-
tion’sstrategy,objectives,andstructuremustbeunderstoodbeforedetermining
howInternalAuditwillitintoit.
LiNKsANdRefeReNCes e
• COmmIttEE OF SPOnSOrInG OrGAnIzAtIOnS OF thE trEADwAy
COmmISSIOn (COSO). 1992.InternalControl Integrated Framework.newyork,ny:
AICPA.
• COmmIttEEOFSPOnSOrInGOrGAnIzAtIOnSOFthEtrEADwAyCOm
mISSIOn(COSO).2004.Enterprise Risk Management Integrated Framework.newyork,
ny:AICPA.
• InStItUtEOFIntErnALAUDItOrS.2004.Standards for the Professional Practice
of Internal Auditing. AltamonteSprings,FL:heInstituteofInternalAuditors.
• KEIth,J.2005.KillingtheSpider.Internal Auditor(April2005):25–27.
• mESSIEr, w.F. 2003.Auditing and Assurance Services: A Systematic Approach. 3rd ed.
Boston,mA:mcGraw-hill.
• rEDDInG,K.,P.SOBEL,U.AnDErSOn,etal.2007.Internal Assurance and Consult-
ing Services.AltamonteSprings,FL:heInstituteofInternalAuditors.
• rIttEnBErG,L.E.AnDB.J.SChwEIGEr.2005.Auditing: Concepts for a Changing
Environment.5thed.Boston,mA:hompson.
• rOBErtSOn, J. C. AnD t. J. LOUwErS. 1999. Auditing. 9th ed. Boston, mA:
Irwin/mcGraw-hill.
1.3 RegulatoryandOrganizationalFramework
KeyPoiNts •••
• Internalauditsaresubjecttoalargenumberofregulatoryandorganizational
requirements.recentnotableregulationsandguidancehavebeendevelopedin
theUS,Germany,UK,Canada,Japan,China,andhongKong.
• Independenceofbothinternalandexternalauditorsismoreimportantthanever
before.herefore,InternalAuditshouldbeanindependentstafdepartment.
• heinternalauditfunctioncaneitherbecentralizedordecentralizedbasedon
theneedsoftheorganization.
Auditsaresubjecttoavarietyofregulatoryandorganizationalconditions.regula-
torystandardshaveundergoneparticularlyrapiddevelopmentinrecentyearsasa
resultofseveralnewlegislativeinitiatives.
overviewoverview
A|1|1.3ConceptualBasisofInternalAudit
NatureandContentofAudits
RegulatoryandOrganizationalFramework
�
Anumberofnewregulationshavebeenpassedinrecentyears,whichafectnot
onlyexternalauditing,butalso the internalaudit function.manystandardsand
legalrequirementsnowaddresstheinternalauditprocessdirectly,ortheinternal
control structureoforganizations.For the internal audit function, the following
laws,standardsandguidanceprovidethemostexplicitdirectives(detailsregarding
internalauditandinternalcontrolareprovidedbelow):
• UnitedStates:
■ SarbanesOxleyActof2002(SOX),
■ nySEListingStandards,
■ COSOInternalControlIntegratedFramework,
■ COSOEnterpriseriskmanagementIntegratedFramework,
■ COBIt®ControlObjectivesforInformationandrelatedtechnology.
• Germany:
■ ActonControlandtransparencyinBusiness(KontraG),
■ GermanCorporateGovernanceCode(DCGK),
■ transparencyandDisclosureAct(transPuG),
■ AccountingLegislationreformAct(BilreG).
• UnitedKingdom:heturnbullreport:InternalControlrequirementsofthe
CombinedCode.
• Canada:CanadianSecuritiesAdministrationrules.
• Japan:FinancialInstrumentsandExchangeLaw.
• China:CodeofCorporateGovernance.
• hongKong:
■ rulesGoverning theListingofSecuritieson theStockExchangeofhong
KongLimited,
■ rulesGoverningtheListingofSecuritiesontheGrowthEnterprisemarket
oftheStockExchangeofhongKongLimited.
heSarbanes-OxleyActof2002(SOX)wasenactedbytheUnitedStatesCongress
in response to severalmajoraccounting scandals in2001and2002.heexplicit
purposeoftheActisto“protectinvestorsbyimprovingtheaccuracyandreliability
ofcorporatedisclosuresmadepursuanttothesecuritieslaws”(USCongress2002).
heActisapplicabletoallpubliclyregisteredcompanieslistedonU.S.stockex-
changesandunderthejurisdictionoftheU.S.SecuritiesandExchangeCommis-
sion(SEC).hisincludesanyforeignirmthatislistedonaU.S.stockexchange.
SOXhasseveralsections,themostimportanttoInternalAuditaresection302,re-
quiringtheCEOandCFO(ChiefFinancialOicer)tocertifythevalidityofthei-
nancialstatements,section404,whichrequiresthatmanagementassessandreport
ontheefectivenessofthe internalcontrolsoverinancialreportingandthatthe
independentexternalauditorattesttothatassessment,andsection806,whichpro-
tects employees, known as whistleblowers, who report fraudulent behavior (see
SectionA,Chapter2.6andSectionD,Chapter13).
RegulatorystandardsRegulatorystandards
soXsoX
�
newyorkStockExchange(nySE)FinalCorporateGovernancerulesrequire
thatalllistedcompanieshaveaninternalauditfunctionto“providemanagement
andtheauditcommitteewithongoingassessmentsofthecompany’sriskmanage-
ment processes and system of internal control” (nySE 2003). Compliance with
nySElistingstandardshasbeenmandatorysincenovember2003.
heCOSOInternalControlIntegratedFramework(IC)wasdevelopedin1992
toprovideamodelforevaluatinginternalcontrolsandisrecognizedasthestan-
dardagainstwhichorganizationsshouldmeasuretheefectivenessoftheirinternal
controlsystems.COSOdeinesinternalcontrolas:
A process, efected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in
the following three categories:
• efectiveness and eiciency of operations,
• reliability of inancial reporting,
• compliance with applicable laws and regulations (COSO 1992).
COSOdeinesinternalcontrolasconsistingofiveinterrelatedcomponents:
• controlenvironment,
• riskassessment,
• controlactivities,
• informationandcommunication,and
• monitoring.
COSO’sbroaddeinitionofcontrolmarksasigniicantdeparturefromtheprevi-
ouslyheldnotionthatInternalAuditshouldbeconcernedonlywithretrospective
audits of inancial and accounting data. Instead, Internal Audit’s responsibilities
includeinternalcontrolsoverstrategyandoperatingefectivenessandregulatory
compliance,aswellasreliabilityofinancialreporting(COSO1992).Formorein-
formationonCOSOICanditsrelationtoSOXseeSectionD,Chapter14.1.2.
morerecently,in2003,COSOreleasedaframeworkforenterpriseriskmanage-
ment(Erm)thatencompassesandenhancesCOSOIC.COSOdeinesErmas:
A process, efected by an entity’s Board of Directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events
that may afect the entity, and manage risks to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives (COSO2003).
An ongoing Erm approach helps management efectively deal with uncertainty
and associated risk and opportunity throughout the organization, and therefore
helpstheorganizationachieveitsobjectives.heCOSOErmmodelisillustrated
usingacube,whichshowshowtheobjectives, internalcontrolcomponentsand
organizationlevelsareinterrelated.
COSOErmexpandsupon theobjectives set forth in the IC frameworkand
providesfourcategoriesforanorganization’sobjectives:
• strategic,
• operations,
NyseListingstandardsNyseListingstandards
CosoiCCosoiC
CosoeRMCosoeRM
CosoeRMCubeCosoeRMCube
ConceptualBasisofInternalAudit
NatureandContentofAudits
RegulatoryandOrganizationalFramework
A|1|1.3
10
• reporting,and
• compliance.
Further,COSOErmdescribeseight interrelatedcomponentsthatare integrated
withinthemanagementprocess:
• internalenvironment,
• objectivesetting,
• eventidentiication,
• riskassessment,
• riskresponse,
• controlactivities,
• informationandcommunication,and
• monitoring.
COSOErmclearlyafectstheentireorganizationatalllevels:theentityasawhole,
eachdivision,allbusinessunits,andanysubsidiaries(COSO2004).
heCOBIt®(ControlObjectivesforInformationandrelatedtechnology)frame-
workisparticularlyusefulinanorganizationwithastronginformationtechnology
environment.heCOBIt®frameworkwasissuedandismaintainedbytheInfor-
mation Systems Audit and Control Association (ISACA). COBIt® supplements
CoBit®CoBit®
Objective Setting
Su
bsi
dia
ry
Bu
sin
ess
un
it
Div
isio
n
En
tity
-Lev
el
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Internal Environment
Strate
gic
Operatio
ns
Reporting
Complia
nce
Fig.1 COSOCube(ERM)
AdaptedfromSOX-Online,http://www.sox-online.com/coso_cobit_coso_cube-new.html
Copyright©2001bytheCommitteeofSponsoringOrganizationsforthetreadwayCommis-
sion
11
COSOandSOXbyfocusingonthegovernanceofItresourcesandprocesses.Itis
especially helpful because it provides a framework and supporting tool set that
bridgescontrolrequirements,technicalissuesandbusinessrisks(formoreinfor-
mationonCOBIt®seeSectionA,Chapter6.2.5).
heGermanActonControlandtransparencyinBusiness(Gesetz zur Kontrolle
und Transparenz im Unternehmensbereich – KonTraG)wasintroducedin1998with
theaimofeliminatingpotentialweaknessesintheinternalcontrolsystemsinGer-
manpubliccompanies,includingintheinternalandexternalauditfunctions.his
wasachievedprimarilyberedeiningtherolesofExecutiveBoardandSupervisory
Board(whichfunctioninlieuoftheBoardofDirectorsinGermancorporations),
aswellastheroleoftheexternalauditors.hekeystipulationrequirestheExecu-
tiveBoardtoensure thatanadequateriskmanagementsystemandanadequate
internalauditfunctionareinplace.hislawmarkstheirsttimethattheinternal
auditfunctionhasbeencodiiedinGermanlaw,thusrecognizingitsplaceasan
integralpartoftheinancialreportingsystem.
heGermanCorporateGovernanceCode(DCGK),whichwasestablishedin
2005,doesnotrefertotheinternalauditfunctiondirectly,butitdoesobligethe
SupervisoryBoardofacompanytosetupanAuditCommittee.hisCommitteeis
taskedprimarilywithissuesofaccountingandriskmanagementincludingthebud-
getingandmonitoringoftheexternalauditors.hechairmanoftheAuditCom-
mittee “shall have specialist knowledge and experience in the application of ac-
counting principles and internal control processes” (Government Commission
GermanCorporateGovernanceCode2006).hisestablishesthebasisforcoopera-
tionbetweentheAuditCommitteeandInternalAudit.
Asaresultof theGermantransparencyandDisclosureAct(2002) theStan-
dardsoftheGermanCorporateGovernanceCodehavebeenincorporatedintolaw.
hus Executive Boards of listed companies must conirm annually whether the
companycomplieswiththerecommendationsoftheCommissionoftheGerman
Corporate Governance Code and state which recommendations have not been
implemented.
he German Accounting Legislation reform Act of 2004 (BilReG – Bilanz-
rechtsreformgesetz)hasmadeasigniicantcontributiontostrengtheningtheinde-
pendenceof theexternalauditors.Speciically,sections319and319aof theHan-
delsgesetzbuch (hGB - German Commercial Code) list a number of advisory
servicesthattheexternalauditorsarenotallowedtoperformforacompanyifthey
auditthecompany.hisconceptcanalsobeappliedtoInternalAudit.here,too,the
consultingfunctionhasgainedimportanceinrecentyearsandnowformsanim-
portant part of Internal Audit’s responsibilities. On the other hand, however, all
internalauditworkalsomustcomplywiththepostulateofindependence.Ifaclose
relationshipbetweenauditingandconsultingisregardedasinappropriateforexter-
nalauditorsandisnotpermittedforthisreason,itmustbeassumedthatsucha
relationship could also damage Internal Audit’s efectiveness if auditor indepen-
denceisnotguaranteedandconlictsofinterestarise.
KontraG(Germany)KontraG(Germany)
GermanCorporateGovernanceCode(dCGK)
GermanCorporateGovernanceCode(dCGK)
GermantransparencyanddisclosureAct(transPuG)
GermantransparencyanddisclosureAct(transPuG)
GermanAccountingLegislationReformAct(BilReG)
GermanAccountingLegislationReformAct(BilReG)
ConceptualBasisofInternalAudit
NatureandContentofAudits
RegulatoryandOrganizationalFramework
A|1|1.3
1�
IntheUnitedKingdomtheturnbullreport(InternalControlrequirementsof
theCombinedCode)requiresthattheBoardofDirectors“maintainasoundsys-
temof internalcontrol tosafeguardshareholders’ investmentandthecompany’s
assets.”Annually,directorsmustconductareviewoftheefectivenessoftheinter-
nalcontrolsystem,includingallcontrols(inancial,operationalandcompliance)
and risk management, and must report this evaluation to shareholders. Further,
companieswithoutinternalauditfunctionsmustperiodicallyassesstheirneedfor
such a function. In general, the Combined Code requires that listed companies
disclosehowtheyapplytheprinciplesinthecode(includingthoserelatedtointer-
nalcontrols)andconirmthattheycomplywiththecodeor–wheretheydonot
comply–issueanexplanationforthatdeviation.heCombinedCodeonCorpo-
rateGovernancewasoriginallyissuedinJuneof1998andrevisedin2005(Institute
ofCharteredAccountantsinEnglandandwales2005).
In 2004, the Canadian Securities Administrators developed rules to improve
investorconidence.herulesrequirethedevelopmentofan independentAudit
Committee,thathasawrittencharterandcommunicatesdirectlywiththeinternal
auditfunction(CanadianSecuritiesAdministrators2004).
InJapan,theFinancialInstrumentsandExchangeLaw,legislationsimilartothe
U.S.SarbanesOxleyAct,wasdevelopedin2006.hislaw,nicknamedJ-Sox,isef-
fectiveforiscalyearsbeginningonoraterApril2008.Standardsdevelopedbythe
Business Accounting Council of the Financial Services Agency require all listed
companiesinJapantoprepareandsubmitinternalcontrolreportsbasedonman-
agement’s evaluation of internal controls over inancial reporting. J-Sox has a
broaderdeinitionofinancialreportingthanUSSOX,whichincludesotheritems
disclosedinSecuritiesreportsthatuseinancialstatementdata.Further,company
managementmustevaluatecontrolsatanyailiatesthatareconsolidatedunderthe
equity-methodofaccounting.Internalcontrolsaretobeevaluatedusingaformal
controlframeworksuchastheJ-Soxframework,whichisbasedupontheCOSOIC
framework.Finally,theauditormustreportonmanagement’sevaluationofinternal
controls.
heCodeofCorporateGovernanceforListedCompaniesinChinawasdevel-
opedbytheChinaSecuritiesregulatoryCommissionin2001.hecoderequires
thatonethirdofthemembersoftheBoardofDirectorsbeindependentandsug-
geststhe(optional)appointmentofanAuditCommittee.hemajorityoftheAudit
Committeemembersmustbeindependentandonemembermustbeainancial
expert.heprincipalresponsibilitiesof theAuditCommittee includeoverseeing
theinternalauditfunction(ChineseSecuritiesregulatoryCommission2001).
herulesGoverningtheListingofSecuritiesontheStockExchangeofhong
Kong Limited and the rules Governing the Listing of Securities on the Growth
EnterprisemarketoftheStockExchangeofhongKongLimitedwereestablishedto
ensureinvestorconidenceinthemarket.heserulesrequirethatlistedcompanies
establishanAuditCommitteewhoseresponsibilitiesincludeoverseeingtheinan-
cialreportingsystemandinternalcontrolprocedures.Forlistedcompanieswithan
theturnbullReport(UK)theturnbullReport(UK)
RulesoftheCanadiansecurities
Administration
RulesoftheCanadiansecurities
Administration
financialinstrumentsandexchangeLaw
(Japan)
financialinstrumentsandexchangeLaw
(Japan)
CodeofCorporateGovernanceforListed
CompaniesinChina
CodeofCorporateGovernanceforListed
CompaniesinChina
RulesGoverningtheHongKongstock
exchanges
RulesGoverningtheHongKongstock
exchanges
1�
internalaudit function, theAuditCommitteemust reviewandmonitor Internal
Audit’sefectivenessandensureithassuicientresources.Further,theAuditCom-
mitteemustreporttoshareholdersaboutitsreviewofinternalcontrolefectiveness
annually(hongKongExchange2007).
IIAStandard1100clearlystatesthattheorganization’s internalauditfunction
mustbeindependent,andinternalauditorsshouldbeobjectiveinperformingtheir
work.Independenceisachievedthroughorganizationalstatusandobjectivityand
isadecisivefactorinensuringthatinternalauditorscanperformtheirtasksinline
withrequirements.heChiefAuditExecutive(CAE)shouldreporttoalevelwithin
theorganization thatallowsInternalAudit toachieve independence. Ideally, the
CAEshouldreport functionally totheAuditCommitteeandadministratively to
theCEOoftheorganization.Further,theCAEshouldhavedirectandunrestricted
communicationwiththeBoardofDirectorsandAuditCommittee.Speciically,the
CAEshouldregularlyattendBoardofDirectorsmeetingsandshouldhavetheop-
portunitytomeetprivatelywiththeAuditCommittee.Independenceisstrength-
enedwhentheCAEisappointedandterminatedbytheBoardofDirectors,not
management.
tomaintainindependence,theinternalauditfunctionshouldbemanagedas
aseparatestafdepartmentwithouttheauthoritytomanageordirectemployeesof
otherunits.hisensuresthatInternalAuditdoesnotauditanyprocessesorsce-
nariosthatithasbeeninvolvedincreating.Inaddition,thisorganizationalstruc-
ture also enhances the standing of Internal Audit within the organization as all
employeesofthecompanyacceptandrespectthisdepartmentandtheworkitdoes.
Asanindependentdepartment,InternalAuditcanevaluateoperationsandprovide
recommendations for improvement, but cannot implement them. Implementing
InternalAudit’srecommendations,aswellasdesigningandimplementingcontrol
solutions,istheresponsibilityofmanagement.
InternalAuditmustdecidewhethertoestablishacentralizedoradecentralized
internalauditfunction.hisdecisiondependsonthespeciicneedsoftheorganiza-
tion.CentralizedinternalauditservicesaremanagedandcontrolledbyoneInter-
nalAuditmanagementteamwithoneauditplanfortheentirefunction.heaudit
activities, tools and reporting methods are standardized for the entire function.
Adecentralizedinternalauditfunctionmaybeorganizedintomultipledivisions,
eachofwhichhastheauthoritytodevelopindividualauditplans,designdifering
audit techniques and division-speciic reporting procedures. Alternatively, some
organizationsmayuseahybridinternalauditdepartmentwithcharacteristicsof
both centralized and decentralized internal audit functions. SAP’s internal audit
departmentforexampleisacentrallyorganizedstafdepartmentwithadecentral-
ized,regionalstructure,i.e.withteamsinGermany,theUnitedStates,Singapore,
andJapan(seeSectionA,Chapter4).
iiAstandard1100iiAstandard1100
stafdepartmentstafdepartment
Centralizationvs.decentralizationofinternalAuditservices
Centralizationvs.decentralizationofinternalAuditservices
ConceptualBasisofInternalAudit
NatureandContentofAudits
RegulatoryandOrganizationalFramework
A|1|1.3
1�
HiNtsANdtiPs ;
• Beforebeginninginternalauditactivities,theauditorsshouldbeawareofany
laws,regulationsorapplicablestandardsthatrelatetothespeciicauditobjec-
tives.Forglobalorganizations,thismayincludeinternationalguidance.
LiNKsANdRefeReNCes e
• Aktiengesetz (AktG) vom 6. September 1965 zuletzt geändert durch Artikel 13 des Gesetzes
vom 5. Januar 2007. http://bundesrecht.juris.de/bundesrecht/aktg/gesamt.pdf (accessed
may31,2007).
• BUSInESS ACCOUntInG COUnCIL. 2007. Standard for Implementation of Evalu-
ation and Audit for Internal Control over Financial Reporting. http://www.fsa.go.jp/en/
news/2007/20070420.pdf(accessedmay31,2007).
• CAnADIAnSECUrItIESADmInIStrAtOrS.march29,2004.New Rules Promote
Investor Conidence, Change Issuers’ Disclosure and Governance practices.Pressrelease.
• ChInESE SECUrItIES rEGULAtOry COmmISSIOn. 2001. Code of Corporate
Governance for Listed Companies in China.http://www.ecgi.org/codes/documents/code_
en.pdf(accessedmay31,2007).
• COmmIttEE OF SPOnSOrInG OrGAnIzAtIOnS OF thE trEADwAy
COmmISSIOn (COSO). 1992.InternalControlIntegrated Framework.newyork,ny:
AICPA.
• COmmIttEEOFSPOnSOrInGOrGAnIzAtIOnSOFthEtrEADwAyCOm
mISSIOn(COSO).2004.Enterprise Risk Management Integrated Framework.newyork,
ny:AICPA.
• FInAnCIAL SErvICES AGEnCy. 2006. New Legislative Framework for Investor
Protection: Financial Instruments and Exchange Law. http://www.fsa.go.jp/en/policy/
iel/20060621.pdf(accessedmay31,2007).
• GesetzzurEinführung internationalerrechnungslegungsstandardsundzurSicherung
derQualitätderAbschlussprüfung(Bilanzrechtsreformgesetz–BilreG)vom4.Dezem-
ber2004.BundesgesetzblattI65(9.12.2004):3166–3182.http://www.bmj.bund.de/media/
archive/834.pdf(accessedmay31,2007).
• Gesetz zur Kontrolle und transparenz im Unternehmensbereich (KontraG) vom 27.
April1998.BundesgesetzblattI24(30.04.1998):786–794.http://217.160.60.235/BGBL/bg-
bl1f/b198024f.pdf(accessedmay31,2007).
• Gesetz zur weiteren reform des Aktien- und Bilanzrechts, zur transparenz und Pub-
lizität (transparenz- und Publizitätsgesetz) vom 19. Juli 2002. Bundesgesetzblatt I 50
(25.07.2002): 2681–2687. http://217.160.60.235/BGBL/bgbl1f/bgbl102s2681.pdf (accessed
may31,2007).
• GOvErnmEnt COmmISSIOn GErmAn COrPOrAtE GOvErnAnCE CODE.
2006. German Corporate Governance Code as amended on June 12, 2006 (convenience
translation).http://www.corporate-governance-code.de/eng/download/E_CorGov_End-
fassung_June_2006.pdf(accessedmay31,2007).
1�
• hOnG KOnG EXChAnGE. 2007. Rules Governing the Listing of Securities on the
Growth Enterprise Market of the Stock Exchange of Hong Kong Limited.http://www.hkex.
com.hk/rule/gemrule/GEm-App15%20(E).pdf(accessedmay31,2007).
• InStItUtEOFChArtErEDACCOUntAntSInEnGLAnDAnDwALES.2005.
Turnbull Report – Internal Control Guidance for Directors on the Combined Code.London:
heInstituteofCharteredAccountantsinEnglandandwales.
• InStItUtEOFIntErnALAUDItOrS.2007.International Standards for the Profes-
sional Practice of Internal Auditing.http://www.theiia.org/guidance/standards-and-prac-
tices/professional-practices-framework/standards/standards-for-the-professional-prac-
tice-of-internal-auditing(accessedmay31,2007).
• InStItUtEOFIntErnALAUDItOrS.2002.Practice Advisory 1100-1: Independence
and Objectivity.AltamonteSprings,FL:heInstituteofInternalAuditors.
• nEw yOrK StOCK EXChAnGE. 2003. Final NYSE Corporate Governance Rules.
http://www.nyse.com/pdfs/inalcorpgovrules.pdf(accessedmay31,2007).
• PrOtIvItI.2007.J-Sox Flash Report – Japanese Guidelines for Interal Control Reporitng
Finalized – Diferences in Requirements Between the U.S. Sarbanes-Oxley Act and J-Sox.
http://www.protiviti.jp/downloads/lashreport/JSOX_Flash_report0221E.pdf (accessed
may31,2007).
• PUBLICCOmPAnyACCOUntInGOvErSIGhtBOArD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/
Standards_and_related_rules/Auditing_Standard_no.2.aspx(accessedmay31,2007).
• PUBLIC COmPAny ACCOUntInG OvErSIGht BOArD (PCAOB). 2005. Staf
Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.
pcaob.org/standards/staf_questions_and_answers/2005/01-21.pdf (accessed may 31,
2007).
• rEDDInG,K.,P.SOBEL,U.AnDErSOn,m.hEAD,S.rAmAmOOrtI,AnDm.
SALAmASIK.2007.Internal Assurance and Consulting Services.AltamonteSprings,FL:
heInstituteofInternalAuditors.
• rIttEnBErG,L.E.AnDB.J.SChwEIGEr.2005.Auditing: Concepts for a changing
environment.5thed.Boston,mA:hompson.
• SAwyEr,L.,m.DIttEnhOFEr,AnDJ.SChEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
• SEArS,B.2002.Internal Auditing Manual.newyork,ny:warren,Gorham&Lamont.
• USCOnGrESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.washingtonDC:GovernmentPrintingOice.
ConceptualBasisofInternalAudit
NatureandContentofAudits
RegulatoryandOrganizationalFramework
A|1|1.3
16
2 InternalAudit:MeetingToday’sNeeds2.1 TheDynamicsoftheOperatingEnvironment
KeyPoINTs •••
• Internal Audit is inluenced by a variety of factors, including regulatory and
legalrequirements,internalexpectations,andcompetitors.InternalAuditcan
andmustmeetthesefactorswithlexibilityandinaccordancewithcompany
objectivesandthestandardsestablishedbytheprofessionalinstitutes.
• heexternalenvironmentandinternalfactorsdemandthatinternalauditfunc-
tionsareintegratedwithinthebusinessprocessesoftheorganization.
Tobeaviableglobalcompetitorintoday’sbusinesscommunity,organizationsmust
juggleconstantlyevolvingoperationalprocesses,amultitudeofvarying legalre-
quirementsandregulations,andtheincreasingdemandsofinternationalbusiness
relationships.Whiletraditionalbusinessactivities,suchasdeliveringqualityprod-
uctsandservices,continuetobedecisiveprerequisitesforbusinesssuccess,global
marketfactorsmustalsobecarefullyconsidered.Duetothecomplexityofthein-
ternationalenvironment,organizationsfacestringenttime,resourceandcostcon-
straints thataremore signiicant thaneverbefore.Operating inaglobalmarket
provides organizations with exciting opportunities and immense beneits. How-
ever,italsointroducesrisksthatmustbecarefullymanaged.
Tocompeteintheglobalmarketplace,organizationsmustcomplywithrapidly
evolving internationalbusiness regulations, includinginancial reporting regula-
tions,political,environmental,healthandsafetyprovisions,andhumanrightsre-
quirements,amongmanyothers.heseinternationalrequirementsareparticularly
importantwhenorganizationsoperate inmultiplenationswithdiferentcultural
norms,expectations,andbehaviors.Forexample,thereisincreasingfocusoflegal
standardsonconsistent,auditableigures.OnesuchlegalstandardistheSarbanes
OxleyActof2002(SOX)intheU.S.SOXrequiresthatanyorganizationlistedon
aU.S.StockExchange(regardlessofitsnationality)complywithstrictruleswhich
exposemanagementanddirectorstouniquechallengesandrisksastheyoversee
operationsandreporting.
Inadditiontothemanyexternalrequirementsthatorganizationsmustsatisfy,
internalfactors,suchasorganizationaldesignandcomplexity,impacttheday-to-
dayactivitiesofacompany.hedetailedorganizationandworklowstructuresof
acompanyareinluencedbyitsstrategicobjectives,theskilllevelsofitsemployees,
the information and communication systems it uses, and the availability of re-
sources necessary to meet its objectives. Further, as an organization grows and
changes,theinterpersonaldynamicswillchangeaswell,whichcanhaveastrong
impactonitscorporatecultureandcontrolenvironment.
Allofthesefactorsimpactthedesignofacompany’sbusinessfunctions,either
directlyorindirectly.Moreover,thecontinuingevolution,expansionandrealign-
Globalorientation
Globalorientation
InternationalRequirementsInternational
Requirements
InternalDesignFactorsInternalDesignFactors
organizationalRealignment
organizationalRealignment
17
mentoftheoperatingenvironmentafectnotonlytheproductivebusinessfunc-
tions,butalsoallsupportingunits,suchastheaccountingandlegaldepartments.
InternalAuditmustalsoadapttotheevolvinggoalsandobjectivesof individual
companydivisionsand/ortheentireenterpriseandmustbeabletorecognizethe
newrisksthatemergeastheorganization’sgoalschange.
Astheorganizationcontinuestoevolve,managingbusinesschangeprocessesbe-
comesanecessaryprerequisiteformaintainingtheenterpriseasagoingconcern.
hisobjectivemustbepursuedwithappropriate risk evaluationandmitigation,
andtherelevant internalcontrolsmustbedeined.Speciicsteps inthebusiness
changeprocessmayinclude:extendingtheorganizationalstructuretoincludenew
subsidiaries,linesofbusinessorcustomerbases,addingnewprocessesorchanging
theexistingonestobettermeetthestrategicobjectivesoftheorganization,rede-
ployingemployeestonewareasofresponsibility,andevendevelopingnew,oten
global,guidelinesandworkinstructions.Eachoftheseactivitiesmustberatedwith
regardtoitsinherentrisksbeforeitisimplemented.hatis,theorganizationmust
considerthelevelofriskthatexistswithinanactivityintheabsenceofaninternal
TakingRiskintoAccountTakingRiskintoAccount
Management tools
Corporate ManagementDirectreport
Audit Management
ManagerialAccounting
Structure Processes Communication
Planning FinancialAccounting Internal Audit
Global Requirement Levels
Multinational
cooperationand
structures
Strategic
innovations
Comprehensive
information/process
management
ComplianceTeam Legal
ServicesManage-ment
EmployeeRepresen-tatives
HumanResources
Security
RiskManage-ment SOX
Reporting
I tn ernalAudit
Fig. 2 FunctionalPositionofInternalAudit
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
TheDynamicsoftheOperatingEnvironment
A|2|2.1
18
controlsystem.heresultofthisriskanalysisformsthebasisforimplementingap-
propriatecontrolsandanalyzingtheirriskmanagementefectiveness.
InternalAuditcanprovidesupportineachstepofthechangemanagementpro-
cess.Ultimately,theobjectiveremainstoevaluateandverifythatoperationalpro-
cessescomplywithregulatorystandardsandorganizationalrequirementsandare
performedeicientlyandefectively.Additionally,InternalAuditcanactasanin-
ternaladvisorandoptimizationagentineverystageofenterprisechange,thanksto
itsrichcollectionofknowledgeandexperience.InternalAuditcanassistandpro-
videadvicefordratingguidelinesandindesigningworkandprocessinstructions,
andcansupportriskassessments.InternalAuditcanthereforebeseenasacom-
binedauditandconsultingfunctionwiththepurposeofoptimizingenterprisepro-
cesses.However,thisrolemustbeclearlydescribedanddeinedwithregardtoau-
ditrequirementsandintereststoensurethatInternalAuditremainsindependent.
HINTsANDTIPs ;
• IfInternalAuditreceivesinformationaboutsigniicantchangestooperational
processes,itisbeneicialtoworkwiththeemployeesinchargeofimplementing
thesechangestoensurethatthecontrolenvironmenthasbeenconsidered.
• Wheninternalstructuresandprocessesareredesigned,InternalAuditshouldofer
itscooperativeassistanceandadvicetoensureatimelytransferofknow-how.
• E-mailsaboutnewguidelines,articlesincorporatemagazines,newsinthepress,
onTV,andonradio,aswellasinformationfromexternalandinternalpartners
canbeusedassourcesofinformationaboutthechangedenvironment.
LINKsANDReFeReNces e
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• COMMITTEEOFSpOnSOrIngOrgAnIzATIOnSOFTHETrEADWAyCOM-
MISSIOn (COSO). 2003. Enterprise Risk Management Framework. new york, ny:
AICpA.
• DElOACH, J. 2000.Enterprise-wide Risk Management: Strategies for Linking Risk and
Opportunity. london:FinancialTimesManagement.
• InSTITUTEOFInTErnAlAUDITOrS.2006.Standards for Professional Practice.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• MOEllEr,r.2004.Sarbanes-Oxley and the New Internal Auditing Rules.Hoboken,nJ:
Wiley&Sons.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEArS,B.2002. Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
RoleofInternalAuditRoleofInternalAudit
19
2.2 ReorientationoftheRequirementsProfile
KeyPoINTs •••
• Duetotheconstantlychangingbusinessenvironment,InternalAuditisfaced
withrapidlyevolvingrequirements,towhichitmustrespondefectively.
• Majorrequirementsincludeinternationalorientation,afullystandardizedau-
ditmethodthatcapturesthefullcomplexityofbusinessactivities,andexternal
demandssuchasnewregulationandcapitalmarketrequirements.
Traditionalaudits,suchasevaluationsoftheaccountingandthepurchasingfunc-
tions,willcontinuetobeanimportantfocusofInternalAudit.However,duetothe
constantly changing environment described in Section A, Chapter 2.1, Internal
Audit also faces continuously evolving requirements and responsibilities, to
which it must respond efectively. he following main requirements can be de-
ined:
• Itisnecessarytohaveinternationallystandardizedpoliciesandproceduresfor
internalaudit services toguaranteegloballyuniformaudit contentandaudit
methodsfortheentireorganization.
• heinclusionofinternationalaccountingstandards,especiallytheUnitedStates
generallyAcceptedAccountingprinciples (US-gAAp)and the International
Financial reporting Standards (IFrS), as well as other legal provisions and
guidelines,suchasnationalandinternationalcorporategovernanceprinciples
andSOXdemandahighlevelofexpertiseinavarietyofareas.
• Anincreasingdegreeofinteractionbetweenbusinessprocessesrequiresanin-
tegrativedesignforauditprocedures,ultimatelyinvolvingalllevelsandareasof
managementandallenterpriseunits.Eitherindividuallyorcombined,perfor-
manceindicators,basicprinciples,companypolicies,guidelines,organizational
structuresandprocesses,andindividualbusinessobjectsareareastobeaudited
byInternalAudit.
• Corporate-wideandcomplexenterpriseworklowsrequiretheestablishmentof
comprehensiveinternalcontrolsystems,aswellastheirintegrationintheinan-
cialreportingcycle.Further,ariskmanagementsystemmustbeestablishedthat
iscapableofidentifyingandaddressingbusinessrisks,andofmitigating,man-
aging,andmonitoringthemthroughthoseappropriatecontrols.
• Increasingly,internalandexternalinformationsystemsarenetworkedresulting
ingreaterinterdependencebetweenbusinessactivities.Mitigatingtheresulting
riskpotentialrequirescomprehensiveauditconceptsforinformationtechnol-
ogy.Auditingtheseareasinvolvesanalyzingbothbusinessandtechnicalsystem
details,andrequiresconsiderationofthediferentperspectivesofallinvolved
parties.
• Demandsfor“bestpractice”solutionsrequireInternalAudittoexpandbeyond
its traditionalauditingactivities intoconsultingandotherservices.hismay
NewRequirementsNewRequirements
GlobalorganizationGlobalorganization
LegalFrameworkLegalFramework
complexAuditTopicscomplexAuditTopics
InternalcontrolsystemsInternalcontrolsystems
NetworkingNetworking
BestPracticesolutionsBestPracticesolutions
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ReorientationoftheRequirementsProile
A|2|2.2
20
includesupportingmeasuresthateliminatecontrolweaknesses,aswellaspar-
ticipatinginfollow-upprocesses(seeSectionB,Chapter6).
• Asorganizationsconductbusiness inavarietyof international locations, it is
increasinglycommon for internal auditors toperformauditsoutsideof their
homecountry.Suchauditsarenotonlychallenginganddiicult tocomplete
duetoinherentdiferencesinculture,politicalenvironment,andbusinessprac-
ticesofdiferentcountries,buttheyalsomayrequireincreasedemployeelexi-
bilityandmotivation.
• heareasorprocessestobeauditedareselectedbasedonthecontinuousassess-
mentofrisksandcontrolsofvaryingbusinessworklows.hismeansthatspon-
taneousad-hocaudits,intendedtoensurebusinessoperations,arecarriedout
alongside pre-planned, standard, periodic (usually annual) audits. hus, to
managebothemployees’capabilitiesand theauditneedsof theorganization,
lexibleplanningsystemswitheasilyadjustableparametersareessential.
he increasing demands on Internal Audit require speciic audit tools, which in
turnarealsosubjecttocontinuousadjustmentandreinementwithregardtotheir
type,extent,andqualitativepurpose.hefollowinghandbookisintendedprimar-
ilytodescribeindetailthedesignanduseoftheseaudittools.
Ingeneralterms,theaudittoolscanbesummarizedasfollows:
• A global organizational structure with centralized lines of reporting helps to
ensurethefast,uniform,directexecutionofauditsalongastandardizedprocess
model.
• Aninternallyconsistentprocessmodelwillhelpguaranteetheconsistencyof
agloballystandardizedauditapproach.
• globally coordinated planning uses risk assessment techniques to involve all
decisionmakers(totheextentnecessary).
• globallystandardizedauditcontentandworkprogramsprovideacost-eicient
foundationforaudits,withoutlimitingthepossibilitytoadapttoindividualre-
quirements.
• he collaborative audit approach combines the internal audit function with
othercompliancefunctionswithintheorganization,suchastheriskmanage-
mentfunctionandtheinternalcontrolsystem(ICS).
• heformationofaudit-speciicteamsallowstheassignmentofdiferentnum-
bersofauditorswithdiferentskilllevelstospeciictasks,dependingonthesize
andcomplexityoftheauditinquestion.
• Aformalfollow-upprocessallowstheimplementationoftherecommendations
madebyInternalAudittobemonitoredindividually.
FlexibleAuditAssignments
FlexibleAuditAssignments
FlexibleAuditPlansFlexibleAuditPlans
VolumeofRequirementsVolumeofRequirements
AuditToolsAuditTools
21
HINTsANDTIPs ;
• Documentingadescriptionofallindividualauditareasandkeyrisksisusefulto
ensurethatallmajorinluencingfactorsaretakenintoaccount.
• Efective, suicient communication among all audit participants ensures that
everyonehas thesameunderstandingof the inluencing factors thatmustbe
considered.
• Anexternalexchangeofinformation,utilizingallavailablemedia,willhelpIn-
ternalAuditdevelopacompletepictureoftheexistingenvironment.
• Internal Audit should review all major audit instruments periodically (e.g.,
throughapeerreview)toguaranteetheirconsistency.
LINKsANDReFeReNces e
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:Juta.
• COMMITTEEOFSpOnSOrIngOrgAnIzATIOnSOFTHETrEADWAyCOM-
MISSIOn(COSO).2004.Enterprise Risk Management Integrated Framework.newyork,
ny:AICpA.
Fig. 3 AuditRequirementsandTools
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ReorientationoftheRequirementsProile
A|2|2.2
22
• InSTITUTEOFInTErnAlAUDITOrS.2006.IIA Standards for Professional Practice.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors. AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
2.3 FormulatingtheGeneralAuditObjectives
andWaysofImplementingThem
KeyPoINTs •••
• hestrategicobjectivesoftheorganizationaretoguaranteecompliance,opera-
tionalefectivenessandeiciency,andtheaccuracyandreliabilityofinancial
reporting.
• InternalAuditmustalignitselfrigorouslywiththeseobjectivesbypositioning
itselfaccordinglywithintheorganizationandcreatingabasisforimplementing
theauditmodel.
• Informationlows,highqualiicationrequirements,theprocessmodel,andthe
audituniverseareonlyafewoftheinstrumentsthatcanbeusedtomeetthese
generalobjectives.
Buildingonthebasic,generallyaccepted,auditobjectivesofagloballyoriented
internalaudit function, thereareavarietyof individual, taskspeciicobjectives
thatInternalAuditmustaddress.However,thischapterwilldealwiththegeneral
objectivesofInternalAudit–thatis,thosethatarevalidforallorganizations.his
focusiscriticalbecausethegeneralobjectiveframeworkprovidesthefoundation
forderivingtheauditmandate,theauditprinciples,andtheauditprocessmodel
andrelateddetailedworkinstructions,aswellasidentifyingthetask-speciicob-
jectives.
InternalAudit’sobjectivesandactivitiesmustbealignedwiththestrategicob-
jectivesoftheorganization.hesethreeprimaryobjectivesoftheorganization,as
deinedintheCOSOInternalControlFramework(seealsoSectionA,Chapter1.3
andSectionD,Chapter14.1.2),aretoensure:
• compliancewithlawsandregulations,
FoundationforAuditMandate
FoundationforAuditMandate
Mainstrategicobjectives
Mainstrategicobjectives
23
• reliabilityofinancialreporting,and
• operationaleiciencyandproitability.
Anadditionalobjective,safeguardingofinternalcontrols,maybesubsumedunder
theseorganizationalobjectives–alternatively, someorganizationsconsider it an
independentobjective.generally,InternalAuditmustorganizeitsauditactivities
basedontheprinciplethatthepurposeofallauditactivitiesisultimatelytoattain
thesemainstrategicobjectives.InternalAuditandtheorganizationshoulduserisk-
basedmonitoringtosupporttheachievementoftheseobjectives(seeSectionA,
Chapter6.3).
providingan independentassessmentofbusinesspractices’compliancewithap-
plicable lawsandregulations isoneof themost importantobjectivesof Internal
Audit. his basic objective inluences many task-speciic objectives. Compliance
requirementsaredrivenbyexternallegalandregulatoryrequirements,professional
practices, contractual relationships with partners and customers and all internal
guidelines, instructions, and process descriptions. he compliance objective is
closelylinkedwiththeobjectiveofensuringaccurateandreliableinancialreport-
ing,whichalsoentailslegalandregulatoryrequirements.
compliancecompliance
Strategic objectives
Measure:
Organizational
status of IA
Further
Measures
Further
Measures
Further
Measures
Measure:
Audit Universe
Measure:
Process model
Operational objectives
Compliance
withlawsand
regulations
Business
processe�-
ciencyand
effectiveness
Trueandfair
viewpresen-
tedby�nan-
cialreporting
Information
�ow
Information
security
Q uali�ed
employee
team
Risk
monitoring
Safeguarding
theICS
Imp
lem
en
tati
on
Fig. 4 StrategicandOperationalObjectives
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
FormulatingtheGeneralAuditObjectivesandWaysofImplementingThem
A|2|2.3
24
hesecondstrategicobjectiveoftheorganization,andaccordingly,ofInternal
Audit,istoevaluatethecontrolswhicharetoensuretheaccuracyandreliabilityof
inancial reporting.legalandregulatoryrequirementsmandate thatallbusiness
andinancialinformationbeincorporatedtoproduceasetofiguresanddisclo-
suresinvestorsandcreditorscanusetounderstandthecurrentstateoftheorgani-
zation.IntheU.S., theSarbanes-OxleyAct, incombinationwiththerulesofthe
publicCompanyAccountingOversightBoard(pCAOB),furtherrequiresthatall
oftheprocessesthatafecttheinancialreportingofanorganizationbesuiciently
controlledtoensurethatinancialreportsarefreefrommaterialmisstatementand
fairlypresenttheinancialconditionoftheorganization.Inthisregard,theprovi-
sions of SOX have set a trend for the future. According to EU sources, similar
guidelinescanbeexpectedforEuropeancompaniesfollowingtheintroductionof
theInternationalFinancialreportingStandards(IFrS).
Ensuringoperationaleiciencyandefectivenessisanotherimportantorgani-
zationalobjective.processesthatareessentialtoensuretheaccuracyofinancial
reportingmustbeclearlydocumentedandresponsibilitiesmustbedeined.Inter-
nal Audit must ensure that the organization actually performs all essential pro-
cesses. Internal Audit may also assist in developing and evaluating performance
andproitabilitygoalsandimplementingbestpracticesintheorganization.Tothis
end,InternalAuditcanperformbenchmarkingstudiesandidentifybestpractices
fromotherorganizationsandhelpassessthefeasibilityofimplementation.Internal
Auditcannotberesponsibleforimplementingthesebestpractices,butcanprovide
thisinformationtomanagementwhomustmakethedecisionofwhetherornotto
implementnew,improvedprocesses.
Toensure that theorganizationachieves itsobjectives, InternalAudit should
engageinrisk-basedmonitoringofallunitsandprocessesthatarepartoftheaudit
universe,whichisthesumofallbusinessunitsorprocessesidentiiedaspossible
auditareas.Itisbecomingincreasinglyimportanttoensurearisk-basedauditap-
proachisused,notleastduetoincreasinglegalandstatutoryrequirements.Forthis
reason,allphasesoftheauditprocessshouldidentifyandconsidertheriskfactors
ofauditobjects.
Anotherobjectivecloselyassociatedwiththerisk-basedapproachistheevalua-
tionoftheorganization’sinternalcontrolsystem.Althoughthistaskisnotnewfor
InternalAudit,emerginglegalrequirementsforefectivecontrolsystemshavein-
creaseditsimportance.Allenterpriseunitsandprocesslowsshouldbesubjected
totheinternalcontrolsystem.Asaresult,thekeyperformanceindicatorsbuiltinto
theinternalcontrolsystemprovideidealbenchmarksforInternalAudittousedur-
ingtheirauditactivities(seeSectionD,Chapter7).
To meet all these objectives, certain organizational and qualiication-related
prerequisitesmustbe fulilled.For example, the internal audit functionmustbe
integratedinintra-companyinformationlowswithoutrestriction.Toensurethat
deined objectives are achieved, the entire department must align itself with the
AccuracyandReliabilityofFinancialReporting
AccuracyandReliabilityofFinancialReporting
operationaleiciencyandefectiveness
operationaleiciencyandefectiveness
RiskMonitoringRiskMonitoring
safeguardingInternalcontrols
safeguardingInternalcontrols
InformationFlowInformationFlow
25
respectiveauditrequirementsatanearlystage.hisappliestoboththeone-time
communicationoforganizationalorcontent-relateddevelopmentsandtheperma-
nentexchangeoftheauditcontentwithcomplementarydepartments,suchasrisk
Management.
herequirementforbalancedinformationisextremelyimportantforinternal
auditservices.Auditresultsmustbeadequatelycommunicatedtotheappropriate
parties, including management. Accordingly, Internal Audit is part of an enter-
prise-widemanagementinformationsystem,whichreinforcesitsroleasamanage-
menttool(seeSectionA,Chapter2.5.4).
Ultimately,thequaliicationsandlexibilityofeachauditorarekeyprerequisites
forreachingtheobjectivesdescribedabove.Auditorsmustdemonstrateexpertise
and strong communication skills. Additionally, they must exhibit organizational
lexibilityandtheabilitytocompleteassignedtasksefectivelyandontime,inorder
toachievetheirdesignatedobjectives.
Moreover,ahighlyprofessionalprocessmodelisalsoveryimportanttoguaran-
teeconsistentaudits(seeSectionBfordetails).hismodelmustsatisfyalltheo-
reticalrequirementsofmodernauditworklowsintheformofamultilevelphase
structure.Flexiblereportingstructures,anininitelyadaptablesystemofworking
papers(seeSectionB,Chapter4.2),aswellasotherformsofdocumentationare
onlyafewcharacteristicsofdecision-orientedauditmodels.Boththeformalrules
andindividualcustomizationoptionsmustberepresentedineachindividualphase
oftheauditprocess.
Anotherprerequisiteformeetingstrategicauditobjectivesisthedeinitionof
comprehensive audit topics and the audit universe. A detailed description (or
Scope)mustbecreatedforeachareaidentiiedwithintheaudituniverse(seeSec-
tionB,Chapter2.1).Itconsistsofthespeciicprocesses,organizationalobjectives,
guidelines,risks,internalcontrolsandbenchmarksforeachauditarea.Bycompil-
ingthisinformation,InternalAuditcreatesauniformdatabaseforgloballyconsis-
tentaudits.
heorganizationalpositioningofInternalAuditinproximitytotheBoard,as
well as to theAuditCommittee, creates thenecessary independencerequired to
performtheassignedtasks(seeSectionA,Chapter1.3).Majorcharacteristicsofthis
relationshipincludeclearlinesofcommunicationandopportunitiesforspontane-
ous,impartialexchangesbetweentheparties.regardlessofwhoInternalAuditre-
portstoadministratively(e.g., theCEO),InternalAuditmusthavedirect,unen-
cumberedaccesstotheAuditCommittee.
Inadditiontothemainaudit-relatedobjectives,InternalAuditcanalsopursue
otheroperational,non-audit-relatedobjectives. Involvement in internalprojects,
expertreviewsofnewlydesignedsolutions,aswellastheactiveinitiationofsolu-
tionsteps,suchasdevelopingguidelines,illustratethecomplexityofthetaskport-
folioofinternalauditservices(seealsoSectionA,Chapter7).
InformationsecurityInformationsecurity
AuditorQualiicationsAuditorQualiications
ProcessModelProcessModel
AuditUniverseAuditUniverse
organizationalstatusorganizationalstatus
otherAuditobjectivesotherAuditobjectives
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
FormulatingtheGeneralAuditObjectivesandWaysofImplementingThem
A|2|2.3
26
LINKsANDReFeReNces e
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• AUMAnn,r.2006.AMultipurposeManual.Internal Auditor. (August2006):23–27.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An integrated approach.
lansdowne,SA:JutaandCo.
• COMMITTEE OF SpOnSOrIng OrgAnIzATIOnS OF THE TrEADWAy
COMMISSIOn (COSO). 1992.InternalControl Integrated Framework.newyork,ny:
AICpA.
• COMMITTEEOFSpOnSOrIngOrgAnIzATIOnSOFTHETrEADWAyCOM-
MISSIOn(COSO).2004.Enterprise Risk Management Integrated Framework.newyork,
ny:AICpA.
• FrASEr,J.AnDH.lInDSAy.2004.Twenty questions directors should ask about inter-
nal audit.Toronto,CA:nationallibraryofCanadaCataloguinginpublication.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2002.Practice Advisory 1110-2: Chief Audit
Executive Reporting Lines.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 2330-2: Recording In-
formation.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• nEW yOrk STOCk EXCHAngE. 2003. Final NYSE Corporate Governance Rules.
http://www.nyse.com/pdfs/inalcorpgovrules.pdf(accessedMay31,2007).
• prICEWATErHOUSECOOpErS. 2005.Audit Committee Efectiveness – What works
best.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• pUBlICCOMpAnyACCOUnTIngOVErSIgHTBOArD(pCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements.http://www.pcaobus.org/Standards/
Standards_and_related_rules/Auditing_Standard_no.2.aspx(accessedMay31,2007).
• pUBlIC COMpAny ACCOUnTIng OVErSIgHT BOArD (pCAOB). 2005. Staf
Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.pcaob.
org/standards/staf_questions_and_answers/2005/01-21.pdf(accessedMay31,2007).
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEArS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
27
• SWAnSOn, D.2006.heInternalAuditFunction,fromStepzero.Compliance Week.
(December2006):69.
• U.S.COngrESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.WashingtonDC:governmentprintingOice.
2.4 TheCharterasAuditMandate
2.4.1 PurposeoftheCharter
KeyPoINTs •••
• heInternalAuditcharterestablishesthefundamentalrequirementsdeinedby
theBoardofDirectorsandtheAuditCommittee.
• hecharterprovidesthefoundationforregularself-analysisofInternalAuditto
determinetheextenttowhichthedeclaredobjectivesaremet.
herequirementsforInternalAuditaredetailedinaclearlydeinedauditmandate
fromtheBoardofDirectorsandtheAuditCommittee.hismandateislaiddown
intheInternalAuditcharterandrelectsbothgeneralandcompany-speciicexpec-
tationsofthesetwobodies,whichhaveadecisiveinluenceonInternalAudit.
he purpose of the Internal Audit charter is to formally document the audit
mandateandthepowersitgrantstocarryoutinternalauditactivitiesonbehalfof
theBoardofDirectorsandtheAuditCommittee.hechartershouldbewrittenin
accordancewiththeIIAStandards forprofessionalpracticeofInternalAuditing
(hereaterIIAStandards).hecharterdeinestheframeworkwithinwhichInternal
AuditcanactindependentlyandshouldensurethatInternalAudit’sresponsibilities
donotlimititsobjectivity.Furthermore,thechartershouldestablishthefunctional
andadministrativereportinglinesofInternalAuditandspecifythatInternalAudit
hasdirect,unencumberedaccesstotheAuditCommittee.heAuditCommittee
shouldreviewandapprovethecharterannuallyandappropriatemodiicationsto
the charter should be made as the roles and responsibilities of Internal Audit
evolve.
Inaddition,thecharterservesasthefoundationfortheannualauditplan,which
iscoordinatedwiththeBoardofDirectorsandtheAuditCommittee(seeSection
B,Chapter2.2).Asnecessary,theannualauditplanwillbeamendedsuchthatthe
planaddressesspeciicauditrequests(seeSectionB,Chapter2.3).heAuditCom-
mitteeshouldreviewtheplannedactivitiesof InternalAudit toensure that they
adequatelyaddresstherisksfacedbytheorganization.
Withacarefullydevelopedauditmandateandcharter,theBoardofDirectors
canfulillitsresponsibilityforestablishinganefectiveinternalauditfunctionand
deiningitsduties.heBoardofDirectorsmustensurethatInternalAuditcomplies
withtheauditmandateandcharter.
AuditMandateAuditMandate
chartercharter
AnnualAuditPlanAnnualAuditPlan
ResponsibilitiesoftheBoardofDirectorsResponsibilitiesoftheBoardofDirectors
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
TheCharterasAuditMandate
A|2|2.4
28
InternalAudit’sresponsibilityforfulillingtheauditmandateisparticularlyap-
parentinthatthedepartmentcarriesoutitsauditactivitiesusingastandardized
process, making its own activities veriiable as well. Any arbitrary or unjustiied
activityispreventedbythisstandardizedprocess.Clearlyorganizedstructuresand
decision-makingprocessesensurethattheauditedunitsareevaluatedaccordingto
apredeinedprocess.husthecharterrepresentsagenerallinkbetweentheBoard
ofDirectorsandAuditCommittee,theauditee,andInternalAudit.
Accordingly,thechartershouldalsobeperceivedasabenchmarkprovidingan
ongoingevaluationofauditactivities.regularcomparisonoftherequirementspos-
tulatedinthecharterwiththeauditactivitiesisabsolutelyessentialtoensurethat
InternalAuditfulillstheresponsibilitiesentrustedtoitbytheBoardofDirectors.
Asfurtherexpectationsareraisedamongotherpartiesandmanagementlevels,ad-
ditionalrequirementsforInternalAuditmayariseatanytime,andultimately,may
beaddedtotheformalcriteriaofthecharter.
HINTsANDTIPs ;
• Checkthetasksformulatedinthecharterperiodically,andrevisethemasnec-
essary.
• To clarify the work of Internal Audit and the audits it performs, refer to the
responsibilitiesandtasksdeinedinthecharter.
• hecharterisalsosuitableasabasisfordiscussionwithexternalunits,regard-
ingthetasksandsigniicanceofInternalAudittodayandinthefuture.
• If the tasksof InternalAuditareextendedorchanged, thecharter shouldbe
usedtoformalize/codifythecorrespondingresponsibilities.revisethecharter
ifnecessary.
LINKsANDReFeReNces e
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• AUMAnn,r.2006.AMultipurposeManual.Internal Auditor. (August2006):23–27.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An integrated approach.
lansdowne,SA:JutaandCo.
• COMMITTEEOFSpOnSOrIngOrgAnIzATIOnSOFTHETrEADWAyCOM-
MISSIOn (COSO). 2003. Enterprise Risk Management Framework. new york, ny:
AICpA.
• FrASEr,J.AnDH.lInDSAy.2004.Twenty questions directors should ask about inter-
nal audit.Toronto,CA:nationallibraryofCanadaCataloguinginpublication.
• HErMAnSOn, D. r. AnD l. E. rITTEnBErg. 2003. Internal audit and orga-
nizational governance. In: BAIlEy Jr., A. D., A. A. grAMlIng, AnD S. rAMA-
MOOrTI, EDS.2003.Research Opportunities in Internal Auditing.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
standardFramework
standardFramework
ThecharterasaBenchmark
ThecharterasaBenchmark
29
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000-1: Internal Au-
dit Charter.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2002.Practice Advisory 1110-2: Chief Audit
Executive Reporting Lines.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• prICEWATErHOUSECOOpErS. 2005.Audit Committee Efectiveness – What works
best.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SWAnSOn,D.2006.heinternalauditfunction,fromstepzero.Compliance Week.(De-
cember2006):69.
2.4.2 MainContentsoftheCharter
2.4.2.1 TasksofInternalAuditatSAP
KeyPoINTs •••
hemajortasksofInternalAuditatSApare:
• verifyingcomplianceofbusinessprocessesandinancial reportingwithpoli-
cies,laws,andregulations,
• ensuringanintegratedcorporategovernanceapproachthroughouttheorgani-
zation,
• maintaining a clearly structured reporting system, including company-wide
analyses,and
• providingsupporttooptimizebusinessprocessesandestablishnewguidelines.
Foundedin1972,todaySApisoneoftheworld’sleadingprovidersofbusinesssot-
ware.Measuredintermsofitsmarketcapitalization,theSApgroup,withitsabout
100 subsidiaries, is the world’s third largest independent sotware provider. SAp
employsmorethan39,300peopleatsalesanddevelopmentlocationsinmorethan
50countriesthroughoutEurope,theMiddleEast,Africa,theAmericas,andAsia-
paciic.SApisheadquarteredinWalldorf,germany.Itscorebusinessistheprovi-
sionoflicensesforSApsotwaresolutions.SApalsomarketsmaintenance,consult-
sAP:ThecompanysAP:Thecompany
A|2|2.4ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
TheCharterasAuditMandate
30
ing,andtrainingservicesrelatedtoitssotwaresolutions.hecompanycooperates
closelywithitspartnersfordevelopingandmarketingitssolutionsportfolio.
SApAg,apubliccompany,istheparentcompanyoftheSApgroup(thegroup)
andhasvariousroleswithintheconsolidatedgroup:
• Itactsasaholdingcompanyforthegroup.
• ItownsmostoftheSApsotwarerights.SApAgthereforeprimarilygenerates
revenue from licensing fees, which its subsidiaries remit to SAp Ag for any
sotwareandmaintenancethesubsidiariesselltocustomers.Italsodirectlyor
indirectlypaysforthecostsofsotwaredevelopmentinthegroup.
• SApAgemploysmostofthedevelopment,service,andsupportstafwhowork
forthegroupingermany.
• Invariouscountries,SApAgexecutessotwarelicenseagreementsdirectlywith
customers.
SApAg,asagermanstockcorporation,hasatwotieredBoardofDirectors,with
an Executive Board, made up of managing directors, and a Supervisory Board,
madeupofshareholderrepresentativesandemployeerepresentatives.heSupervi-
sory Board oversees and appoints the members of the Executive Board and ap-
provesmajorbusinessdecisions.SAp’sinternalauditdepartment,globalInternal
AuditServices(gIAS),isastafdepartmentoftheExecutiveBoardthatoperates
throughout theSApgroupandreportsdirectly to theCEO.gIASisan integral
managementinstrumentinthepursuitandachievementofthegroup’scorporate
goals.Byprovidingindependentevaluationsofbusinessactivitiesandothercon-
sultingservices,gIASmakesasubstantialcontributiontoriskanalysisandman-
agement for theentireSApgroupand to thedevelopmentandmonitoringofa
functioninginternalcontrolsystem.gIASisorganizedasaglobaldepartmentwith
teamslocatedatvarioussitesthroughouttheworld(formoreontheorganizational
structureofgIAS,seeSectionA,Chapter4).
SAp’sInternalAuditcharterdeinesgIAS’tasks,organization,andresponsibili-
ties.hecharterisdividedintotheactualauditmandate,andfurtherexplanations
oftheorganizationalandinformationalarrangementsofgIASandissignedbythe
CEOandtheChairmanoftheAuditCommittee.Whiletheirstpartofthecharter
emphasizes theexpectationsof thesignatories, thesecondpartrelects thebasic
minimumrequirementsformeetingtheobjectivesofInternalAudit.
AtSAp,gIASpredominantlyfocusesonthetasksdeinedinthecharter.Inad-
dition,tasksmaybeaddedorchangedonacase-by-casebasisduetoSAp’sdynamic
internalprocesses,theevolvingbusinessenvironment,andnewregulatoryrequire-
mentssuchasSOX.hischapterreferstothediferenttasksonlybriely;theyare
discussedinmoredetaillaterinthetext.gIASconductsbothscheduledandad-
hocauditsinvolvingtheissuesofinance,businessprocesses,informationtechnol-
ogy,fraud,externalbusinessrelationships,andmanagement,inadditiontomore
specializedtopics.Tomaintainstandardsacrossthesediferentauditields,theAu-
dit roadmap, gIAS’ standard process model for conducting audits, is to be fol-
lowedatalltimes(seeSectionB,Chapter1.1).
sAPAGsAPAG
GlobalInternalAuditservices
GlobalInternalAuditservices
structureofthecharterstructureofthecharter
AuditsAudits
31
Duringitsaudits,gIAScooperateswithotherdepartmentsintheimplementa-
tionofcorporategovernancerequirements,coordinatingalltheindividualactivi-
tiesrequiredtomeetitsobjectives.gIAS’indings,inparticular,mayresultinthe
need todeineadditionalguidelines,policiesandproceduresorexpandexisting
ones.gIASregardsitasitsdutytoinitiatesuchdocumentsandaccompanytheir
developmentaspartofcomprehensivecorporategovernance.
In particular, gIAS investigates whether laws and regulations have been fol-
lowed, including those relating to inancial reporting requirements applicable to
SAp.Inthiscontext,theprimarygoalistoensurethatalltransactionsthatafectnet
income or equity are properly recorded and recognized according to US-gAAp
whichisSAp'sprimaryaccountingregime.Ofcourse,allotherbusinesstransac-
tionsarealsosubjecttointernalaudits.
gIAS isalso responsible forauditing the riskmanagement systematSAp. In
germany,theGesetz zur Kontrolle und Transparenz im Unternehmensbereich (kon-
Trag – german Act on Control and Transparency in Business) sets speciic re-
quirementsforriskmanagement(seeSectionA,Chapter1.3fordetails).heirst
activity related to these duties is the implementation and application of the risk
managementsystemitself,whichinvolvestestingtheextenttowhichtheorganiza-
tional prerequisites, personal responsibilities, and process-related activities and
documentsareavailabletorecordtherisksinthecompanycorrectlyandadequately.
Inaddition,gIASmustreporttherisksidentiiedinitsindingstotheresponsible
riskmanager.Acoordinatedprocedureisusedtoensurethattheserisksaretracked
andcontrolledjointlybygIASandtherelevantriskManagementemployees(see
SectionD,Chapter2.2oncooperationwithriskManagement).
Duringtheiraudits,gIASalsoevaluatescompliancewiththeSApCodeofBusi-
ness Conduct for Executive Board members and employees. his evaluation in-
volvesbothregularbusinesstransactions,suchasthepurchasingdepartment’sven-
dorrelationships,andspecialactivitiessuchassponsoringsportingevents.
gIAS’ responsibilities also include the use of a diferentiated audit reporting
system to convey the main audit results to the responsible persons reliably and
promptly(seeSectionB,Chapter5).Allrecipientsmustbeinformedoftheresults
oftheauditworksuicientlyandwiththerequireddegreeofdetail,usingvarious
reportingformats.
Ifnecessary,gIAScanalsoassistindesigningnewormodiiedbusinesspro-
cesses, functioning as either an additional or the sole consulting unit. However,
gIAS must perform consulting activities in compliance with the IIA Standards
(1000.C1-1)toensurethepreservationofindependenceandobjectivity.Inaddition,
gIAScanalsoassistwithcertainin-processissues,andactasareviewpartner(see
SectionA,Chapter7).
InternalAuditmustalwaysbeinformedwhenthereisclearevidenceorjustiied
suspicionoffraud.Suchcasescaninvolvefactsthathavealreadybeenprovenor
suspicions.ItisuptogIAStoinvestigateandanalyzethefactsandtoidentifythe
persons involved by itself or together with the corporate legal department. It is,
however,alsopossibletocallinexternalsupportoraskotherSApdepartmentsfor
corporateGovernancecorporateGovernance
complianceofFinancialReportingcomplianceofFinancialReporting
RiskManagementsystemRiskManagementsystem
compliancewithcodeofBusinessconductcompliancewithcodeofBusinessconduct
AuditReportingsystemAuditReportingsystem
consultingTasksconsultingTasks
FraudPreventionandInvestigationFraudPreventionandInvestigation
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
TheCharterasAuditMandate
A|2|2.4
32
assistance in such cases (see Section D, Chapter 13). In accordance with the IIA
Standards(1210.A2)andtheStatementonInternalAuditingStandardsno.3,Inter-
nalAuditorsmayconductorparticipateinfraudinvestigationsinconjunctionwith
lawyers,investigators,securitypersonnel,andotherinternalorexternalspecialists.
Further,InternalAuditshouldassesstheallegedfraudtodetermineifcontrolsneed
to be implemented or enhanced, to design audit procedures to identify similar
fraudsinthefuture,andtomaintainsuicientknowledgeoffraud.Toavoidthe
occurrenceoffraud,InternalAuditshouldalsoexamineandevaluatetheadequacy
oftheorganization’sfraudpreventionsystem,performfraudriskassessments,as-
sess theadequacyofcommunicationsystemsandevaluatemonitoringactivities.
gIAS,forexample,performspreventiveauditstorevealpotentialfraudcasesorto
identifyriskconstellations,whichmay leadtoapotentialmisuse inthesenseof
fraudulentactivity.
Inaddition,gIASpromotesandinitiatesacompany-wideexchangeofideasfor
theongoingdevelopmentofsuccessfulmethodsandpracticesthattheauditorsob-
servewithintheframeworkoftheiractivities.Tothisend,gIASmustcatalogand
communicate these best practices centrally. Enterprise-wide benchmarking with
internalkeyigures,aswellaskeyiguresandrecordsfromotherdepartmentsand
auditedunits,promotestheexchangeofempiricalknowledgeandthereforesup-
portstheongoingoptimizationofbusinessactivities(seeSectionD,Chapter7on
theInternalAuditperformancemeasurementsystem).
HINTsANDTIPs ;
• Beforetheaudit,theauditorsmustclarifywhethertheauditrequestneedstobe
amendedorforwardedtoanotherareaofresponsibilitywithinthecompany.
• Auditorsmustbeawareoftheultimategoaloftherequestedorplannedaudit
activitiesandofthespeciiedtaskareaatalltimes.
• Auditorsmustconsiderwhoelsemayneedtobeinvolvedintheplannedaudit.
InternalAuditcanworkinconjunctionwithotherinternaldivisionsorconsul-
tantstoefectivelyandeicientlyexecuteaudits.
LINKsANDReFeReNces e
• AnDErSOn,U.2003.AssuranceandConsultingServices.In:BAIlEyJr.,A.D.,A.A.
grAMlIngAnDS.rAMAMOOrTI,EDS.2003.Research Opportunities in Internal
Auditing.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000-C1.1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
exchangeofIdeasexchangeofIdeas
33
• InSTITUTEOFInTErnAlAUDITOrS.2006.Practice Advisory 1210.A2-1: Auditor’s
Responsibilities Relating to Fraud Risk Assessment, Prevention and Detection.Altamonte
Springs,Fl:heInstituteofInternalAuditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SWAnSOn, D.2006.heInternalAuditFunction,fromStepzero.Compliance Week.
(December2006):69.
2.4.2.2 OrganizationalFoundation
KeyPoINTs •••
• heInternalAuditchartermust identify thebasicorganizational framework,
including documentation of the organizational structure, the audit organiza-
tion,andthenecessarycommunicationprocesses.
• heobjectiveoftheregulations,whichresultfromtheactualauditmandate,is
toachievebindingrequirementsbytheBoardofDirectorsandtheAuditCom-
mitteefortheestablishmentofanefectiveinternalauditfunction.
heInternalAuditchartershouldgiveanextendeddescriptionoftheactualaudit
mandateprovidingtheproceduralfoundationfortheauditactivitiesperformedby
InternalAudit.heinclusionofthispracticalinformationinthecharteraccentu-
atestheintentionoftheBoardofDirectorsandAuditCommitteetotakeaccount
of the organizational requirements of Internal Audit and support the necessary
measures.
However,althoughtheBoardofDirectorsinitiatestheestablishmentofInternal
Audit, itassignsallresponsibilities forplanningandactivitiesdirectly tothede-
partment,andthustotheCAE.hisindividualisresponsibleforensuringthatboth
theorganizationalandprocess-relatedelementsof InternalAuditareadequately
establishedwithinthecompany.
Indetail,thecharterforInternalAuditatSApdeinesthefollowingparameters
forfunctioninginternalauditservices:
• hedescriptionoftheorganizationalstructureofgIASincludesthestructureof
thedepartmentitself,itspositionwithintheorganizationandtheresponsibili-
tiesof its employees.BecauseofgIAS’sclose relationshipwith theExecutive
Board(themembersofwhicharecomparabletothemanagingmembersofthe
BoardofDirectors),itshouldbecomecleartoeveryoneintheorganizationthat
gIAS is aglobal, centrallymanageddepartment.Additionally, the increasing
importanceofgIAS’rolewillresultinconsiderableauthorityforSAp’sregional
auditteams.hisdecentralizationoforganizationandresponsibilityaswellas
company-wideprocessstandardizationareofhighestprioritytotheExecutive
Board.
ProceduralFoundationProceduralFoundation
RoleoftheBoardofDirectorsRoleoftheBoardofDirectors
charterParametersatsAPcharterParametersatsAP
organizationalstructureorganizationalstructure
A|2|2.4ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
TheCharterasAuditMandate
34
• FromtheExecutiveBoard’sperspective,thisformoforganizationclariiesthe
responsibilitiesoftheCAE,thusclearlydelegatingresponsibilityfortheexecu-
tionofauditactivitiestotheCAE.heInternalAuditcharterprovidesthenec-
essaryauthorityforthisdelegation.Aqualiiedstafstructuremustbedeined
to implement the individualmeasures,with thediferentpositions stafedby
individualswithdistinctlevelsofexpertiseandexperience.However,itispos-
sibletoestablishmaintasksandcompetenciesforallauditors,regardlessoftheir
individualexperience(seeSectionA,Chapter4.5).heseareasarealsospeciied
inthecharterasatypeofextendedprerequisiteforsuccessfulauditwork.
• Detailsoftheorganizationofauditworkaredescribedintheformalauditpro-
cedures,thegeneralrequirementsfortheactualieldwork,andproceduresfor
reportingauditresults.Basedonthecharter,thisorganizationprovidesaframe-
workwhichensuresthattheauditsarewellplanned,skillfullyexecutedandwell
organizedsotheycanwithstandqualityassurancereviewsatanytime.
• hevariednatureandcomplexityofthetasksathandrequiresalargemeasure
ofboth inter-and intradepartmentalcommunication.he internalcoordina-
tionprocessesserveprimarily toensure thesmoothlowof theaudits them-
selvesandtheconceptualevolutionofInternalAudit.gIAS’sglobalorganiza-
tion, with its various teams, demands an adequate communication system,
whichisdocumentedinthecharterasarequirementforgIAS.
• heregularcross-departmentalcommunicationprocessesconsistmainlyofco-
operationbetweengIASandtheExecutiveBoard,theAuditCommittee,risk
Management,theexternalauditors,andotherexternalinstitutions,suchasthe
IIA.FromtheExecutiveBoard’sperspective,theserelationshipsareadecisive
elementforanefectiveinternalauditfunction.Asaresult,thecharteraccord-
ingly establishes these communication channels and relationships as an ex-
tendedorganizationalrequirementorattribute.
heframeworkforInternalAuditatSApdescribedaboveelucidatestheExecutive
Board’sdemandsfortheimplementationofanefectiveinternalauditfunction.Based
onthedocumentedrequirementsandspeciicinterrelations,theExecutiveBoard
candischargeitsresponsibilitiesbyreferringtotheaboveframeworkparameters.
HINTsANDTIPs ;
• Whenindoubt,auditorsshouldcompareeachauditrequestwiththecontents
ofthecharter.
• hechartershouldbeusedasabasisfordisputeresolution.
LINKsANDReFeReNces e
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
stafstructurestafstructure
AuditProceduresAuditProcedures
coordinationProcesscoordinationProcess
cooperationcooperation
FrameworkFramework
35
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An integrated approach.
lansdowne,SA:JutaandCo.
• HErMAnSOn,D.r.AnDl.E.rITTEnBErg.2003.Internalauditandorganizational
governance.In:BAIlEyJr.,A.D.,A.A.grAMlIngAnDS.rAMAMOOrTI,EDS.
2003.Research Opportunities in Internal Auditing.AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000-1: Internal Au-
dit Charter.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• prAWITT,D.2003.ManagingtheInternalAuditFunction.In:BAIlEyJr.,A.D.,A.
A.grAMlIngAnDS.rAMAMOOrTI,EDS.2003.Research Opportunities in Inter-
nal Auditing.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• prICEWATErHOUSECOOpErS. 2005. Audit Committee Efectiveness – What works
best.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SWAnSOn,D.2006.heinternalauditfunction,fromstepzero.Compliance Week.(De-
cember2006):69.
2.4.3 TheCharterasPartofInternalAudit’sDefinitionProcess
KeyPoINTs •••
• ToensurethatInternalAuditisuptodate,aclearlystructuredprocessfordein-
ingthepurpose,authority,andresponsibilityofthefunctionisnecessary.
• Itisessentialthatallstepsofthisdeinitionprocessaresubjecttoregularevalu-
ationandareamendedasappropriate.
• Becauseof the rapidlychangingenvironment, InternalAuditmust recognize
anypotentialchangeassoonaspossiblesothat it ispromptlytranslatedinto
appropriateauditactivities.
heinformationprovidedinthepreviouschaptersshowsthattheprocessofdein-
ingthepurpose,authority,andresponsibilityofInternalAuditfollowsalogically
organizedstructure.First,themajorobjectivesforinternalauditingservicescanbe
derived from the objectives of the organization described above (see Section A,
Chapter2.3).InternalAuditthendevelopsanaudituniversecoveringallrisksaf-
fectingtheorganization.hisprocessstepmustincludeallexpectations,bothinter-
nalandexternal.hisaudituniverseprovidestheframeofreferenceforformulat-
ingthebasicauditactivities.Withtheseauditactivities,InternalAuditachievesthe
requirementsoftheauditmandate,andthecharter.Astherisksfacingtheorgani-
zationarecontinuouslyevolving,InternalAuditmustregularlyevaluatewhether
thespeciiedrequirements,identiiedauditareas,anddeinedgoalsandtasksstill
correspondtotherelevantrisks(seeSectionD,Chapter2.2).
DeinitionProcessDeinitionProcess
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
TheCharterasAuditMandate
A|2|2.4
36
hedeinitionprocessforInternalAuditprovestobedynamicinnature,which
mustbecarefullyconsidered.Adherencetooutdatedauditgoalsandtaskswillnot
onlyharmtheeiciencyoftheauditwork,butmayalsodemotivateInternalAudit
stafandauditees.Clearandconsistentcommunicationisparticularly important
formaintainingthenecessarylexibility.Exchangeofinformation,meetings,pre-
sentations,andpublicationswillhelpallthoseinvolveddevelopanincreasedap-
preciationforevolvingauditactivities.
heclearstructureofthedeinitionprocesswillprovideanend-to-endordinal
framework forboth the establishmentand the furtherdevelopmentof theaudit
model.Althoughthedetailsofthedeinitionprocessarecompany-speciic,thefol-
lowinggeneralrulesapply:
• All external inluencing factors, suchas internationalinancial reportingand
process standards,aswellasbusiness-lawand labor-relatedpolicies,mustbe
analyzedregularlyandtheauditprocessmustbeadaptedasnecessary.
• hecatalogofinternalandexternalrequirements(e.g.,organizationalpolicies
andregulatoryrequirements,respectively)mustbeevaluatedforcompleteness
and,whennecessary,extendedwithinternationaland/orcompany-speciiccom-
ponents(forexample,inthecaseofmajorreorganizationsoracquisitions).
• hestrategic,operational,reporting,andcomplianceobjectivesoftheorganiza-
tionmustbecarefullyconsideredtoensurethatInternalAudit’saimsaresuf-
icienttofacilitatetheattainmentoftheseorganizationalgoals.
• he basic objectives of Internal Audit must be examined critically both with
regardtochangedornewrequirementsandexternallydeinedguidelinesand
standards(e.g,fromtheInstituteofInternalAuditors).
• hechartermustbeupdatedregularly.
• Allbasicoperationalauditelements,suchasorganizational/stafstructures,au-
ditexecutionandcommunication,mustbeexaminedcriticallyandadaptedif
necessary.
Takentogether,thesemeasureswillresultinacriticalanalysisofthecharteratleast
everytwoyears.newrequirementsfromtheBoardofDirectorscanbeintegrated
concurrentlywiththisanalysis.Further,duringtheanalysisandrevalidationofthe
charter,theCAE,BoardofDirectors,andAuditCommitteecanassesstheneedfor
additionalresourcesforauditandconsultingservices.hiscyclicaldeinitionpro-
cessisessentialtoInternalAuditanditswork,toensurethatongoingchangesin
theframeworkconditionsareultimatelyrelectedintheauditsaswell.
HINTsANDTIPs ;
• Analyzeanddocumentchangestolegalandinternalregulationsimmediately
withregardtotheirefectsonauditcontent.
• hedeinitionprocessmustbeunderstoodasawhole,(i.e.,examinationsand
changesmustalwaysbeconsideredasasinglestep)becausetheauditassump-
tionsmayotherwisebeincomplete,outdatedorobsolete.
DynamicDeinitionProcess
DynamicDeinitionProcess
structureoftheDeinitionProcess
structureoftheDeinitionProcess
criticalAnalysiscriticalAnalysis
37
LINKsANDReFeReNces e
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• AUMAnn,r.A.2006.MultipurposeManual.Internal Auditor (63:4):23–27.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• HErMAnSOn, D. r. AnD l. E. rITTEnBErg. 2003. Internalauditandorganiza-
tionalgovernance.In:BAIlEyJr.,A.D.,A.A.grAMlIngAnDS.rAMAMOOrTI,
EDS.2003.Research Opportunities in Internal Auditing.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000-1: Internal Au-
dit Charter.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2001. Practice Advisory 2010-2: Linking
the Audit Plan to Risks and Exposures.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• prICEWATErHOUSECOOpErS. 2005. Audit Committee Efectiveness – What works
best.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SWAnSOn,D.2006.heinternalauditfunction,fromstepzero.Compliance Week.(De-
cember2006):69.
2.5 ImplementingtheAuditMandate
2.5.1 InternalAuditasanIndependentAuditBody
fortheWholeCompany
KeyPoINTs •••
• InternalAuditmustcarryoutstandardizedauditsgloballyandindependently.
Organizationalstandardsandproceduresfordoingsomustbedeveloped.
• Othermeasuresarealsoneededtoproperlyestablishaninternalauditfunction
thatisactivethroughouttheorganization.Internalcost/beneitanalysesandthe
generalpositioningofInternalAuditwithinthecompanyshouldalsobedocu-
mented.
• InternalAuditmustbeable towork independentlyandobjectively.Onepre-
requisiteforindependenceisanappropriateorganizationalpositionwithinthe
company.
hecontentsof InternalAudit’smandatedescribed inSectionA,Chapter2.4.2.1
mustbeimplementedappropriately.Indoingso,InternalAuditcanconsiderdifer-
entapproachesandpointsofview.Wewillirstexaminethe“corebusiness”ofcon-
ductingaudits.ToguaranteeInternalAudit’sindependenceintermsofformand
corecompetenciesofInternalAuditcorecompetenciesofInternalAudit
A|2|2.5ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
38
content,anumberofproceduresandorganizationalguidelinesmustbedeinedin
detail.FromtheBoardofDirectors’perspective,thefollowingmainaspectsmust
beaddressed:
• heorganizationalstructureofInternalAudit.hismaybedeinedbyfunction,
region/country,lineofbusiness,etc.
• InternalAudit’spositionwithintheorganization,suchthatthedepartmentis
abletomaintainindependenceandtheauditorsareabletocarryouttheirre-
sponsibilitiesobjectively.Ideally,thisincludesreportingadministrativelytothe
CEOandfunctionallytotheAuditCommittee.
• hedeinitionoftheentireauditprocess,includingallinternalstandardsand
qualityassuranceactions.
• Descriptionofallrelevantauditields(e.g.operationalaudits,inancialaudits)
andtheareaswithintheauditields.
• Deinitionofallreportingpathsandthecontentofauditreports.
• Scenariosforextraordinaryauditrequirementsoractivities.
• liaisonwithotherinternalandexternalcomplianceunits,suchasriskmanage-
mentandexternalauditors.
AnotherimportantresponsibilityistoboostawarenessofandappreciationforIn-
ternalAuditthroughouttheorganization.Adialogueshouldbeinitiatedthatem-
phasizestheadvantagesofestablishinganinternalauditdepartmentandthebeneits
derivedfromsuchadepartmentandthatexplainstheexistingneedsandlegalre-
quirements for internal audit services. his can take place through information
events,internalmailingsandmemos,auditsurveys,andapresenceonthecompany
intranetandwillhelpavoidtheimpressionthatInternalAuditismerelyanendin
itselfanddoesnotaddvaluetotheorganization.Indeed,thisdiscussionshouldfo-
cusonInternalAudit’sroleintheprotectionandadvancementoftheorganization.
heroleofprotectingthecompanyhasgainednewimportancesincetheenact-
mentofSOXintheU.S.InternalAuditisamostlikelyliaisonbetweentheindepen-
dentexternalauditorsandthecompanyinregardtocompliancewithinternalcon-
trol system requirements. Internal auditors play a crucial role in ensuring the
accuracyoftheinancialreportingsystem.
ItisessentialthatInternalAuditremainindependent.InternalAuditmustbe
enabled to work independently and free from pressure to ensure it can meet its
objectives,includingassistingtheworkoftheexternalauditor.IIAStandard1100
clearlystatesthattheinternalauditingactivitiesofanorganizationmustbeinde-
pendent. Independence, which refers to the audit function itself, is necessary to
ensurethattheinternalauditorscanbeobjective.Individualinternalauditorsare
considered objective when they have an “impartial, unbiased attitude and avoid
conlicts of interest” (IIA Standard 1120). To be independent, the internal audit
functionmustbeappropriatelypositionedwithinthecompany.heIIAStandards
donotspeciicallyprovideappropriatereportingstructures;rather,eachorganiza-
tionmustmakethisdeterminationitself.However,ataminimum,theChiefAudit
Executive(CAE)shouldreporttoanindividualintheorganizationwithsuicient
Appreciationwithintheorganization
Appreciationwithintheorganization
LiaisontoexternalAuditors
LiaisontoexternalAuditors
MaintainingIndependence
MaintainingIndependence
39
authority to promote independence and ensure broad audit coverage, adequate
considerationofengagementcommunicationsandthatappropriateactionistaken
onengagementrecommendations.Ideally,theCAEshouldreportfunctionallyto
the Audit Committee, Board of Directors or other appropriate governing
authorityandadministrativelytotheChiefExecutiveOiceroftheorganization.
heinternalauditdepartmentneedssuicientresourcestomeetitsobjectives.
Withregardtoauditindingsandrecommendations,InternalAuditcanprovide
amanagementconsultingfunction,whichgoesbeyondprovidingassurance.When
providingconsultingservicestooperationalmanagement,auditresultsthatrequire
fastandeicientimplementationmustbeconsidered.Sometimesitmaybenecessary
tofamiliarizethemanagerinchargewiththeappropriateimplementationoptions.
Whentherecommendationsareimplemented,operationaldetailsmustbeiden-
tiied,organizedandcertaintymustbereachedthattherecommendationsarein
linewithexistingornewlycreatedguidelines.Atthisstage,InternalAuditotenhas
theroleofprovidingongoingsupport,eitherbysharingitsknowledgeandexperi-
ence,orbyactingasdiscussionpartnerwhocanassessandoptimizesuggestedso-
lutions.
Ultimately,InternalAuditperformsadualrole.Itmustexistasapartoftheor-
ganization,yetnotbelongingtothatorganizationinanactualoperationalsense.
Despiteitsindependence,InternalAuditisandwillremainapartofthecompany.
hisappliestobothpurelytechnicalaspectsandpersonalrelationshipswithem-
ployeesfromotherareas.Ultimately,InternalAuditmustcommunicateanimage
thatcorrespondstothisdualrole:auditingwiththegoalofachievingawin-win
situationforeveryoneconcerned.Accordingly,anauditmandatefromtheBoardof
Directorsisalwaysassociatedwiththechallengeofconductingauditsbymutual
consent,toboostthetrustofallinvolved.ItmustbeclearthatInternalAuditdoes
notconductauditstocriticize,butinsteadtobringaboutconstructiveandforward-
lookingimprovements.
hisresultsinanewself-imageforInternalAudit.Complexcircumstancesde-
mandingahighdegreeofspecializedknowledgeandhighlyqualiiedstafonthe
one side, and increasingly public demonstrations of responsibility by corporate
managementontheother,willgiveInternalAuditabalancedpositionbetweenthe
variousparties.Toachievethis,InternalAuditmusthaveclearprinciples,distinct
processes,andatransparenttaskspectrum.Withthisfoundation,itwillbeableto
meettheincreasingpressureofpursuingitsindependentauditmandate,whiletak-
ingdiferinginterestsintoaccount.
HINTsANDTIPs ;
• InternalAuditshouldconsiderhowotheremployeesperceivethecurrentand
futureroleofcompliance,corporategovernance,etc.andcompareittohowthe
departmentpresentsitself.
• InternalauditorsshouldshareideasforimprovingauditmethodswithInternal
Auditmanagement.
ManagementconsultingFunctionManagementconsultingFunction
operationalsupportoperationalsupport
InternalAudit’sDualRoleInternalAudit’sDualRole
self-Imageself-Image
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
A|2|2.5
40
LINKsANDReFeReNces e
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• CASCArInO,r.AnDS.VAnESCH.2005. Internal Auditing: An integrated approach.
lansdowne,SA:JutaandCo.
• CHApMAn,C.2001.raisingtheBar.Internal Auditor(April2001):55–59.
• HUgHES,p.2004.WhyInternalAuditorsAudit.he CPA Journal(February2004):15.
• InSTITUTEOFInTErnAlAUDITOrS.1997.InternalAuditIndependence.Journal
of Accountancy(January1997):8.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000-1: Internal Audit
Charter.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• MUTCHlEr, J., S. CHAng AnD D. prAWITT. 2001. Independence and Objectiv-
ity: A Framework for Internal Auditors.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
2.5.2 InternalAuditasaComponentofCorporateGovernance
KeyPoINTs •••
• Internal Audit supports compliance within the corporate governance frame-
workintwosigniicantways.First,InternalAuditisanintegralcomponentof
thebusinessmonitoringsystem.Second,itsieldworkresultsinawidevariety
of informationthatcanbeused toensureand improve theawarenessofand
adherencetocompliancerequirements.
• InternalAudit’sresponsibilitiesincludetheexaminationofinancialreporting
andprocesscontrols,case-speciicindividualaudits(especiallyincaseofsus-
pected loss to thecompanyorbasedonaspeciicrequest fromtheBoardof
Directors),theinitiationofguidelinesandworkinstructions,andclosecoop-
erationwithriskManagement,theexternalauditors,and–ifnecessary–the
AuditCommittee.
41
In recentyears, the increasingdiscussionaboutcorporategovernancehashada
variety of efects on corporate institutions and management. he impacts range
fromthecreationofnewcorporateunits,suchasriskManagement,tomodiica-
tionsofexistingfunctions.heglobalorientationofcompaniesotengoeshand-in-
handwithincreasednoticebythegeneralpublic.Ifacompanyisrepresentedin
internationalmarkets,theinternalandexternalethicaldemandsonthecompany
andonitsmanagersshouldnotbeunderestimated.Inthiscontext,adiscussionof
possibleliabilityofthepeopleresponsibleisinevitable.
Asaresult,theimportanceofcompliantinancialreportingandprocesslows,
internalcontrolandriskmanagementsystems,andevenbusinessfunctionssuchas
managementaccountingandauditing,isalsoincreasingrapidly.Inparticular,In-
ternalAuditcanprovideimportantinformationtocontrolandlimitliability,mak-
ingtheriskofunexpectedlosseseasiertocontrol.
heintroductionofSOXhascompelledorganizationstonetworkallcompany
functionsinvolvedincomplianceandriskmanagement.Asaresultofthenewlegal
framework,theexchangeofinformationforensuringenterprise-widecompliance
hadtobegiventheappropriatepriority.InternalAudit is involvedintheoverall
corporategovernanceapproachinavarietyofways.heindividualrelationships
canbedescribedasfollows:
• AsanauditbodyoftheBoard,InternalAuditassumestaskswhichallowthe
Boardtodelegateitsresponsibilitieswithregardtoitsiduciaryandgovernance
responsibilities.hisincludestasksaimedatensuringdirectcompliancewitha
corporategovernancecode(e.g.,compliancewithrulesofconduct).
• InternalAuditconductsnumerousieldworkactivitiestopromoteasolidfocus
onthecomplianceofinancialreporting.Itthuscontributessigniicantlytopro-
vidingreliableinformation,particularlywithregardtoaccurate,completeand
transparentannualinancialstatements.
• Auditingtheinternalcontrolsystem(ICS)includesbothprocessevaluationson
asamplebasisduringindividualauditsandsystematiccomplianceteststopre-
parethedisclosuresstipulatedbySOX(seeSectionC,Chapter8).
• Bymonitoringtheriskmanagementsystem,togetherwiththeriskmanagement
function,ifoneexists,mutuallyexchanginginformationaboutidentiiedrisks,
andtrackingthemjointly,InternalAuditfurtherpromotesitsintegrationwithin
thecorporategovernanceframeworkofacompany.
• Tocomplywithrulesandenforceindividualmeasures,itisusuallynecessaryfor
theBoardofDirectorstoenactappropriateguidelinesandinstructions.Inthis
context,InternalAuditisresponsibleforrecognizingthisneedandprompting
theresponsibledepartments to formulate theseprinciples.heobjective is to
createaframeworkofguidelinestoenable(ormakeiteasierfor)management
tocontrolandtestcomplianceasanelementofcorporategovernance.
• Communication between Internal Audit and the Board of Directors helps to
strengthentheroleofInternalAudit.Tothatend,thenewyorkStockExchange
(nySE)listingStandardsrequirethattheAuditCommitteemeetinprivatewith
corporateGovernancecorporateGovernance
InformationProvidedbyInternalAuditInformationProvidedbyInternalAudit
LegalFrameworkandIntegrationintocorporateGovernance
LegalFrameworkandIntegrationintocorporateGovernance
AuditBodyoftheBoardAuditBodyoftheBoard
complianceofFinancialReportingcomplianceofFinancialReporting
AuditingtheInternalcontrolsystemAuditingtheInternalcontrolsystem
MonitoringtheRiskManagementsystemMonitoringtheRiskManagementsystem
GuidelinesandInstructionsGuidelinesandInstructions
BoardofDirectorsBoardofDirectors
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
A|2|2.5
42
theCAEperiodically.hesemeetingsmayrelatetotheindingsofauditscon-
ductedortotherequirementsthatarisedirectlyfromtheworkoftheBoard.
• hereareanumberofoptionsforcooperationwithexternalauditors.heind-
ingsofongoingauditscanbeexchangedregularly.Inaddition, internalaudit
reportsmustbemadeavailabletotheexternalauditors.Undercertaincircum-
stances,further-reachingcooperationcouldalsobefeasible,(e.g.withregardto
revenue recognition programs or external auditor reliance on the work per-
formed by Internal Audit for SOX compliance in accordance with Auditing
Standardno.5).
• Ultimately,InternalAudit’sreportsprovideawidevarietyofinformationthat
allowstheBoardofDirectorsandmanagementtoinitiateorperformactivities
aimed at compliance with corporate governance principles on a case-by-case
basis.heseactivitiesrangefromday-to-daybusiness,suchasindividualstaf
issues,throughfundamentalbusinessmatterssuchasinancingformajorcapi-
talexpenditureprojectsorproblemsrelatedtocompetitionlaw.
OnefunctiontakesonaspecialroleintheabovecatalogofInternalAudit’stasks
andfunctionswithregardtoenforcingandcomplyingwithcorporategovernance
requirements:AuditsoftheICStoavoiddeliberateorunintentionalabuseresulting
inlossesfortheenterprise.SafeguardingtheICSisthereforeanimportantpartof
almostanyinternalaudit.Examplesofinternalcontrolsarethesegregationofdu-
ties, data matches, and plausibility checks on data entries. A distinction can be
drawnbetweenacontinuousandadiscontinuousapproach.heaimofallinternal
controlsisultimatelytopreventoridentifygapsanderrorsasfaraspossible.Inter-
nal controls are a process-integrated form of monitoring, while Internal Audit
worksprocess-independently.Inthisregard,InternalAudithasagenuinemonitor-
ing role, which means that the control systems installed in enterprise processes
mustbetestedindetailforcompletenessandefectiveness.hesetestsincludeeval-
uatingsuitablesamples.ItisimportanttonotethatInternalAuditisnotresponsible
forensuringthatthecontrolsintegratedintotheprocessesareactuallyapplied.his
is thetaskof theemployeeormanagerresponsible for theprocess.Especially in
globalcompanies,thecontrolprocessesshouldbeimplementedwithanetworked
ITsolution.hisinturnmeansthatInternalAuditmustmakeprovisionsforthese
horizontalprocessesinitsauditsbyconductingthemglobally.
SOXhasincreasedtheimportanceofinternalcontrolsbecausetheyformoneof
the cornerstones of this act. A clearly documented process structure not only
identiiestheinternalcontrols,butalsolinksthemtotheapplicablerisksandthe
inancial accounts afected, and the relevant company processes. Whereas in a
traditional ICS, compliance audits primarily test whether the accounting docu-
ments(includingaphysicalinventoryandthemeasurementofassetsandliabilities)
complywiththelaw,theprovisionsofSOXaremuchmorefar-reaching,because
they consider every process that is in any way relevant to inancial reporting.
Financial reporting compliance has therefore expanded from a focus on the ac-
countingdocumentonlytoincludetheunderlyingprocesses.hisentailschanges
externalAuditorsexternalAuditors
InformationFunctionInformationFunction
AuditingtheInternalcontrolsystem
AuditingtheInternalcontrolsystem
signiicanceofsoXsigniicanceofsoX
43
to the audit approach Internal Audit uses for auditing the ICS (see Section C,
Chapter8).
HINTsANDTIPs ;
• Auditieldworkshouldalwaysintegrateinformationrelatedtocompliance,risk
management,andinternalcontrols.
• Duringauditpreparation,examineeachauditstepwithcomplianceinmind.
• Takenoteofandforwardtotheindividualsorentitiesresponsibleanyinforma-
tionregardingtheneedtocreate,extend,orchangeinternalcompanyguide-
linesidentiiedduringieldwork.
• InternalAuditmustalsoreportanyinformationdiscoveredregardingactualor
suspectedfraudtotheappropriatebodies.
LINKsANDReFeReNces e
• BEASlEy,M.,AnDD.HErMAnSOn.2004.goingBeyondSarbanes-OxleyCompli-
ance:FivekeystoCreatingValue.he CPA Journal(June2004):11–13.
• BrOMIlOW,C.,BErlIn,B,AnDJ.AnDErSOn.2005.SteppingUp.Internal Audi-
tor(December2005):52–57.
• BrUnE,C.2004.EmbracingInternalControls.Internal Auditor(June2004):75–81.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• COlBEr, J.2002.FurnishingaContext for InternalAuditing.he CPA Journal (May
2002):34–38.
• COMMITTEEOFSpOnSOrIngOrgAnIzATIOnSOFTHETrEADWAyCOM-
MISSIOn(COSO).2004.Enterprise Risk Management Integrated Framework.newyork,
ny:AICpA.
• HArrIngTOn, C. 2005. he Value proposition. Journal of Accountancy (September
2005):77–81.
• InSTITUTEOFInTErnAlAUDITOrS.2003.Internal Audit Reporting Relationships:
Serving Two Masters. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS.2002.Practice Advisory 1110-2: Chief Audit
Executive Reporting Lines.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• kAplAn,S.,AnDJ.SCHUlTz.2006. he Role of Internal Audit in Sensitive Commu-
nications.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• kEInATH,A.,AnDJ.WAlO.2004.AuditCommitteeresponsibilities.he CPA Jour-
nal (november2004):22–28.
• lAngEr,D.AnDpOpAnz,T.2006.SustainableCompliance.Internal Auditor(Feb-
ruary2006):54–58.
• MCCOllUM, T.2006.Ontheroadtogoodgovernance.Internal Auditor (October
2006):40–46.
• pArkInSOn,M.2004.AStrategyforprovidingAssurance.Internal Auditor(December
2004):63–68.
A|2|2.5ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
44
• prICEWATErHOUSECOOpErS. 2005.Audit Committee Efectiveness – What works
best.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• pUBlICCOMpAnyACCOUnTIngOVErSIgHTBOArD(pCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements.http://www.pcaobus.org/Standards/
Standards_and_related_rules/Auditing_Standard_no.2.aspx(accessedMay31,2007).
• pUBlIC COMpAny ACCOUnTIng OVErSIgHT BOArD (pCAOB). 2005. Staf
Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.
pcaob.org/standards/staf_questions_and_answers/2005/01-21.pdf (accessed May 31,
2007).
• rITTEnBErg,l.2002.lessonsforInternalAuditors.Internal Auditor(April2002):32.
• rITTEnBErg, l.2006.InternalControl:noSmallMatter.Internal Auditor(October
2006):47–51.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• STErnBErT, r. AnD D. pOJUnIS. 2000. Corporate governance. Internal Auditor
(December2000):34–39.
2.5.3 InternalAuditasaServiceUnit
KeyPoINTs •••
• Inadditiontotraditionalauditactivities,InternalAuditcanoferotheraudit-
relatedandnon-audit-relatedservices.
• hemostimportantconcernisthattheseotherservicesmustnotcauseInternal
Audittoviolatetheprinciplesofindependenceandobjectivity.
• Most important is thedecisionofwhether InternalAudit isauthorized,able,
andwillingtocarryoutotherserviceactivities.hisdecisionwillinvolveacer-
tainamountofself-determination,aswellasconsiderationofthespeciicbusi-
nessenvironment.
Service activities performed by Internal Audit can create signiicant value for a
companysinceInternalAudithaswide-rangingexperienceandcompany-speciic
knowledge.SuchcompanyspeciicknowledgegivesInternalAuditacompetitive
advantageoverexternalconsultants,whichmightenableInternalAudittoprovide
serviceorconsultingactivitiesatalowercost.
InternalAuditisincreasinglycarryingoutotherservices,inadditiontoitstra-
ditionalauditservices.heseotherservicescanbediferentiatedintoaudit-related
andnon-audit-relatedservices(formoreinformationonotherservicesperformed
byInternalAuditseeSectionA,Chapter7).hediferentiationbetweenthetwo
typesoftasksisimportantbecauseeachrequiresadiferentlevelofcommitment
andhasadiferentimpactontheindependenceoftheinternalauditfunction.
expertiseexpertise
otherservicesotherservices
45
Audit-related services include pre-investigations, reviews, cost-efectiveness
analysis, and implementation support. hese services usually do not impact In-
ternalAudit’sindependence.When,forexample,InternalAuditprovidessupport
for the implementation of audit recommendations, the auditee is still ultimately
responsiblefortheimplementationofthoserecommendations.Asaresult,nocon-
lictofinterestbetweenauditingandimplementationsupportwillariseundernor-
malcircumstances.
Whenconsideringwhethertoofernon-audit-relatedservices,InternalAudit
mustansweronefundamentalquestion:DoesInternalAudithavetheauthority,the
abilityandthewilltoperformnon-audit-relatedactivitiesandifso,towhatextent?
InternalAudit isauthorized todosoas longas its independencewithregard to
auditactivitiesismaintained.Serviceactivitiesmustnotinluencedecisions,obser-
vations,recommendationsorindingsinconnectionwithieldworkatanystageof
theauditprocessandtheauditors’objectivitymustnotbecompromised.prerequi-
sitesforachievingthisimpartialityarethetargetedselectionoftheinvolvedaudi-
tors,coordinationofaudit topics,andadherencetoanobjectiveauditapproach.
non-audit-relatedservices,suchasconsultingandprojectmanagementservices,
mustbeconsidereddiferently.IfInternalAudit’sexpertiseisneeded,theauditor
whocarriesouttheseactivitiescannotbethesameindividualresponsibleforsub-
sequentauditsoftheareas.DecisivefactorsindeterminingwhetherInternalAudit
shouldcarryoutotherserviceactivitiesareitsspeciicpositionwithinthecompany
andthestrategicdirectionthattheBoardofDirectorsgivestotheinternalaudit
function.TakingonotherserviceactivitiesmustbesubjecttoapprovalbytheBoard
ofDirectors.Toavoidconlictsofinterest,theAuditCommitteeaspartoftheBoard
shouldsetunambiguousrulesthatspecifywhichserviceactivitiestheinternalaudit
functionisallowedtocarryout.
heextenttowhichInternalAuditisabletoperformconsultingactivitiesde-
pendsonthetechnicalknowledgeavailablewithinthedepartmentandtheamount
oftimeavailabletoperformtheseactivities.Otherfactors,suchasconlictsofinter-
estandorganizationalpoliciesalsoneedtobeconsidered.Dealingwiththequestion
ofwhetherInternalAuditwishestoperformnon-audit-relatedactivitiesmayinvolve
adiscussionaboutInternalAudit’sself-imageandstrategy.Forthereputationand
statusofInternalAuditwithinacompany,itmaybebeneicialtocomplementthe
corecompetencyofauditingwiththeseotherservices.Extendingtherangeofactivi-
tieswillenhanceexposuretotheBoardofDirectors,tomanagement,andeventually
toallemployees.hedownsideisthattoomuchinvolvementcanpotentiallyafect
thereputationandstatusoftheinternalauditdepartmentwithexternalauditors.
Ultimately,theextenttowhichanindividualauditoriswillingtocarryoutnon-
audit-relatedserviceactivitieswilldependonthatindividualandhisorhersuperi-
orsinadditiontoanyrulessetbytheBoardofDirectors.Togethertheymustdecide
onacase-by-casebasiswhethertheauditorinquestioniswillingandabletoper-
formthesetasks.heavailabilityoftargetedsupportanddevelopmentprograms
shouldopennew,interestingperspectivesforindividualcareerdevelopment.
Audit-RelatedservicesAudit-Relatedservices
Non-audit-relatedservices:MaintainingIndependence
Non-audit-relatedservices:MaintainingIndependence
Know-Howandself-ImageKnow-Howandself-Image
PersonalQualiicationPersonalQualiication
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
A|2|2.5
46
HINTsANDTIPs ;
• Supportingmeasuresareveryusefulwhenimplementingtheauditrecommen-
dationsastheyconveyanadditionaldegreeofacceptance.
• Auditorsshouldeachdecideindividuallywhetherandtowhatextenttheywant
toconsiderperformingnon-audit-relatedserviceactivities.heirpersonalde-
velopmentprogrammustbealignedbasedonthisdecision.
• Intheoverallplanning, theCAEshouldschedulenon-audit-relatedactivities
inharmonywiththedepartment’stargetsandtheindividualgoalsofeachem-
ployee.
• AuditsmustonlyrelatetomattersthatInternalAuditwasnotdirectlyinvolved
increating.
• InternalAuditmustkeepabrief,ongoingrecordofservicesitperforms.
• InternalAuditshouldaimtobillatleastpartofthenon-audit-relatedservices
performed.
LINKsANDReFeReNces e
• AnDErSOn,r.AnDS.lEAnDrI.2006.Unearththepowerofknowledge.Internal
Auditor(October2006):58–64.
• AnDErSOn, U. 2003. Assurance and Consulting Services. In: A. D. BAIlEy, A. A.
grAMlIngAnDS.rAMAMOrrTI(EDS.).Research Opportunities in Internal Au-
diting.AltamonteSprings,Fl:InstituteofInternalAuditorsresearchFoundation.
• AnDErSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• grOSS,J.2006.ControlConsciousness.Internal Auditor(April2006):32–35.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• MCDOnAlDS,p.2003.Staingtoday’sInternalAuditFunction.Internal Auditor (De-
cember2003):46–51.
• rAzzETTI,E.2003.InternalAuditing.Consulting to Management14(December2003):
34–37.
• rICHArDS,D.2001.ConsultingAuditing–ChartingaCourse. Internal Auditor (De-
cember2001):30–35.
• rOBITAIllE,D.2004.World-ClassAuditandControlpractices.Internal Auditor(Feb-
ruary2004):74–81.
47
• rOTH,J.2003.HowdoInternalAuditorsAddValue?Internal Auditor (February2003):
33–37.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEArS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
• WAlkEr, p., W. SHEnkIr, AnD T. BArTOn. 2002. Enterprise Risk Management:
Putting it All Together.AltamonteSprings,Fl:heInstituteofInternalAuditors.
2.5.4 TrendtowardAuditManagement
asaCorporateManagementInstrument
KeyPoINTs •••
• Asaresultofchanges in legal requirementsandexternalguidelines, Internal
Auditcurrentlyhastheopportunitytodevelopfromretrospectiveauditingto
becomeafuture-orientedmanagementinstrument.
• Fromariskandcontrolperspective,InternalAuditcanbecomeanintegralpart
ofallphasesofthecorporatemanagementprocess.Inaddition,theauditpro-
cessmodeltypicallycontainsalltheessentialstagesofthecorporatedecision
process.
Over time, theroleof InternalAudithaschanged fromstrictlyan“investigative
function”toacorporatemanagementinstrument.InternalAudithasreceivedrela-
tivelylittleattentioninthepast.Sinceitseiciencyandefectivenesswerenotraised
ascoreissues,itwaswidelyperceivedasadepartmentof“boxcheckers.”However,
increased focusoncorporategovernanceand the introductionofnew laws (e.g.
SOX)havetriggeredachangeinattitudes.heincreasingimportanceoftranspar-
encyandreliabilityhasledtoanenhancementofInternalAudit’sstandingbecause
itrepresentsaninstrumenttohelpachievetheseobjectives.ForInternalAudit,this
presentsanopportunitytomovepastperformingonlyretrospectiveauditworkto
a more integrative, process-oriented, forward-looking and global model. On the
basisoftheseelementsofintegration,focusonthefuture,andinternationality,In-
ternalAuditcanexpanditspositionasacorporatemanagementinstrument.here
areseveralfactsthatexemplifythisdevelopment:
• IndividualInternalAuditfunctionsareassignedtothebasicphasesofthecor-
poratemanagementprocess.
• he corporate management process of setting objectives, planning, control,
monitoring,andinformationisusedwithinInternalAudit.
• hereisachangefrompurelyretrospectivetofuture-orientedauditing.
DevelopmentofInternalAuditDevelopmentofInternalAudit
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
A|2|2.5
48
hephasesofthebasiccorporatemanagementanddecisionprocess,whichareset-
tingobjectives,planning,control,monitoring,andinformation,canbematchedto
therelevantprocessesinInternalAudit,almostonaone-to-onebasis.
• Corporateobjectivesalsohaveanimpactontheauditobjectivesandcontentsof
InternalAudit.Forexample, ifamainobjectiveof thecompanyis toexpand
foreignbusinessactivities,InternalAuditwill,toacertainextent,auditthepro-
cessesoftheunitsafectedbyinternationalactivities.Conversely,insightsgath-
eredasaresultofauditworkmayalsohaveaninluenceoncorporateobjectives.
Forexample,ifanauditidentiiesalackofinternalguidelinesandinstructions,
thismaybetranslatedintoamanagementobjectivetoimproveexistingpolicies
andprocedures.
• Acompany’splanning,whichissometimesperformedinstagesasobjectivesare
beingdeined,mayhaveamajorimpactonInternalAudit’sannualauditplan.
EvenifInternalAuditgenerallyconductsitsplanningindependentlyandwitha
riskfocus,itshouldtakethecompany’sstrategicandoperationalobjectivesinto
consideration.Forexample,iftheobjectiveistosupportthedevelopmentofa
newproduct, it is logical that InternalAuditwouldcarefullyevaluatequality
controlandintellectualpropertyrequirements.
• hecompany’sbusinessactivitiescanalsobecontrolledwithInternalAudit’s
involvement.hecapacitiesavailableforad-hocauditscanbeusedatshortno-
ticetomakeorvalidatecertainexecutivedecisions.heresultsoftheauditsin-
cludedintheannualauditplanmay,inturn,alsoinluencecorporatecontrol,
becausetheauditresultsaremadeavailabletomanagementimmediately.
• Inlinewiththewell-developedfollow-upauditprocess,monitoringthecorrec-
tionofauditindingsisbecomingincreasinglyimportant(seeSectionB,Chap-
ter6).hisprocessofimplementationmonitoringisintendedtoensurethatthe
recommendationsofInternalAuditarerespectedandimplemented.Implemen-
tationmonitoringmaybecloselyrelatedtothespeciicfunctionsofothercon-
trolunits,suchasManagementAccounting,socooperationwithsuchunitswill
bemutuallybeneicial.
• heintegrationofauditresults intothecorporate-wide informationprocess is
themostimportantinterfacewiththecompany’sothermanagementinstruments.
InternalAuditprovidesreportsforallrelevantlevelsofmanagement,including
theBoardofDirectorsandtheAuditCommittee.Dependingontheircontent,
thesereportsmaybeusedasinputforBoardresolutions,orformthebasisfor
operationalimplementationinstructionsforlowerlevelsofmanagement.
hesecondfactthatunderlinesInternalAudit’sdevelopmenttowardacorporate
managementinstrumentisthatInternalAudit’sorganizationincreasinglyresem-
blesthatofastrategicbusinessunit.Fromplanning,preparation,andimplementa-
tionthroughreportingandfollow-upaudits,theoperationalleveloftheInternal
Audit’sprocessmodelcontainsalltheessentialstagesofthemanagementprocess.
Becauseofitsphasemodel,thismeansthat,inpurelyformalterms,InternalAudit
Integrationintothecorporate
ManagementProcess
Integrationintothecorporate
ManagementProcess
objectivesobjectives
PlanningPlanning
controlcontrol
MonitoringMonitoring
InformationInformation
UseofthecorporateManagementProcessUseofthecorporate
ManagementProcess
49
isamanagementinstrumentinitsownright.Asingleauditrequestcanbehandled
accordingtothesamerulesasanyotherstrategicdecisiontool.
hethirdaspect is InternalAudit’sevolutionfromareactiveperspective that
focuses on past and present events toward a proactive, future-oriented manage-
mentinstrument.henatureofauditsisbecomingincreasinglypreventive,which
meansthattheirresultscanimpactthecorporatedecisionprocessingeneralorin
relationtoindividualcases.preventiveauditsworkwithassumptions,trends,search
functionsandcriteria,aswellasprobabilitiesandapproximations.Inaddition,au-
dit-relevant parameters, such as thresholds, criteria catalogs, statistical distribu-
tionsandanymethodthatproduceskeyvariables,maybeusedtocreateasystem
ofearlyindicators.Oncecertainthresholdsarereached,InternalAudit(automati-
callyormanually)triggerstheappropriateieldwork.hiscreatesacontinuousim-
provementprocess,whichperformsitsownchecksandcontrols.
End-to-end integration of the audit process into the corporate management
processcompletes the shit towardauditmanagement.his turns InternalAudit
intoanintegralpartofthecorporatemanagementprocess,whichcangiveriseto
synergies.Most importantly, InternalAudit supports thecorporatemanagement
processinallitsphases,butwithoutbecominganoperationalpartofthisprocess
and thusrunning theriskof losing its independence.hediagrambelowshows
howInternalAuditisintegratedinthemanagementprocess.
HINTsANDTIPs ;
• EventhoughitisusefulandnecessarytointegrateInternalAuditintothecor-
poratemanagementprocess,itsindependencemustbepreserved.
ProactiveAuditFocusProactiveAuditFocus
IntegrationoftheAuditProcessIntegrationoftheAuditProcess
Fig. 5 IntegrationofInternalAuditintheManagementProcess
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
A|2|2.5
50
• he management process and management goals guide internal audit activi-
ties,becausemanagementactionsgreatlyafectcompanyrisks.Inaddition,by
focusingonmanagementactivities internalauditorscan identifyareaswhere
theycanaddmostvaluebygeneratingadditionalinformationandguidancefor
management,andbyprovidingassurance.Whenperformingtheirwork,audi-
torsshouldthusnotlimittheiractivitiestoworkingthroughtheauditschedule,
butalsofocusontopicsthatrequireproactiveauditprocedures.
LINKsANDReFeReNces e
• AlBIzEr,g.,J.CASBEll,AnDD.MArTIn.2003.InternalAuditOutsourcing.he
CPA Journal(August2003):38–42.
• CASCArInO,r.AnDS.VAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• CHApIn, C. AnD A. CyTrAUS. 1994.reinventingtheInternalAuditprocess.Ohio
CPA Journal(February1994):37–40.
• COMMITTEEOFSpOnSOrIngOrgAnIzATIOnSOFTHETrEADWAyCOM-
MISSIOn(COSO).2003.Enterprise Risk Management Framework.newyork:AICpA.
• DElOACH, J. 2000.Enterprise-wide Risk Management: Strategies for Linking Risk and
Opportunity.london:FinancialTimesManagement.
• gIll,J.2005.Believeitornot…theinternalauditorisyourbestfriend.Chartered Ac-
countants Journal (April2005):51–52.
• grAy,g.2000.Changing Internal Audit Practices in the New Paradigm: he Sabarnes-
Oxley Environment. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• gUpTA, p. 2001. Internal Audit Reengineering: Survey, Model, and Best Practices. Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• MOEllEr,r.2004.ManagingInternalAuditinginapost-SOAWorld.he Journal of
Corporate Accounting & Finance(May/June2004):41–45.
• rICHArDS, p. 1995. InternalAuditvs.lineManagement:AWin/WinSituation.CPA
Journal (July1995):63–66.
• rOTH,J.2002.Adding Value: Seven Roads to Success.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEArS,B.2002.Internal Auditing Manual. newyork,ny:Warren,gorham&lamont.
• SErVAgE,J.2006.policyandgovernance.Internal Auditor(August2006):83–87.
• SMITH,g.1999.WhyInternalAuditingMustChangetoSurvive.he Journal of Corpo-
rate Accounting & Finance(May/June2000):11–15.
51
2.5.5 InternalAuditasaProfitCenterOrganization
KeyPoINTs •••
• Without exception, Internal Audit must be eicient in the resources it con-
sumes.
• Budgetsmustbeeicient,auditsmustbecost-efective,andvariancesmustbe
continuouslymonitoredandevaluated.
• Ifeconomiceiciencyisextendedtoincluderevenue,billingoptionsarisefor
serviceandconsultingactivities.
• AnotherstepcouldinvolveexpandingInternalAudittobeacompetencecenter.
hiswouldallowInternalAudittooferbillableservicestothirdpartiesandto
generaterevenue.
likeallotherdepartments,InternalAuditissubjecttothebasicrulesofbusiness.
hismeansthatexistingresourcesmustbedeployedinatargeted,results-maximiz-
ingmannerandauditsmustbeperformedcost-consciouslyandwithintheassigned
budget.However,deadlineandcontent-relatedissuescanrequirespecialoraddi-
tionalauditengagements.Insuchcases,themanagementofInternalAuditmust
ensurethat,despitetheseadditionalactivities,budgetlimitsareadheredtoornec-
essaryadjustmentsexplained.
heCAEisresponsiblefortheentireprocessofinancialcontrolwithinthein-
ternalauditarea,althoughtheCAEcanalsoincludehisorhermanagementteam
inthisresponsibility.Employee-relatedandaudit-relatedbudgetsformthecoreof
cost-centerplanning.Importantconsiderationsincludetraininganddevelopment,
travelexpenses,aswellasaudit literature,costs forexpertopinions, the involve-
mentofexternalspecialists,andattendanceatconferences.Budgetsaredrawnup
withinanannualbudgetingframeworkandarebasedonthenumberofplanned
auditsaswellasexpectedad-hocauditsandspecialprojects.heactualcostscanbe
allocatedfortheentireauditdepartmentordividedintoregionalauditteams.Itis
alsoconceivabletoallocateaudit-relatedbudgets,especiallytoglobalauditsorau-
ditsexpectedtotakealongtime.hisapproachwouldrequireallcoststobeallo-
catedand–totheextentpossible–activitiestobetracedtotherespectiveaudit
engagement. Separate budgets for audit-related and non-audit-related services
wouldallowformorespeciiccostallocation.Allocatingcostsmakesitpossibleto
carryoutperiodiccostvarianceanalysesforthecostcentersatanystageduringthe
iscalyear,andtomonitorwhetherindividualauditsmeettheirbudgets.Variance
analysiscouldprovideareliablebasisforfutureplanning(formoredetailsoncost
management,seeSectionD,Chapter8).
hiscost-basedassessmentofInternalAuditcanbeextendedtoaresults-ori-
entedproitcenteraccounting.Inthiscase,however,InternalAuditmustensure
thattheauditsarenotunderpressuretogeneraterevenue.hisalsomustbere-
UseofResourcesUseofResources
BudgetPlanningBudgetPlanning
ProitcenterProitcenter
A|2|2.5ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ImplementingtheAuditMandate
52
lectedintheproitandlossbudget,inthatproitcanonlybeexpectedfrom“ser-
vice” activities. As a result, the activities of Internal Audit may be divided into
“compulsory”activitiesthatcannotbebilledand–ifpossible–billableserviceac-
tivities.hesettlementmethodcanbetailoredtotherespectivetargetgroup:Inter-
companycosttransfersforinternalcustomers,andinvoicesforexternalcustomers.
InternalAuditreceivesrevenueforitsactivitiesinbothcases.heobjectivecould
betoextendthebasisonwhichtheeconomiceiciencyofInternalAuditismea-
sured with regard to budget compliance, or to earn a contribution margin. Of
course,additionalorsupplementaryrevenueandproitplanning–withthecorre-
spondingextendedvarianceanalysis–willbeneededaswell,incontinuationofthe
budgetplanningandcostvarianceanalyses.
Ultimately,thisresultsinInternalAuditalsobeingdeinedasakindofservice
andcompetencecenterforauditsandotherrelatedservices.Asaresult,Internal
Auditwouldalsobecapableofoferingitsservicestoexternalcustomersasanex-
tensionofitsbusinessactivities.Jointprojectsinthisregardwouldmakenearlyany
extensionofcorecompetencies–andthusbusinessactivities–feasible.Asaresult,
InternalAuditcouldperformservicesthatgofarbeyondthetypicalauditmandate,
yetarealwaysderivedfromitscorecompetencies.
HINTsANDTIPs ;
• Before thestartofanaudit, theauditors shouldensure that suicientbudget
fundsandresourcesareavailableforthenecessarymeasures.
• Detaileddocumentationofallcostsincurredisessentialtoenableaccuratecost
analysis.
• Allexpendituresandworktimesbytheauditorsshouldberecordedforeach
auditrequestforstatisticalandperformancepurposesandforpotentialrevenue
generation.
LINKsANDReFeReNces e
• AnDErSOn,U.2003.AssuranceandConsultingServices.In:BAIlEyJr.,A.D.,A.A.
grAMlIngAnDS.rAMAMOOrTI.(Eds.).2003.Research Opportunities in Internal
Auditing.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• AnDErSOn,r.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• CASCArInO,r.AnDS.VAnESCH.2005. Internal Auditing: An integrated approach.
lansdowne,SA:JutaandCo.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors. AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements. AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
serviceandcompetencecenter
serviceandcompetencecenter
53
• InSTITUTE OF InTErnAl AUDITOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions. AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• InSTITUTEOFInTErnAlAUDITOrS.2001.Practice Advisory 2010-1: Planning.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTErnAl AUDITOrS. 2001. Practice Advisory 2010-2: Linking
the Audit Plan to Risk and Exposure. Altamonte Springs, Fl: he Institute of Internal
Auditors.
• SAWyEr,l.,M.DITTEnHOFEr,AnDJ.SCHEInEr.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEArS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
2.6 InternalAuditandtheRequirementsofSOX
KeyPoINTs •••
• InternalAuditprovidesauditresultswhichmanagementcanuseassupporting
inputtohelpitmeetitsSOXcertiicationrequirements.
• Inatechnicalconsultingcapacity,InternalAuditcanbeinvolvedinpreparing
thedocumentationoftheprocessesandinternalcontrolsandinensuringthe
qualityofthisdocumentation.
• SOXimpactstheactivitiesofInternalAuditintwoareasinparticular:inancial
reportingandthebusinessprocessesrelatedtoinancialreportingandtheiras-
sociatedinternalcontrols.
• EnsuringSOXcomplianceisaseparateanddistinctauditobjectiveforInternal
Audit.
he provisions of SOX, including the detailed interpretations provided by the
pCAOB,areintendedtohelpensurecompliantinancialreportingforcompanies
listedonU.S.stockexchangesandtheirsubsidiaries.hefocusisonthoseareasof
acompanythataremostpronetodeliberatemisstatementsandproitmanipulation
(i.e.,inancialreportingandtheinternalcontrolsoftheunderlyingcorebusiness
processes).
SOXhasseveralprovisionsthatareofspeciicrelevancetointernalauditorsand
forinternalcontrolingeneral.
• heChiefExecutiveOicer(CEO)andChiefFinancialOicer(CFO)mustcer-
tifyeachquarterlyandannualreportiledbytheorganization(Section302).he
certiicationindicatesthatthesigningoicershavereviewedthereportandthat,
basedontheirknowledge,thereportfairlypresentstheinancialconditionof
theorganizationanddoesnotincludeanyerrors,omissionsandisnotintended
tomisleadinvestors.Further,thecertiicationsigniiesthatthesigningoicers
areresponsibleforestablishingandmaintaininginternalcontrolsrelatedtoi-
objectivesofsoXobjectivesofsoX
soXProvisionssoXProvisions
section302section302
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
InternalAuditandtheRequirementsofSOX
A|2|2.6
54
nancialreportinganddisclosureandforperforminganannualassessmentof
thoseinternalcontrols.hesigningoicersarealsoresponsiblefordisclosingall
signiicantdeicienciesinthedesignoroperationoftheinternalcontrolsand
anyfraudthatinvolvesmanagementoremployeeswithasigniicantroleinthe
organization’sinternalcontrols.
• Eachannualreportmustincludemanagement’sassessmentoftheefectiveness
oftheinternalcontrolstructureandproceduresoftheorganizationrelatingto
inancial reporting (Section 404). he pCAOB, established by SOX, has pro-
videdspeciicguidancetotheindependentauditorsregardingtherequirements
fortheevaluationofmanagement’sassessmentofinternalcontrolsinAuditing
Standards(AS)2.However,itshouldbenotedthatthepCAOBhasestablished
revisedguidance(AS5)whichincludestheeliminationoftheexistingrequire-
mentthattheindependentauditorevaluatemanagement’sinternalcontrolas-
sessmentprocess.herevisedguidancerequiresonlythattheauditortestthe
internal controls directly to determine their efectiveness, without evaluating
management’assessmentprocess.
• SOXalsoguaranteeswhistleblowerprotectiontoensurethatemployeesareable
toreportinformationregardingpotentialviolationsoftheAct,anySECrules,or
anyactivitiesrelatingtofraudagainsttheshareholderswithoutfearofadverse
consequences (Section 806). Speciically, the act ensures that whistleblowers
cannotbedischarged,demoted,suspended,threatened,harassed,ordiscrimi-
natedagainstiftheychoosetoreportpotentialviolations.hisprovisionapplies
speciically to the internal audit function because in some organizations it is
InternalAudit’sresponsibilitytoreceiveandprocessanyreportedviolationsand
investigatetheallegations.Alternatively,manyorganizationsmayalignwhistle-
section404section404
section806section806
Management Auditor
Process: Continuous improvement of internal controls
Assess
control
design&
remediate
issues
Attestand
report
Document
processesand
controls
Scoping&
set-up
SOX: Section Requirements SAP solution
302
404
806
Internalcontrolmanagementtool
Internalcontrolmanagementtool
ReporttoAuditCommittee
Fig. 6 RelevantRequirementsofSOX
55
blowerprotectionunder the legaldepartmentandmayuse InternalAudit to
assistininvestigationsofallegations.
CompaniesthatfallunderSOXmustintegratetherelevantsetsofrulesintotheir
corporateprocesses.hemostsigniicantprovisionofSOXforinternalauditorsis
therequirementthatinancialstatementauditsnowsystematicallyincludeanalysis
ofbusinessprocessesrelatedtotheinancialstatementsandtherelevantinternal
controls.Inamultistageprocedure, thefunctionsoftheindividualprocesssteps
mustbeanalyzed,therisksmustbeidentiied,andtheinternalcontrolsmustbe
deinedandlinkedaccuratelytotheappropriateinancialaccounts.hisrequires
thatallprocessstepsbedocumentedindetailandupdatedannuallyaspartofan
internalcontrolevaluation.
A number of business units with varying responsibilities are included in the
SOXprocesses.Togetherwithmanagement,theprocessownerscarrytheprimary
responsibilityfordeiningtheprocessesandrespectivecontrols.Ultimately,man-
agementdeclaresitselfresponsiblefortheoverallfunctioningofallprocesssteps
andtheappropriatecontrolsbycertifyingunderpenaltyofperjurytheaccuracyof
theinancialstatementsandthesystemthatgeneratedtheseinancialstatements.
Asastafdepartment,InternalAuditcantakeontwodistinctroleswithregard
toSOX.First,whenthesystemis implemented, it isnecessary toensure thatall
signiicantprocesseshavebeenfullyrecordedanddocumentedincompliancewith
therules,includingdocumentationofallinternalcontrolsandthewaytherisksare
linkedtoinancialaccounts.InternalAuditcanprovidesupportbyadvisingoperat-
ingunitsonthebasisofitsauditexperience.Initially,thisfunctionshouldbeviewed
independentlyof auditing; it isusedaspreparation for subsequentauditsof the
internalcontrolsystem.
hesecondroleofInternalAuditistoperformitsactualieldwork.Oneoption
istoregardtheissueofSOXprocesscontrolsasaseparateaudittopic,examining
theentiresequenceofstepsthatleadtoensuringSOXcompliance.hisincludes
theresponsibilities, thequality,and timelinessof thedocumentation,examining
selected core business processes, testing samples of individual internal controls,
andtheentireinformationlowbetweentheinvolvedparties,includingconsulta-
tionandcooperationwiththeexternalauditors.AS2andAS5fromthepCAOB
provideguidancefortheexternalauditorsregardingtheextenttowhichtheymay
relyonthisworkperformedbyInternalAudit.
heexaminationoftheindividualprocessstepsisinturndividedintoseveral
sub-steps:analyzingtheprocessstepsandtheassociatedinternalcontrols,anden-
suringthequalityofthedocumentation.Someoftheseauditactivitiesmayinvolve
agreatdealofwork,especiallywhennewoperatingunitsparticipateintheSOX
documentationfortheirsttimeorcomprehensivechangeshavebeenmadetoin-
dividualprocesses.histypeofauditrequiresamodiiedversionofInternalAudit’s
processmodel(seeSectionD,Chapter14.3.2).
SOXisalsoimportantforInternalAuditinrelationtootherauditobjects,such
as local subsidiaries, internal projects, and initiatives, where the special require-
NewRulesasaResultofsoXNewRulesasaResultofsoX
ProcessResponsibilityProcessResponsibility
supportforImplementingthesystem
supportforImplementingthesystem
ensuringsoXcomplianceensuringsoXcompliance
examiningtheProcessstepsexaminingtheProcesssteps
ImpactonstandardandspecialAuditsImpactonstandardandspecialAudits
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
InternalAuditandtheRequirementsofSOX
A|2|2.6
56
mentsmustbedirectlyintegratedintotheieldwork.Testingtheinternalcontrols
in particular should lead to SOX compliance. he testing procedures are either
documented in Internal Audit’s own working paper templates or in the original
SOXprocessdocumentationandmaybeusedastestevidenceifnecessary.particu-
larlyorganizational changesor improvementson thebasisofpreliminaryaudits
shouldbeincludedintheworkprogram.
InternalAuditisobligatedtogatheranddocumentsuicientevidencethatthe
internalcontrolsarefunctioning.Inaddition,theBoardofDirectorsmustassessthe
company’sSOXcomplianceandconcludethattheinternalcontrolsareefective.
hereisnodoubtthatSOXwillhaveasustainedimpactontheauditworkof
InternalAudit.hishasanumberofpositiveefects.First,itmakesitcompulsory
tofullydocumentthecorebusinessprocessesrelatedtoinancialreporting,includ-
ingtheirefectsontheaccountingsystem.hisisbeneicialforInternalAuditbe-
causeitcanstructureitsworkprogramsonthebasisofexistingdocumentation,
thereforemakingprocessesandinternalcontrolsmoreaccessibletoaudits.Second,
itmakestherecommendationsmadebyInternalAuditbinding,becausetheyno
longerrelatepurelytointernalprocessissues,butevidenceoftheefectivenessof
internalcontrolsmustbeprovidedtoexternalinancialstatementusersaspartof
themanagement’sreportontheefectivenessoftheinternalcontrolstructure.
heresultsoftheSOXdocumentationmayalsoaddconsiderablevaluebeyond
theactualauditwork.Acomparisonoftheauditedandtestedprocessesandcon-
trolsapplyingstandardizedcriteriamakesiteasiertodeineoptimizedprocessesas
standardsorbenchmarks.Suchbenchmarksareexcellentforuseinaknowledge
andexperiencedatabasewhenbackedupbytherelevantdocumentationandsce-
nariosofdiferentprocedures.ItshouldbeInternalAudit’sresponsibilitytoiden-
tifyandsharetheseoptimizedprocessesbecausetheirexposuretomanydiferent
organizationalunitsgivesthemthebestoverviewofallprocessalternatives.
ApartfromthesefundamentalquestionsaboutInternalAudit’sroleandinvolve-
mentintheSOXprocesses,therearefurthertasksthatariseinthiscontext.Other
tasksmayincludetheintroductionofamanagementcodeofethics,thepreparation
ofreportsfortheAuditCommittee,andinvolvementindevelopingareportingsys-
temoninternalcontrols.InthecontextofSOX,InternalAuditalsomustdealwith
informationreceivedaboutfraudandensureadequatecooperationwiththeexter-
nalauditorsandothercompliancefunctionssuchasriskManagement.
HINTsANDTIPs ;
• TaketherequirementsofSOXintoaccountwhenpreparingforoperationalau-
dits.
• Considerintegratingtheassessmentofselectedcontrolsintotheauditsteps.
• AdedicatedauditscenarioshouldbeconstructedfortheSOXcompliancepro-
cess.
• Use theSOXdocumentationasa startingpoint to identifypossibleareas for
processimprovements.
evidenceoftheFunctioningofInternal
controls
evidenceoftheFunctioningofInternal
controls
ImpactofsoXontheAuditWorkofInternal
Audit
ImpactofsoXontheAuditWorkofInternal
Audit
AddedValueofsoXDocumentation
AddedValueofsoXDocumentation
FurtherImpactonInternalAudit
FurtherImpactonInternalAudit
57
LINKsANDReFeReNces e
• AnOnyMOUS.2005.rebalancingInternalAuditintheSarbanes-OxleyEra.he CPA
Journal (november2005):17.
• D’AqUIlA,J.2004.TallyingtheCostoftheSarbanes-OxleyAct.he CPA Journal(no-
vember2004):6–9.
• DIgrEgOrIO,D.,AnDp.CArrUTH.2002.heImpactoftheSarbanes-OxleyActof
2002onManagementandAuditCommittees.Journal of Accounting and Finance Research
(Fall2004):111–119.
• DOUglAS, B. 2005. A guide to Section 404 project management. Internal Auditor
(June2005):61–67.
• DrEXlEr, p. 2006. Could Sarbanes-Oxley Beneit non-SEC registrant Audits? he
CPA Journal (June2006):6–9.
• EDElSTEIn,S.2004.Sarbanes-OxleyCompliancefornonacceleratedFilers.he CPA
Journal (December2004):52–59.
• FArgHEr,n.,AnDA.grAMlIng.2005.TowardsImprovedInternalControls.he
CPA Journal(June2005):26–29.
• FArrEll, J. 2003. A Broad View of Section 404. Internal Auditor (August 2003):
88–89.
• gEIgEr,M.,AnDp.TAylOr.2003.CEOandCFOCertiicationsofFinancialInfor-
mation.Accounting Horizons (December2003):357–368.
• grEEn, J. 2006. Section 404 for Small Caps. Journal of Accountancy (March 2006):
67–70.
• MArDEn. r., r. EDWArDS, AnD W. STOUT. 2003. he CEO/CFO Certiication
requirement.he CPA Journal(July2003):36–44.
• MATyJEWICz, g. AnD J. D’ArCAngElO. 2004. BeyondSarbanes-Oxley.Internal
Auditor(October2004):64–72.
• MCElVEEn,M.2002.newrules–newChallenges.Internal Auditor(December2002):
40–47.
• MIllEr, r. AnD p. pASHkOFF. 2002. regulations under the Sarbanes-Oxley Act.
Journal of Accountancy(October2002):33–36.
• O’BrIEn,p.2006.reducingSOXSection404ComplianceCosts.he CPA Journal(July
2006):26–28.
• OWEnS, D. 2006. Implementing Sarbanes-Oxley Act Section 404. he CPA Journal
(April2006):6–9.
• pUBlICCOMpAnyACCOUnTIngOVErSIgHTBOArD(pCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statementshttp://www.pcaobus.org/Standards/
Standards_and_related_rules/Auditing_Standard_no.2.aspx(accessedMay31,2007).
• pUBlIC COMpAny ACCOUnTIng OVErSIgHT BOArD (pCAOB). 2005. Staf
Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.
pcaob.org/standards/staf_questions_and_answers/2005/01-21.pdf (accessed May 31,
2007).
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
InternalAuditandtheRequirementsofSOX
A|2|2.6
58
• pUBlICCOMpAnyACCOUnTIngOVErSIgHTBOArD(pCAOB).2004.Audit-
ing Standard No. 5: Proposed Auditing Standard – An Audit of Internal Control over Finan-
cial Reporting that is Integrated with an Audit of Financial Statements. http://www.pcaob.
org/rules/Docket_021/2006-12-19_release_no._2006-007.pdf(accessedMay31,2007).
• rAMOS, M. 2004. Section404ComplianceintheAnnualreport.Journal of Accoun-
tancy (October2004):43–48.
• rITTEnBErg,l.AnDp.MIllEr.2005.hegoodnewsaboutCompliance.Internal
Auditor (June2005):55–60.
• SHEIkH, A., AnD A. WAllACE. 2005. heSarbanes-OxleyCertiicationrequir-
ment:Analyzing theComments.he CPA Journal – Special Auditing Issue (november
2005):36–42.
• SOBEl,p.2006.BuildingonSection404.Internal Auditor(April2006):38–44.
• SpIllAnE, D.2004. pCAOBEnforcement:WhattoExpect.CPA Journal (September
2004):32–35.
• TArAnTInO,A.2006.Manager’s Guide to Compliance.Hoboken,nJ:Wiley&Sons.
• USCOngrESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.WashingtonDC:governmentprintingOice.
2.7 ValueAddedbyInternalAuditatSAP
KeyPoINTs •••
• InternalAudit’sguidingprinciple,itsmission,speciiesthemandatewithregard
totheaddedvaluethatistobecreatedbyitsactivities.
• hemainareaswherevalueisaddedarecompliance,improvementstoprocess
security(especiallywithregardto internalcontrols),andtheeicient, target-
orientedutilizationoftheriskmanagementsystem.
• InternalAuditdeliversadditionalbeneits, in that itaims to improvespeciic
aspectsofbusinessprocesses,suchascommunicationlinks.
IfwesummarizetheattributesofgIASwithregardtotheobjectivesformulatedfor
thisdepartmentandthetasksinvolvedintheauditmandate,wegetavariedpicture
ofcontentsandforms.Acentralissueistheall-encompassingbasicprincipleofIn-
ternalAuditandthevalue itadds to thecompany.hemainguidingprincipleof
InternalAuditatSApisformulatedinthemissionofgIAS:hemissionistoensure
thatallactivitiesoftheglobalSApgroupcomplywiththepolicies,guidelines,and
proceduresdeinedbymanagement.hemainareaswherevalueisaddedarecom-
pliance, improvements to process security, especially with regard to internal con-
trols,andtheeicient,objective-orientedutilizationoftheriskmanagementsystem.
SimilartothepreviousdescriptionsoftheobjectivesandtasksfacedbygIAS,
thismissiononceagainhighlightsthediferentlevelsonwhichInternalAuditcan
beintegratedintocompanyprocesses.heirstlevelisclearlyaimedatcompliance
MissionandAddedValue
MissionandAddedValue
compliancewithRegulations
compliancewithRegulations
59
withalltypesofinternalandexternalguidelinesandregulations,toensureproper
businessoperations.Here,InternalAuditaddsvalue inthesenseofreliabilityof
informationgeneratedinthebusinessprocessesandinancialreporting.
Onasecondlevel,gIAScooperatescloselywiththeriskmanagementdepart-
mentinordertoidentifybusinessrisksandsuggestwaysofkeepingtheseriskstoa
minimum.hisalsoaddsvaluetothecompany.hetargetgroupofthisinforma-
tionismanagementatanylevel,butparticularlystrategicmanagement,whichis
ultimatelyresponsibleforcontrollingallbusinessrisks.
InternalAuditcanaddsigniicantvaluebydevelopingandsharingoptimized
processsolutions(“bestpractices”)toimproveinternalcontrols.Asaresult,opera-
tionalmanagement,aswellastheindividualdepartments,canidentifysigniicant
potentialforimprovementoptions.
herearestillotherareaswhereInternalAuditaddsvalue:Improvedinforma-
tionandcommunicationlows,reliabilityandtrustinthesecurityandstabilityof
the organization, and the certainty that any inappropriate behavior will be ad-
dressedthroughtargetedinvestigation.Inthelongterm,thesebeneitswillresultin
increasedconidenceamongemployeesthatarbitraryactionsandlackofsecurity
havenoplaceinthebusinessenvironment.InternalAuditultimatelycontributesto
anethicalcorporatecultureforthegoodofallemployees.
AnotherimportantaddedvalueregardingtheincreasingglobalizationofSApis
theprinciplefairandimpartialworkperformedbyInternalAudit.Itrelectsthe
trustthatanyproblemthatoccurswithintheglobalcorporateorganizationwillbe
solvedaccordingtostandardizedprocedures,andirrespectiveofspeciicindividu-
als. his awareness will help improve mutual trust among employees, as well as
trustinmanagement–especiallyintheExecutiveBoard.
HINTsANDTIPs ;
• heoverallbeneitprovidedbyInternalAuditcanbehighlightedinmeetings
anddocumentationbypointingoutthenecessityofbusinessoptimization,for
thegreaterpurposeofcompanysustainabilityandcompetitiveadvantageinthe
market.
RiskManagementRiskManagement
Best-PracticesolutionsBest-Practicesolutions
corporateculturecorporateculture
equalTreatmentequalTreatment
ConceptualBasisofInternalAudit
InternalAudit:MeetingToday’sNeeds
ValueAddedbyInternalAuditatSAP
A|2|2.7
60
3 FrameworkofInternalAuditatSAP3.1 SAP’sGlobalAuditApproachintheShape
ofGlobalInternalAuditServices(GIAS)
KeyPoIntS •••
• hemissionstatementexpressesthebasicdeinitionofGIAS’fundamentalac-
countability.
• heglobalauditapproachofInternalAuditatSAPrequiresthatinternational
circumstancesaretakenintoconsideration.
• Allcultural,legal,statutory,andwork-relateddiferenceshavetobetakeninto
account,anddiferentinterpretationsofauditingmustbeconsideredwhenop-
eratinginaninternationalenvironment.
• Inaddition,allorganizationalprerequisitesandprocedureshavetobedeined
foreachauditsothattheyagreewithallparticipants’perceptionofaudits.
hemissionstatementisakeyelementofGIAS’sdeinitionofitself.hestatement
speciiesthecoremandateofInternalAudit,providesabasicdeinitionofthede-
partment’s fundamental responsibility and is based on a common perception of
auditing.hefollowingtwoobjectivesarethecoreofthemissionstatement:
• thattheSAPGroupcomplieswithstatutoryandlegalrequirementsaswellas
internalguidelinesandinstructions,and
• thatInternalAuditstrivestoaddvaluebyproposingmanagementandorgani-
zation-related solutions and giving information and recommendations about
internalcontrolsandbusinessrisks.
Itisimportantthatthemissionstatement,asadeinitionofInternalAudit’srespon-
sibilities,isappliedasaglobalstandardbyallGIASteams.hestatementprovides
globalguidancewhichleadstoasharedunderstandingofallprocesses,responsi-
bilities,andvalues.hemissionstatementrepresents the linkbetweentheGIAS
Principles and the Charter since it deines the fundamental tasks and forms the
basisfortheresultingbusinessmandate.
heglobalstructureofGIASgivesrisetoanumberofchallengestoimplement-
ing the mission statement. Cultural diferences are one of the biggest challenge.
Bothauditorsandauditeesdealwithauditsdiferently,dependingontheircultural
backgrounds.Whiletherearemanycountriesthatdealwiththeprocessinasys-
tematic,distancedmanner,auditsandtheirindingscanhaveamuchdiferent–
evenpersonal–signiicanceinotherculturalcontexts(e.g.,inAsia).Accordingly,
interpersonaldealingsandthecommunicationofpositiveornegativereportsmust
bestraightforwardandtothepoint,andadaptedtoregionalandculturalhabitsif
necessary.Itisthereforecrucialtoshowahighdegreeofsensitivityindealingwith
both fellow employees and other parties (for example, employees of the audited
unit,externalauditors,andpartners).
MissionStatementMissionStatement
GlobalStandardGlobalStandard
CulturalDiferencesCulturalDiferences
61
A second major challenge is the synchronization of the audit methodology.
Whileinsomecountriesitispossibletoachieveobjectivesquicklythroughinter-
viewsormeetings,inothercountriesitmaybemorebeneicialtoderivetherele-
vantauditfactsbystudyingavailabledocuments.Diferingstylesofcommunica-
tion and discussion, diferences in report styles, and divergent procedures for
implementingrecommendationsmakeastandardizedapproachdiiculttoachieve.
Itisthereforeimportanttoselectmethodsandprocedureswithcomparabilityin
mind.Astandardizedglobalprocessmodelthatspeciiesabindingframeworkis
helpful inmeeting these requirements (seeSectionB). Inaddition, themanage-
mentstructureofInternalAuditmustensurethatanadequatequalityassurance
systemisimplementedandpracticed.Inparticular,thedocumentsusedbyInternal
Auditmustbeharmonized.
Inglobalaudits,theaudittopictakesprecedenceoverauditorsandregions,i.e.,
co-workersfromdiferentregionsformateamforthedurationoftheaudit(see
SectionA,Chapter6.4).Diferenttimezonesanddiferentpersonalcircumstances
result innewchallengestoauditteams.heglobalhandlingoftheoverallaudit,
especiallythecoordinationandpreparationoftheauditresults,requiresintensive
(and oten unscheduled) time reserves and needs to be considered in the audit
planning.
Regularmeetings,conferences,andjointeventsheldbyGIAShelptocreatea
teamspirit,whichmakesiteasiertoovercomeconlictsandtoreachaconsensuson
potentiallydivisiveissues.Duetothelongdistances,diferenttimezones,andre-
source schedules involved, however, such gatherings have to be planned well in
advanceor,ifheldspontaneously,withalimitednumberofparticipants.
Inaddition to the issuesdescribedabove, InternalAuditmay faceadditional
challengesthatmightposeathreattoauditexecution.hereisalwaysthepossibil-
itythatanefectiveauditmaybecomplicated–orevenmadeimpossible–byun-
forseenevents(e.g.,politicaldevelopments,inclementweather,anddisasters),per-
sonalrequirements,orchangingbusinessneeds.Asaresultofsuchoccurrencesan
auditormaynotbeavailableintime(oratall),whichmayinturnrequirechanges
intheorganizationoftheaudit.Accordingly,auditshavetobeplannedwithsui-
cientleadtimeandcontingencyplansasfarasresourcesareconcerned.
HIntSAnDtIPS ;
• Before auditors start working in a diferent country, they should familiarize
themselveswiththelocalcultureandcustoms.
LInKSAnDReFeRenCeS e
• Bell,S.AnDM.nARz.2007.MeetingtheChallengesofAgeDiversityintheAgeof
DiversityintheWorkplace.he CPA Journal(February2007):56–59.
• FInne,T.2005.CastingaWidenet.Internal Auditor(August2005):29–33.
SynchronizationofAuditMethodologySynchronizationofAuditMethodology
teamworkDuringGlobalAuditsteamworkDuringGlobalAudits
teamBuildingteamBuilding
DangertoeicientAuditexecutionDangertoeicientAuditexecution
ConceptualBasisofInternalAudit
FrameworkofInternalAuditatSAP
SAP’sGlobalAuditApproachintheShapeofGlobalInternalAuditServices(GIAS)
A|3|3.1
62
• leRe, J.AnDK.PoRTz.2005.ManagementControl.SystemsinaGlobaleconomy.
he CPA Journal(September2005):62–64.
• o’ReGAn,D.2001.Auditing International Entities: A Practical Guide to Objectives, Risks,
and Reporting.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• RICAuD, J. 2006. Auditing Cultural Diversity. Internal Auditor (December 2006):
57–61.
3.2 StructureoftheGIASCodeofConduct
KeyPoIntS •••
• heGIASCodeofConductrepresentsaframeworkofrulesofpersonalcon-
duct,auditprinciples,andethicalprinciples.
• hepurposeoftheGIASCodeofConductistohelpguaranteeastandardized
conductofInternalAudit,bothinternallyandexternally,indiferentauditsand
indiferentregions.
• external guidelines by professional associations or internal guidelines devel-
opedbyotherdepartmentsorothersetsofrulesmaybeusedasabasisforthe
Code.
• each internal audit department should deine its own rules, guided by com-
pany-speciicconditionsandrequirements.
heGIASCodeofConducthastwoobjectives.heirstobjectiveistodeinegener-
allyapplicablenormsofbehaviorforallaspectsandprocessesofanauditor’swork.
heGIASCodeofConduct is intendedasa toolandguide forauditors in their
dealingswithcolleagueswithinthecompanyandwithexternalpartners.ForInter-
nalAudittobeperceivedasacommitted,reliabledepartmentitsemployeesmust
conductthemselvesfairly,professionally,andwithmoralintegrityinallaspectsof
business.InternalAuditcanonlyfulillitstaskifitisguaranteedthatallaspectsof
anauditarehandledobjectively.Inordertooperatewithintheremitsofitsrole,the
departmenthastomakesurethatitlivesuptotheexpectedlevelsofhonesty,integ-
rity,andtransparencyinallrespects.
hesecondobjectiveoftheGIASCodeofConductistocreateagloballyuni-
formauditapproach.GiventhevarietyoftasksandculturesinwhichGIASem-
ployeesoperate,thereisaneedthatallauditorscomplywithcertainstandardsdur-
ing their ieldwork. he GIAS Code of Conduct creates such uniform process
standards.
heIIAhaspublishedaCodeofethicstofurtherpromoteanethicalculturein
theprofession.heIIACodeofethicshastwoessentialcomponents:
• principlesthatarerelevanttotheprofessionandpracticeofinternalauditing,
and
objectiveofaCodeofConduct
objectiveofaCodeofConduct
organizationalCoherence
organizationalCoherence
IIACodeofethicsIIACodeofethics
63
• rulesofconductthatdescribebehaviornormsexpectedofinternalauditors.
heserulesprovideguidanceininterpretingtheprinciplesforpracticalapplication.
everyinternalauditdepartmentshoulddeineabindingCodeofConductbuilt
on such guidance as provided by the IIA or other professional organization but
adapttheguidancetocompany-speciicneeds.heGIASCodeofConductdraws
onguidancefromthefollowingsources:
• the ethical guidelines of the leading professional organizations (e.g., IIA and
AICPA),
• generalrulesandlegalrequirements(e.g.,countryorsectorspeciicrules),
• SAP’sowncorporateguidelines(e.g.,CodeofBusinessConductandcorporate
governancerules).
DeiningtheCodeofConductDeiningtheCodeofConduct
Ethics guidance from
professional organizations
(e.g., IIA, AICPA)
Ethics guidance from SAP
(e.g., Code of Business
Conduct, corporate
governance standards)
GIAS Code of Conduct
Internal
Audit
Range of services
Rules of Conduct GIAS Principles
Integrity
Empathy and understanding
Reliability
Sense of responsibility
Trustworthiness
Attention to detail
Compliance
Productivity
Security
Innovation
Audit Principles
Ethical Principles
Independence
Diligence
Fairness
Authority
Cultural awareness
Objectivity
Social acceptability
Fig. 7 GIASCodeofConduct
A|3|3.2ConceptualBasisofInternalAudit
FrameworkofInternalAuditatSAP
StructureoftheGIASCodeofConduct
64
heGIASCodeofConductcloselyresembles theCodeofethicsof theIIAand
breaksdownintotwomaincategoriesofindividualstandards(formoredetailssee
SectionA,Chapter3.3):
• heRulesofConduct,whichdeinethebehaviorrulesforInternalAuditand
provideguidancetoensurethe integrityofeachindividualauditor.herules
includeattributesrelevanttoeachinternalauditemployee,suchasattentionto
detailandreliability,whicharerequirementsthatarealsolaidoutinSAP’sCode
of Business Conduct. In addition, more audit-speciic conduct requirements,
suchassensitivityandunderstanding,ortrustworthiness,arealsodeined.
• heGIASPrinciples,whichincludebothauditandethicalprinciples,relateto
thedepartmentinitsentiretyandapplytothepracticeofinternalauditing.
InternalAuditisrequirednotonlytocomplywithitsowncodeofconduct,butalso
toperform its functionasa stafdepartmentof companymanagement.his in-
cludesthattheyrigorouslyinvestigateanyreportedcontraventionsoftheCodeof
BusinessConduct,whichappliestoallemployees.Inthecontextofinternational
inancialreportingandtheevermorestringentcontrolrequirementstoensurethat
processesarecompliant,thisisanincreasinglyimportanttask.
HIntSAnDtIPS ;
• Analyzeallauditactivitiescriticallytoestablishwhetherornottheyareconsis-
tentwiththeInternalAuditCodeofConduct.
• Discussdoubtfulauditactivitieswiththeauditlead.Itmayproveexpedientto
obtainspeciicwrittenpermission.
• Documentthereasonsforaparticularcourseofactionespecially if theaudit
stepsseemtobeinconsistentwiththeCode.
LInKSAnDReFeRenCeS e
• AnDeRSon,D.2002.ChangingaCultureofentitlementIntoaCultureofMerit.he
CPA Journal(november2002):16.
• BAGGeTT,W.2003.CreatingaCultureofSecurity.Internal Auditor(June2003):37–41.
• BAGGeTT, W. 2007. 7 Criteria for ethics Assessments. Internal Auditor (December
2007):65–69.
• BeRnARDI,R.AnDC.lACRoSS.2005.CorporateTransparency:CodeofethicsDis-
closures.he CPA Journal(April2005):34–37.
• BlAnK,D.2003.AMatterofethics. Internal Auditor(February2003):26–31.
• elIASon, M. 1999. Compliance plus Integrity. Internal Auditor (December 1999):
30–33.
• FInAMoRe,C.2005.CommonGood,CommonSense.Internal Auditor(August2005):
35–38.
RulesofConductandGIASPrinciples
RulesofConductandGIASPrinciples
StafDepartmentofCompanyManagement
StafDepartmentofCompanyManagement
65
• GRACe,S.AnDJ.HAuPeRT.2006.HowtoMakeanethicsProgramWork.he CPA
Journal(April2006):66–67.
• InSTITuTe oF InTeRnAl AuDIToRS. 2006. Code of Ethics. http://www.theiia.
org/guidance/standards-and-practices/professional-practices-framework/code-of-eth-
ics/code-of-ethics---english/(accessedMay31,2007).
• JennInGS, M. 2003. he Critical Role of ethics. Internal Auditor (December 2003):
46–51.
• MeSSMeR, M. 2001. Capitalizing on Corporate Culture. Internal Auditor (october
2001):38–45.
• RIon,M.AnDR.GeBInG.1999.DoingtheRighthing.Internal Auditor(December
1999):33–35.
• VAnWIJK,e.2004.IfyIndependence.Internal Auditor(october2004):81–83.
3.3 The GIASCodeofConductinDetail
KeyPoIntS •••
• WhiletheethicalandAuditPrinciplesintheGIASCodeofConductdeinethe
practiceofauditing,theRulesofConductprovideguidancefortheactivitiesof
individualauditors.
• heGIASCodeofConductplaysanimportantroleinthecareeranddevelop-
mentplanningwithinthecompany.
hestructureoftheGIASCodeofConductoutlinedinthepreviouschapterdistin-
guishesbetweentheGIASPrinciplesandtheRulesofConduct.heRulesofCon-
ducttakeaccountofthefactthatauditingrequirescertainpersonalcharacteristics
intermsofconductandpersonalattitude.hemostimportantpersonalcharacter-
isticsinclude:
• integrity,
• empathyandunderstanding,
• reliability,
• senseofresponsibility,
• trustworthiness,and
• attentiontodetail.
heserulesofconductmustbeanintegralpartofthepersonalityproileofeach
auditor.
heGIASPrinciplesconsistoftwogroups:theethicalPrinciplesandtheAudit
Principles(seeSectionA,Chapter3.2).heethicalPrinciplesare:
• independence,
• discretionandconidentiality,
• objectivity,
RulesofConductRulesofConduct
ethicalPrinciplesethicalPrinciples
ConceptualBasisofInternalAudit
FrameworkofInternalAuditatSAP
TheGIASCodeofConductinDetail
A|3|3.3
66
• fairness,
• diligence,
• socialacceptability,
• authority,and
• culturalawareness.
heprincipleof independence isvital forInternalAudit.GIAS’ independence is
grantedbytheCAe’shighlevelaccesstocompanymanagement.AtSAPAG,the
CAe reports directly to the Ceo and should meet directly twice a year – or as
needed–withtheAuditCommittee.heCAemayalsomeetwiththeSupervisory
Board,whichoverseestheexecutiveBoard.hisformoforganizationalautonomy
ensures thenecessary independenceofauditsandpreventsothercompanyunits
fromexercisingundueinluenceonGIAS.
hereisaspecialrelationshipoftrustbetweentheauditrequestor,theauditee,
and GIAS. Data and facts discovered by or disclosed to the auditors during the
course of the audit must be kept conidential. only under exceptional circum-
stancesmaydisclosurebejustiiedforlegalreasons(e.g., inthecaseofpoliceor
publicprosecutorinvestigationsorasrequiredbytheSeCorotherregulatorybod-
ies).Suchdisclosurehastobecoordinatedwiththeauditrequesterandthelegal
department.
objectivityreferstostrictimpartialityonthesideoftheauditorsandisvitalto
ensurehigh-qualityaudits.Auditorsmustnotallow themselves tobe inluenced
bypersonalsympathiesorantipathies,subjectiveopinionsofotheremployees,or
by interventionsofhigher-rankingpersons.Auditorsneed tobeaware thatper-
sonaljudgmentcanbeconsciouslyandunconsciouslybiased.Reviewsofindings
byotherauditorsandcriticalevaluationofone’sworkcanhelptoensureobjectivity
injudgment.
Closelylinkedtotheprincipleofobjectivityistheprincipleoffairness.Fairness
includesthatauditorsdisplayappropriateconducttowardallthoseinvolvedinan
audit, that they integrate them adequately, report correctly, and objectively deal
withtheauditresultsanddocuments.Inaddition,everyauditorisobligedtonotify
theauditeeoftheconsequencesofanyimproperactionsandactivities.
Diligenceinauditingandreportingisanabsoluteprerequisitetoensureahigh
qualityaudit.Auditorsmuststriveforrigorandextentoftheirauditsatalevelthat
allowsthemtomakehigh-qualityandobjectivecommentsontheauditindings,to
thebestoftheirknowledgeandbelief.Toensureahighlevelofdiligenceauditors
needtomaintainahighandup-to-datelevelofknowledge.
Inanageofformalandinformalnetworks,GIASmustensurethattheaudits,
andtheimplementationoftheirindings,aresociallyacceptable.Auditactivities
mustnotresultinencouragingorexacerbatinganyexistingsocialtensions.
GIAShastoactwithauthoritywhennecessaryandwhendeemedtobeinthe
bestinterestofthecompany.WheneverGIASactsonitsowninitiative,thefunda-
IndependenceIndependence
DiscretionandConidentialityDiscretionandConidentiality
objectivityobjectivity
FairnessFairness
DiligenceDiligence
SocialAcceptabilitySocialAcceptability
AuthorityAuthority
67
mentalnatureandcontentoftheaudithavetobeagreedwiththeCeoirstorthe
AuditCommitteeiftheauditconcernsactivitiesoftheCeo.Aspartof itsaudit
mandate,GIASisauthorizedtocarryoutall thenecessaryactivitiesandrequest
documents without consultation with those involved or their line managers. All
auditeeshavetocomplytothebestoftheirknowledgeandbeliefwiththisproce-
dure.GIAScanactonitsownauthoritywithregardtodoingsofallmanagement
levels,sothatthesetauditmeasuresareatalltimessupportedbytheorganization
asawhole.
Anotherethicalprincipleisculturalawareness.InglobalcompanieslikeSAP,
nationalandculturalinluencesplayamajorrole.heincreasinginterdependence
betweenculturesmustthereforebetakenintoaccountintheauditprocess.Consid-
eringculturaldiferencesinvolvesauditteamsaswellasauditees.Mutualrespect
foreachotherandtoleranceofdiferentculturesandwaysofthinkingareanes-
sentialprerequisiteforsuccessfulaudits.
InadditiontotheaboveethicalPrinciples,theGIASPrinciples,aslaidoutin
theGIASCodeofConduct,includethefollowingpracticalAuditPrinciples:
• compliance,
• productivity,
• security,and
• innovation.
oneof themajor tasksofGIAS is tomonitorbusinessprocesseswith regard to
compliancewithregulations.helargenumberofexistingregulations,directives
and rules set a very wide-ranging and continually growing framework for audit
content and processes. In addition, requirements of countries where stocks are
listedonpublicexchangesapplyalsotooperationsabroad.
Costsandbeneitsmustbeweightedagainsteachotherindesigninganaudit.
hismeansthatmethodsandresourcesmustbeusedtobestservetheintended
purposeandbudgetsshouldnotbeexceeded.
Moreover,auditactivitiesmustbedesignedinsuchawaythattheyarenotdet-
rimentaltosecurityinterests.Anymeasuresregardedasapotentialthreattosafety
andsecuritybythesecuritydepartmentmustalwaysbediscussedwiththosere-
sponsible. In addition, audit recommendations, and their implementation must
considersecurity-relatedcriteria.
Asacorporateauditdepartmentforoneoftheworld’sleadingsotwarecompa-
nies,GIAShasauniqueopportunitytouseinnovativetechnicalsolutionsforthe
department’s internalprocesses, andhas toensure thatbestpossibleuseofSAP
solutionsismadewithintheGroupasawhole.
AuditorsmuststrictlyabidebytheabovePrinciplesandRulesofConduct in
theirdailywork.hemanagementofthedepartmentshouldensurethattheserules
arealwaysobserved.heGIASCodeofConductmustberegularlyreviewedand
adapted.
CulturalAwarenessCulturalAwareness
AuditPrinciplesAuditPrinciples
ComplianceCompliance
ProductivityProductivity
SecuritySecurity
InnovationInnovation
GeneralConclusionsGeneralConclusions
Conceptual BasisofInternalAudit
FrameworkofInternalAuditatSAP
TheGIASCodeofConductinDetail
A|3|3.3
68
heGIASCodeofConductisimportantinthecontextofpersonalcareerplan-
ning,becauseitisessentialthatauditorsexhibittheattributeslaidoutintheCode
inorder toadvancewithin thedepartmentand theorganization(seeSectionA,
Chapter4.6).
HIntSAnDtIPS ;
• Whenfacedwithpersonalattacksoraccusations,referencetotheGIASCodeof
Conductcanhelpauditorssupporttheiractions.
• Makesurethatnoauditactivitiesareinconlictwiththerulesandprinciplesof
theCodeofConduct.
• eachoftheauditor’stasksmustbereviewedforcompliancewiththeGIASCode
ofConduct.
LInKSAnDReFeRenCeS e
• ColSon,R.2004.CPA’sResponsibilities:ArticleIVobjectivityandIndependence.he
CPA Journal(June2004):80.
• CooPeR,C.2003.oneRightPath.Internal Auditor(December2003):52–57.
• HelPeRT,A.2006.CultivatingaloyalWorkforce.Internal Auditor(December2006):
66–72.
• HuBBARD,l.2005.AHigh-PoweredAuditor.Internal Auditor(February2005):26–27.
• InSTITuTe oF InTeRnAl AuDIToRS. 2006. Code of Ethics. http://www.theiia.
org/guidance/standards-and-practices/professional-practices-framework/code-of-eth-
ics/code-of-ethics---english/(accessedMay31,2007).
• InSTITuTeoFInTeRnAlAuDIToRS.2001.Practice Advisory 1100-1: Independence
and Objectivity.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTe oF InTeRnAl AuDIToRS. 2001. Practice Advisory 1120-1: Individual
Objectivity.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTeoFInTeRnAlAuDIToRS.2001.Practice Advisory 1130-1: Impairments
to Independence or Objectivity.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTe oF InTeRnAl AuDIToRS. 2001. Practice Advisory 1200-1: Proiciency
and Due Professional Care.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTe oF InTeRnAl AuDIToRS. 2001.Practice Advisory 1210-1: Proiciency.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTe oF InTeRnAl AuDIToRS.2001.Practice Advisory 1220-1: Due Profes-
sional Care.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• MCDonAlD,P.2006.heQuestforTalent.Internal Auditor(June2006):72–77.
• MuCHleR, J.2001.Independence and Objectivity: A Framework for Internal Auditors.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
PersonalemployeeDevelopment
PersonalemployeeDevelopment
69
3.4 ExamplesIllustratingtheEffectivenessoftheCodeofConduct
KeyPoIntS •••
• heGIASCodeofConductandtheauditors’personalexpertiseandjudgment
formthebasisforInternalAuditactivities.
• In conlict situations, it is useful to consult with other employees, primarily
withinInternalAudit,butalsoinotherdepartments.
• Sometimesitisexpedienttoinvolveahigherhierarchylevel.
heAuditPrinciples,ethicalPrinciples,andRulesofConductcollectivelyformthe
basisfordesigningtheauditorganizationandthereforehaveasigniicantinluence
ontheorganizationandworklowstructurewithinInternalAudit.
heictitiousexamples,givenbelow,showhowtheGIASCodeofConductcanbe
appliedtoscenariospronetoconlictduringauditactivities.
employeesotenapproachInternalAuditwithreportsofshortcomingswithin
thecompany’sorganization.especiallyunsolicitedinformationhastobeexamined
very carefully for factual accuracy. he following ictitious example emphazises
this.AseniormanagerapproachesaGIASemployee,accusingthehumanresources
departmentresponsibleforhisunitofbeingincompetentandunabletoworkwith
GIASCodeofConductasaBasisforAuditsGIASCodeofConductasaBasisforAudits
PracticalexamplesPracticalexamples
InformationProvidedbyemployeesInformationProvidedbyemployees
GIAS Code of Conduct
Organizational framework and processes
Ethical
Principles
Audit
Principles
Rulesof
Conduct
Processmodel
TeamsAnnualauditplan
ManagementOperationalFinancialITFraudBusiness
PreparationPlanning ReportingExecution Follow-up
Fig. 8 TheGIASCodeofConductasaBasisforAudits
A|3|3.4ConceptualBasisofInternalAudit
FrameworkofInternalAuditatSAP
ExamplesIllustratingtheEfectivenessoftheCodeofConduct
70
asimplespreadsheetprogramtocalculatebonuses.hemanageralsocriticizesthe
lackofsupportthathisdivisionreceivesfromthehumanresourcesdepartment.
Since the accusations are quite serious, the auditor has to establish whether the
managerissimplyupsetaboutasinglecalculationerror,orwhetherthereisasys-
tematicfailureoftheinternalcontrols.Ifthereissuchafailure,InternalAudithas
toinvestigatethematteraspartofthenextscheduledaudit,orinveryurgentcases
conductanad-hocaudit.heexampleshows the importanceofbeingobjective,
anddiligentandmaintainingconidentialityandtrustworthiness.
heopen,team-basedcorporatecultureatSAPmeansthatemployeesforgeand
maintaincloseworkingrelationshipswitheachother, sometimesevenonaper-
sonallevel.Insomecases,suchrelationshipsareextendedintotheemployees’pri-
vatelives,sothatthequestionarisesastowhentheystartimpairingtheobjectivity
thatisrequiredprofessionally.hisquestionisgenerallyrelevantforallemployees,
butinviewoftheneedtojudgemattersobjectively,itisespeciallyimportantfor
InternalAudit.
hefollowingictitiousexamplemayillustratethispoint:AGIASauditorand
anemployeeofthelicenseadministrationdepartmenthavebeenfriendssincethey
both startedworking forSAPand tookpart in the sameemployee introduction
program.Aterawhile,theGIASauditordiscoversduringaroutineinternalaudit
that there are serious non-compliances in the license department, for which his
friendsharesa largepartof theresponsibility.AlthoughInternalAuditdoesnot
blameanynamedindividuals,thereportedshortcomingsclearlypointtotheper-
sonresponsible.
Ifthereareclosepersonaltiesbetweentheauditorandtheauditee,theauditor
shouldincertaincasesdeclineparticipationintheauditduetobias.hisapplies
particularlytoGIASemployeeswhohavejoinedInternalAuditfromotherdepart-
ments.heseemployees shouldnotparticipate inauditsof their formerdepart-
ment,althoughtheyusuallyhaveexcellentexpertiseintheareabeingaudited.If
theirparticipationisunavoidable,otherteammembersshouldbeinvolvedinthe
auditandinformulatingauditindingsandrecommendationstoensureobjectivity
andindependence.
hefollowingmaybeusedasguidancefordiicultsituations:
• Checktheplausibilityofdocumentsorexplanationswithprofessionalskepti-
cismandcommonsense.
• Report any real or perceived conlicts of interest immediately to supervisors
and,ifpossible,excuseyourselffromauditswheresuchconlictsoccur.
• Ifpossible,resolvethesituationinquestionwithintheauditteambyconsult-
ingwithcolleaguesandusingtheirexperienceanddiferentprofessionalback-
grounds.
• Monitorthesituationoveracertainperiodoftimetofollowupthedevelop-
ment.
• Document more serious problems, including relevant discussions and deci-
sions,sothattheproblemanditssolutioncanbereviewedlater.
• Ifnecessary,reportthesituationtoInternalAuditmanagement.
InterpersonalRelationshipsInterpersonalRelationships
FictitiousexampleFictitiousexample
PossibleSolutionPossibleSolution
ConductGuidelinesConductGuidelines
71
Byitself,aCodeisnotabletopreventunethicalbehavior.Allemployeesarerespon-
siblefortheirownprofessionalactionsandhavetodecidehowtodealwithdiicult
situations.However,rulesandcodesofconducthelpcreateawarenessandofera
frameworkandguidelinesinethicallyambiguoussituations.
HIntSAnDtIPS ;
• Auditors should have the courage to do what they regard as the right thing,
whileobservingtheCodeofConduct.
• GIAShascreatedaspecialRoadmapforinvestigatingfraud.Itcontainsthenec-
essarystepstobetakenwhenemployeesreportcontraventionsoftheSAPCode
ofBusinessConduct.
• AICPAhasdesignedadecision tree tohelpauditorsind theappropriate re-
sponseincasesofconlict.
LInKSAnDReFeRenCeS e
• AICPA. 2006. Ethics Decision Tree. www.aicpa.org/pubs/cpaltr/sept2002/business/
busind1.htm(accessedMay31,2007).
• AICPA. 2006. Ethics Decision Tree. www.aicpa.org/pubs/cpaltr/sept2002/business/
busind2.htm(accessedMay31,2007).
IndividualResponsibilityIndividualResponsibility
Conceptual BasisofInternalAudit
FrameworkofInternalAuditatSAP
ExamplesIllustratingtheEfectivenessoftheCodeofConduct
A|3|3.4
72
4 OrganizationalStructureofGIAS4.1 OrganizationalStatuswithinSAP
KeyPOIntS •••
• AtSAP,InternalAuditisastafdepartmentthatreportsdirectlytotheCEO.
• ItiscrucialthattheorganizationofInternalAuditatSAPrelecttherequirements
associatedwiththeglobalresponsibilitiesthattheExecutiveBoardbears.
• hecombinationofglobalresponsibilityandregionalstructureenablesInternal
Audittolexiblycarryoutawidevarietyoftasks.
• Atthesametime,thisapproachcreatesadditionalopportunitiestouseInternal
Audit’sexistingglobalknow-how.
SAPAGisaGermancorporationunderthetwo-tierBoardstructureaslaidoutin
theGermanStockCorporationAct.SAPAGthereforehasanExecutiveBoardwith
managingdirectorsandaSupervisoryBoard,whichoverseestheExecutiveBoard
and which consists of shareholder representatives and employee representatives.
SAP’sInternalAuditisacorporategovernanceinstrumentandastafdepartment
theheadofwhichreportsdirectlytotheCEO.Asacorporatedepartment,itper-
formsservicesforallbusinessunitsandregionsoftheentireSAPGroup.hisre-
sultsinanumberofrequirementsintermsofprocessesandorganization.
GIASisamanagementinstrumentthatisestablishedtohelpensurethatallthe
liability,supervisory,andadministrativedutiesoftheExecutiveBoardwithregard
tocorporategovernancearemet.BecausetheExecutiveBoardmustdemonstrate
itsuniversal,all-encompassingawarenessofthecompany,GIAShastoworkunder
thisapproachwithoutrestrictionandwiththenecessaryauditvolumes.Notopic,
process,region,orresponsibilitycanbeallowedtobeexcludedfromtheaudituni-
verse (see Section B). he unit structure, distribution of tasks, and overall audit
coordinationhavetobealignedwiththerequirementthatInternalAuditprovide
globalassurance.
GIAS’SAP-widefocusentailsaseriesofcharacteristicstypicalofcentrallyorga-
nizedandgloballyoperatingcorporateauditorganizations:
• heirstcharacteristicisthestructureofInternalAudit.hedepartmentisor-
ganizedasahorizontalandindependentpartoftheSAPGroup.heregional
distributionof teamshas to relect the importanceof the respectivebusiness
unitsandsizeoftheindividualregions.Personalpreferencesfordeploymentare
important,butshouldnotprevailoveroperationalrequirements.Althoughitis
centrallymanaged, InternalAudithasadecentralized, regional structure.All
regionalteamsreporttotheCAE,whointurnreportstotheCEO.hisprotects
alltheorganizationalunitsofInternalAuditagainstundueexternalinluence.
hestructureofGIASiscomplementedwithcross-regionalteams(suchasthe
so-calledSOX-team).heyoperateindependentlyonthegloballevelandreport
directlytotheCAE.
GIASasCorporateAuditGIASasCorporateAudit
GlobalAssuranceGlobalAssurance
CharacteristicsofaCorporateAudit
Organization
CharacteristicsofaCorporateAudit
Organization
StructureStructure
73
• hesecondcharacteristicisthedeinitionandmonitoringofcentralbusiness
processeswithinInternalAudit.GIAShasdeinedGroup-wideauditstandards
thatmustbefollowedbyallregions.hesestandardsensurecomparability,uni-
formity,plausibility,andveriiabilityofindingsanddocumentation.Central-
izedreportinglinesensurethatthesestandardsarefollowed,particularlywith
regardtoculturalandpersonalmodiications.
• GIAShasamultilevelreportingsystem.hehighestaggregatedreportinglevel
istheBoardsummary(seeSectionB,Chapter5.2.5).hereportsforoperational
management, Corporate Risk Management, and the Executive Board are de-
rivedfromtheindividualauditreports.hismultilevelreportingstructurelies
withintheresponsibilityofInternalAudit:Alltypesofreportsintheentireor-
ganizationmustbepreparedconsistently,correctly,andfreeofinluencebyex-
ternalparties.hisallowstheExecutiveBoardtoobtainadditionalandmore
detailedinformationofissuesraisedintheBoardsummarydowntoindividual
indingsifnecessary.
• heCAEcoordinatestheoverallauditplanningprocess(fordetails,seeSection
B,Chapter2;SectionD,Chapter3).Inthisplanningprocess,theregionalteams
canname,rate,andprioritizetheirsuggestedtopics.heseinputstogetherwith
amultilevelriskanalysisleadtoaplanningproposal,whichisthencoordinated
anddiscussedwiththeCEO.hiscentralizedplanningapproachensuresthat
theglobalrisklandscapeisadequatelyrelectedintheannualauditplan.
• heinclusionofadditionalaudittopicsinresponsetoauditrequestsmadeby
individualdepartmentsissubjecttocentralizedapprovalandcoordination.In
general,everyorganizationalunitandeveryemployeecansubmitsuchanaudit
request.heserequestsaresubject tocentralizedassessmentandapprovalby
theCAEandareagreedwiththeCEO.hismaintainsInternalAudit’sindepen-
denceandplanningautonomy.
• Duetotheincreasinglyglobalfocusofbusinessactivities,thecentralcoordina-
tionofinterregionalauditsiscontinuallygainingimportance,forbothauditsof
theorganizationitselfandauditsoftheactualbusinessenvironment(majorcus-
tomers,forexample).Incasesofinterregionalaudits,centralizedcoordination
withtheExecutiveBoard,thecorporatedepartments,andthelocalpersonsin
chargeisimmenselyimportant.
• Auditworkgeneratessigniicantfactualknowledgeandpotentialforefective
and eicient solutions to business problems. his knowledge must be made
availableonaglobalscale,bothforInternalAuditandforallotherorganiza-
tionalunits.AcentralizedcoordinationandorganizationofInternalAudithelps
tomakebestpracticesolutionsavailableinadatabasethatismaintainedbyIn-
ternalAudit.Suchacollectionofdatashouldbeadministeredandmaintained
centrallyforalldepartmentsandcompaniesworldwide.
• InternalAuditisalsoincreasinglycalledupontoconductbenchmarkinganaly-
ses.Forsuchatask,acentralizedauditdepartmenthastheabilitytocentrally
manage,maintain,andanalyzecomparativedata.
DeinitionandMonitoringofCentralBusinessProcesses
DeinitionandMonitoringofCentralBusinessProcesses
MultilevelReportingMultilevelReporting
CentralizedCoordinationbytheCAeCentralizedCoordinationbytheCAe
InclusionofAdditionalAudittopicsInclusionofAdditionalAudittopics
CentralCoordinationofInterregionalAuditsCentralCoordinationofInterregionalAudits
FactualKnowledgeandSolutionApproachesFactualKnowledgeandSolutionApproaches
BenchmarkingBenchmarking
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
OrganizationalStatuswithinSAP
A|4|4.1
74
• An additional characteristic of centrally organized audit departments is that
knowledgeresourcescanbeallocatedtoimportantaudit-relatedandnonaudit-
related service/consulting activities (see Section A, Chapter 7). Regardless of
whethersuchtasksinvolvesupportingthedratingofguidelines,reviewsofcen-
tral internal projects, or accompanying implementation measures, the use of
audit-speciicexperienceincombinationwitharegionalpresencewillensure
optimalworkresults.Conversely,itwillgivesubsequentauditsavaluablehead
startwithregardtoknow-how.
heigurebelowshowstheglobalstructureofGIASwithintheSAPGroup:
ServiceandConsultingActivities
ServiceandConsultingActivities
GlobalStructureGlobalStructure
Fig. 9 GlobalStructureofInternalAuditatSAP
75
HIntSAnDtIPS ;
• CommunicationchannelsandprocedureswithinInternalAuditshouldbede-
signedtofacilitatetheexchangeofsolutionsandtheoptimizationofcommon
procedures.
• Itisveryimportanttoinvolveregionalauditstafinthecentralizedexchangeof
information.
4.2 OrganizationalStructureandResponsibilitieswithinGIAS
KeyPOIntS •••
• InternalAuditatSAPactsasacentrallyorganizeddepartmentwithadecen-
tralizedmanagementstructure.hemanagementstructure isregional,which
resultsinalargedegreeofauditresponsibilitybeingdelegatedtotheindividual
regionalteams.
• heregionalAuditManagersensurethatauditsareproperlyexecutedandcom-
plywiththeauditorganization.
• Aclearlystructuredcommunicationandmeetingstructuresupportstheworld-
wideharmonizationofGIASacrossallregionalteams.
• heCAEbearsoverallresponsibilityforInternalAuditandmaintainscontact
withothergovernancebodiessuchastheAuditCommittee.
InternalAuditatSAPisaglobaldepartmentwithteamsinGermany,theUnited
States,Singapore,andJapan.heindividualteamsprimarilycoverauditrequire-
mentsintheirrespectiveregions:
• he team in Germany carries out all audits in Europe, the Middle East, and
SouthAfrica,aswellasthoseattheparentcompanySAPAG.
• heteamintheUnitedStatesisprimarilyresponsibleforauditsinNorthand
SouthAmerica.
• heteaminSingaporecoversauditsinAsiaandthePaciicregion,excluding
JapanandKoreabutincludingAustraliaandNewZealand.
• heteaminJapanconductsallauditsinJapanandKorea.
Allauditsarebasedonauniform,jointlycoordinatedannualauditplan.Asaudit
requirementsarebecomingincreasinglyglobal,moreandmoreauditteamswith
auditorsfromdiferentregionsareformed.Workingtogethermayeither involve
exchangingauditorstoprovidesupport,toshareexperiences,andtooptimizeau-
dits,orestablishingspeciicauditteamswhohandleasingletopicworldwide,either
simultaneouslyorinstagesatdiferentlocations.
teamsWithinGIASteamsWithinGIAS
MixedAuditteamsMixedAuditteams
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
OrganizationalStructureandResponsibilitieswithinGIAS
A|4|4.2
76
heigurebelowplacestheglobaldistributionoftaskswithinGIASintheover-
allcontextofauditworkonagloballevel.hischapterandthefollowingchapters
providedetailsofthedistributionofresponsibilitiesasshowninthediagram.
Regionalteamsconsistofauditorsfromvariousdisciplinesandwithdiferentlevels
ofexperience.hedetailedcontrolof these teams is theresponsibilityof there-
gionalAuditManager,whoisresponsiblefortheteambothdisciplinarilyandfunc-
tionally.Disciplinarysupervisionincludesallissuesthatconcerntermsofemploy-
mentandperformanceappraisal.Functionalsupervisionencompassesprofessional
supervisionindaytodayonthejoboperations.Allissuesthatregionalteamsface
aredecidedindirectcoordinationwiththeresponsibleAuditManager.heonly
exceptionsareescalatedissuesandtasksorobjectivesthatafecttheentiredepart-
ment.Insuchcases,theregionalAuditManagerinvolvestheCAEasthesuperior
linemanager.
Regular meetings of the Audit Managers and the CAE help to reinforce the
managementprocessandreportingstructure.Atthesemeetings,theAuditManag-
GlobalResponsibilitiesofGIAS
GlobalResponsibilitiesofGIAS
RegionalteamStructureRegionalteamStructure
MeetingStructureMeetingStructure
Executive Board
Global audit management
Regional audit management
Fig. 10 DistributionofResponsibilitiesatGIAS
77
ersandtheCAEdiscussandclarifyallcurrentissuesandfuturetasks.Inaddition,
weeklybilateralconferencesareheldbetweeneachindividualAuditManagerand
theCAE.hegoalofthesemeetingsistoclarifyspeciicissuesthatemergeduring
audits,aswellastojointlyidentifynew,additionalauditrequirementsandtopics
relevanttothedepartment.
heannualdepartmentmeetingsrepresentanotherimportantevent.Atthese
meetings,alldepartmentemployeesfromthediferentregionsmeetinoneplace
forseveraldaystodiscussandcoordinateunresolvedissuesfromaudits,alongwith
conceptstheyhavedevelopedandfuturetasksandobjectives.hesemeetingshave
theadditionalbeneitofsupportingdepartment-wideintegration.heyprovidean
importantsocialbeneit,sincetheyallowtheteamcolleaguesfromdiferentregions
togettoknoweachotherwhichlaysthefoundationforfuturejointauditactivities.
AtSAP,theCAEisresponsiblefortheoverallmanagementofthedepartment.
hismeanstheCAEindividuallycoordinatesallregionalteamsandprovidesman-
agementsupporttoensurethatauditproceduresarestandardizedgloballyandthat
globalauditsareproperlycoordinated.heCAEalsomaintainsdirectcontacttoall
higherauthorities,includingtheExecutiveBoard,theSupervisoryBoard,andthe
AuditCommittee.Inaddition,theoverallglobalresponsibilityfordealingswithall
otherinternalandexternalpartiesandcontactslieswiththeCAE.
Inparticular,theCAEmeetsregularlywiththeCEOtodiscussallthemajoris-
suesfacedbyInternalAuditwithregardtobothday-to-dayactivitiesandthebasic
focusofaudittasks.heseregularlyheldmeetingsareveryimportantfortheover-
allauditworkbecausedecisionsregardingadditionalaudits–aswellassigniicant
measures following from completed audits – are made there. Regularly updated
minutesprovideareliablerecordofwhattheCEOandtheCAEhaveagreedupon.
heAuditCommittee,whichisacommitteeofSAP'sSupervisoryBoard,also
receivesanauditreportonceayear,whichcontainsinformationonallimportant
audit-relatedevents.heCAEpresentstheresults,discussesopenquestions,and
ieldssuggestionsinameetingwiththemembersoftheAuditCommittee(seealso
SectionB,Chapter5.4.1).
Asaresult,theCAEhastomanageseveraldiferentplanninglevels:
• overallresponsibilityforthehorizontalcoordinationoftheregionalteams,
• furtherdevelopmentofthedepartmentonagloballevel,
• mainpointofcontactforallexternalpartiesanddepartments,
• reportingtoExecutiveBoard,SupervisoryBoard,andAuditCommittee,and
• department-widetasksaimedatimprovinginternalorganizationandcommu-
nication.
HIntSAnDtIPS ;
• Duringtheaudit,informationlowtotherespectiveAuditManagerand/orthe
CAEmustbeensured.Whenindoubt,informationshouldbesenttobothpar-
ties.
AnnualDepartmentMeetingsAnnualDepartmentMeetings
OverallManagementOverallManagement
RegularMeetingswiththeCeORegularMeetingswiththeCeO
AnnualReporttotheAuditCommitteeAnnualReporttotheAuditCommittee
PlanningLevelsPlanningLevels
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
OrganizationalStructureandResponsibilitieswithinGIAS
A|4|4.2
78
• Regular informal meetings with team colleagues and other regional teams
shouldbeheldtoexchangeexperiencesandinformation.
LInKSAnDReFeRenCeS e
• MARKS, N. 2004.SafeguardingAuditorObjectivity. Internal Auditor (October2004):
37–41.
• BAlKARAN,l.2007.ASolidReportingline.Internal Auditor(February2007):96.
• INStItUtE OF INtERNAl AUDItORS. 2001. Practice Advisory 1110-1: Organiza-
tional Independence.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUtEOFINtERNAlAUDItORS.2001.Practice Advisory 2020-1: Communica-
tion and Approval.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUtE OF INtERNAl AUDItORS. 2001. Practice Advisory 2060-1: Report-
ing to Board and Senior Management.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
• INStItUtEOFINtERNAlAUDItORS.2002.Practice Advisory 2060-2: Relationship
with the Audit Committee.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• JOSCElyNE, G. 2004. Balancing Relationships. Internal Auditor (February 2004):
35–36.
• tARR,R.2002.Builttolast.Internal Auditor(December2002):28–33.
4.3 StructureandTasksoftheRegionalGIASTeams
KeyPOIntS •••
• heregionalteamsareoperationalauditunits.heypossessahighdegreeof
responsibility.
• AuditManagersareinchargeofregionalteamsandresponsibleforteam-speciic
needs.
• Amajorfocusofregionalteamsisregionalconsiderationforcompanyspeciics
andculturalpractices.Achievingthisgoalrequiresintegratingtheinformation
channelsoftherespectiveregion.
Regionalteamsareresponsiblefortheproperandfullexecutionofallscheduled
andad-hocauditsintheirregion.Inthisprocess,theylargelyworkautonomously
–thatmeans,theycanscheduleandperformallthemeasuresrequiredforproper
auditexecution.Suchwide-rangingfreedomisanessentialprerequisiteforensur-
ingthatInternalAuditcanaccommodateregionalandculturalpractices.
heregionalteamsconsistofanAuditManagerandanumberofauditorswith
diferingareasofexpertiseandlevelsofexperience.Normally,eachregionalteam
willhaveatleastanInternalAuditor,aSeniorAuditor,andaGlobalAuditor(see
SectionA,Chapter4.5).However,itisuptotheAuditManagertomatchtheteam
compositionwiththerequirementsoftheregion.
ResponsibilitiesoftheRegionalteams
ResponsibilitiesoftheRegionalteams
CompositionoftheRegionalteam
CompositionoftheRegionalteam
79
Asidefromtheircorebusinessofconductingaudits,eachteamisfacedwitha
varietyofindividualchallenges.Onechallengebeyondtheactualauditsistocover
the“classic”serviceactivities,aswellasadditionalactivitiessuchasconsulting,etc.
(seeSectionA,Chapter7).Someactivitiesariseasaresultofregionalpracticesand
canincludeparticipationinmanagementmeetings,discussionswithexternalpar-
ties, and cooperation with operating units or other company/audit bodies. Such
activitiesusuallyinvolvespeciiccooperationandareotenbasedonprofessional
relationshipsdevelopedatasinglelocation.hisformofembeddednessinthere-
gionalorganization,togetherwithinformalnetworking,cancreatevaluableinfor-
mationchannelsforInternalAuditthatacentralizeddepartmentwouldinddii-
cultorimpossibletoachieve.
heAuditManager’sresponsibilitiesincludebudgetplanning,costcontrol,the
general linemanagement,andcoordinationofbroader issues resulting fromthe
team’swork.Forthesetasks,coordinationwiththeCAEwillbejustasimportantas
consultationwiththecentralcorporatedivisionsandotherregions.
Despite their independence, the regional audit units remain tied together as
partoftheGIASdepartment.hisguaranteestwothings:auniform,Group-wide
auditapproachtoieldworkandtheactualon-timeperformanceofaudits.Auditors
from diferent regions are oten involved in time-critical or special audits. Such
audits require the planning skills of both the involved Audit Managers and the
CAE.
Itisparticularlyimportantfortheregionalauditteamstoalsobeintouchwith
thecompany’slocalbusinessmanagers.toensurethis,GIAShastocommunicate
withlocalmanagersregularlyandincludelocalmanagementinitsieldwork.Such
cooperationwillsigniicantlyboostthewillingnessofthelocalmanagerstotakethe
initiativeandinvolveInternalAudit.
HIntSAnDtIPS ;
• Collectandcatalogrecommendationsregardingauditsandtheirorganization.
• Auditorshavetomakesurethatallinformationfromtheirregionalteamsisalso
availabletotheAuditManagerandotherGIAScolleagues.
4.4 StructureandOrganizationoftheAuditTeams
KeyPOIntS •••
• Anaudit teamis formedforeachaudit.Eachaudit teamconsistsofauditors
withtherequiredspeciicexpertiseandrelevantexperience.
• GIASdiferentiatesbetweenlocal,regional,andglobalaudits.
• heauditlead,thepersoninchargeoftheauditteam,isresponsibleforensur-
ingthatauditsareperformedcorrectly,completely,ontimeandtothedeined
extent.
ChallengesFacedbytheRegionalteamChallengesFacedbytheRegionalteam
ResponsibilityoftheAuditManagerResponsibilityoftheAuditManager
GIASnetworkGIASnetwork
InformationexchangeBetweenRegionalteamsandManagement
InformationexchangeBetweenRegionalteamsandManagement
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
StructureandOrganizationoftheAuditTeams
A|4|4.4
80
• heauditlead'sresponsibilityextendsoverallauditphases,includingplanning
andreporting.
• Securingtheorganizationofallnecessaryieldworkisalsoundertheresponsi-
bilityoftheauditlead.
• heauditteamcarriesouttheauditinaccordancewiththeworkprogramand
thetasksthatareallocatedwithinit.Formalandinformalcoordinationshould
takeplaceregularlysinceit isessential forachievingacomprehensiveassess-
mentofallrelevantaspectsoftheauditanduniformityofauditresults.
Becauseeachauditisanindividualactivity,auditshaveproject-likecharacteristics.
heseproject-likecharacteristicsaredeterminedonthebasisofcriteriasuchasthe
audit’suniqueness,timelimits,theclearlydeinedauditrequest,andspeciiccon-
tent-related and organizational objectives and planning. As a result, elements of
projectcontrolshouldbeappliedtoaudits.
Auditteamsareformedforeachindividualaudit.Anauditisusuallyperformed
by at least two auditors at any time; a single auditor is only used in exceptional
cases.Itisotennecessarytoincludemorethantwoauditorsintheauditteam.
heauditteamshouldhaveabalancedcompositionatalltimes.Auditorsare
assignedtoateamonthebasisoftherequiredskillsandexperience,aswellasavail-
abilityandregionalorpersonalsuitability.All levelsofexperiencecanberepre-
sentedinanauditteam,fromInternalAuditorthroughSeniorAuditortoGlobal
Auditor.heteamisusuallycomprisedofmemberswithawiderangeofqualiica-
tionlevels(seeSectionA,Chapter4.5).
heimportanceofbeingabletorapidlyformefectiveauditteamsfromdifer-
entlocationswillcontinuetoincrease,becauseauditorswithspeciicexpertisecan-
notpermanentlybekeptinreserveinallregions,andbecauseauditorsusuallysign
upforlocalworkandmaythusbeunavailable(atleastforsometime)forinterre-
gionalassignments.heAuditManagersandtheCAEshoulddemonstrateacon-
siderateapproachinassigningemployeesbecauseinterregionalassignmentsusu-
ally result in a signiicant increase in each individual auditor’s workload. his
increaseinworkloadmustbetakenintoconsiderationbyregionalschedules,for
examplethroughindividual,audit-speciictimeaccountsorblankettimereserves.
Anauditleadisnominatedforeachauditteamastheteamleader.heauditlead
isresponsible for thetechnicalcoordinationof theaudit,andthusfor theentire
processlowinaccordancewiththeGIASprocessmodel.Inaddition,theauditlead
isresponsibleforbothverifyingthequalityandensuringtheformalstructureofall
documentation.Ultimately,theauditleadhastoensurethattheauditreportissup-
ported by working papers and completed on schedule. Putting diferent report
componentstogetherandsynchronizingtheresultstoformaconsistentopinion
arealsotheresponsibilityoftheauditlead.Incaseofdiferencesofopinionregard-
ingaspeciictopic,theauditleadhastoensurethatauditorswithdiferentopinions
ultimatelyreachaconsensus.heauditleadalsohastocoordinateallaudit-related
externalcommunication,whichincludesresponsibilityformanagingappointments
withtheauditedparties,aswellascoordinatingcommunicationwithalltheindi-
theAuditasaProjecttheAuditasaProject
numberofAuditorsnumberofAuditors
LevelsofQualiicationwithintheAuditteamLevelsofQualiicationwithintheAuditteam
theOrganizationofAuditAssignments
theOrganizationofAuditAssignments
AuditLeadAuditLead
81
viduals indirectly involved in the audit. All these responsibilities together mean
thattheauditleadplaysakeyroleinthecontrolandmonitoringoftheentireaudit.
Efectiveschedulingandcoordinationoftheinformationlowamongauditorsare
majorprerequisitesauditleadshavetomeettoensureasuccessfulaudit.
hebasicstaingoftheauditteamisdeterminedduringtheoperationalexecu-
tionplanning(seeSectionB,Chapter2.4andSectionD,Chaper3.3).Duringplan-
ning, the available resources are assigned to the time intervals of the scheduled
audits.heassignmentsarepreliminaryatthispoint.heyareinalizedwhenthe
actualauditsareannounced,oratthelatestwhentheoperationalpreparationfor
theauditbegins.Bythispoint,themembersoftheauditteam,aswellasthetasks
theyareassignedtoandthetimethatisallocatedforeachaudittopic,mustbede-
termined indetail.heaudit team’sworkprogrammust clearlydeine theaudit
objective,therespectiveaudittopics,theieldworktobeperformed,thetimelines,
andallinternalandexternaldependencies.
Duringanaudit,theauditleadmustensurethattheauditteammeetsregularly
(orwheneverrequired)toexchangeinformationandtodiscussproblemsandthe
progressof theaudit.Exchangingworkingpapers,supportingeachotherduring
ieldwork,andprovidingmutualbackingforauditindingswillhelptoformateam
spiritamongauditteammembers.Otheractivitiesthatsupportteamworkarethe
jointpreparationofopeningandclosingmeetings,reciprocalchecksofreportcom-
ponents, the joint analysis of interim results, and preparation of the next audit
steps.
Regional audits may be conducted by auditors from diferent regions (then
knownasmixedteams).ByexchangingpersonnelbetweendiferentGIASteams,
the auditors learn about professional development opportunities and mutually
beneitfromexperienceandknow-how.hecompositionoftheauditteamisthus
aimedatoptimallycoveringthelocalandregionalauditrequirements.
Incontrasttoregionalaudits,globalauditsarealwaysconductedbyteamsthat
arecomprisedofmembersfromdiferentregions.Asaresult,thetopicoftheglobal
audit dominates the structure of the team, which means individual auditors are
selectedandassignedonthebasisoftheirspeciicknowledgeandexpertise.With
suchanapproach,globalissuescanbeauditedwithglobalrepresentationindifer-
entcountries,eitheratthesametimeorinseveralstagesovertime.Itiscrucialthat
wheneverpossible,globalauditsfollowasimilarteamstructureaslocalorregional
audits.
Auditteamsusuallyretaintheiroriginallyplannedcompositionthroughoutthe
entireaudit.However,unscheduledchangesarepossible,whenspontaneousevents
suchaspersonalcircumstancesornewissuesorshitsinemphasisariseduringan
audit.
HIntSAnDtIPS ;
• Audit teams should be selected based on rational aspects and with personal
knowledgeandabilitiesinmind.
StaingofAuditteamsStaingofAuditteams
teamworkteamwork
RegionalAuditsRegionalAudits
GlobalAuditteamsGlobalAuditteams
Short-termReassignmentofAuditteams
Short-termReassignmentofAuditteams
A|4|4.4ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
StructureandOrganizationoftheAuditTeams
82
• Aconsistentlyhighlevelofknowledgeamongtheauditteamwillalloweicient
andreliableauditexecution.Achievingthislevelofknowledgewillrequirecom-
mensurate,constant,andcoordinatedtraininginaudit-speciicsituations.
• Interculturalaspectsandculturaldiferencesaswellasculturalknowledgeand
languageskillsshouldbetakenintoaccountwhencomposingauditteams.One
aimshouldbetominimizeburdensfromteamcompositionsuchastravel.
4.5 EmployeeProfilesinGIAS
KeyPOIntS •••
• heCAEisresponsibleforaholisticorientationofthedepartment.hisinvolves
makingsurethatInternalAuditfollowsguidelinesandproceduresthatareuni-
formthroughoutthecompany,toensureeiciency,comparability,andquality.
• heCAEisalsoresponsibleforbasicstrategyandthestructureofthedepart-
ment.
• hetasksofInternalAuditrequireavarietyofdiferentjobproileswithinthe
department.hedesignoftheseproileshastobetransparentanduniform,and
mustincludebothtechnicalandmanagement-relatedaspects.
• hediferentproilesoftheauditorscontainkeytasksthatshouldbethebasic
foundationforallfunctionaldescriptions.
• Inaddition,eachindividualjobdescriptioncontainsfurther-reachingrequire-
ments,bothtechnicalandmanagement-relatedinnature.
hefollowingfunctionsbyhierarchyexistintheGIASdepartment:
• CAE,
• AuditManager,
• GlobalAuditor,
• SeniorAuditor,and
• InternalAuditor.
hefunctionslistedabovedescribeacareerpathandaredocumentedinaperson-
neldevelopmentconcept.Importantelementsofthisconceptincludetherelevant
jobproileswhichlayoutthetasks,responsibilities,andauthority,aswellasexper-
tiseandknowledgerequirementsforeachfunction.Withintheframeworkofthe
jobproiles,adevelopmentplanshouldbedrawnupforeachjobowneraccording
totheemployee’sindividualqualiicationandperformance.herefore,everystep
uponthecareerpathrelectsthepersonalexperienceoftheauditoralsowithregard
toprofessionalandleadershipqualiications.Eachjobproileshouldbedocumented
separately.Suchdocumentationcanbeusedforinternalandexternaljobadvertise-
ments.Jobdescriptionsshouldbeavailabletoallemployeesthroughtheintranet.
FunctionsFunctions
PersonnelDevelopmentConcept
PersonnelDevelopmentConcept
83
heCAEisresponsiblefordevelopingtheglobalstrategicdirectionofthede-
partmentandauniversalauditstrategy,whichinvolvesthefollowing:
• implementingasecureorganizationalstructureforthedepartment,
• assumingcomprehensivemanagementresponsibility,
• creatingandimplementingageneralpersonneldevelopmentstrategy,
• managingGIASasaninternational,multiculturaldepartmentofdiferentteams,
withallstaf-relatedrequirements,
• developingprocesslowswithininternationallyrecognizedauditstandards,
• creatinganannualauditplaninclosecoordinationwiththeCEOandtheAudit
Committee,
• recordingandanalyzingauditrequestsduringayear,
• overallcoordination,monitoring,andqualitycontroloftheauditsperformed,
includingcommunicationofauditresultstotheExecutiveBoard,
• managingandmonitoringofescalationprocesseswithregardtoauditengage-
ments,
• representingthedepartmentatinternalandexternalevents,
• interfacetoandcooperationwithinternalandexternalparties,
• supportingtheenterprise-widedeinitionofguidelines,and
• deinitionandapplicationofkeyperformanceindicatorswithintheframework
ofglobalbenchmarking.
heCAEcansuggestauditsathisorherowninitiative,aswellasinitiateauditsin
areaswherethereisgroundforsuspicion.
Allemployeesmusthaveauniformlevelofexpertiseandskillswithregardto
theGIASauditapproach.hestructuremappedoutinthecareerpathbelowshows
themainadditionalareasofactivityforeachpositionlevel,brokendownbyem-
ployeeproile.
hegeneraltasksintheauditorproiles(irstthreelevels)canbesummarizedas
follows:
• preparingandcarryingoutscheduledandunscheduledauditsfromallareasin
accordancewithauditprinciplesandprocessguidelines,
• communicationofauditresultsthroughtheappropriatereportinglevels,
• monitoringandcontrollingthefollow-upprocess,includingfurthersupport,if
necessary,inimplementingrecommendationsresultingfromanaudit,
• closecooperationwithotherdepartments,suchasRiskManagement,aswellas
externalpartnerstoclarifytheauditcontentandmonitorauditresults,
• supportindevelopingbestpracticesolutions,bothfortheauditprocessandin
supportofotherdepartmentsandareas,
• ratingandanalysisofinternalprocesscontrolsandbusinessareasexposedto
risk,particularlywithregardtoregularaudits,andifapplicablealsoincoordi-
nationwiththeafecteddepartments,and
• supportindesigningguidelinesandgeneralagreementsasrequirementsforin-
dividualbusinessunitsortheentirecompany.
ActivityAreasoftheCAeActivityAreasoftheCAe
IndividualCharacteristicsIndividualCharacteristics
KeytasksofAuditorsKeytasksofAuditors
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
EmployeeProilesinGIAS
A|4|4.5
84
SeniorAuditorsare,inadditiontotheabovecoretasks,involvedinspecialorad-
hocaudits.Inmostcases,theyalsoserveasauditleadsresponsibleforlocaland
regionalaudits.
GlobalAuditorsareresponsibleforgloballyrelevantaudittopics.heyeither
representthesetopicsasinterregionaltechnicalauditorsinallassociatedaudits,or
assume the roleofglobalaudit leads.hismeans that theyare inchargeofcol-
leaguesfromdiferentregionsinasingleauditteam.
Audit Managers are the regionally responsible heads of organizational audit
units,whichareorganizedascostorproitcenters.AuditManagersbearfullre-
sponsibilityfortheirregionalteam,intermsofdisciplineandfunction.AuditMan-
agers serveas autonomous regional audit executives,but their activities are also
centrally alignedandirmlyembedded in theoverallGIASdepartment through
globalintegration.
Amajorconsiderationofallproilesisthefactthattheyshouldmerelybeseen
asaformalframework.Everyemployeemustbeabletoperformassignedfunctions
AdditionaltasksforSeniorAuditors
AdditionaltasksforSeniorAuditors
AdditionaltasksforGlobalAuditors
AdditionaltasksforGlobalAuditors
AdditionaltasksforAuditManagers
AdditionaltasksforAuditManagers
PersonalDevelopmentPersonalDevelopment
Fig. 11 StructureandTasksbyFunctionwithinGIAS
85
individually.herequirementsintheproilesrepresentminimumstandardsneeded
toensuretheorganizationalandprofessionalqualityofInternalAudit.tasksand
responsibilitiescanbeextendedandintensiiedatanytime,dependingonpersonal
abilityandinterests.Suchchangesneedtoberelectedineachindividualemploy-
ee’spersonaldevelopmentplanning.
HIntSAnDtIPS ;
• Internal auditors should make sure their job descriptions are complete and
makesuggestionsforupdates,aswellasdiscussadditionalorchangesintasks
withtheappropriatemanager.
• Employeesshouldalsobewillingtoperformtasksthatlieoutsidetheirjobde-
scriptionsanddocumentsuchactivities.Basedonthisdocumentation,thetype
andextentoftheiractivitiescanbeexaminedcritically,permittingalternative
assignmentsandnewareasofresponsibilitytobeconsidered.
• he requirements of any position should be discussed with the responsible
manager.
• Comparisonwith similar jobproiles inother companieswillhelp recognize
potentialforchangesandimprovementsinproiles.
LInKSAnDReFeRenCeS e
• INStItUtEOFINtERNAlAUDItORS.2001.Practice Advisory 2000-1: Managing the
Internal Audit Activity.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUtEOFINtERNAlAUDItORS.2001.Practice Advisory 2040-1: Policies and
Procedures.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUtEOFINtERNAlAUDItORS.2001.Practice Advisory 2050-1: Coordination.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUtEOFINtERNAlAUDItORS.2001.Practice Advisory 2050-2: Acquisition of
External Audit Services.AltamonteSprings,Fl:heInstituteofInternalAuditors.
4.6 CareerPathsandDevelopmentPotential
KeyPOIntS •••
• heGIASjobproilesareassignedtodiferentcareerlevels.AllGIASfunctions
arethereforelinkedwitheachotherandformthefoundationforacontiguous
careerpath.
• Basedon this careerpath,performance feedbackmeetings takeplace for the
purpose of performance measurement and development planning. During
thesemeetings,speciicmeasuresaredeinedtoeithermaintainanattainedjob
levelorprepareforadvancementtothenextcareerlevel.
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
CareerPathsandDevelopmentPotential
A|4|4.6
86
• hedecisivefactorineachauditor’sprofessionaldevelopmentiseachindividu-
al’scommitment.hecombinationofanemployee’scommitmentandthesup-
portoftheCAEortheAuditManagerguaranteethatcareerdevelopmentplan-
ningisoptimizedandtranslatesintoprofessionaladvancement.
• InadditiontodevelopmentopportunitieswithinInternalAudit,alternativeca-
reerpathsoutsideofGIASbutwithinthecompanyarepossible.
heGIASfunctionslistedinthepreviouschapterareintegratedintoaprototypical
contiguous, transparentcareerpath.hejobdescriptions foreachpositionform
theessenceoftheGIAScareerpath(seeSectionA,Chapter4.5).hejobproileslist
alltheprerequisites,technicalknowledge,andpersonalcharacteristicsrequiredin
ajobowner.EveryInternalAuditemployeemustbeassignedtooneoftheseposi-
tions;otherwise,conscientiousperformancemeasurementanddevelopmentplan-
ningwillnotbepossible.
Eachcareerlevelisdescribedby:
• therequiredlevelofknowledgeandskills,
• thelevelofqualityandquantityshownintheexecutionoftasks,documentedby
ongoingperformancemeasurement,
• theextentofresponsibility,and
• acceptanceandcomprehensionofactivitiesbothwithinandoutsideofGIAS.
Dependingonregionalcircumstances,thediferentcareerlevelscanbearranged
individuallyinoneormorepaygrades.hepaygradestructureisthereforedifer-
entiatedbyregionandbyperformancelevel.Respectiveperformancelevelsshould
beassignedtocorrespondinggroupsworldwide.
hedevelopmentpotentialofeachindividualemployeehastobeidentiied,tak-
ingtheprototypicalcareerpathasafoundation.Intheannualperformancefeed-
backmeeting,theperformanceofeachindividualauditorandmanagerismeasured,
analyzed,anddocumentedjointly.Globallyuniformstandarddocuments,suchas
theGIASappraisalform,areavailableforthepurposeofmeasurement,analysis,
anddocumentation,andhelprecordbothqualitativeandquantitativeaspectsof
auditwork.Importantfactorsthatareincludedarethenumberandtypeofaudits,
theirquality,andanyspecialtasksperformed.hediferentactivitylevelscreatea
balanced record of current performance capability and recognized development
ields.
he professional development of an auditor initially involves identifying and
eliminatingknowledgedeicitsandacquiringskills.hesemeasuresareintendedto
establishormaintaintherequiredskillsleveloftheauditorconcerned.Iftheobjec-
tiveistoprepareanauditorfornewtasks,adevelopmentplanmustbeestablished
forthenextstepintheGIAScareerpath.Suchaplancombinesdiferenttraining
aspects, such as improvement of technical skills ranging from international ac-
counting to knowledge of modern audit practices, but also language skills and
JobProileWithinGIASJobProileWithinGIAS
DescriptionofCareerLevels
DescriptionofCareerLevels
PayGradesPayGrades
DevelopmentPotentialDevelopmentPotential
DevelopmentPlanofIndividualAuditors
DevelopmentPlanofIndividualAuditors
87
personalabilitiessuchassocialbehavior,teamworkability,etc.Suchskillacquisi-
tiongoalsaresummarizedannuallyinthepersonaldevelopmentplanandmoni-
toredbytherespectiveauditortogetherwiththelinemanager.
Fortheindividualauditor,newskillacquisitiontargetsmayresultinneworad-
ditionalaudittopics,obtainingaprofessionalcertiication,temporaryparticipation
inspecialaudits,globalaudits,andinternalprojectsoreveninmovingtoadiferent
region.Alloftheseactivitiessigniicantlyexpandthehorizonoftheindividualand
createagoodfoundationforprofessionaladvancement.Obtainingaprofessional
certiication,suchastheCIA,CPA,CISA,orCSOXdesignation, isastepthat is
particularlysuitedtoimproveproiciencyandtosignaladherencetoexternalethi-
calandprofessionalstandards.
Auditorswhoreachtheirdevelopmentgoalsontimeandperformtheirdaily
dutiessatisfactorilycanexpecttoattainthenextlevelintheircareerpathatme-
dium-termintervalsofonetothreeyears.hedegreeofpersonalcommitmentof
eachindividualemployeeisakeyfactorinthisadvancement.hequestionasto
whether a career takes a more technical turn or is more management-oriented
withintheGIAScareerpathislargelydeterminedindividually.
AsidefromdevelopmentopportunitieswithinGIAS,auditorsalsohavetheop-
tionofassumingtechnicalormanagerialresponsibilitiesinotherpartsofSAP.Due
tothewiderangeofexperienceandknowledgeacquiredduringauditwork,Inter-
nalAuditrepresentsanidealqualiicationplatformforworkinginnumerousother
areasofthecompany,particularlyinbusinessadministrationdepartmentsorother
staffunctions.heGIASemployeedevelopmentsystemsupportsindividualswho
wishtopursuesuchopportunities.
Alternatively,duetothemanifold,ever-changingtasksitfaces,GIAScanofer
excitinglong-termperspectivestoqualiiedemployees.Itistheresponsibilityofall
GIASmanagerstoemphasizethiscontinually,andtoconvincetheindividualaudi-
torofitsvalidity.However,employeeshavetodecideforthemselveswhetherthe
long-termfocusonauditworksuicientlymotivatesthem,orwhethertheyarein-
terestedinotherenterpriseareas.
HIntSAnDtIPS ;
• Duringtheyear,InternalAuditstafshouldverifytheirachievementofobjec-
tives, pose critical questions regarding further education requirements, and
discuss topicalquestions regarding theirdevelopmentdirectlywith their line
managers.
• Deiningpartialandobjectivegoalsmakesiteasiertomonitorachievement.
• Auditorsshouldaccepttasksthatarenotnecessarilypartof theirowncareer
focus.
• Careeraspectsshouldnotbethefocusofdailywork,butconsideredinmedium
tolongtermplanning.
DevelopmentStepsDevelopmentSteps
CareerPathCareerPath
DevelopmentOpportunitiesDevelopmentOpportunities
FuturePerspectivesFuturePerspectives
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
CareerPathsandDevelopmentPotential
A|4|4.6
88
LInKSAnDReFeRenCeS e
• HElPERt,A.2006.CultivatingaloyalWorkforce.Internal Auditor(December2006):
66–72.
• MCDONAlD,P.2006.heQuestfortalent.Internal Auditor(June2006):72–77.
4.7 TheStructureofTimesheetsinInternalAudit
KeyPOIntS •••
• timesheetsfulillanumberoftasks.Mostimportantly,theyareacrucialplan-
ningtoolindrawingupareliableauditplanforeachauditor.Othertasksare
performanceanalysisandcostingcontrol.
• timesheetsprovideinformationataglancesuchasrelevanttotalsforeachaudi-
tor,andaggregatediguresfortheentiredepartment.
• Onthebasisofsuchinformationandstandardtimerequirementsforindividual
phasesoftheAuditRoadmapaccuratetimevaluescanbecalculatedforeach
auditstatus.
• timesheetscanalsobeusedasabasisfordiscussionbetweenemployeeandline
managerinperformancefeedback.
InternalAuditisaproject-baseddepartment.Insuchdepartments,itisnecessary
toidentifyandstructuretheavailableworkingtimeforthefollowingreasons:
• tokeepthetotalvolumeofeachtimecomponent,suchasnetworkingtime,
productivityandcapacityutilization,aswellassickleaveandvacationdaysac-
tuallytaken,etc.,uptodate.Currentinformationonthenetnumberofworking
daysavailableisthebasisforschedulingindividualaudits.
• Standardtimescanbeusedtodeterminethetotalnumberofauditsthatcanbe
executedbyeachauditorandthewholedepartment.
• Bybudgetingtimeandusingstandardtimes,astaingplanbasedontheca-
pacity for theentiredepartmentcanbecreated.Suchaplanshouldcoverall
auditorswithdiferentlevelsofexperienceandknowledge,andshouldtakeinto
considerationplannedandunplannedabsences.
• Creatingastaingplanmakesiteasiertoplanandmonitortheauditsasawhole
aswellasthephasesoftheGIASprocessmodel(seeSectionB),becausetheplan
identiieshowtimeisallocatedwithineachaudit.
• Basedonthestaingplan,averageswithinandacrossauditcategoriescanbede-
terminedforinternalandexternalbenchmarking.heseaveragescanberelated
tootherkeyigures(e.g.performanceindicatorsfrompreviousyearsorfrom
other internal audit departments). Performance ratios form the basis for ad-
ditionalreportsonthedepartment’sefectivenessandeiciency(seeSectionD,
Chapter7).
needtoIdentifyandStructureAvailable
Workingtime
needtoIdentifyandStructureAvailable
Workingtime
89
• Inaddition,informationonthestructureandcompositionofindividualassign-
mentsfacilitatesconiguringauditswithregardtotimeavailable,reducingthe
risk that the complexity of an audit may make it impossible to execute it in
time.
• Carefultimeplanningiscloselylinkedtothepossibilitytobilldepartmentsfor
certainauditactivitiesorservices,becausetimespentonsuchprojectscanbe
determined.heabilitytodeterminetimespentandthecostofsuchtimeopens
upcompletelynewpossibilitiesforinternalandexternalcharging.
• timeplanningalsohelpstodeterminethedepartment’stotaloutput.Manage-
mentcancreateverydetailedreportsbybreakingdownauditcategories into
individualaudits,activities,etc.Inaddition,bycalculatingtrendsandcorrela-
tions, it ispossible to forecast futureperformanceproiles, todetermineem-
ployeeproductivityforindividualemployees,andtoidentifyfuturestaingre-
quirements.
herearemanywayshowcapacity-basedtimesheetscanbedeveloped.hemost
feasibleoptionistousecomparablemodelsfromotherdepartmentsthathaveproj-
ect-relatedactivities.
Anemployee’stotalannualcapacityisaround220to240workingdays,lessan
amountofnon-productivetimesuchastraining,vacation,andmeetings.Basedon
experience,a totalofaround160to180productiveauditordays isavailableasa
basisforplanningforeachemployee.
henext step is tocompilea timeproile foreachaudit status,basedon the
Audit Roadmap, using averages and experience values. According to the Audit
Roadmap,abasicaudit(seeSectionA,Chapter6.6)requiresonaverage24days.
Given,forexample,160productiveauditordays,anauditorcanexecuteonaverage
6.5basicauditsayear.Bystandardizingthetimerequiredforstatuschecksandfol-
low-ups(seeSectionB,Chapter6),thetotalnumberofactivitiespossibleperem-
ployeeandyearcanbecomputedusingasimpleequivalencecalculation.Basedon
ourexperience,afeasibleworkloadis,onaverage,fourbasicaudits, fourfollow-
ups, and four audit status checks per year and employee (see Section A,
Chapter6.6).
Ad-hocauditsposeaspecialproblemwithregardtotimeplanningbecausedue
tothespecialrequirementsofsuchauditsthereareusuallynostandardvaluesto
baseanyplanningon.Acceptable standardvaluescanbeestimatedusingvalues
frompreviousad-hocengagements,otherplannedauditsorbymakingreasonable
estimates.
timesheetscanalsobeusedasaperformancefeedbacktool.heyformabasis
forbuildingamutualunderstandingbetweenemployeeandlinemanager.Sucha
sharedreferenceframeworkmakesiteasiertodiscussandagreeonissuessuchas
capacity utilization, exceeded deadlines, schedule changes, or team reorganiza-
tions.
DevelopmentofatimesheetDevelopmentofatimesheet
CalculatingAuditorDaysCalculatingAuditorDays
CreationoftimeProilesforAuditCategoriesCreationoftimeProilesforAuditCategories
ProblemofAd-HocAuditsProblemofAd-HocAudits
UseoftimesheetsinemployeeManagementUseoftimesheetsinemployeeManagement
ConceptualBasisofInternalAudit
OrganizationalStructureofGIAS
TheStructureofTimesheetsinInternalAudit
A|4|4.7
90
HIntSAnDtIPS ;
• Allemployeesshoulddiscusstheirannualtimeplanningwiththeirlineman-
agerandreceiveanexplanationofthescheduledtimes.
• Duringanaudit,aseparaterecordofunusualeventsthathadanimpactonthe
actualauditingtimeshouldbekept.
LInKSAnDReFeRenCeS e
• HUBBARD,l.2000.AuditPlanning.Internal Auditor (August2000):20–21.
• INStItUtEOFINtERNAlAUDItORS.2001.Practice Advisory 2200-1: Engagement
Planning.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• RIFE,R.2006.PlanningforSuccess.Internal Auditor(October2006):25–29.
91
5 FundamentalPrinciplesoftheGIASApproach5.1 EmployeeProfilesandtheirInteractionintheAuditProcess
KeyPoIntS •••
• Employeeproilesprovideformalrequirementsintermsoftheindividualfunc-
tionsatGIAS.
• Indeterminingformalrequirementsitisimportanttodistinguishbetweendis-
ciplinaryandtechnicalrequirementsononesideandsocialandpersonalre-
quirementsontheother.
• Amixofvariousskillsisnecessarytoensurethatauditsareincompliancewith
internationalauditprinciples.
SectionA,Chapter4.5providesdetailsofindividualjobdescriptionsatGIAS.he
successofInternalAudit’sworkcanonlybeguaranteedifthedepartmenthasem-
ployeesthatitthejobproiles.Indeterminingwhatskillsemployeesshouldhave
andwhatrequirementsshouldbe included inproiles the followingdisciplinary,
technical,andsocialfactorsshouldbeconsidered:
• Disciplinaryfactorshavetobegivenconsideration.heirstdisciplinaryfactor
is the internal audit department’s disciplinary structure. It ensures to a great
extent compliancewithaudit standardsand sets anaction framework that is
mandatoryforallauditsandforeachemployee.heseconddiscipliningfactor
istheannualauditplan.Compliancewiththisplanisanimportantelementof
disciplinarycontrol.
• Anotherfactorthathastobegivenconsiderationisqualityassurance.Quality
assuranceprocedures(fordetails,seeSectionD,Chapter5)deineindetailwho
isresponsibleforthesupervisionandcontrolofeachauditphase.Inadditionto
content,deadlinesandformalcriteriamustalsobecontrolled.hecontroltasks
usuallyinvolvetheauditlead,theresponsibleAuditManager,and,ifappropri-
ate,theCAE(seeSectionA,Chapter4.5).
• Aninternalauditor’ssocialskillsneedtobeconsideredwhenillingafunction.
hewaypeoplecontributeonapersonallevelcanbecriticalforhowtheyinter-
actwith theircolleaguesandwithemployees fromotherdepartments.Com-
municationskills,anabilitytointegrate,andaconstantfocusonsolutionsare
indispensablebehaviorpatterns.
• InternalAudit’sabilitytocooperateisanotherimportantaspect.Cooperationis
importantindealingwithbothtechnicalandpersonalcausesofauditindings
inanatmosphereoftrust.hepersonalwillingnessofemployeestocooperate
andapositiveattitudetointeractionwithothersisakeyfactor.
• Successfulauditworkneedsawellfunctioninglowofinformation.Although
franknessandclarityareotentheonlywaystoresolveissues,itissometimes
necessarytowithholdoranonymizeinformation.Anonymityisespeciallyim-
portantwhenconidentiality,personaldataprotection,orcompanyinterestsare
employeeProilesemployeeProiles
DisciplinaryStructureDisciplinaryStructure
QualityAssuranceQualityAssurance
SocialSkillsSocialSkills
AbilitytoCooperateAbilitytoCooperate
InformationexchangeInformationexchange
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
EmployeeProilesandtheirInteractionintheAuditProcess
A|5|5.1
92
atstake.However,conidentialityrequirementsshouldnothaveanimpacton
theaccuracyofauditresults.Whenconidentialityisconcerned,sensitivityis
required.InternalAudit’sobligationtomaintainconidentialitymustneverbe
compromised.
• Anotheraspect in formulatingproiles is interculturalexposureofeach indi-
vidualGIASemployee.Considerationofsuchexposureisimportantespecially
wheremixedauditteamsaredeployedorglobalauditsinvariouscountriesare
conducted.Itisimportanttorealizewhatanauditmeansinaparticularcultural
group,whatimportanceisattachedtoit,andwhatpersonalconclusionseach
individualdrawsfromit.
HIntSAnDtIPS ;
• Auditorsshouldobtaininformationinadvanceonhowaudittasksaredistrib-
uted ingeneral andmake sure thatduring theauditprocess theaudit team’s
competencymixadequatelymatchesrequirements.
• In addition, auditors should get an idea of the special competencies of their
auditcolleagues.
• Auditorsshouldtrytoavoidintersectingresponsibilities.Gethelpfromtherel-
evantlinemanagerifnecessarytoresolveorclarifyconlicts.
5.2 AttributesoftheProcess-BasedApproach
KeyPoIntS •••
• heauditsconductedbyGIASareincreasinglybeingorganizedasprojects.
• Akeyrequirementfororganizingauditsasprojectsisastandardizedandclearly
structuredprocessmodel.hisprocessmodelhastobedeinedinitsindividual
projectphases.
• Mainauditphasesareplanning,preparation,execution,reporting,andfollow-
up.Everyaudithastofollowthesephaseswithdiferingdegreesofintensity.
• Ithastobegenerallyacceptedthattheprocessmodelwithallitsstandardre-
quirementsmustbefollowedinallauditsasfaraspossible.
helargevarietyofaudittopics,andtheneedtomakeauditsplannable,controlla-
ble,andcomparablerequireaprojectapproachtoaudits.Aclearprocessmodelis
averyusefultoolforimplementingaprojectapproachbecauseitallowsplanning
andperforminganauditseamlesslyfrombeginningtoend.Aprocessmodelhasto
bebasedonastandardizedapproachthatcoversallstandardrequirements,andit
canbeusedforeveryauditandindividuallyadaptedasnecessary(fordetails,see
SectionB).
InterculturalCooperationInterculturalCooperation
ProjectApproachProjectApproach
93
hestandardprocessmodelofGIAS,theAuditRoadmap,comprisesthefollowing
phases:
• Planning,
• Preparation,
• Execution,
• Reporting,and
• Follow-up.
PleaserefertoSectionBforadetaileddescriptionofeachphase.hischapterex-
plainsthereasonsforandtheadvantagesofhavingaprocessmodel.
he project character of audits is an important reason for having a standard
processmodel.Astandardizedprocessensuresthatproject-relevantrequirements
canbeimplementedeasierbyprovidingasequentialmodelofallnecessaryaudit
phases,fromplanningthroughexecutiontopreparingtheauditreportandfollow-
up activities. Such a model helps to make sure that audits can be reviewed and
monitored.However,theindividualphasesonlyprovidetheframeworkfortheau-
ditstepsconcerned.heincludedworkingpapers,standardreporttemplates,op-
erationalwork instructions,andrecommendationsareofmajor importance,be-
causetheyincreasetheauditreliabilityofeachindividualInternalAuditemployee.
hereareveryfewprocessstepsthattheprocessmodeldoesnotdeine,atleastin
outline.Providingacomprehensivemodelfacilitatescomparingindividualaudits
witheachotherandintegratingthemintoabenchmarkingconcept.Bothprocess-
relatedkeyperformance indicatorsandresults-basedvaluescanbeused forkey
performanceindicator(KPI)analysis(seeSectionD,Chapter7).
Aprocess-basedapproachalsofacilitatesthecoordinationofindividualaudi-
tors.Meetingkeydeadlines inaudits,knownasmilestones, requiresaproactive
project-basedemployeemanagement.heprocessmodelprovidesan indispens-
ablebasictoolforsuchaproactivemanagement.heclearlystructuredphasesand
their substructures allow Internal Audit management to monitor deadlines, de-
ployment, and reporting, and therefore, to perform comprehensive and sensible
auditmanagement.
Aprocessmodelopensupthepossibilityforperformance-basedincentivesys-
tems.Rewardsshouldbegivenwhenamilestoneissuccessfullycompleted.Amile-
stone is successfully completed if all activities required in terms of the standard
processmodel,plusanyadditionalactivitiesneeded,havebeenperformedtothe
requiredlevelofqualityandwithintheagreedtimeframe.
Phase-basedqualityassuranceoftheauditprocessaspartoftheprocessmodel
considerablyenhancestheeiciencyofaudits.Approvaltoproceedtothenextau-
ditstepshouldonlybegivenwhenqualityassurancehasbeenperformed(forde-
tails, seeSectionD,Chapter5).Aprocessmodelguaranteesanapproach that is
consistentacrossallauditphases,whilealsoprovidingconsiderablesupportinen-
suringthecompletenessofthequalityassuranceprocess.
AuditRoadmapAuditRoadmap
AuditRoadmapasWorkingBasisAuditRoadmapasWorkingBasis
CoordinationofAuditorsCoordinationofAuditors
Performance-BasedAuditexecutionPerformance-BasedAuditexecution
Phase-BasedQualityAssurancePhase-BasedQualityAssurance
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
AttributesoftheProcess-BasedApproach
A|5|5.2
94
hefollowingdiagramshowstheinterrelationswithintheprocess-basedInter-
nalAuditapproach.ItalsolaysouttheGIASRoadmap,whichistheworkingbasis
forInternalAuditatSAP.
AprocessbasedauditmodelcreatesthebasisforacomprehensivereviewofInter-
nalAudit.Suchareviewcanbe in the formofapeerreview,which isacritical
evaluationofworkbyindependentcolleaguesofsimilarstanding(seeSectionD,
Chapter9)andofersInternalAudittheopportunitytofacescrutinybyacommit-
teeofoutsideexperts.Aspartofsuchareviewallprocessstepsmustbemadeavail-
abletoexternalthirdpartiesforinvestigation.heprocessmodelprovidesacom-
prehensiveoverviewof the importantperformancefactorsofInternalAuditand
helpstostructure,plan,andperformpeerreviewsinaneicientmanner.heclear
structureoftheprocessmodelsimpliiesreviewsbecauseassessmentcriteriacanbe
unambiguouslyassignedtotherelevantphasesandprocesssteps.Inaddition,any
improvementpotentialcanbepinpointedaccuratelyandaddressedonthebasisof
clearresponsibilities.
Lastbutnotleast,aprocess-basedapproachprovidestheperfectbasistodevelop
oremployITsolutions.Becausethecontentandsequenceofstepsareaccurately
described,manyoftheprocedurescanbeautomated(seeSectionD,Chapter4).
HIntSAnDtIPS ;
• Everyemployeeshouldhaveathoroughunderstandingoftheelementsofthe
GIAS process model. he process model should be applied consistently, and
particularlytheprojectapproachshouldbeimplementeduniformly.
Process-BasedApproachProcess-BasedApproach
PeerReviewPeerReview
IntegratedSoftwareSolution
IntegratedSoftwareSolution
Fig. 12 Process-BasedApproachinInternalAuditatSAP
95
• Standardsshouldberegularlyassessedwithregard toappropriateness,and if
necessary recommendations should be made for optimization. It is useful to
reviewotherproceduresimplementedatoicialinstitutions,othercompanies,
orothersuitablesourcestoidentifyimprovementpotential.
• Alwaysensurethateachphaseiscompleteandobservethemilestoneswithre-
gardtoassuringcontentquality.
• hereshouldbearegularexchangeofviewsandideaswiththoseresponsible
regardingtheadvantagesanddisadvantagesofthecurrentprocessmodel.
5.3 DefinitionofAuditContent
KeyPoIntS •••
• Foraneicientandstandardizedauditexecution,auditsmustbeclearlydeined
inwhattheycover.
• Uniform content of audits is achieved by deining audit areas and providing
informationonauditcontent.AtSAP,suchadeinitionisdoneinScopes,which
aredocumentsdescribingstandardauditcontent.
• hedeinitionofstandardauditcontentgivesauditors theopportunitytofa-
miliarizethemselvesasquicklyaspossiblewithnewandcomprehensiveaudit
topics on the basis of standardized procedures. Familiarity with the relevant
Scopesisparticularlyimportantbecauseintensiveexposuretothematerialto
beauditedisanessentialprerequisiteforasuccessfulaudit.
• Inaddition,auditsperformedonthebasisofScopescanbecomparedeasier
withregardtoworkperformedandresultsachieved.
AtSAP,auditcontent is systematicallystructuredonthebasisofcomprehensive
standarddocumentsknownasScopes.hesedocumentsareimportanttoolsused
toperformeicientandefectiveaudits.hecontentofeachauditield(e.g.opera-
tional audits) is deined in a number of Core Scopes (e.g. Purchasing) which in
turn are broken down into several Key Scopes (e.g. Purchase Order, Goods Re-
ceipt).Scopescontaindetailedinformationabouttheauditarea,includingthepro-
cesses,procedures,risks,andcontrolsystems(seeSectionB,Chapter2.1).Scopes
canhavediferentlevelsofcomplexitydependingontheaudittopic.Forexample,
theauditofanentiredepartment,suchaspurchasing,orofacorporatefunction,
suchasmanagement,requiresamuchmorecomprehensivedescriptionthanthe
auditofcreditcardexpenses.hescopingphase,whichprecedestheactualexecu-
tionoftheaudit,requiresauditorstofamiliarizethemselvesindepthwiththeaudit
matter.
SectionB,Chapter2.1describesthecontentofScopesindetail.Here,weonly
pointoutthatthecreationofScopesinvolvesamulti-stageprocedure,inwhichall
thefactsandthecontentofanauditareaarecapturedanddescribedaccordingtoa
ScopesScopes
CreationofScopesCreationofScopes
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
DeinitionofAuditContent
A|5|5.3
96
standardstructure.hefollowingdimensionscanbeusedtomapalmostallaudit-
relevantinformation:
• frameworkssetbyguidelines,rules,andwritteninstructions,
• organizationalunitsinthecompany,
• processesthatmaptheinteractionbetweenfunctions,and
• individualprocess-relatedobjectsasthesmallestoperationalunits.
Inthecontextofanintegratedprocessmodel,thestandardizeddescriptionofaudit
contentbasedonScopespresentsanumberofimportantadvantages:
• Astandardizedandforward-lookingdescriptionofauditcontentallowsaudi-
tors to familiarizethemselves indepthwiththematerial tobeaudited inad-
vanceoftheactualaudit,thusgivingthemafoundationoftheaudittopic.his
gives themtheopportunity todealwith theauditareas,both inrelationtoa
speciicauditandindependentlyofanaudit.
• hedescriptionanddeinitionofauditcontentspeciiesnotonly thecurrent
conditionbutalsothedesiredidealcriteriasothatInternalAudit’srequirements
arealreadyincludedintheScopes.Whentheactualauditisperformed,thecur-
rentandthedesiredconditionarecompared,thusensuringtheefectivenessof
theieldwork.hismeansthatexistingprocessesandguidelinesarenottheonly
benchmark forauditindings,butare supplementedby thecomparisonwith
idealdesiredcriteria.
• hestandardizeddescriptionofauditcontentalsomakesauditsandtheassoci-
atedcostseasiertoplanandtocontrol.hisallowsIntenalAudittocreate,edit,
andanalyzeauditassignmentscheduleswithregardtostaingrequirementsfor
theauditstobeperformed,andthetimetobeallocated.Athoroughdescription
alsofacilitatesprovidingevidenceforcostsincurredorjustifyingtheneedfor
additionalresources.
• Standardauditcontentisstoredinacentraldatabaseandisavailabletoallem-
ployeesofInternalAudit.heavailabilityofsuchstandardizedcontentensures
thatallauditorsalwaysrefertothesameScopes,becauseScopesareimportant
prerequisitesforpreparingtheworkprogram(seeSectionB,Chapter3.2).Itis
importanttolinktheauditcontentwiththeindividualstepsoftheauditexecu-
tion,sothatworkprogramsareultimatelybasedonstandardizedcontent,which
guaranteesthateachauditiscompliant,complete,reliable,andtransparent.
hespeciiccontentofeveryauditmustbeaccuratelyplannedanddescribed.here
are,however,anumberofauditsthecontentofwhichcanonlybepartially,ornot
atall,standardized.Examplesincludespeciicone-timeaudits(e.g.,theauditofa
speciicpartnership)andauditsthatariseadhocandareirmlylinkedtospeciic
circumstances.Althoughitispossibletoprovidegeneralcontentdescriptionsfor
suchaudits,thespeciicsofsuchauditsotenevolveduringtheactualauditprepa-
rationsasaresultofadvanceanalysisandpreparatoryinterviews.Inaddition,there
areauditsoftopicsthathavenotbeencoveredbeforeorthataresubjecttonon-
AdvantagesofScopesAdvantagesofScopes
Standardized,Forward-LookingDescription
Standardized,Forward-LookingDescription
CurrentConditionandDesiredCriteria
CurrentConditionandDesiredCriteria
GreatereaseofPlanningGreatereaseofPlanning
StandardAuditContentStandardAuditContent
SpeciicAuditContentSpeciicAuditContent
97
disclosure obligations. In such cases, the audit content can only gradually be
plannedasinformationbecomesavailable.
Developingstandardizedauditcontentshouldbeseenaspartofahighlyinte-
gratedprocess.AuditindingscanbeusedasfeedbackfordevelopingScopesfur-
ther.hismeansthateachScopeissubjecttoongoingchangetriggeredbytheaudit
process itself. Inaddition,Scopesshouldbereviewedregularlybasedondiscus-
sions with experts from within and outside the internal audit department and
adaptedwhennecessary.
HIntSAnDtIPS ;
• CheckScopesforcompletenessanddiscussanyshortcomingswithemployees
responsibleforthedailyoperationsoftheauditarea.
• InternalAuditshouldhaveregulardiscussionsaboutthecontentandstructure
oftheScopes.RegularfeedbackonindividualScopeswillensurethatScopesare
currentandofhighquality.
LInKSAnDReFeRenCeS e
• InSTITUTEOFInTERnALAUDITORS.2001.Practice Advisory 2210-1: Engagement
Objectives.AltamonteSprings,FL:heInstituteofInternalAuditors.
5.4 GIASTargetGroupStructure
KeyPoIntS •••
• InternalAudit isaninteractivepartofacorporate-widecommunicationpro-
cess.Forthisreason,itcollaborateswithalargenumberofinternalandexternal
targetgroups.
• Inaddition topurelyexchanging information,particularly in the formof re-
ports,individualcasesmayrequireadditionalcooperation,suchasjointdevel-
opmentofsolutions.
• ReportinglinesforInternalAuditlargelyfollowtheorganizationalstructureof
thecompany,whichmeansthattheAuditCommitteeinparticularandtheCEO
arethemainfocusofthereportingsystem.
• Otherinternaltargetgroupsalsohavetobeprovidedwithdiferentinforma-
tion.Itisimportanttoinvolvethediferenttargetgroupsintheauditprocess
accordingtotheAuditRoadmap.
• heinformationprovidedbyInternalAuditisalsousedbyalargenumberof
externalgroups:Externalauditorsarethemostimportantpartners,butmany
othertargetgroupshavetobeconsideredtoo.
HighlyIntegratedProcessHighlyIntegratedProcess
A|5|5.4ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
GIASTargetGroupStructure
98
hereisalargenumberofgroupsthateithermakeauditrequeststoGIASorthat
havetobetakenintoaccountwheninformationonauditsisgiven.Beforeconduct-
ingaudits,thesegroupsmayhavetobeconsultedaspartofthepreparationprocess.
Atertheaudit,itisimportantthatcommunicationwiththesegroupsnotonlyin-
cludesinformationaboutauditoutcomes,butalsoinformationonoptimizedbusi-
ness processes. his results in cooperation models for Internal Audit which are
describedindetailinSectionD,Chapter2.
SeparatingGIAS’stargetgroupsintointernal,external,andotherunitsprovides
thefollowinginternaltargetgroups,whicharerankedbyimportanceinthe“re-
portinghierarchy”:
• AuditCommitteeandSupervisoryBoard,
• ExecutiveBoardandCEO(ortheBoardmemberincharge),
• corporatemanagement,
• regionalmanagement/seniormanagement,
• localmanagement/departmentalmanagement,
• employeesresponsible.
heSupervisoryBoardmustbeinformedofextraordinaryauditsandauditind-
ings,anditmustbeincludedinimportantdecisions,suchastheauditplanningfor
theyear.heSupervisoryBoard'sAuditCommitteereceivesanannualstatusreport
fromInternalAudit,whichcoversallauditsthathavebeenperformed,signiicant
indingsandactions,specialprojectsandinitiatives,aswellasallbasicinformation
aboutGIAS.heAuditCommitteecanmakeauditrequestsdirectly,whichwould
leadtoadditionalcommunication(seeSectionB,Chapter2.3).
heExecutiveBoardandtheCEO,asthechairmanoftheExecutiveBoard,are
thehighestinternaldisciplinaryunitthatreceivesinformationonauditindings.In
additiontoadetailedauditreport,GIASpreparesaBoardsummary(seeSectionB,
Chapter5.2.5),whichoutlinesthemostimportantauditindingsandresults.he
Boardsummarycontains informationthat isrelevanttotheExecutiveBoard,or
thatrequiresaBoarddecisionorBoardaction.Atregularmeetingsheldat least
onceamonth,theCAEandtheCEOanalyzeauditindings,follow-upresults,and
potentialescalationcasesanddetermineifanyimmediatestepsneedtobetaken.In
addition,theothermembersoftheExecutiveBoardmustbedirectlyinformedof
anyimportantindings.hisreportingsystemallowsfortimelyandinformeddeci-
sionstobetakenasaresultofauditindings.
Globalcorporateauditdepartmentsshouldmaintainclosecontactwithother
globalunits,forexample,CorporateFinancialReporting.hereisotenanin-depth
exchangeofinformationonauditplanningandresults.InternalAuditcanprovide
valuable support to other departments for the preparation of global guidelines.
GIAScanalsobecontactedregardingtheimplementationplanningofglobalstrat-
egiesatthelevelofoperational(local)businessunits.
Regionalandseniormanagementareusuallydirectlyafectedbyinternalaudits.
Auditindingsshouldbecommunicatedtooperationalmanagerswhoareafected
CooperationModelsCooperationModels
InternaltargetGroupsInternaltargetGroups
SupervisoryBoardandAuditCommittee
SupervisoryBoardandAuditCommittee
executiveBoardandCeo
executiveBoardandCeo
CorporateManagementCorporateManagement
RegionalManagement/SeniorManagement
RegionalManagement/SeniorManagement
99
bythem.hesemanagersshouldbegiventhechancetorespondtoauditindings.
Regionalandseniormanagementarechargedwithimplementingtheindingsof
InternalAuditunderarea-speciicaspects.
Formostauditindings,localanddepartmentalmanagementisultimatelyre-
sponsibleforimplementingGIAS’recommendations.hisreportinglevelincludes
thoseresponsibleforensuringthatallguidelinesanddirectivesarestrictlyobserved
inday-to-dayoperations.Localanddepartmentalmanagementarethereforeex-
tensivelyandactively involved in theauditingprocess, forexamplebyattending
openingandclosingmeetings.Inrelationtotheirareasofresponsibility,theyare
fullyanswerableforimplementingactionsthatresultfromaudits.Closecoopera-
tionwiththesemanagersgivesInternalAudittheopportunitytohaveapositive
efectonoperationalandprocessstructures.
heemployeesafectedbytheauditwiththeirfunctionsanddutiesprovidethe
mainpointofreferencefortheaudit.Duringtheentireauditprocess,theemploy-
eesattheoperationallevelaretheauditors’actualcontactpersons.Oncetheaudit
hasbeencompleted,theauditeesareresponsibleforactivelyimplementingneces-
saryactionsinconsultationwiththeirmanagers.Employeesafectedbyanaudit
shouldbeabletomakesuggestionsatanytime,toobtainadvice,andtoworkwith
auditors in an open, communicative atmosphere. his cooperation at ieldwork
levelensuresthatallauditindingscanleadtoappropriateandagreedactions.
heexternaltargetgroupscanbebrokendownintoexternalauditbodiesand
otherexternalcooperationpartners,suchascustomersandsuppliers.
GIASandtheexternalauditorshavenumerousjointoroverlappingresponsi-
bilities,whichrequireregularanddetailedexchangesofinformationandexperi-
ence(fordetails,seeSectionD,Chapter2.6).heexchangeofauditreports,opin-
ions,concepts,andday-to-dayissues,inadditiontothediscussionofsolutionsto
problems discovered in audits, lends special signiicance to the cooperation be-
tweenGIASandexternalauditors.hemorecloselythetwopartiesworktogether
inaccountingmatters,riskandinternalcontrolmanagement,andinauditingin
general,thebettertheguaranteeoftheintegrityoftheaccountingsystemandthe
efectivenessofcontrols.
Adiferentiatedreportingsystemiscriticaltoeicientcooperation.Duetothe
generalobligationoftheExecutiveBoardtodiscloseandrevealallfactsandcir-
cumstanceswhicharerelevantfortheinancialstatements,externalauditorsshould
begivendirectaccesstorelevantindingsandrecommendationsmadebyInternal
Audit.Toencouragecooperation,internalauditorsshould,ifpossibleimmediately
forwardall reportsdirectly to theexternalauditors.Bydoingso, theycanavoid
duplicationofworkandadditionalcosts.
Professional associations (e.g. the IIA) and standards setters can also be re-
gardedasexternaltargetgroupsofInternalAudit.Inthisregardacompanyhasto
examinetowhatextentinformationfromInternalAuditcouldandshouldbemade
availabletobeusedasthebasisfornewstatutes.Inaddition,indingsandrecom-
mendationsfromindividualauditscanbeusedtodeinebest-practicesolutions.
LocalManagement/DepartmentalManagement
LocalManagement/DepartmentalManagement
employeesemployees
externaltargetGroupsexternaltargetGroups
externalAuditorsasexternalAuditBodyexternalAuditorsasexternalAuditBody
ImportanceoftheReportingSystemfortheexternalAuditors
ImportanceoftheReportingSystemfortheexternalAuditors
ProfessionalAssociationsProfessionalAssociations
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
GIASTargetGroupStructure
A|5|5.4
100
Generalconcepts,e.g.,forbenchmarkingorperformanceratingonthebasisofkey
performance indicators, can also be developed in cooperation with professional
associationsorwithacademia.
Tovaryingdegrees,InternalAuditalsoconsultswithotherexternalcontactson
acase-by-casebasis.hisoteninvolvestheexchangeandassessmentofpapersand
documents,orotherformsofcooperationbefore,during,orateranaudit.Cus-
tomersandsuppliersare importantpartnerswithwhominformationcanbeex-
changed.Anyexchangeofinformation,however,requireslegalsafeguardsforthe
companysuchasnon-disclosureagreements.
Otherimportantcontactandtargetgroupsincludebanksandinsurancecompa-
nies, legalirms,or taxconsultants,andanyrelevantpublicserviceagencies, in-
cludingthepoliceanddistrictattorneys’oices.Inregardtolegalinformationre-
quirementsInternalAudittogetherwithlegalcouncilshouldbeinvolvedindrawing
upacompany-widedocumentretentionpolicythatconsiderslegalrequirements
fordocumentretentionandinformationexchange.
hefollowingdiagramgivesageneraloverviewofInternalAudit’spossibletar-
getgroupsasexplainedabove.
HIntSAnDtIPS ;
• AuditorsshouldtesteachprocessstepalongtheAuditRoadmapfor involve-
mentoftherelevanttargetgroupsandensurethatallthenecessaryinformation
isavailableandallpartiesconcernedhavebeenadequatelyinformed.
otherexternalCooperationPartners
otherexternalCooperationPartners
othertargetGroupsothertargetGroups
GeneraloverviewGeneraloverview
Internal External Other
GIAS target groups
professionalassociations
Fig. 13 GIASTargetGroups
101
5.5 StructureandContentoftheAuditUniverse
KeyPoIntS •••
• InternalAuditpossessesavastarrayofknowledge.Poolingthisknowledgein
acomprehensivesystemresultsinanaudituniversethatcomprisestheprocess
model,auditcontent,indingsandrecommendations,keyperformanceindica-
tors,anddocumentationcomponents.
• heprocessmodelandtheauditcontentdealwiththemethodologyandcon-
tent-relateddesignofaudits.
• Inthebroadestsense,indings/recommendationsandkeyperformanceindica-
torsareusedforevaluatingandanalyzingauditsofanydimensionorperiod.
• Documentationofauditsguaranteesafullycompliantauditapproachbycreat-
ingprimarydocuments(i.e.,documentsdirectlyrelatedtoauditobjects)aswell
assecondarydocumentsthatprovideadditionalinformationavailable.
• henextstepthatfollowsadeinitionoftheaudituniverseisthecreationofan
auditportalaspartofanintegratedauditmanagementsolution.
heaudituniverse,asdeinedatSAP,istheentiretyofallpractice-related,allthe-
ory-based,andconceptualapproachesforinternalauditservices.hisdeinitionis
broader,thantheonecommonlyusedintheinternalauditingliterature.Itisinour
opinionimportanttodevelopathoroughunderstandingofauditandcommunica-
tionsoptions,beforeauditapproachesandmeansforresultscommunicationshould
bedeined.Componentsof theaudituniverseasdeinedatSAPare theprocess
model,theauditcontent,indingsandrecommendations,keyperformanceindica-
tors,anddocumentation.heaimofthisbroaddeinitionistoshowthatdiferent
aspectsofinternalauditingcombineintoacomprehensive,harmonioussystem.As
shownbelow,allaspectshavemeaningfulrelationswitheachotherandareimpor-
tantindescribingindetailanindividuallyadaptableapproachthatyieldsuniformly
highqualityauditresultsforaglobalauditdepartment.
heaimofSAP’saudituniverseistoprovideacomprehensivedocumentation
of tasks and requirements for Internal Audit. his includes descriptive elements
suchasanaudithandbookandaCharteradoptedbytheExecutiveBoard,plusthe
entireAuditRoadmapdocumentation,includingallstandardtemplates.Inaddi-
tiontotheprimaryauditdocumentation,allsecondarydocumentationofupstream
anddownstreamareasmustalsobeincluded.hiscomprisesallpoliciesandguide-
linessetbytheExecutiveBoardandothermanagementlevels,plusdetailedwork
instructions of operational units. Another important area is the comprehensive
documentation of processes, including all information on internal controls, risk
assignment, and inancial accounts. his documentation might be linked to the
internal control management tool which is used for the SOX processes. Further
documentation that shouldbe included isqualityguidelinesof individual areas,
externalqualityguidelines,andanyaudit-relevantlaws,directives,andstatutes.All
secondarydocumentationshouldbelinkedelectronicallywiththeaudituniverse.
DeinitionDeinition
objectiveofFullyComprehensiveDocumentation
objectiveofFullyComprehensiveDocumentation
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
StructureandContentoftheAuditUniverse
A|5|5.5
102
hestructureoftheaudituniverseiscomplex,sinceitintegratesdiferentaspects.
Detailedinformationrelatingtoeachareaisprovidedinthesubsequentchapters.
Atthisstagewewillonlyprovideageneraloverviewofthestructure.
hemainaddresseesoftheaudituniverseareallInternalAuditemployeesand
managers.Inaddition,allmembersofcorporatemanagementandtheAuditCom-
mittee,plusthepartiesinvolvedinparticularauditsandtheirmanagement,maybe
consideredusers.heaudituniversealsoprovidesacomprehensivesourceofinfor-
mationonieldworktoallinterestedcolleagues,managers,orevenexternalpart-
ners,providedthattheapplicableaccessrestrictionsareobserved.
heaudituniversebreaksdownintothefollowingmaincomponents:theAudit
Roadmap, the knowledge database, documentation, and the fundamentals. he
processmodelisamethod-basedapproach.hedesignoftheAuditRoadmapre-
lectsthedynamiccharacterofthismulti-phasemodel.It is importanttoensure
thatallproceduralanddocumentation-basedapproachesandcontentatanylevel
ofdetailareavailableasstandardreferenceforaudits.heuseofstandardmethods
guarantees thatallauditswith their respectivecontentarebasedonaconsistent
proceduralmodel.
heaboveiscloselyrelatedtodevelopingScopes(seeSectionA,Chapter5.3).
Scopesdeinestandardsandareavailableinadvancetoprovideguidanceformost
audits.Scopesensurethatstandardmethodsareusedinconjunctionwithstandard
contentinmostaudits,allowingforahighdegreeofeiciencygainsduringield-
overviewoverview
AddresseesAddressees
StandardMethodsintheProcessModel
StandardMethodsintheProcessModel
StandardContent:Scopes
StandardContent:Scopes
Fig. 14 SAP’sGlobalAuditUniverse
103
work. Individualadjustmentsandadditionswill,however,benecessary foreach
audit.Suchadaptationsareusuallymadeintheworkprogram.Ifitisnotpossible
torelatetheaudittostandardizedScopes,aScopemaybecreatedincrementally.
Alternatively,aScopethatisclosesttotherequirementsofthespeciicauditmaybe
adapted.If theScopecanbereused, itcanbesubmittedasastandardforfuture
audits.
Findingsandrecommendationsmadeduringaudits forman importantbasis
for further steps in the audit process, e.g., follow-ups. However, all information
gainedduringanauditandfollow-upworkcanalsobeusedtopursueotherobjec-
tives.Forinstance,suchdatacanbeusedforperformancemeasurement,toprovide
informationontheeiciencyofauditsandtheimplementationoftheindingsin
theorganization.Informationonindingsandrecommendationscanalsobeincor-
poratedinaknowledgedatabase.Suchadatabasecanbeusefultodocumentind-
ingsandimplementationmeasureswithregardtorecommendations.Itcouldalso
beemployedtodevelopoptimizedprocesssolutionsandKPIstructures.Database
modelscanhelpanalyzedatausingavarietyofdiferentcriteria.Findingsandrec-
ommendations can be updated in sequence, which allows tracking their signii-
canceandfrequencyovertime.
Adatabaseofindingsandrecommendationscouldformthecollectivebasisfor
any key performance indicator analysis, which allows comparing diferent as-is
situationsandtheirmeasurementagainstidealorto-besituations.KPIanalysiscan
beusedtomeasureInternalAudit’sperformance,toperformproitabilityanalyses
forindividualauditobjects,andtocompilesummaryreportsonallauditedunits
overacertainperiod.Adatabasealsoallowsperformingtime-seriesanalysisusing
statisticaltoolsandgeneratingforecasts(e.g.,howmanyindingsareexpectedfora
certainauditvolume).hisinformationcanbeusedtoidentifytrendsregardinga
company’s quality awareness and to determine on this basis quality-enhancing
measuresbyintroducingappropriateorganizationalstructures.Allsucharithmetic
andstatisticalalgorithmsshouldbeincludedintheaudituniverse.
he audit universe manifests itself in a comprehensive data and information
pool.hispoolisnotfortheexclusiveuseofInternalAudit.Itshouldbemadeac-
cessibletoallemployeesandpartiesinvolvedintheauditaswell.Toensuresafe-
guardingofconidentialinformation,accessauthorizationrulesshouldbeimple-
mented.Keywordindicesanddirectaccessviaanysearchitemareasessentialin
designingthedatabaseasarecomprehensivelinksbetweeninformationintheda-
tabase.Aspartofaninternetapplication,theaudituniversecanprovideaccessto
anyamountofexternal information,e.g. fromconferencesoraudit institutes. In
addition, theaudituniversecanbeusedonananonymizedbasis tosupport the
exchangeofinformationbetweencompanies.
Anadvancedversionofanelectronicaudituniversecouldtakeontheformof
an audit portal, which is a networked internal audit application. Such a portal
should be an important component of an even more extensive corporate gover-
nanceorcomplianceportal,whichcontainsacompany’soverallcompliancesys-
UseofAuditResultsUseofAuditResults
totalofAllKeyPerformanceIndicatorsandComparisons
totalofAllKeyPerformanceIndicatorsandComparisons
DataandInformationPoolDataandInformationPool
AuditPortalAuditPortal
A|5|5.5ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
StructureandContentoftheAuditUniverse
104
tem.Inanevermoredynamicbusinessworld,thereisanincreasingneedtomake
useofthistypeoffullyintegratedinformationplatforms.Itisthefastestandmost
eicientwaytosupplementInternalAudit’sknowledgeandinsightswithadditional
factsandinformationanddeliverittotheunitsconcerned.
HIntSAnDtIPS ;
• AssessallinformationwithregardtoitssigniicanceforInternalAuditandwith
aviewtoinclusionintheaudituniverse.
• Establishbeforeeachauditwhetherandtowhatextentthereisinformationrel-
evanttotheauditintheaudituniverse.
• Exchangeinformationwithcolleaguesandexternalpartiesaboutthequalityof
theaudituniverseandthedatastoredtheresothatsuggestionsandimprove-
mentscanbeincorporatedintheaudituniverseonanongoingbasis.
• Toensurethatacomprehensiveinformationsystemisuser-friendly,itisneces-
sarytotailorcontent,ITandsystemsupporttodiferentusergroups.
LInKSAnDReFeRenCeS e
• REzAEE,z.,W.FORDAnDR.ELAM.2000.Real-TimeAccountingSystems.Internal
Auditor(April2000):62–67.
5.6 AuditChallengesintheGlobalCorporateEnvironment
5.6.1 BasisofanInternationalOrientation
KeyPoIntS •••
• InternalAuditshouldendeavortobalancetheinterestsofallpartiesinvolvedin
anaudit.
• Incaseofconlictsofinterest,itisimportantforauditorstoadoptanimpartial
positionandseekguidancefromauditmanagement.
• To build trustful long term cooperation, diferences in cultural backgrounds
shouldbeconsideredwhenannouncingauditindings.
InternalAuditfacesspecialchallengesinaglobalenvironment.heirstofthese
challengesisthepositionofInternalAuditwithintheorganization.hefactalone
that GIAS reports administratively to the CEO necessitates great care in how it
dealswiththis“directlineofinformation.”Internalauditorsshouldnotderiveany
tangibleorformaladvantagesfromtheirrelationshipwiththeCEOandtheExecu-
tiveBoard.Ataninternationallevel,thisperceptionmaybefurtherexacerbatedby
cultural diferences. he relationship of the international subsidiaries with com-
InternalPositionInternalPosition
105
panyheadquartersisadeterminingfactorinhowmuchattentionisbeingpaidto
InternalAudit.hisassessment isconsiderablyreinforcedby theauditmandate,
whichdeinestheremitofInternalAudit.hemandateauthorizesthedepartment
to conduct audits. Internal Audit must use these powers very carefully. neither
threatsnorhastilyscheduledauditsareappropriatemeansofachievingobjectives
orgettingdecisionsapproved.hefactthatInternalAudithasanunrestrictedaudit
mandateshouldnotplayaroleinday-to-dayworkordiscussions,andtheuseof
thesepowersshouldbelimitedtoexceptionalcircumstances.
InternalAuditisoteninvolvedin,oratleastafectedby,conlictsofinterest.It
isofutmostimportanceforauditorstoadoptanimpartialpositioninsuchcases.
Evenifthatmaypossiblyputthematadisadvantageintheirefortstoobtaininfor-
mation,strictimpartialityisabsolutelyessential.hisdoesnotmeanthatInternal
Auditcannotmakeuseofinformalsourcesorcommunicationchannels.Informal
sourcesareotencrucialinobtainingimportantinformation.Toindtherightbal-
ancebetweenrelyingonformalandinformalsources,particularlyinternationally,
isasigniicantchallengeforeachindividualauditorandforthemanagersrespon-
sible.
Maintaining impartiality and balancing sources is closely related to Internal
Audit’scontinuousefortstobalancetheinterestsofallpartiesinvolvedinanaudit.
InternalAuditdependsonaninteractivelowofinformation.Hence,theinforma-
tionobtainedmayonlybeusedproactively foraudits,not toobtainanykindof
advantage.SucharestrictionisimportantbecauseeventhehintthatInternalAudit
maybe takingadvantageof informationmustbeavoided.Underglobalaspects,
thischallengetakesonaspecialsigniicancebecausethediferentculturalgroups
amongwhichInternalAuditworkshaveverydiferentwaysofconductingbusi-
ness.heauditors’independencemustnotbejeopardized.
Anotherspecialaspectofaglobalcorporateenvironmentistheincreasingspeed
and frequency of changes mentioned earlier (see Section A, Chapter 2.1). In re-
sponsetothat,theplanningofanauditshouldbebasedonsoundknowledge,al-
thoughthecurrentspeedofchangeotenmakesitveryhardtobeuptodateatall
times.However,masteringthischallengehasalmostcometobeexpectedofInter-
nalAudit.Bringingtogetherknow-howfromdiferentsourcesisessentialinbuild-
ingtheauditskillsandauditexpertisenecessarytodealwithahighauditdensity
andalargenumberofdiferentaudittopics.Possessingthenecessaryexpertiseand
competencewillhelpinternalauditorsgainacceptancewithinthecompany.
hewayauditindingsareaddressediscriticalinensuringthatInternalAuditis
acceptedbyallparties.Althoughauditorshavetoapplyacertainamountofsensi-
tivity,theyalsohavetoaddressandtrackauditindingswithrigor.Auditorsmust
neverpresenttheindingsfromapositionofcondescension,butaimtoreachgen-
eralagreement.Establishingandcommunicatingauditindingscarriesagreatpo-
tentialforconlict.Itisthereforeimportantthatallinvolvedpartiesdotheirutmost
toseparatethefactualfromthepersonallevel.Tobuildlongtermtrustfulcoopera-
InternalAuditImpartialityInternalAuditImpartiality
ContinuousBalancingofInterestsContinuousBalancingofInterests
technicalexpertisetechnicalexpertise
DealingwithAuditResultsDealingwithAuditResults
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
AuditChallengesintheGlobalCorporateEnvironment
A|5|5.6
106
tion,diferentculturalbackgroundshavetobetakenintoconsiderationwhenan-
nouncingauditindings.hisrelatesnotonlytotheindingitself,butalsotothe
wayinwhichitiscommunicated,i.e.,whethermeetingsareheldonlywiththeau-
ditees,oriflinemanagersarepresent,whetherextensivediscussionstakeplace,and
howauditindingsaredocumented.
LInKSAnDReFeRenCeS e
• O’REGAn,D.2001.Auditing International Entities: A Practical Guide to Objectives, Risks,
and Reporting.AltamonteSprings,FL:heInstituteofInternalAuditors.
5.6.2 OverviewofGlobalChallenges
KeyPoIntS •••
• Internalauditdepartmentsthatworkonaglobal levelhavetomastera large
numberofdiferentexternalandinternalchallenges.
• heexternalfactorsmaybetakenintoaccounteitherbyapplyingexternalrules
orspeciicinternalguidelinesandprinciples.
• he internal global challenges afect the structures and processes of Internal
Auditinalmostallareas.Decentralizationaspectshavetobeconsideredinthis
context.
• Auditsofoutsourcedcorporatefunctionsparticularlyincross-borderunitsarea
signiicantadditiontothetasksofagloballyactiveinternalauditdepartment.
hischapteraddressesthecomplexityofinternationalchallengesthatglobalcom-
paniesandglobalinternalauditdepartmentsface.Suchchallengescanbebroken
downintotwogroups,whichareexternalandinternalchallenges.
hemainexternalchallengesare:
• Environmentswithdiferent infrastructuralcharacteristics,varyingeconomic
policies and diverse cultures, social landscapes, and mentalities: hese fac-
torsaretakenintoconsiderationbycreatinganappropriatecompany-political
frameworkandbysettingsuitableemploymentcontractstandardsandcodesof
conduct.
• Diferentlocallanguages:hisproblemisaddressedbymaintainingastandard-
izedterminologythroughoutthecompanyandbyusinganinternationallyac-
ceptedworkinglanguage(e.g.,English).
• Diferentjurisdictions,individualguidelines,complianceprinciples,anddifer-
entstatutesandarticlesofincorporationforInternalAudit:hesediferences
arerelectedingenerallegalprinciples,inanciallegislation,standards,guide-
lines,andauditstatutes.heproblemisaddressedbyprovidingaccesstocom-
petentadvisorsandbymakingthisinformationavailabletoemployees.
ComplexityofGlobalChallenges
ComplexityofGlobalChallenges
externalChallengesexternalChallenges
107
hemaininternalchallengesandhowtheyaremetare:
• Heterogeneous audit landscapes which are addressed by using global audit
structures, a global distribution of tasks, and a globally standardized process
model.
• Decentralizedmanagement structuresmustbe relected in suitable reporting
linesforauditreports,appropriateescalationpaths,globallyorganizedinforma-
tionandcommunicationlows,andagloballybasedbenchmarkingsystem.
• heonlysuitableresponsetoregionallyspeciicauditrequirementsisacompre-
hensiveInternalAuditproductandserviceportfolioandcooperationwithall
otherauditingunits.
• Regionaldiferencesinbusinesspracticeshavetobebalancedbyimplement-
ingpoliciesandguidelines,globalcompliancestrategies,byharmonizingaudit
procedures,andbyintegratingriskmanagement.
• heresponsetoregionallydiferentrequirementsintermsofprofessionaland
socialqualiicationsofauditorsisgloballyalignedcareerplanningandaglob-
allystandardizedcareerpathinInternalAudit.
• An appropriate organization of internal processes (e.g. distributing audit an-
nouncements,organizingtheaudit,distributingauditreports,aswellascom-
pilingtheannualauditplananddeterminingbudgetigures)canhelpcounter
efectsofadecentralizedInternalAuditstructure.
• DiferentITstructurescanbeovercomebyimplementingaprocess-basedcen-
trallyorganizedordecentralizedITlandscapeandaninternet-basedauditpor-
tal.
• heriskofindividualandthereforedivergingauditinterpretationsinindividual
regionscanbereducedwithcomprehensivedocumentationinanaudithand-
book.
hereareotherglobalrequirementsthataglobalinternalauditdepartmenthasto
master.Duetothedynamicenvironment,theserequirementsaresubjecttocon-
stantchange.Examplesinclude:
• peerreviewsandauditsurveys,
• cooperationmodels,e.g.,withexternalauditors,
• specialglobalprocessmodels,e.g.,forfraudorinformationtechnology,
• globalresponsibilityfortopicsinthecontextofScopes,
• globalmanagementconferences(whereconidentialitymustbeguaranteed),
• globalproitcenterorganization,
• globalstructuresforregularmeetingsanddiscussions,
• globaltrainingprograms,
• globaldiversity,and
• globalinitiativesandinternalprojects.
Anotherfocuswithregardtoglobalizationmaybetheauditofoutsourcedunits.
Increasingglobalizationmeansthatservicesareotenoutsourcedinternationally,
InternalChallengesInternalChallenges
otherGlobalChallengesotherGlobalChallenges
outsourcingoutsourcing
A|5|5.6ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
AuditChallengesintheGlobalCorporateEnvironment
108
andtheoutsourcedunitsmaybelinkedtotheorganizationindiferentways(rang-
ingfromcompletethird-partyrelationshipsthroughsharedservicecenterstoout-
sourcingtoasubsidiaryorpartner).hechallengeliesinInternalAudit’sabilityto
conductinternationalauditsacrosscompanies.heparticularfeatureofsuchau-
ditsisthatcooperationonbusinessprocessesmayincludeoutsourcedunitsaswell
asunitswithinthecompany.hismeansthatprocesses,accountingsystems,infor-
mation technology, etc. may have to be audited across company and country
boundaries. Audits across such boundaries may entail diferent time zones and
multiculturalinterests,whichmeansthatmanyoftheinternalandexternalchal-
lengeslistedaboveparticularlyapplytothesetypesofaudits.
HIntSAnDtIPS ;
• Auditorsmustinformthemselvesaboutthecountryinwhichtheauditistobe
conducted.
• ItisimportanttogetasmuchinformationaspossibleabouthowInternalAudit
isperceivedinacertainculture.
• Itisagoodideatoestablishpersonalcontactsbeforeanaudit.
• Donottrytoworkagainstthecultureofthecountryduringtheaudit.
LInKSAnDReFeRenCeS e
• LERE,J.,AnDK.PORTz.2005.ManagementControl.SystemsinaGlobalEconomy.
he CPA Journal(September2005):62–64.
• O’REGAn,D.2001.Auditing International Entities: A Practical Guide to Objectives, Risks,
and Reporting.AltamonteSprings,FL:heInstituteofInternalAuditors.
• RICAUD, J. 2006. Auditing Cultural Diversity. Internal Auditor (December 2006):
57–61.
5.7 GIASIntegrationModel
KeyPoIntS •••
• heGIASintegrationmodelisintendedtohelpobserveallimportantandnec-
essaryframeworkparametersandassignmentsduringeachaudit.
• BasedontherelevantphaseoftheAuditRoadmap,thenecessaryservicetypes
havetobeidentiied,andbasedonthat,theauditields,cooperationpartners,
andtheinformationtobeexchangedhavetobedeined.
• AlthoughGIASfollowsanindependentauditprocess,itisultimatelyintegrated
intotheoverallbusinessactivities.
hemaindisciplinesofInternalAuditinteractwitheachother.heseinteractions
arethefocusoftheGIASintegrationmodelshownbelow.notethatpermanentand
BasisoftheGIASIntegrationModel
BasisoftheGIASIntegrationModel
109
eveninevitablerelationshipsexistwithinthelevels.heremaybeanumberofde-
pendenciesbetweentheindividuallevels,whichhavetobetakenintoaccountas
fullyaspossibleduringtheentireauditprocess.
heauditprocessisatthecoreoftheGIASintegrationmodel,asrepresentedbythe
innercircle. It isstandardprocedureforeachaudit thateachphaseof theAudit
Roadmap,asmappedintheringaroundthe“auditprocess,”iscompletedinfull.
Exceptionsfromthisruleoccurinad-hocauditsorservices,butsuchexceptions
requireexpressconsultationwiththoseresponsibleandmustbethoroughlydocu-
mentedwithreasonswhysuchanexceptionoccurred.
hecontentofeachactivityofaphase,oreachphaseinitsentirety,isaimedat
certainInternalAuditservicetypesasincludedinthenextlevelofthediagram.It
isalsopossibletobundleelementsofdiferentservicetypesinonephase.Forex-
ample,eveniftheplanningandpreparationphaseisforanauditonly,auditactivi-
CoreoftheGIASIntegrationModelCoreoftheGIASIntegrationModel
ContentAssignmentofIndividualPhasesContentAssignmentofIndividualPhases
Fig. 15 GIASIntegrationModel
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
GIASIntegrationModel
A|5|5.7
110
tiescanlaterbechangedintoareview,orareviewcanbeadded(SectionA,Chapter
7.2.3explainsthediferencebetweenanauditandareview).
Inturn,eachGIASservicetypeisrelatedtothenextlevel,whichisthemain
auditields(seeSectionA,Chapter6.2).hismeansthat,inthecourseofayear,one
orseveralaudits,preliminary investigations, reviewsetc.can,andnormallywill,
takeplaceinallauditields.
However,manyauditsdonotrelatetoonlyoneauditieldbutmayincludeele-
mentsfromtwoorevenmoreields,whichcanleadtoanincreaseinthecomplex-
ityofaudits.Forexample,itisotendiiculttoseparateinancialfromoperational
audits.Fraudandmanagementauditsarealsootenintermingledwithotheraudit
ields.Ifsuchoverlappingoccurs,itmaybepossibletocombinediferentsub-audit
requestsintoasinglegeneralaudit.
hecomplexityoftheGIASintegrationmodelincreasesfurtherifthelastlevel,
whichisthepartiesafectedbytheaudit,isincludedintheanalysis.Someofthese
companyunitsperformoperationalactivities,suchasglobalinitiativesforintro-
ducingandmonitoringnewproductsorservices.Buttheyalsoperformaudit-re-
latedactivities,eitheraspartoftheiroperationaldutiesorseparately,e.g.,quality
management.
TwoconclusionsbecomeobviouswhenlookingattheouterlevelsoftheGIAS
integrationmodel:
• Internal Audit’s mandate to conduct independent and comprehensive audits
doesnotchange.Ultimately,allothercorporateunitsareprimarilypartoftheir
ownorganizationalunits,andthewaytheyworkisstronglyinluencedbytheir
practicalneedsandtasks.InternalAudit,bycontrast,hastodetachitselffrom
allunit-relatedpreferencesandviewstobeabletoactfromaperspectivethat
considersthecompanyinitsentirety.
• nevertheless,InternalAuditisstillinterrelatedwithothercorporateunitsand
in many respects it is necessary for Internal Audit to consult and exchange
viewswiththem.hismayrelatetovariousissues,suchasidentifyingauditfocus
areasoravoidingredundanciesandincorrect interpretations intheorganiza-
tion.
AuditorsandGIASmanagersmustneverlosesightofthenetworkofinterrelations
betweentheindividuallevelsshownabove.Ultimatelyitistheright,individualmix
ofauditphase,servicetype,auditield(andthusauditcontent),aswellasthecoop-
erationpartnersthatallowsInternalAudittocategorizealltherequirementsitfaces
inaclearsystem.Ifalevelisletout,theworkmaybeincompleteorcontainer-
rors.
HIntSAnDtIPS ;
• Beforestartingtheiractivities,auditorshavetoplanthestructureoftheirap-
proachonthebasisoftheGIASintegrationmodel.
RelationtoAuditFieldsRelationtoAuditFields
ComplexAuditsComplexAudits
RelationtoouterLeveloftheGIASIntegration
Model
RelationtoouterLeveloftheGIASIntegration
Model
IndependenceversusCooperation
IndependenceversusCooperation
overallnetworkofInterrelationsoverallnetworkofInterrelations
111
5.8 IdentifyingAudit-RelevantFacts
KeyPoIntS •••
• Auditrequestsor leadshavetobeanalyzedtodeterminewhetherauditsteps
orother internalaudit servicesarenecessary,orwhether the issueshouldbe
referredtootherdepartments.hisdecisioncanotenbemadewiththehelpof
afewkeyquestions.
• IfInternalAuditisfoundtoberesponsiblefortheauditrequestorlead,ithas
tobedeterminedwhethertheauditshouldbeconductedexclusivelybyInternal
Audit,orincooperationwithotherdepartments.
Forauditsoutsideoftheannualauditplan,theirststepistoexaminewhetherthe
issueinquestionreallyisamatterforInternalAudit.Ifso,thenInternalAuditmust
decidewhethertostartwithapre-investigation(seeSectionA,Chapter7.2.2)oran
audit.Ausefuloptionistoconductareviewirst(seeSectionA,Chapter7.2.3).he
basic questions are whether the issue warrants an audit, which kind of audit or
otherserviceshouldbeconsidered,andwhetherInternalAuditistheappropriate
unit to handle the task. In addition, Internal Audit should establish whether it
wouldbeusefultocooperatewithotherinternalpartiesorevenwithexternalpar-
ties,suchaslawenforcement(seeSectionD,Chapter2forcooperationoptions).If
thereisdoubtaboutwhatcourseofactiontotake,itmaybeexpedienttosubmita
separateauditrequest,whichisthenoiciallyassessedandprocessedaccordingly.
Iftheissuedoesnotmeetthecriteriaforanaudit,thisconclusionmustbedocu-
mented.Ifappropriate,theissuehastobereferredtoanotherdepartmentandthe
Boardmustbeinformed.
Towarrantanaudit,atleastoneofthefollowingcriteriahastobemet:
• hereisadirectBoardresponsibility, forexampleifBoardpoliciesmayhave
beencontravened.
• hereisreasontoassumethatimportantinternalcontrolsarebeinginfringed
orarenotinplace.
• herehasbeeninfringementofresponsibilities,andthisafectstheaccuracyof
inancialstatementreportingorreportingoninternalcontrols(seeSectionD,
Chapter14formoreinformationonthisproblem).
• hereissuicientreasontosuspectfraud.
• here is a reasonable suspicion that there is a signiicant risk relevant to the
company.
Althoughitiscertainlypossibletomakecompanyorsectorspeciicadditionsto
thislist,theabovecriteriagiveaninitialideaofwhetherornottheissueinquestion
requiresfurtherInternalAuditscrutiny.Ifitisnotpossibletoresolvethisquestion
conclusively,aninformalsearchforleadsoranoicialpre-investigationshouldbe
startedtoprovidecertaintyastowhetherInternalAudithastogetinvolved.
AuditsoutsideoftheAnnualAuditPlanAuditsoutsideoftheAnnualAuditPlan
CriteriaforInternalAuditResponsibilityCriteriaforInternalAuditResponsibility
evidenceandPre-InvestigationsevidenceandPre-Investigations
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
IdentifyingAudit-RelevantFacts
A|5|5.8
112
Indecidingthisissue,itmayalsobeusefultoconsultwithotherdepartmentsor
functionswithinthecompanyandtoclarifytheirresponsibility.hepossibilityof
cooperation,forexamplewiththehumanresourcesdepartmentorthelegaldepart-
ment,mustalsobeconsidered.
Ifotherpartiesaretoparticipateinanaudit,itshouldbediscussedanddocu-
mentedatthebeginningwhichpartyperformswhichtasks.heassignmentisnec-
essarytoclarifyresponsibilitiesandtohelpInternalAuditmaintainits indepen-
dence.heindingsofallpartiesshouldbeincludedasauditindingsinthereport
compiledbyInternalAudit.However,ithastobedecidedonacase-by-casebasisto
whatextenttheseotherpartiesalsomaketheirownrecommendations.Diferent
reportsorareportwithinputfromdiferentgroupsshouldnotcontainanyincon-
sistencies.Reportsthataresharedwithoutsideparties,suchasexternalauditors,
havetobecheckedwithparticularrigorforinconsistencies.
A minimum of consultation and coordination will be achieved if the parties
mentioned in thediagrambelowreportaudit-relevantmatters to InternalAudit
(fordetails,seeSectionD,Chapter2),eitherspontaneouslyasnecessaryor,prefer-
ably,aspartofaregularinformationexchange.hismaycreateproblemsinpar-
ticularforglobalcorporations,becausesuchcorporationshavemultiplesofsome
departments,forexampleseverallegalorhumanresourcesdepartments.Forthis
reason,theconsultationprocessbetweenInternalAuditandotherdepartmentshas
ConsultationConsultation
InvolvementofPartiesoutsideInternalAuditInvolvementofPartiesoutsideInternalAudit
CooperationCooperation
Internal
Audit
Corporate Legal
Compliance
O�ce
Human
Resources
Employee
representatives
SOX organization
Global Risk
Management
Management
Corporate Financial
Reporting
Fig. 16 Cooperation
113
tobeexaminedfromaglobalperspectiveaswell.InternalAuditthereforefacesthe
challengeofalwaysapplyingthesamebenchmarkswhenidentifyingandclarifying
thefactsofanauditandwhenassigningresponsibilities.
HIntSAnDtIPS ;
• If InternalAudit employees receive informationpersonally, theyirsthave to
ascertainitsvalidity.Ifappropriate,theyshouldaskforwrittenconirmation.
• Asarule,all leadshave tobe takenseriously. InternalAuditemployeeshave
anobligationtoreportanyinstanceswhentheyreceiveinformation,atleastto
auditmanagement.
LInKSAnDReFeRenCeS e
• InSTITUTEOFInTERnALAUDITORS.2001.Practice Advisory 2050-1: Coordination.
AltamonteSprings,FL:heInstituteofInternalAuditors.
ConceptualBasisofInternalAudit
FundamentalPrinciplesoftheGIASApproach
IdentifyingAudit-RelevantFacts
A|5|5.8
114
6 AuditMethods6.1 ContentDeterminantsandFormalDeterminants
KeyPoints •••
• InternalAuditusesavarietyofcontentdeterminantsandformaldeterminants
toidentifytheappropriateauditmethodtouseforaspeciicengagement.
• Contentdeterminantsincludetheauditieldsandtheauditapproaches.
• Formaldeterminantsinclude:theauditcategory,type,andstatusoftheaudit
withintheauditcycle.
• husauditmethodsarecharacterizedbyaframeworkofstandardparameters,
whichallowsauditorstotreatdiferentauditsaccordingtostandardrules.In-
dividual criteria may be added to the predeined standard parameters at any
time.
Whenplanninganaudit,InternalAuditmustconsiderseveralimportantfactorsto
determinetheappropriateauditmethodtouse.Chapter6providesanoverviewof
thedeterminantsonwhichauditmethodsarebased.Additionalfactorsfordeter-
miningtheauditmethodmaybeneeded.hesefactorsincludetheperiodperspec-
tiveandthedistinctionbetweensetandfreelyselectableauditcontent.heseother
determinantsaredescribedinSectionC,wheretheindividualauditieldsaredis-
cussed.
Foridentifyingtheappropriateauditmethodstobeused,SAPinternalauditors
consider several important content determinants and formal determinants. he
contentdeterminantsofanauditmethodaredescribedirst,followedbytheformal
determinants. Content determinants include the audit ields and the audit ap-
proaches.
AtSAP,theaudituniverseisdividedintosixauditields(formoreinformation
onauditieldsrefertoSectionA,Chapter6.2.1):
• managementaudits,
• operationalaudits,
• inancialaudits,
• ITaudits,
• fraudaudits,and
• businessaudits.
Inprinciple,eachauditieldlistedabovehasthesamesigniicancetoInternalAu-
dit,aseachisexposedtocorebusinessrisks.heserisksaremeasuredbyassessing
theindividualrisksaspartoftheannualauditplanning(seeSectionD,Chapter
3.1.2)andaremonitoredduringtheiscalyearthroughtheriskmanagementpro-
cess.hus,theremaybeadiferentnumberofindividualauditsrequiredforeach
auditieldasdeterminedbytheannualriskassessment.
overviewoverview
ContentDeterminantsContentDeterminants
AuditFieldsAuditFields
importanceoftheAuditFields
importanceoftheAuditFields
115
hecontentofauditsisdeterminednotonlybytheauditieldsbutalsobythe
auditapproachesthattheinternalauditorsuse(seeSectionA,Chapter6.3forde-
scriptionsofeachauditapproach).hediferentapproachesareasfollows:
• risk-basedauditapproach,
• system-basedauditapproach,
• transaction-basedauditapproach,
• compliance-basedauditapproach,and
• results-basedauditapproach.
Eachauditieldhasitsownsetofspeciicattributes,thustheemphasisoftheaudit
method is diferent in each case. herefore, audit approaches can generally be
alignedwiththespeciicauditields,andstandardizedcombinationscanbecreated
forauditmethods(formoreinformationseeSectionA,Chapter6.3).hecorrela-
tion identiied between audit ield and audit approach thus creates a guidance
framework for conducting audits, which allows auditors to quickly establish the
individualauditstepsrequired.
Inadditiontocontentdeterminants,anauditmethodisalsoshapedbyformal
determinants.heyincludeauditcategory,audit type,andauditcycle.heaudit
categoriesarelocal,regional,andglobalaudits(seeSectionA,Chapter6.4).he
audittypologydeinesauditsasstandard,special,orad-hocaudits(seeSectionA,
Chapter6.5).heauditcyclegenerallyconsistsofthebasicaudit,astatuscheck,
and(uptotwo)follow-upaudits(seeSectionA,Chapter6.6).
By combining the audit determinants into a consolidated approach, Internal
Audit is able to establish the inal design of the particular audit method to use.
hus,foreachspeciicaudit,theauditorsmustconsiderthefollowingfactors:
• assignmenttoanauditield,
• auditapproach,
• auditcategory,
• audittype,and
• auditcyclestatus.
he special characteristics of each formal determinant, in combination with
the content determinants, allow Internal Audit to identify the appropriate audit
method.Forexample,assumeInternalAuditisplanningaroutineauditofthepur-
chasingprocessataregionalsharedservicecenterandwillexaminevariouspur-
chasetransactionstodeterminewhetherthecontrolsareworkingefectively.he
auditors must deine each of the determinants when identifying the appropriate
auditmethodtouse,asfollows:
• auditield:operational,
• auditapproach:transaction-based,
• auditcategory:regional,
• audittype:standard,and
• auditcycle:basic.
AuditApproachesAuditApproaches
AssignmentofAuditApproachestoAuditFields
AssignmentofAuditApproachestoAuditFields
FormalDeterminantsFormalDeterminants
MergingofDeterminantsMergingofDeterminants
ConceptualBasisofInternalAudit
AuditMethods
ContentDeterminantsandFormalDeterminants
A|6|6.1
116
hefollowingdiagramshowshowtheauditmethodisdeterminedbythecontent
andformaldeterminantswiththeirpossiblecharacteristics.
HintsAnDtiPs ;
• hediferencesbetweentheindividualauditmethodsmustbeclear-cut.Decide
togetherwiththeAuditManagerinchargewhichauditmethodtouseinany
givencase.
DeterminationoftheAuditMethod
DeterminationoftheAuditMethod
Fig. 17 DeterminingtheAuditMethodwithContentandFormalDeterminants
117
6.2 AuditFieldStructure
6.2.1 Introduction
KeyPoints •••
• heauditieldsrepresentthecoreaudittasksofInternalAudit.Basedonthe
AuditRoadmap,thespeciicauditmethodsareappliedtotheauditields.
• hereareinterdependenciesbetweentheindividualauditields.Itisveryrare
thatanauditwilladdressonlyoneauditieldinisolation.
• Increasingly,InternalAudit’sworkmustbeviewedfromaproitabilityperspec-
tive.hus,acost/beneitanalysisisfrequentlyperformed.
heauditieldsrepresent thecoreaudit tasksof InternalAudit.herefore,most
auditrequestscanbeclassiiedwithintheauditields.Eachoftheseauditieldshas
severalCoreScopes,whichinturncontaintheKeyScopesatlowerlevels(seeSec-
tionA,Chapter5.3andSectionB,Chapter2.1).
AuditFieldsAuditFields
Operations
Management
IT
G I A S
BusinessFinanceandaccounting
Fraud
Preparationn
oitu
cexE
gnitropeR
pu-
wol
lo
F
Plan
ning
Fig. 18 OverviewofAuditFields
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
118
heauditieldsshowninthediagramaboveareauditedonthebasisofdiferent
Scopesusingspeciicauditmethods.Ultimately,however,allauditsareconducted
accordingtoastandardprocessmodel, theAuditRoadmap(fordetails,seeSec-
tionB).
Atirstglance,theauditieldsappeartobeindependentofeachother,butthey
do have commonalities. For example, a fraud audit may also include a inancial
audit.hesameappliestobusinessaudits.Andoperationalauditsareregularlypart
ofanyaudit(forcombinedaudittopicsseeSectionB,Chapter5).herestofthis
chapterbrielyoutlinesthefocusofeachauditield.Moredetaileddescriptionsare
providedinsubsequentchapters.
Aspartofamanagementaudit(seeSectionA,Chapter6.2.2),InternalAudit
testswhethermanagementcomplieswithexistingpolicies,guidelines,andproce-
duresandwhether itsdecisionsandtheassociated internalcontrolsareefective
andeicient.
Operationalaudits(seeSectionA,Chapter6.2.3)addressissuesrelatingtoboth
organizational and worklow structures. hey can afect almost any operational
businessunit.heauditnormallycomprisesall issuesofprocessdesign,internal
controls,riskcover,andanyrelevantinancialaccounts.
hemainfocusofainancialaudit(seeSectionA,Chapter6.2.4)isonexamin-
ing theaccountingandinancialdataof theorganization.he focus isdiferent,
dependingontheaudittopic:Either,theaccountsandinancialdatacanbeaudited
asawholeonthebasisofananalysisoftheinancialstatements,ortheauditcanbe
conductedonthebasisofindividualaccounts.
heaimofITauditsconductedbyInternalAudit(seeSectionA,Chapter6.2.5)
istotestrelevantsystemstructuresandprocessesfortheiralignmentwithIT,in-
cludingcompliancewithapplicableguidelinesandriskmitigation.hisauditield
coversallprocess-relatedissues,rangingfromorganization,structure,andproce-
dures(includingprojectmanagement)throughaccessauthorization,dataandanti-
virusprotection.InasotwarecompanylikeSAP,theentiresotwaredevelopment
process can have an inluence on IT audits. herefore, SAP’s Internal Audit has
formedadedicatedglobalITauditteam.
Fraudaudits(seeSectionA,Chapter6.2.6)areaimedinparticularatidentifying
suspectedorganizationalandprocessweaknesses,investigatinganonymousaccu-
sationsorspeciicinformationonirregularities,orgatheringevidenceforcasesof
fraudthathavealreadybeenproven.Inthiscontext,itisofspecialimportanceto
establishwhetherandtowhatextentanincidenthasledtodirectlymeasurable,or
atleastindirectlyrelated,inancialconsequencesforthecompany.
Externalbusinessrelationshipsalsogiverisetoaudit-relevantissuesforInternal
Audit,because thenetworkof suppliers, customers, andpartners, relationswith
publicinstitutionsandorganizationsandevengovernmentbodiesultimatelyhave
asigniicantinluenceontheinternalprocessesofacompany.Abusinessaudit(see
SectionA,Chapter6.2.7)isapreventiveauditmeasureconductedinlinewiththe
BasicsBasics
interdependenciesinterdependencies
ManagementAudit
ManagementAudit
operationalAuditoperationalAudit
FinancialAudit
FinancialAudit
itAudititAudit
FraudAuditFraudAudit
BusinessAuditBusinessAudit
119
de-escalationstrategy.Itsmainpurposeistoensurethatprocesses,methods,and
guidelineswithinaprojectarecompliantandtakethirdpartiesintoaccount.
Intoday’senvironment,theefectofInternalAudit’sworkonproitabilityisin-
creasingly important.huscost/beneitanalysesare frequentlyperformed.Cost/
beneitanalysiscanbeperformedforeachoftheaboveauditields.Indoingso,the
focusshouldalwaysbeontheauditasawhole,i.e.,ifacombinationofseveralaudit
ieldsisused,allcomponentsmustbesubjecttoeiciencymeasurement(forde-
tails,seeSectionA,Chapter6.7).
HintsAnDtiPs ;
• Atthestartofanaudit,auditorsmustbeawareoftheauditieldtowhichthe
audittaskinquestionbelongs.
• Especially when interdependencies exist, consistent assignment to the audit
ieldsfacilitatesthestructuringoftheauditengagement.
• Auditorsshouldtrytogatherpracticalexperienceinallauditieldsinorderto
enhancetheirpersonallexibilityandeligibilityforengagements.
6.2.2 ManagementAudit
KeyPoints •••
• During a management audit, Internal Audit tests management’s compliance
withtheestablishedpolicies,guidelines,andprocedures.
• Internal Audit also examines the efectiveness and eiciency of management
decisionsandtheassociatedinternalcontrols.
• he efect of management decisions is a key benchmark of how successfully
managersperformtheirmanagementduties.
• Foravarietyofreasons,managementauditsconductedbyInternalAuditmay
leadtodiiculties,dependingonthecorporateculture,theroleandimportance
ofmanagement,aswellasthemanagerstobeauditedandtheauditorsthem-
selves.
Whenconductingamanagementaudit,InternalAuditmustdeterminewhetherall
thenecessaryprocessesandguidelineshavebeendeinedinthecompany,enabling
managerstoexecutetheirdutiesaccordingtotheestablishedrules.Auditorsmust
alsoinvestigatewhethermanagersactincompliancewiththeestablishedrulesand
policies.
Inaddition,InternalAuditmayaudittheeiciencyandefectivenessofcorpo-
ratemanagement.Evenifmanagersareverycommittedtotheirtasks,itispossible
thatthecompanyasawholederiveslittlebeneitfromtheiractivities.Ifthatisthe
Cost/BeneitAnalysisCost/BeneitAnalysis
ComplianceCompliance
eiciencyandefectivenesseiciencyandefectiveness
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
120
case,theroleofmanagementshouldbereconsideredandrealignedifappropriate.
Inadditiontotheinancialefectsofmanagement’sactivities,InternalAuditmust
considerhowmanagement’sactionsafectthemotivationandconductofemploy-
ees.Oneofthekeypointsofamanagementaudit is toensurethatmanagement
activitiesarenotonlydulyperformed,butleadtothedesiredresultsandthusbe-
comemeasurable.
hetwokeytypesofmanagementauditsdescribedabove(complianceaudits
andmanagementefectivenessandeiciencyaudits)makeupthecomplexieldof
managementauditsforInternalAudit.Duringthecourseofamanagementaudit,
theinternalauditorsshouldconsider:
• Process-basedassessmentofallaspectsofgovernanceaswellasaresults-based
investigationofdecision-makingwithinthecompanyasawhole.
• heextentandthemannerinwhichthemanagersconcernedusetheentrepre-
neurialpowersvestedinthemtothebeneitofthecompany.hisincludes,in
particular,thecontrolofextraordinarymanagementanddecision-makingsitu-
ations,aswellascrisismanagement.Itinvolvesalltheprocessstepsofescalation
(and conversely, of course, de-escalation) procedures across various manage-
mentlevels.heauditassessestheexistingandrequiredmanagementandcom-
municationtools,andhowthetoolsareusedtocommunicatewithbothsuperi-
orsandsubordinates.
• Management’spast leadershipandareas for future improvement,e.g.moving
fromaproblem-basedtoasolution-basedmanagementapproach.
Insummary,themainfocusofamanagementauditistheentiremanagementpro-
cesses,includinginternalcontrols.husamanagementauditismainlyaboutexam-
iningalltheprocesschainsthatmanagersdealwithaspartoftheirstrategicand
operationaltasks.hemanagementauditfocusesonthemanager’swillingnessto
acceptprocessesandtheirinternalcontrolsandtoapplythemaccordingly.Foras-
sessingleadershipqualities,employeesatisfaction,andtheeiciencyofthemanag-
er’spersonalmanagementbehavior, thereareother,more suitable tools, suchas
managementevaluationsperformedbythehumanresourcesdepartment.
Whenimplementingtheseauditrequirements, InternalAuditmakesuseofa
numberofexistingprocedures,documents,andexternalspeciications.Forexam-
ple,InternalAuditshouldexaminewhethercorporate-widepoliciesandguidelines
areimplementedandapplied.hisincludeswhethereachemployeehasaclearun-
derstandingofthecompany’sstrategicandoperationalobjectives.Itistheonlyway
tojustifyandenforcecertaincoursesofactionamongemployeesandtoalignand
commitallinvolvedpartieswiththebasicobjectivesofthecompany.Ontheone
hand,thismayinvolvegeneralprinciples,suchasstandardrulesofconductforall
employees.Ontheotherhand,however,specialguidelinescanalsobedrawnupfor
individualbusinessareasoroperationalunitsandfunctions,suchasgeneralsecu-
rityandITsecurity.
ManagementAuditasanAuditField
ManagementAuditasanAuditField
Process-andResults-basedAudits
Process-andResults-basedAudits
ActivitiesintheinterestoftheCompany
ActivitiesintheinterestoftheCompany
HistoricalandForward-LookingAnalysis
HistoricalandForward-LookingAnalysis
examiningtheProcessChains
examiningtheProcessChains
Guidelinesandinstructions
Guidelinesandinstructions
121
Managementauditsalsoexaminecompliancewithlegalandinancialreporting
requirements. If theseexternalrequirementsdemandentrepreneurialactionand
company-internal implementation, theauditworkofInternalAuditensuresthat
the relevantprocessesarecompliant, complete,andcorrect.hisallows Internal
Audittohelpminimizethecompany’sexposuretolegalrisks.
Inthecontextofamanagementaudit,anemployeesurveyorthegeneralmoti-
vationof the teamassigned toamanagermayprovidecluesas to thedegree to
whichtheresponsibilitiesofamanagementfunctionaremet.
heexaminationofmanagementcontrolsisofhighimportanceforcompliance
with policies, guidelines, and procedures. Management controls must be estab-
lished forall activities, includingobjective-setting,processdevelopmentandap-
plication,decisionimplementation,andinformationanddocumentationactivities.
InternalAuditmust investigateandverifywhether thesecontrolsareadequately
deined and documented and working as intended. his includes management’s
responsibilitiesforcompilingandtrackingminutesandactivitylistsandmaintain-
inganadequateinternalreportingsystemtotherelevanthigherandlowerranking
management levels. InternalAuditmustalsoensure thatallprocesses forwhich
managementisdirectlyaccountablearecompliantwiththepoliciesoftheorganiza-
tionaswellaswithexternalrequirements(e.g.,legalandinancialregulations).
Managementauditsarecharacterizedby speciicchallenges.heydependon
thecorporatecultureoftheorganizationandthustheroleandimportanceofman-
agementperse,aswellasonthepersonalitiesofthemanagerstobeauditedandthe
auditorsthemselves.Duetotherequiredsensitivity,amanagementauditshouldbe
conducted by experienced internal auditors. Ideally, internal auditors who have
worked in a management function may be best suited to perform these audits.
OtherreasonswhymanagementauditsconductedattherequestoftheBoardpres-
entaspecialchallengeforInternalAuditcanbesummarizedasfollows:
• ManagementauditsconductedattherequestoftheBoardmaybeinterpretedas
asignofmistrustinmanagement.hismayleadtoirritationespeciallyifthe
company’spositionishealthyonthewholeandatirstglancetheredonotseem
tobeanyspeciicreasonsforanaudit.hismayhaveacompany-politicalim-
pact,damagingtherelationshipoftrustbetweentheBoardandmanagement.It
maybeveryhelpful,evenbeforeanaudit,iftheBoardofDirectorsmaintainsa
clearinformationpolicywithregardtoaudits.
• ManagersfearthatseriousnegativeindingsmadebyInternalAuditmaycause
themtolosestandingwithInternalAudit,theBoardofDirectors,andperhaps
evencolleaguesand theirownemployees.For fearofnegativeconsequences,
managersmayrefuse tocooperateormake theauditors’workmorediicult.
hismakesithardtoarriveatobjectiveauditindings,damagingtheworking
relationshipbetweenmanagementandInternalAuditandhamperingcoopera-
tion. Insomeculturalgroups,negativeauditindingsare interpretedas indi-
vidualfailingsatapurelypersonallevel.hismayirreparablydamagetheman-
LegalandFinancialReportingRequirementsLegalandFinancialReportingRequirements
PersonnelManagementPersonnelManagement
ManagementControlsManagementControls
specialChallengesofManagementAuditsspecialChallengesofManagementAudits
MistrustMistrust
impactonthestandingofemployeesimpactonthestandingofemployees
A|6|6.2ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
122
agers’standingandreputation,especiallywithregardtotheirownlinemanagers.
hisareainparticulariswhereInternalAuditfacesthechallengeofpresenting
theresultsasimpartiallyaspossible,supportedbyexamples.
• Ifmanagersalreadyhaveproblemsregardingthequalityoftheirwork,negative
auditreportsmayfurtherweakentheirstandinginthecompany.Ifthatisthe
case,itisdiiculttogivethepersonconcernedanobjectiveviewoftheaudit.
InternalAuditshouldthenactasaconsultingpartnerandconvincemanagers
that,byeliminatingtheweakpointsidentiiedbytheaudit,theymayalsoim-
provetheirperformancewithregardtoothersuccessfactors.
• Managersmaygenerallyregardtheirworkasconidentialandmaybereluctant
tosharetheirworkingpracticeswithothers.Insuchcases,InternalAuditmust
takeasensitiveapproachsothatitcanexaminethefactsonthebasisofaper-
sonalrelationshipoftrust.
• Managementauditsmaycauseproblemsiftheyclashwiththeactivitiesofother
departments,suchasemployeesurveyscarriedoutbyHumanResources.How-
ever,suchactivitieshaveadiferentfocusandarebasedonacompletelydifer-
ent method. Whereas the investigations of Internal Audit normally focus on
managementprocessesandtheassociatedinternalcontrolsandrisks,evalua-
tionscarriedoutbyotherdepartmentsareaimedatestablishingthepersonal
suitabilityofeachmanager.Itisimportanttomakethisdistinctionclearandto
demonstratethisfactonthebasisoftheauditindings.Forthisreason,manage-
mentaudits should internallyalsobe referred toasmanagementprocessau-
dits.
• Finally, management may be resistant to the audit because being audited re-
quiresthemanagertoreveal information,whichmayleadtoaseriousmoral
conlictformanagers.hatis,managementmustdecidewhatinformationcan
begiventoInternalAudit,andwhatmustbekeptconidential.OfcourseInter-
nalAuditisalsorequiredtokeepinformationsecretandconidential,butthere
isalargepoolofconidentialdatathatisdiiculttodealwithinthiscontext.In
additiontopersonalinformation,thismayinvolvestrategicandcompany-po-
liticalinformationorbudgetedsalesandproitigures.
Within thecontextofamanagementaudit, InternalAudit should focusonpro-
cesses,theassociatedinternalcontrolsandspeciicindividualrisks,andhowman-
agementdealswith theserisks.Dependingonthedegreeofpersonal trust,each
managementauditwilldevelopitsownmomentumtosomeextent,whichshould
behandledinsuchawaythattheauditobjectivescanstillbemet.
HintsAnDtiPs ;
• Auditorsmustfamiliarizethemselvesthoroughlywiththemanager’spersonal-
ity,takingintoaccountanyproblemsfromthepast.
existingQualityProblems
existingQualityProblems
ManagerPersonalityManagerPersonality
ConlictwithActivitiesofotherDepartments
ConlictwithActivitiesofotherDepartments
ConidentialinformationConidentialinformation
summarysummary
123
• Because management audits require sensitivity, the work program should be
reviewedbyanimpartialmemberofInternalAuditbeforethecommencement
oftheaudit.
• Characteristicstypicallyassociatedwithmanagers(lackoftime,etc.)mustnot
preventInternalAuditfromconductingitsaudit.
• hesensitivityofmanagement’sdatamustbeconsidered.
LinKsAnDReFeRenCes e
• AnDERSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTERnAl AUDITORS. 2000. he International Standards for the
Professional Practice of Internal Auditing.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• InSTITUTE OF InTERnAl AUDITORS. 2001. Practice Advisory 2120-A1-1: Assess-
ing and Reporting on Control Processes.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• SAWyER,l.,M.DITTEnHOFER,AnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
6.2.3 OperationalAudit
KeyPoints •••
• Operationalauditscanaddressissuesrelatingtobothorganizationalandwork-
lowstructures.heycanafectalmostallbusinessunits.
• Operational audits may examine traditional, corporate-wide, and project-re-
latedprocesses.
• heauditnormallycomprisesseveralauditsteps,whichdealwithallissuesof
processdesign,internalcontrols,riskcover,andanyrelevantinancialaccounts.
• Inadditiontotheactualprocesses,thecontrolssetupinthecompanymustbe
examinedandveriiedwithsuitabletests.
Operational audits include audits along the entire value chain of a company, or
speciic parts of it. Under the materiality principle, however, a careful selection
shouldbemadeofthecorebusinessprocessestobeauditedandtheafectedbusi-
nessunits.Responsibilitiesandprocessesthateitherareoflesserimportanceornot
exposedtorisksthatthreatentheexistenceofthecompanyoritsbusinesssuccess
areincludedinInternalAudit’sannualauditplanaccordingtotheirriskproile.
Aninitialanalysisidentiiesthefollowingorganizationalunitsascommonob-
jectsofoperationalaudits:
AuditsofCoreBusinessProcessesAuditsofCoreBusinessProcesses
MainobjectsoftheoperationalAuditMainobjectsoftheoperationalAudit
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
124
• speciicbusinessunits(e.g.,development,sales,consulting)andtheircorefunc-
tionsandcentraltasks,
• central corporate divisions (e.g., Corporate Financial Reporting, Corporate
ManagementAccounting),
• localsubsidiaries,
• associatesthatfallwithintheremitofInternalAuditduetoamajorityinterest
orotherlegalagreements(inthecaseofminorityinterests),and
• other investment relationships (e.g., venture capital participations, joint ven-
tures,etc.).
hemainfunctionofanoperationalauditistoimprovetheorganizationandwork-
lowsofthecompany.Inthisregard,asystematicauditfocusesonanalyzingthe
organizationalstructure,aswellasindividualprocessesortransactions.hemain
objectiveistoensurethatalltheorganizationalsolutionsofthecompanyarecom-
pliantwithrelevantrulesandregulations.
heprocess-orientedapproachfocusesonentireprocessesandorganizational
units rather thanon individual circumstancesand transactions.he intention is
thatthiskindofauditshouldidentifyunderlyingrisksandtheirinterdependencies
andthuspinpointwaysinwhichtheinformationgainedcanbeusedtoimprovethe
security,eiciency,andreliabilityofinternalprocesses.Intheaboveorganizational
units, Internal Audit therefore examines all business, organizational, and legal
issues,responsibilities,authorizations,andprocedures,thecontrolsassigned,and
theriskstobecovered.
Auditsofinternalcontrolsassociatedwithprocesseshavetakenongreaterim-
portancenow,becauseSOXrequirestheCEOandtheCFOofcompanieslistedon
U.S.stockexchangestoverify,inwriting,theexistenceandefectivenessofkeyin-
ternalcontrolsaspartofitsreportingtotheSEC(seeSectionD,Chapter14).
Inadditiontotheauditobjectsmentionedabove,thereareotherareasonwhich
operationalauditsfocus.heseareashavestronginterrelationsbetweenauditob-
jectsandprocesssteps.Somemainareasare:
• globalunits(e.g.,initiatives,departments),
• person-speciicissues(e.g.,incentivescheme,pensionscheme),
• reviewsofexternaland internalprojectswithregard toprojectmanagement,
contracts,andprojectcontent,
• theentireriskmanagementprocess,and
• information management between established organizational units and proj-
ects/initiatives.
An important prerequisite for eicient operational audits is that Internal Audit
document all processes, including controls. his is done at the beginning of the
ieldworkforprocessdocumentationpurposes(seeSectionC,Chapter8andSec-
tionD,Chapter14).Inadditiontodescribingeachprocessstep,thecontrolsthat
objectivesobjectives
ProcessesversusDiscreteitems
ProcessesversusDiscreteitems
internalControlAuditinternalControlAudit
otherobjectsoftheoperationalAudit
otherobjectsoftheoperationalAudit
RecordingofProcessesandControls
RecordingofProcessesandControls
125
thecompanyhasestablishedforeachprocessaredocumented,focusingmainlyon
thefollowingquestions:
• Whatcontrolsexistinthecompanyatthemoment?
• Whoisresponsibleforthecontrols?
• Howarethecontrolsdocumented?
• Arethecontrolssuicienttocovermaterialrisks?
hereareseveraltypesofcontrolsthatorganizationsmayuse,includingmanual,
organizational,automatedorprogrammedcontrols(seealsoSectionC,Chapter8).
Examplesoforganizationalandmanualcontrolsincludethesegregationofduties,
dualcontrol, signaturerules,andITsystemauthorizations.Automatedandpro-
grammedcontrols,ontheotherhand,includeconsistencyandplausibilitychecks.
Aspartoftheaudit,InternalAuditperformsananalysisofthebusinesspro-
cessestoidentifyandhighlighttheirstrategicimportance,therisks,andcontrols
withafocusontheoverallobjectivesandstrategyoftheorganizationaswellasin
thecontextoftherelevantbusinessrisks.Intheirstinstance,thedocumentedpro-
cessstepsrequiredtomeettheobjectivesareanalyzed.Here,InternalAudituses
interviews,documents,andguidelinestoexamineandassesswhetherthecontent
andpurposeofeachprocessmakesense.Inaddition,InternalAuditmustestablish
whether the design of the process is logical, sensible, and efective, whether its
structureisclear,andwhetheritensuresthattheintendedobjectiveismet.
Atthisstage,theexistingandanymissingprocesscontrolsareidentiiedand
examinedforcorrectandfullimplementation.Inparticular,theauditmustestab-
lishwhetherthecontrolsareadequate,sensible,andsuicientfortheprocesscon-
cerned,aswellasdemonstrateandensurethattheyfunctionasintended.Underthe
requirementsofSOX,theissueofresponsibilityforthecontrolsanddocumenting
themisofparticularimportance.
Anotherstepoftheoperationalauditistoexaminetowhatextentthecontrols
identiiedcovertheestablishedoradditionalprocessriskssothattheycanbemon-
itored.Eachpossibleprocessriskshouldbemonitoredandmitigatedbyatleastone
correspondingprocesscontrol.hismayleadtoadditionalcontrolsorthedevelop-
mentofcontrolsrelatedtootherprocesssteps.
SOXrequiresanotherprocessanalysisstep:headequacyandefectivenessof
thecontrolsthathaveanimmediateefectontheaccountingiguresmustalsobe
tested. hat is, controls must be established that ensure that inancial reporting
fairlyrepresentstheinancialconditionofthecompany.
Inaddition toprocessanalysis,other typesofieldworkarenecessary to test
processapplication.Intheirstinstance,discussionsshouldbeheldtodetermine
whether the employees observe all the guidelines and instructions, whether the
lowofinformationisguaranteed,andtheprocessispracticedasdesigned.hese
interviewswilldemonstratetowhatextenttheemployeesarefamiliarwiththepro-
cesses.
PossibleControlsPossibleControls
AnalysisofBusinessProcessesAnalysisofBusinessProcesses
ContentofaControlAssessmentContentofaControlAssessment
ProcessControlProcessControl
LinkwithAccountingLinkwithAccounting
stafinterviewsstafinterviews
A|6|6.2ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
126
Moreover, examination of documents such as guidelines, contracts, extracts
fromthecommercial register,powersofattorney,etc. shouldbe included in the
audit. hus, an operational audit covers more than testing the internal controls
only.
Allprocesssteps,includingtheinternalcontrols,mustbedocumentedfullyand
indetail.SOXrequiresthatthisprocessdocumentation(forthoseprocessesthat
afectinancialreporting)mustbeavailableanduptodateatalltimes.hiscanbe
achievedbyusingasuitableITtool.
heactualtestingofeachprocessandtheassociatedinternalcontrolsisanother
focusofauditwork.Variousmethodscanbeused.Withthehelpofappropriate
samplingprocedures,samplesofprocessesaredrawnandthentestedwithregard
totheexistenceandcomplianceofcontrols.Analternativemethodiswhatisknown
asthewalk-through,wheretheauditorpersonallytracesaspeciictransactionor
economiceventstep-by-stepthroughpartsoftheprocessortheprocessasawhole,
includingallcontrols.headvantageofthismethodisthattheapproachconsiders
allaspectsoftheprocess.Inpractice,acombinationofbothtestmethodswillulti-
matelybesuitableforconductingtheactualaudits(seethepracticalexamplesin
SectionC).
Operationalauditsmaybeperformedasaseparateauditengagement,butitis
importanttonotethattheymayalsobeperformedinconjunctionwithanauditof
anotherauditield(e.g.,fraudorinancialaudit).Forexample,inancialauditsgen-
erallyrequireoperationalauditstoverifyanddocumentthevalidityoftheinancial
dataanalyzed.
HintsAnDtiPs ;
• Atthestartofanaudit,theauditorshouldasktheprocessownertoexplainthe
processbymeansofawalk-through.
• Analyzethedocumentationavailablefortheprocesscarefully.Aimandpurpose
ofthewholeprocessmustbeclear.
• heauditorshouldconductinterviewstogettheemployees’opinionofthepro-
cesstobeexamined.Conidentialmeetingstodiscusssuggestionsorrequests
madebytheemployeesinvolvedintheprocessmaybeagoodwaytoobtain
valuableinformation.
LinKsAnDReFeRenCes e
• AnDERSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTERnAl AUDITORS. 2000. he International Standards for the
Professional Practice of Internal Auditing.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
DocumenttestingDocumenttesting
ProcessDocumentationProcessDocumentation
ProcessandControltests
ProcessandControltests
operationalAuditsandotherAuditAreas
operationalAuditsandotherAuditAreas
127
• InSTITUTE OF InTERnAl AUDITORS. 2001. Practice Advisory 2120-A1-1: Assess-
ing and Reporting on Control Processes.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• SAWyER,l.,M.DITTEnHOFER,AnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
6.2.4 FinancialAudit
KeyPoints •••
• Whenperforminginancial audits, auditorsexaminebothaccountingandi-
nancialdata.
• Duringanaudit,auditorscaneitherexaminetheinancialstatementsasawhole,
oranalyzeindividualaccountsanditems.
• Duringinancialaudits,allapplicablelegal,tax,andaccountingstandardsmust
beobserved.
Financialauditsaregenerallydeinedasanindependentevaluationofpastaccount-
ingdataforthepurposesofassessingwhetherthisdataisappropriate,compliant,
andreliable,ofprotectingtheassetsofthecompany,andofexpressinganopinion
ontheefectivenessoftheinternalcontrolsystem.Aspartofainancialaudit,In-
ternalAuditexaminesareassuchastheinancialaccountsofthecompany,thepay-
rollsystem,assetmanagement,andtheannualinancialstatements.herearetwo
optionsinthisregard:
• Accountsandinancialdatacanbetestedasawhole,basedonananalysisofthe
inancialstatements,or
• individualaccountsanditemscanbeexaminedspeciicallyusingqualiiedsam-
ples.
Iftheinancialdataistobeexaminedasawhole,itisadvisabletoanalyzetheinan-
cialstatementsirst.Tothisend,thedatafromthebalancesheetandincomestate-
menttobeauditedshouldbecomparedwiththecorrespondingiguresofthepre-
viousperiodandanalyzedforanyunusualitemsordiscrepancies.Inadditionto
periodcomparisons,object-relatedcomparisonscanalsobeperformed,(e.g.,local
subsidiariesofsimilarsizeandwithcomparablebusinessactivities).hecompari-
soncanbemadeeitherbyusingabsoluteiguresorbycalculatingcertainkeyratios
(e.g.,certainaccountingratioslikedebt/equityratio,proitratio,cashlowsetc.).
next,theratiosshouldbecomparedwithexternaligures,suchascorresponding
ratiosatpeerorganizations.hismayhelpauditorsidentifyunusualitemsamong
theselectedvariablesfromthebalancesheetandincomestatement.Dependingon
whattheyhaveobserved,auditorsmustdecidewhetherthesecomparisonsshould
DeinitionDeinition
AnalysisoftheFinancialstatementsAnalysisoftheFinancialstatements
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
128
becontinuedforeachcasedowntotheindividualaccountlevel,inordertoestab-
lish theunderlyingcausesof anychangesorvariances.Toevaluate theneed for
moredetailedexaminations,permissiblerangesforvariancesmustbedeined.Ifa
varianceexceedsthedeinedthreshold,theauditmustcontinuedowntoindividual
accounts.Importantly,thresholdsshouldbesetinaccordancewiththemateriality
principle so that the audit remains manageable. hat is, only material indings
shouldbefollowedbyamoredetailedexamination.
At a minimum, inancial audits should include examination of the following
accounts: noncurrent assets, inventories, receivables, cash and cash equivalents,
provisions, liabilities, prepaid expenses, and deferred income from the balance
sheet;revenueandcertainexpenses,suchaspersonnelandtravelexpenses,train-
ingcosts,andotherexpensesfromtheincomestatement.
InglobalsotwarecompaniessuchasSAP,auditsoflicenseagreementsandcon-
sultingcontractsareparticularly important toensure that revenue is recognized
correctly(seeSectionC,Chapters5.2,5.3and9).hisotenentailscomplexpro-
cessesandcontrolsthatinvolvevariousdepartments(suchasinance,development,
productsupport,training,etc.).Auditsfocusingonrevenuerecognitionshouldin-
cludethefollowingtopics:
• Sotwarelicenseagreements,takingintoaccountissuessuchaspricing,mainte-
nance,specialagreements,legalissues,andaccountingpolicies.
• Anytypeofconsultingcontract(forexample,ixed-price,ortime-and-material
projects), takingintoconsiderationlegal issues, includingaccountingpolicies
andthepossibilitiesofindividualprojectreviews.
Iftheexaminationofaccountingandinancialdatafocusesonatargetedanalysisof
selectedaccountsanditems,themethoddescribedforanalyzingtheinancialstate-
mentscanbeusedinitially.However,thevariancelimitsshouldbedeinedmore
narrowly and accurately so that absolute and relative variances can be detected.
Oten,speciickeyvariablesmaybeuseful(e.g.daysoverdue,orthediscountand
creditnoteratio).Ifappropriate,eachaccountiscomparedandanalyzedinturn.
Especiallyinglobalaudits,thecarefulselectionofappropriatesubsetsorsupersets
mayproduceimportantinformation(e.g.,asummaryofbalancesoutstandingfrom
the50mostimportantcustomers).Carefulanddeliberateevaluationofindividual
accountsanditemsshoulddetectthetransaction(s)thatmaybethecauseofany
inconsistencies identiied.However, theprincipleofmaterialitycanandmustbe
observedinsuchinstances.hismeansthattimeandresourcesforauditingindi-
vidualtransactionsarelimitedandthematerialityandeiciencyprinciplesmust
againbeapplied.
heaccountingfunctionisgovernedbynationalandinternationalaccounting
standardsandlaws.Companies,suchasSAP,thatarelistedontheU.S.StockEx-
changesmustalsocomplywithUS-GAAPandtherequirementsoftheSEC.Such
companiesmustundergoinancialstatementauditsperformedbyindependentex-
ternalauditirmstocomplywithSECregulations.Inadditiontothesegeneralstan-
itemstoBeAuditeditemstoBeAudited
ProblemofRevenueRecognition
ProblemofRevenueRecognition
items/Accountsitems/Accounts
GeneralRulesandRegulations
GeneralRulesandRegulations
129
dards,companiesotenhavetoobservesector-speciicregulationsandtheirinter-
nalaccountingguidelines.
HintsAnDtiPs ;
• Aheadofainancialaudit,auditorsshouldtrytoidentifyitemsthatcouldbe
criticalinthebalancesheetandincomestatement.
• hecompany’sannualreportisanotherdocumentonwhichInternalAuditcan
baseapreliminaryassessment.
• Auditorsshouldlookatthedocumentationofindingsfrompreviousaudits.
LinKsAnDReFeRenCes e
• AnDERSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTERnAl AUDITORS. 2000. he International Standards for the
Professional Practice of Internal Auditing.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• InSTITUTE OF InTERnAl AUDITORS. 2001. Practice Advisory 2120-A1-1: Assess-
ing and Reporting on Control Processes.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• InSTITUTEOFInTERnAlAUDITORS.2001.Practice Advisory 2120-A1-3: he Inter-
nal Auditor’s Role in Quarterly Financial Reporting, Disclosures, and Management Certii-
cations.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTERnAl AUDITORS. 2001. Practice Advisory 2120-A1-4: Audit-
ing the Financial Reporting Process. Altamonte Springs, Fl: he Institute of Internal
Auditors.
• SAWyER,l.,M.DITTEnHOFER,AnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
6.2.5 ITAudit
KeyPoints •••
• heaimofITauditsconductedbyInternalAuditistotestrelevantsystemstruc-
tures and processes for their compliance with applicable policies, guidelines,
andstandards.
• hisauditieldcoversallprocess-relatedissues,rangingfromplanningandor-
ganization,information,andsupport(includingprojectmanagement)toaccess
authorization,anddataandanti-virusprotection.
• Duringtheaudit,itisimportanttointegrateallrelevant(internalandexternal)
guidelinesandwrittendocumentation.
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
130
• hestructureof theITprocessesshouldbeexaminedintermsof theirover-
all integrationintotheentirebusinessprocess.hemainfocus inthisregard
shouldbeontheinteractionoforganizationalandautomatedcontrols.
• ITauditscanhaveaninternalaswellasanexternalfocus.
• heexpertiserequiredforITauditshasledtothecreationofaseparateauditor
proile.
Informationtechnologyisanintegralpartofallcompanies.heinformationmade
availablethroughtheuseofITmustmeettherequirementsofbusinessprocessesso
thatbusinessgoalscanbeachieved.AthoroughauditofrelevantIT-relatedmatters
isthereforeanessentialpartoftheworkperformedbyInternalAudit.BecauseIT
issuchanextensivearea,ithasestablisheditselfasaseparateauditield.hefollow-
ingarethemainauditobjectivesintheareaofinformationtechnology:
• ControlsmustbeinplacetoensurethatallITprocesses(internalandexternal)
includethenecessarydataprocessingfunctionsandmeettherelevantsecurity
standardsat the time the system isdeployed. InternalAudit shouldcheck to
ensurethattheseITprocessesoperateasdesigned.
• Inaddition,theseITprocesseshavetocomplywiththelatestcorporate-wide
policies,guidelines,andstandardsaswellaslegalobligations.
like no other aspect of business, information technology is subject to constant
changeandongoingdevelopment.heinnovationsinthisareaarereachingever
greaterdimensions.Forthisreason,InternalAuditfacesthepermanentchallenge
ofadaptingtochangesinthetechnicalandsotwareenvironmentasquicklyaspos-
sible.
A large number of external guidelines and internal rules form an important
basisforITaudits.heCOBIT®(ControlObjectivesforInformationandrelated
Technology)frameworkisparticularlyusefulinanorganizationwithastrongin-
formation technology environment. he COBIT® framework was issued and is
maintainedbytheInformationSystemsAuditandControlAssociation(ISACA).
COBIT® supplements COSO and SOX by focusing on the governance of IT re-
sourcesandprocesses.
COBIT®isespeciallyhelpfulbecauseitprovidesaframeworkandsupporting
toolsetthatbridgescontrolrequirements,technicalaspectsandbusinessrisks.he
ITgovernancefocusareasinCOBIT®relectthecentralpointsoftheITauditdis-
cussedlaterinthischapter.
• Strategic alignment emphasizes aligning IT strategy and operations with the
organization’sstrategyandoperations.
• ValuedeliveryensuresthatITdeliversthedesiredbeneits.
• Resourcemanagementisconcernedwiththeoptimalinvestmentinandman-
agementofITresources.
• Risk management includes the transparency of signiicant IT risks and IT’s
awarenessoftheorganization’sriskexposure.
PositioningPositioning
theChangingFaceofittheChangingFaceofit
FactualBasisitAuditsFactualBasisitAudits
itGovernanceFocusAreas
itGovernanceFocusAreas
131
• PerformancemeasurementtracksandmonitorsIT’sroleinstrategyimplemen-
tation,resourceusageandprocessperformance.
ITgovernancemaybeseparatedintotheresponsibilitydomainsofplan,build,run,
andmonitor.heCOBIT®frameworklabelsthemPlanandOrganize,Acquireand
Implement,DeliverandSupport,andMonitorandEvaluate,andidentiiesthepro-
cessesandactivitieswithineachof thedomainsaccompaniedbyseveralcontrol
objectives.
• PlanandOrganize–Providesdirectiontosolutionandservicedelivery.Typical
auditquestionsinclude:
■ ArethebusinessstrategyandITstrategyaligned?
■ IstheorganizationachievingoptimumuseofITresources?
■ AreITrisksunderstoodandmanaged?
■ IsthequalityofITappropriateforbusinessneeds?
• Acquire and Implement – Provides the solutions to be turned into services.
Typicalauditquestionsinclude:
■ Arenewprojectslikelytodeliversolutionsthatmeetbusinessneeds?
■ Arenewprojectsdeliveredontimeandwithinbudget?
■ Arechangesmadewithoutupsettingbusinessoperations?
• DeliverandSupport–Isconcernedwiththeactualdeliveryofrequiredservices
andsupportforthoseservices.Typicalauditquestionsinclude:
■ AreITservicesbeingdeliveredinlinewithbusinessprocesses?
■ AreITresourcesoptimized?
■ IstheworkforceabletousetheITsystemsproductivelyandsafely?
■ Areadequateconidentiality,integrity,andavailabilitycontrolsinplacefor
informationsecurity?
• MonitorandEvaluate–AllITprocessesshouldberegularlyassessedforquality
andcompliancewithbothinternalandexternalcontrolrequirements.Typical
auditquestionsinclude:
■ IsIT’sperformancemeasuredtodetectproblemsinatimelymanner?
■ Areinternalcontrolsefectiveandeicient?
■ CanITperformancebelinkedbacktobusinessgoal?
■ Areadequateconidentiality,integrity,andavailabilitycontrolsinplacefor
informationsecurity?
Inadditiontotheguidelinesof theCOBIT® framework, legalrequirementsthat
recognizethegrowingconcernforprivacymustbeobserved.heFinancialMod-
ernizationActof1999(alsoknownastheGraham-leach-BlileyAct)requiresi-
nancialinstitutionstoadheretoasetofprivacyrequirementsonconsumers’per-
sonal inancial data. he Health Insurance Portability and Accountability Act
(HIPAA) introducedprivacyandsecurity rules coveringpersonalhealthcare re-
cords.Internationally,legalrequirementssuchastheGermanDataProtectionAct
andrulesaboutthesecurityofuser-speciicdatamustbeobserved.Company-spe-
ResponsibilityDomainsResponsibilityDomains
LegalRequirementsandinternalGuidelinesLegalRequirementsandinternalGuidelines
A|6|6.2ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
132
ciicinternalguidelinesandworkinstructionsontechnicalapplication-baseddata
handlingmustalsobecompliedwith.
WhenpreparingforandconductingITaudits,InternalAudithastofocuson
thefollowingissues:
• StrategicITplanning:hisissueincludesaspectsofacorporate-widestandard-
ized IT strategy, IT-based support of company activities, monitoring the IT
marketfornewdevelopments,andquestionsrelatingtotheimplementabilityof
feasibilitystudiesandsystemanalysis.AcriticalaspectofstrategicITplanning
isthealignmentofITgoalswithbusinessgoals.
• RiskmanagementfortheITprocess:Risksmustbeidentiiedandtheirpoten-
tialimpactestimated.heactionstakentominimizeriskmustbeanalyzed.
• IT-relatedinfrastructure:hisareadealswithauditingrelevantaspectsofphysi-
calsecurity, logicalaccessauthorizations,anddatabackupandarchivingsys-
tems.
• OrganizationoftheITfunction:hisareaprimarilylooksataspectsoforgani-
zationalstructureandprocessorganizationintheinformationtechnologyfunc-
tion,aswellasthedistributionofcentralanddecentralizedITtasks,operational
ITplanning,andtheentirechangemanagementprocess.hisalsoincludesthe
resource management of IT assets and performance measurement of the IT
function.
• OperationalITprocesses:InternalAudithastoverifywhethertheinformation
technologyassuresthecontinuityofbusinessprocesses.heauditmaycoverall
steps,fromplanningtooperationalimplementation,oftheITprocessandits
subprocesses,includingallbackupandalternativeprocedures.
• IT applications: his area looks at the entire development, maintenance, and
changeprocessduringthein-housecreationofsotware, includingall testing
andreleaseprocedures.At thesametimeitchecksthat thesotwareversions
usedareuptodate.
• IT project management: Under this aspect, the overall project framework is
tested,includingissuesofprojectorganization,projectplanning,andtherun-
ningoftheproject,includingriskmanagementandinancialprojectcontrol.
• UsageofITapplications:thisaspectfocusesonexaminingrelevantauthoriza-
tions,systemsettings,internalcontrolsandreconciliations,aswellasreporting
anddocumentationfunctions.
• Communicationsecurity:hisarea isasigniicantaspectofalldatacommu-
nicationwithexternalpartiesandthereforeanimportantobjectintheworkof
InternalAudit.Itincludesauditingtheuseofanti-virussotwareandirewalls
toprotectinformationtechnologyfromoutsideattacks.
• Dataprotectionfunctions:Auditsofthisaspectexaminewhetherallprivacyre-
quirementsrelatingtocomprehensivedataprotectionaremet,includingtracing
allsensitivedatainthesystemandloggingaccessrightchanges,accessprotec-
tion,andallaspectsofconsistentdatamaintenance.
CentralPointsoftheitAuditCentralPointsoftheitAudit
133
heitemslistedaboveprimarilyinvolvetheelementstraditionallyassociatedwith
operationalaudits.Ingeneral,processstructures,risks,andinternalcontrolsshould
beexaminedfromanITperspectiveaswell.hismeansthat inherenttechnical,
organizational,andinsomecaseseveninancial-reportingandlegalaspectsinter-
actaspartoftheprocesses.
ITauditsareconductedonthebasisofanextensiveITsystemenvironment.In
thisregard,wediferentiatebetweenthefollowingprocesses:
• purelyorganizationalprocesses,
• acombinationoforganizationalandITprocesses,and
• purelyITprocesses,i.e.thosethatrunonlywithinthesystem.
WhentheseprocesstypesarerelectedinthestructureofamodernITlandscape,
thefollowingsecurity-relevantlevelscanbedistinguished:
• hepurehardwarelevelischaracterizedbylogisticalsecuritymatters.Herethe
audit should focuson theextent towhichappropriate equipmentandbuild-
ingssecurityisinplace,forexampleaccesscontrol,emergencyplans,anti-terror
measures,andprotectionfrom force majeure.hisalsoincludesthetechnical
aspectsoftheentiremaintenanceprogramanddataarchiving.
• heoperatingsystemlevelrelatestoauditsinthewholeareaofsystemtechnol-
ogy,theuserconcept,failurecontrol,andtherelevantauthorizations,including
accesstospecialoperatingsotwarefunctions,suchasdatabackups.
• he application sotware level also comprises audits of authorization control,
systemsettings,worklows,thestructure,nature,andfrequencyofcertaindata,
igures,anddocuments,aswellasthechangeserviceandsystemarchiving.his
levelalsocoversinterfaceswithinternalandexternalsystems.
• UserguidanceandtheuserinterfacearealsopartofanITaudit,becausethe
mainparametersofacomputerhavetobeexamined,e.g.,speciicsettingsor
accesspathstodatasourcesorinternetsites.Insomecountries(e.g.Germany),
however,thisrequirestheemployee’sexplicitpermissionoracourtorderifthe
circumstancesaresuspicious.
ExaminingalltheselevelsinsequencewillensurethatacompleteITauditiscon-
ducted.
Internalcontrolsexistbothoutsideofandwithinthesystemprocesses.Hereitis
important to take the individual steps in a consistent sequence, i.e., the controls
mustittogetherandmustbemappedlogicallyandwithoutconlict.hepossibili-
tiesthesystemofersforloggingindividualprocessstepsprovideanimportantbasis
inITauditsformeetingevidenceanddocumentationrequirements.Sincethearea
ofinformationtechnologyhasdiferentescalationlevels,resultingindiferentcon-
sequencesforauditindings,therisksandinternalcontrolshavetobeparticularly
closelylinkedwiththerelevantprocesschains.Forthisreason,risk-basedauditing
isacoreelementofthecorporate-wideauditapproach,especiallyintheareaofIT.
ITauditscanhavebothaninternalandanexternalfocus.Internally,theaudit
focusesonsystem-internalbusinessprocesses.Externally,auditsotenexaminethe
itAuditasoperationalAudititAuditasoperationalAudit
AlignmentwiththesystemAlignmentwiththesystem
security-RelevantLevelssecurity-RelevantLevels
internalControlsintheitAuditinternalControlsintheitAudit
internalandexternalFocusoftheitAuditinternalandexternalFocusoftheitAudit
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
134
dataofbusinesspartners,suchascustomersandsuppliers,butalsodatacommuni-
cationbye-mailandinternet.heexaminationincludesmeasurestoprotecttheIT
systemfromtechnicalmanipulationattemptsandvirusprotection,aswellaspos-
sibleaccessrightsforthirdparties.Especiallyinternally,InternalAudithastomake
surethatthelegalandsystem-relatedrequirementsofthetechnologyvendorare
respected.Indoingso,theresponsibilitiesofindividualemployeesforthewholeor
partofaprocesshavetobeclariiedandchecked.Anyadditionalinternalfactors
thatcouldhaveanegativeimpactontheprocessalsoconstituteanobjectofanIT
auditconductedbyInternalAudit.
DuetotheexpertisethatITauditsrequire,aspeciicITauditorproileshould
bedeveloped.ITauditorsmusthavesuicientknow-howtocoverthewholearea.
Forthisreason,itisessentialtoconductadequatetrainingmeasuresforInternal
Auditemployees.
AuditorProileAuditorProile
Work
programReports
● Programs
● ITtools
● SAPapplications
● Programs
● ITtools
● SAPapplications
● Programs
● ITtools
● SAPapplications
Regional
InternalAudit
structure
(workinglevel)
Central
archiving
structure/
database
Documents
Global
auditmodel
!
Internet
!
Archiving
!
Data
protection
!
Access
rights
!
Virus
protection
Regional
reportingIT
Annual
auditplan
Annual
audit plan
Work
programs
Working
papersReports
Status
reports
PreparationPlanning Execution Reporting Follow-up
Working
papers
Fig. 19 AuditsoftheGlobalITEnvironment
135
ParticularlyinITaudits,cooperationwiththeexternalauditorsisveryimportant,
becausetheyhavetoformanopiniononthereliabilityandefectivenessofthein-
ternalcontrols.Here,InternalAuditcanusetheinformationgatheredduringitsIT
audittoresolverelevantissuesinadvance.heindingsmaythuscontributetoa
reduction in theextentof theexternal audit.Particularly for ITaudits inglobal
companies,therearefurtheraspectstotakenoteofregardingacentralordecen-
tralizedorganization.
HintsAnDtiPs ;
• Auditors shouldclarify special requirementswithregard toaccessauthoriza-
tionsbeforetheaudit.
• AuditorsshouldpayattentiontoparticularweakpointsintheITorganization
andtakeanyunusualitemsintoaccountwhendeliberatingtheirindings.
LinKsAnDReFeRenCes e
• CAnADIAn InSTITUTE OF CHARTERED ACCOUnTAnTS. 2004. Privacy Com-
pliance, A Guide for Organizations & Assurance Practitioners.Toronto:heCanadianIn-
stituteofCharteredAccountants.
• InSTITUTEOFInTERnAlAUDITORS.2005.Global Technology Audit Guide 1: Infor-
mation Technology Controls.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• IT GOVERnAnCE InSTITUTE. 2007. COBIT 4.1. Rolling Meadows, Il: IT Gover-
nanceInstitute.
• OlIPHAnT, A. 2004. Auditing IT Infrastructures. Mission Viejo, CA: Pleier
Corporation.
6.2.6 FraudAudit
KeyPoints •••
• Mostcasesoffraudhaveashort-orlong-terminancialimpactthatismoreor
lessdirectlymeasurable.
• Generally,thetermfraudreferstoanykindofattackonacompanyoritsem-
ployees.
• InternalAuditmustrespondtofraudwithaself-contained,consistentprocess
model.
• InternalAudit’sapproachtofraudrequirestakingpreventivemeasuresandin-
vestigatingsuspectedoractualcasesoffraud.
• herequirementsproileforfraudauditorsisverybroad.Inadditiontotechni-
calknowledge,aninterestinforensicauditsisrecommended.
CooperationwiththeexternalAuditorsCooperationwiththeexternalAuditors
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
136
• Duringfraudaudits,communicationwithotherinternalandexternalpartiesis
veryimportantandmustbecarefullyexecuted.
Internationally,thereisanincreasingtrendtorefertoallactivitiesdrivenbycrimi-
nalintentas“fraud.”Examplesincludeattacksonbuildingsandinstitutions,viola-
tionsofdataprotectionlaws,damagetothereputationofthecompanyoranem-
ployee,corruption,infringementofintellectualpropertyrights,damagetoproperty,
tradingofconidentialinformation,ornon-complianceofinancialreporting.
Fraudauditsmayfocusonfraudpreventionoroninvestigatingpossiblecasesof
fraudandincludethefollowingscenarios(fordetails,seeSectionD,Chapter13).
• Fraudprevention:
■ detectionofsuspectedorganizationalandprocessweaknesses,and
■ exactidentiicationofknownweaknesses.
• Fraudinvestigation:
■ investigationofanonymousaccusationswithorwithoutprooforevidence,
■ investigationofspeciicinformationoncommittedfraudwithoutproofor
evidenceornamingasuspect,and
■ investigation of proven fraud, where proof exists and/or the suspect is
known,butguilthasnotyetbeenestablishedbeyonddoubt.
Inthecontextoffraudaudits,itisofspecialimportancetoestablishwhetherandto
whatextentanincidenthasledtodirectlymeasurable,orindirectlyrelated,inan-
cialconsequencesforthecompany.Fraudthatcanbemeasuredininancialterms
mustbecommunicatedtotherelevantbodiesdirectlyandimmediatelybecauseof
thepotentialimpactoninancialreportingandtherulesofthe(international)i-
nancialmarkets.However,fraudthatdoesnothaveanyinancialimpactmustnot
beoverlookedortrivialized,becauseitmayentaildamagetothecompany’sreputa-
tion,environmentaldamage,stafresignations,productandservicedefects,andthe
associatedlossofconidence.
Inordertocategorizepossiblefraudincidentsquicklyandreliablyandtore-
spondwithappropriateaction,itisadvisabletosetupasystemthatcentrallycol-
latesalltheinformationandinitiatestargetedactions.Inordertoachieveamaxi-
mumofsecurity,acontrolbodyofthiskindshouldideallyexistoutsideofInternal
Audit,e.g.,withinthecompany’s legaldepartment.heactivitiesofsuchabody
include thecompilationof speciicguidelines, the treatmentof each incidentby
forwardingandmonitoringit,andaperiodicreportingsystemthatkeepsdetailed
informationregardingallongoingandclosedcases.Inaddition,cooperationwith
otherbodiesthatdealwithsimilarissuesshouldbeorganized.Itmayalsobeben-
eicialtoestablishananti-fraud/anti-corruptionprogramwithintheorganization.
An important part of such a program would be a fraud emergency plan, which
contains all necessary steps for handling fraud-related matters in a professional,
timely,andappropriatemanner.
DeinitionDeinition
AuditFocusAuditFocus
ConsequencesofFraudConsequencesofFraud
Company-internalControlBody
Company-internalControlBody
137
InternalAudit’sactivitiesinthiscontextcomprisemuchmorethanmerelyre-
spondingtocasesoffraud.heultimateobjectiveistoprotectthecompanyfrom
attacksofthisnature.Forthisreason,InternalAuditmuststrivetopreventfraud,
oratleastfacilitateearlydetection.hepreventiveexclusionofpossiblemisusein-
volvesbothidentifyingpotentialsourcesoffraudingeneralandtestingtheefec-
tivenessofcontrolsalreadyimplemented.Cashlowsandanyothersensitivearea
whereembezzlementisadirectpossibilitydeserveparticularattention.heseareas
mustbeanalyzedandadequatecontrolsmustbeestablished.
InternalAudit’sprocessmodelmustbesetupaccordingly(seeSectionB,Chap-
ter7.2). Internalandexternalcommunicationmustbe initiatedandmaintained,
andareportingsystemshouldbeimplementedalsowithregardtothespecialre-
quirementsondocumentsthatmaybeusedinacourtoflaw.Ultimately,evidence
hastobeprovidedtodemonstratethatexternalrequirements,suchasthoseim-
posedonInternalAuditbySOX,areoptimallymet.
Forinvestigatingfraud,eachauditinvolvesanindividualprocedurewithregard
totheauditstepstobetaken,theauditcontent,theinvolvementofthirdparties,
reports,andthenecessaryfollow-upactivities.Toobtainusableauditresultsinthe
shortestpossibletime,fraudauditsnormallyemploythefullrangeofauditproce-
duresavailable,fromacomprehensiveprocessapproach,includingScopeandwork
program,throughspecial,targetedad-hocaudits.Inthisprocess,thebodyofevi-
dencemustbekeptasclear-cutaspossible.
Inadditiontotechnicalexpertise,auditorsneedacertainintuitionforirregu-
laritiescombinedwithahealthydoseofskepticismandanabilitytoputthemselves
intothepositionofotherpeople.Fraudauditorscancomefromdiferenttechnical
areasofacompany.Ideally,theywillatleasthavebasicauditexperienceinother
auditields,suchasoperationalorinancialaudits.Fraudaudits,however,increas-
inglyalsorequiregeneralistswhocanuncoverandassesslinksfrombothatechni-
calperspectiveandwithaneyeforpossiblecriminalmotives.Sincefraudauditsare
mostlyconductedundertimepressure,knowledgeandexperienceintheareatobe
auditedareofgreatbeneit.
InordertoincreasetheeiciencyoftheworkperformedbyInternalAuditin
thisverycriticalauditield,aseparateScope,aseparateAuditRoadmapwithspe-
ciiccomponents,andarankinglistofpossibleauditsegmentsbasedonpastexpe-
rienceshouldbesetupforfraudinlinewiththeriskpotentialinvolved.
Relationswithotherinternalandexternalpartiesareveryimportantforfraud
audits.Firstandforemost,thisincludesthelegaldepartment,CorporateSecurity,
andHumanResources.heAuditCommitteeandthecomplianceoicershould
also be involved in these processes. Cooperation with the external auditors also
mustbearranged.Disclosureofincidentsoffraudisbecominganincreasinglyim-
portantreportingelementforallcompanies.
hewholeareaof fraudaudits isaverycomplexandsensitiveauditield for
InternalAudit.Forthisreason,thereisnosinglecorrectwayofdealingwithfraud
PreventiveAuditsPreventiveAudits
AlignmentoftheProcessModelAlignmentoftheProcessModel
AuditexecutionAuditexecution
RequirementsProileforAuditorsRequirementsProileforAuditors
eiciencyofinternalAuditeiciencyofinternalAudit
involvementofotherPartiesinvolvementofotherParties
PossibletreatmentPossibletreatment
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
138
withinthecompany.heproceduremustbedeterminedforeachindividualcase.
hefollowingdiagramshowspossiblesolutionsandtheinterdependenciesthatex-
istinInternalAudit’streatmentoffraud.
hepoliceandthedistrictattorneycouldnodoubtalsobeimportantexternalpar-
ties in this context. Generally, fraud investigations are aimed at identifying un-
knownperpetrators.IfInternalAuditcannotidentifythem,inconsultationwith
company management and the company’s legal department, they may refer the
mattertothepoliceand/orthedistrictattorney.hisalsoappliesiftheinvestigation
hasbeensuccessful, i.e.,InternalAudithas identiiedtheperpetratorsandlaida
chargeagainstthem.
PoliceandDistrictAttorney
PoliceandDistrictAttorney
Fig. 20 PossibleTreatmentofFraudbyInternalAudit
139
HintsAnDtiPs ;
• Cases of suspected fraud must get priority treatment in day-to-day auditing,
becauseitisotenveryimportanttoactquickly.
• Preventrumorsorhastyreactionsatanystageinthefraudaudit.
• Ensurethattheauditorshavethenecessarydocumentstohand,becausethey
maybeaskedtogiveevidenceinalegaldispute.
LinKsAnDReFeRenCes e
• AnDERSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnAlAUDITORS.2001.Practice Advisory 1210.A2-2: Auditor’s
Responsibilities Relating to Fraud Investigation, Reporting, Resolution and Communication.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTE OF InTERnAl AUDITORS.2001.Practice Advisory 1210.A2-1: Auditor’s
Responsibilities Relating to Fraud Risk Assessment, Prevention and Detection.Altamonte
Springs,Fl:heInstituteofInternalAuditors.
• SAWyER,l.,M.DITTEnHOFER,AnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
6.2.7 BusinessAudit
KeyPoints •••
• Today,relationshipswithexternalparties(suchaspartnersorcriticalvendors)
exposeorganizationstoriskandthereforerequireInternalAudit’sattention.
• heBoardormanagementmayengageInternalAuditinauditsoftheseexternal
relationshipsforavarietyofreasons,includingde-escalation,legalclaims,etc.
• InternalAuditmayperform full-ledgedauditsof these relationshipsorpro-
jects,knownasbusinessaudits.Alternatively,InternalAuditmayperformbusi-
nessreviews,whicharelessrigorousandrequirelessieldwork.
• he objectives of business audits or business reviews are generally to ensure
compliancewithlegal,regulatoryandcontractualrequirementsandtoevaluate
riskrelatedtoexternalrelationships.
• InternalAuditshouldseekinputfromallinterestedpartiestodevelopashared
responsibilityforthesuccessoftherelationshipand/orproject.
Formanyyears,InternalAuditworkhasfocusedonauditinginternalprocessesand
organizationalunitstoinvestigatehowefectivelydepartmentsandtheiremployees
interactwitheachotherandtheircustomersasthemaindeterminantoforganiza-
internalandexternalPerspectiveinternalandexternalPerspective
ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
A|6|6.2
140
tionalsuccess.Whilethisstillappliestoday,theperspectivehasshitedsomewhat.
heincreasingrelianceuponsupplyandservicechains,bothwithinacompanyand
acrossdiferentorganizations,businesssectorsandcountries,hassigniicantlycon-
tributedtobroadeningtherangeoffactorsthatdetermineanorganization’ssuccess.
histrendissettocontinue.Ultimately,thenetworkofsuppliers,customers,part-
ners,andinancialinterestsaswellasrelationswithpublicinstitutions,organiza-
tionsandgovernmentalbodieshasasigniicantinluenceontheinternalprocesses
ofacompanyandthereforeshouldbeintheforefrontofInternalAudit’sfocus.his
meansthatInternalAudit’smainauditareasaredeterminedbybothinternaland
externalconcerns.
heimportanceofauditsrelatedtoexternalconcernswillcontinuetoincrease
asorganizations’relianceonexternalpartnersgrows.ManagementortheBoardof
DirectorsmayengageInternalAudittoexaminetheserelationshipsorprojectsfor
avarietyofreasons:
• Toefectivelymanagearelationshiporprojectwithoutsidepartiesitisimpera-
tivethattheorganizationexaminecurrentandon-goinginformation.Anysig-
niicantinancialoroperationaldisruptionsatanyoftheseorganizationsmay
cause(insomecasesincalculable)damagetothecompany’sreputationandits
market.Damagestoanorganization’sreputationareverydiiculttocontroland
areotenhardtoreverse.
• Otenwhenorganizationsengageinprojectswithoutsidecompaniesthereisa
riskofescalationofcommitment(i.e.,makingirrationaldecisionstojustifypre-
viouschoices).hatis,becausetheorganizationhasenteredintotherelation-
shipthereisadesiretomakeitwork–atallcosts.Escalationofcommitment
otenoccurswhentheprojectorrelationshipisnotasefectiveorproductiveas
originallyexpectedandtheorganizationincreasestheresourcesdedicatedtoit
inanattempttoimprovethelikelihoodofsuccess.De-escalationactivitiesare
designedtocounter-actanyescalationofcommitmenttendenciesthatmayex-
ist.heaimofthede-escalationapproachistoreturntoastablesituationinter-
nallyandtoshowthoseinvolvednewwaysofreachingtheirtargets.
• Whenanorganizationpartnerswithothercompaniesitisexposedtoincreased
complianceandregulatoryriskbecauseitisalsoresponsibleforensuringthatits
partneralsocomplieswithallapplicablelegalandregulatoryrequirements.Ifa
partnerfailstocomplywithapplicablerequirements,theorganizationmaybe
liablefordamagesandsubjecttosanctionsorpenalties.herefore,InternalAu-
ditmustcarefullyexaminetherelationshipsandactivitiesoftheorganizations’
partnersinatimelymannertoensurelegalandregulatorycompliance.
• Ratherthanfocusingonthespeciicpartner,InternalAuditmayalsoexaminea
projectinwhichtheorganizationhasengagedwithitspartner.Internalauditors
mayfocusonproject-speciicissues,suchasdelays,excesscosts,andnonper-
formanceofservicesbythecontractpartner,orsigniicantproductorservice
defects.
increasingimportanceincreasingimportance
interestinUp-to-Dateinformation
interestinUp-to-Dateinformation
De-escalationDe-escalation
LegalRequirementsLegalRequirements
Project-speciicAnalysisProject-speciicAnalysis
141
Foralloftheabovereasons,theBoardmayrequestthatInternalAuditconducta
specialauditofbusinessobjects,alsoreferredtoasabusinessauditorbusinessre-
view.hequestionastowhethertoconductanauditorareviewisusuallyaskedin
connectionwiththeextentoftheieldworkthathastobeperformed.Whenper-
formingabusinessaudit,InternalAuditexaminestheentireauditenvironmentin
depthusingtheAuditRoadmap.Alternatively,abusinessreviewfocusesonrecord-
ingandanalyzingspeciickeyaspectsoftherelationshiporprojectduringlimited
ieldwork.hatis,duringabusinessaudittheauditorperformsalltheindividual
auditsteps,includingthenecessarydocumentation.However,duringareview,the
auditor draws conclusions on the basis of readily available information. Usually,
businessreviewsproduceresultsfaster,althoughtheresultsmustbeanalyzedfrom
the perspective of a review. he advantage of a review over an audit is that it is
soonerpossibletomaketheirststatementsandimplementmeasures.Overall,the
resultsofabusinessauditincludeindingsandrecommendations,whereasabusi-
nessreviewonlyconcludeswithproceduralproposals(formoreinformation,see
SectionA,Chapter7.2.3).herestofthischapterdealswithbusinessauditsinmore
detail.InadditiontotheBoard,otherparties,(e.g.,thelegalorcontractsdepart-
mentofacompany, thesalesorconsultingoicerresponsible,otherserviceand
supportunitsofthecompany,andRiskManagement)mayrequestanindependent
auditoftheorganization’sexternalrelationshipsandprojectsbyInternalAudit.
Abusinessauditisdeinedasapreventiveauditmeasureconductedinlinewith
thede-escalationstrategy.Itsmainpurposeistoensurethatprocesses,methods,
andguidelinesarecompliantandworkingasintended.Atthesametime,therisks
relatedtotheprojectorpartnerareexaminedand,ifnecessary,appropriatede-es-
calationmeasuresareproposed.Objectivesandcontentofabusinessauditmustbe
deinedexactly.heauditmayfocusonlegal,contractual,ororganizationalmat-
ters.
heresultsofabusinessauditarepreparedandpresentedinaslightlydiferent
mannerthanarethoseforatraditionalaudit.Becauseofthedynamicnatureofthe
businessprocessesit isnecessarytoexplaininterimresultsandperspectivesina
timelymannertomanagementandtheemployeesinvolved.hismeansthat,apart
fromthetraditionalreportformatsusedbyInternalAudit,additionalmemos(see
Section B, Chapter 5.3.1) or presentations (see Section B, Chapter 5.3.2) may be
needed.hismaybeofspeciicimportanceifthepartiesconcernedneedtocon-
siderpossibleactionsorcosts.However,itisachallengetocommunicateinterim
results,withoutrevealingimportantindingstooearly.
Whenexaminingrelationshipsandprojectswithexternalparties,itmaybenec-
essarytoconductauditactivitiesoutsideone’sownbusinesspremises.Inthisre-
gard,itisnecessarytoclarifyinadvancetowhatextentthisislegallypossible.Oten
a“righttoaudit”clauseisincludedinthecontractbetweentheorganizationandits
partner.Ifsuchaproceduredeservessupport,InternalAuditcontactsthepartner
inordertoagreetheobjectiveandtherequiredaction.Generally,relationshipswith
BusinessAuditversusBusinessReviewBusinessAuditversusBusinessReview
FeaturesofaBusinessAuditFeaturesofaBusinessAudit
PreparingandPresentingtheResultsPreparingandPresentingtheResults
AuditsoutsidetheCompanyAuditsoutsidetheCompany
A|6|6.2ConceptualBasisofInternalAudit
AuditMethods
AuditFieldStructure
142
externalpartiesaremoreproductiveifthepartiesareabletocooperateandcoordi-
natesuchauditswithoutconlict.
HintsAnDtiPs ;
• Forabusinessaudit,auditorsshouldenlistsupportfromotherspecialistdepart-
mentsandcorporatecommunications.
• Duringabusinessaudit,auditorsshouldexaminealltheexistingdocumentsfor
theprocess,includinge-mails.
• Duringabusinessaudit,auditorsmustkeepthemselvesinformedonanopera-
tionallevelaswellasonastrategiclevelwiththelatestinformationfromthe
BoardofDirectors.
LinKsAnDReFeRenCes e
• AnDERSOn S.W. AnD K. l. SEDATOlE. 2003. Management Accounting for the
ExtendedEnterprise:PerformanceManagementforStrategicAlliancesandnetworked
Partners.InA. BHIMInI (ED.). 2003.Management accounting in the digital economy.
london:OxfordPress.
• AnDERSOn,S.W.,M.H.CHRISTAnDK.l.SEDATOlE.2006.Managing Strategic
Alliance Risk: Survey Evidence of Control Practices in Collaborative Inter-Organizational
Settings. IIA Research Foundation. http://www.theiia.org/research/research-reports/
downloadable-research-reports/?i=237(accessedMay31,2007).
6.3 AuditApproaches
KeyPoints •••
• herisk-basedauditapproachallowsInternalAudittotargetitsworkatareasof
criticalbusinessrisk.
• heauditriskconsistsofinherentrisk,controlrisk,anddetectionrisk.
• Fourauditmethodsareusedundertherisk-basedauditapproach.hesemeth-
odscanbeusedlexiblyinthecourseoftheaudit,inresponsetointerimaudit
results: General risk analysis, analytical ieldwork, system and process based
ieldwork,andsubstantivetesting.
• Aspartoftherisk-basedauditapproachandwithintheauditmethodsthatits
applicationentails,otherauditapproachescanbeusedduringauditwork,either
individuallyorincombination.
• hesystem-basedauditapproachisusedtotesttheefectivenessofthecontrols
andsafeguardsthathavebeenputinplace.
• he objective of the transaction-based audit approach is primarily to detect
143
transactionerrors.hisnormallymeansthatInternalAuditmustuseaninves-
tigativemethod.
• hecompliance-basedauditapproachiscenteredontestingthecomplianceof
anyauditobject,inrelationtomeetingaspeciicrequirement.
• he objective of the results-based audit approach is to arrive at a quantiied
comparisonoftheauditobject’scurrentconditionwiththerelevantcriteria,for
examplelegalstandardsorbusinessguidelines.
• herisk-basedauditapproachisakeyconceptthatprovidesaframeworkfor
theotherauditapproaches.heauditobjectsthatareselectedandthespeciic
audit activities to be conducted are determined within the framework of the
risk-basedauditapproach.heselectionisthereforeguidedbytheriskattached
totheauditobjectanditsmateriality.
Inprinciple,anauditapproachisamethodfordevelopingacertainprocedurefor
anaudit,i.e.,forformulatingtheauditstrategy.Inresponsetomoderncorporate
structures,theaimoftherisk-basedauditapproachistoallowInternalAuditto
tailoritsauditworktotheareasofbusinessrisk.InternalAudit’suniversalityclaim
ofrepresentingpermanentcontrolinallareasisgivingwaytogreaterfocusonau-
ditobjectswithahighriskpotential.
hefollowingdiagramshowsthatauditriskhastwocomponents,errorriskand
detectionrisk.Errorriskbreaksdownfurtherintoinherentriskandcontrolrisk.
Inherentriskistheriskthatisintrinsictoaprocessandresultsfromtheauditob-
ject’ssusceptibilitytoerrors.Itcomprisesmacroeconomic,sector-andcompany-
speciicfactors(e.g.,theeconomicsituation,organizationalstructure,orthecom-
pany’s legal environment, as well as factors speciic to the audit object). Factors
speciic to theauditobject include thecomplexityofworkprocesses inbusiness
Risk-BasedAuditApproachRisk-BasedAuditApproach
AuditRiskAuditRisk
inherentRiskinherentRisk
Detectionrisk
Audit risk
Errorrisk
ControlriskInherentrisk
Fig. 21 AuditRiskComponents
ConceptualBasisofInternalAudit
AuditMethods
AuditApproaches
A|6|6.3
144
unitsanddepartmentsandthetimepressuretowhichtheyaresubject.Toassess
the inherentrisk,auditorsmusthavecomprehensiveknowledgeof thecompany
anditsenvironmentanduseinterviewsandobservationsoranalyzedocumentsin
ordertoobtaininformationonworkloads,workquality,andtechniquesintheunit
beingaudited.
Controlriskrepresentsthedangerthattheimplementedinternalcontrolsystem
doesnotdetectorpreventallrelevanterrors.heremaybetworeasonsforthis:
Either,thecontrolsaretriggeredonlyateratimedelay,whichmeansthatanyer-
rorsareidentiiedtoolate,orcertainaspectsarenotcheckedbecausetheinternal
controlsarenotefectiveallthetimeortherearegapsintheircoverage.
Detectionriskistheothermaincomponentofauditrisk.Itquantiiesthepos-
sibilitythatinspiteofdetailedtests,theauditorsdonotdetectmaterialerrors,for
examplebecausetheyhaveselectedaninsuicientnumberofsamplesorinappro-
priateauditmethods.Unliketheothercomponents,auditorscanthereforedirectly
inluencedetectionriskbyselectingthetypeandextentofieldwork.
Forreasonsofeiciency,onlymaterialrisksareincludedintheauditplanning.
Sincethethreecomponentsofauditriskcanofsetorreinforceeachother,audit
riskisdeterminedbymultiplyingitscomponents:
Auditrisk=inherentriskxcontrolriskxdetectionrisk.
Once theoverallauditriskacceptable for theaudithasbeendeinedandthe
inherentandcontrolriskshavebeendetermined,thetolerabledetectionriskcanbe
set.Auditorsmustkeepwithinthisrisklevelbyconductingappropriateieldwork.
Itis,however,impracticaltoworkouttheexactlevelofriskmathematically,sothat
generalriskcategories(low,medium,high)areusedinpractice.
Fromariskperspective,fourapproachesforriskanalysisareusedaspartofthe
risk-basedauditapproach:
• generalriskanalysis,
• analyticalauditprocedures,
• systemsandprocessbasedieldwork,
• substantivetesting.
Inriskanalysis,theareasofbusinessriskaredeterminedandtherelevantrisksare
identiiedintheoverallcontextofauditrisk.heauditobjectsaredeterminedand
theauditisplannedonthebasisoftheresultsoftheriskanalysis.
Analyticalauditprocedures(seeSectionC,Chapter3.1)areusedtogenerally
assesstherisksatprocesslevel.heproceduresconsistofanalyzingindividualig-
uresandratiosorgroupsofiguresandratios.heyareintendedtoallowauditors
togetanoverviewofthereliabilityof theriskmanagementandinternalcontrol
systems.Analyticalauditproceduresalsohelpprovideaglobaloverviewofthepro-
cessesandcontrolsoftheunitbeingauditedandidentifyanyinterdependencies.
heauditcontentisdividedintoauditareasonthebasisofthisknowledge.
Detailedsystemieldworkhelpstestthereliabilityandefectivenessoftheinter-
nalcontrols.Itisalsousedtoassessthemainprocessrisks.hesetestsarebasedon
acomparisonbetweentheapplicablestandardsorcompany-internalrulesandthe
ControlRiskControlRisk
DetectionRiskDetectionRisk
AuditRiskastheProductofitsComponents
AuditRiskastheProductofitsComponents
tolerableDetectionRiskLevels
tolerableDetectionRiskLevels
RiskAnalysisRiskAnalysis
AnalyticalAuditProcedures
AnalyticalAuditProcedures
systemAuditandsubstantivetesting
systemAuditandsubstantivetesting
145
actualprocessorsituationintheunitsbeingaudited.Substantivetestingisade-
tailedreviewofindividualmaterialcausesofriskorofaspeciicprocess.
Bycombiningtheabovefourauditmethodsintheindicatedsequence,theaudi-
torscanconductanauditeicientlywiththespeciieddegreeofreliabilityandop-
timizeitwithregardtothetimeandefortitinvolves.Duringthisprocess,thereli-
abilityof the individual audit statements increases continually fromgeneral risk
analysisthroughsubstantivetesting.Asigniicantattributeoftherisk-basedaudit
approachisthatthecombinationsofmethodscan,andhaveto,belexiblyadapted
duringtheauditinlinewithinterimauditresults,i.e.,InternalAudit’sactivitiesare
scaleddownorexpandedwhiletheauditisbeingconducted.
Aspartoftherisk-basedauditapproachandwithintheauditmethodsthatits
applicationentails,theauditorscanuseotherauditapproachesduringtheiraudit
work,eitherindividuallyorincombination.hediagrambelowshowshowthedif-
ferentauditapproachesinteract,andthetextthatfollowsexplainstheapproaches
andtheinteractionbetweenthem.
he system-based audit approach should be used to test the efectiveness of the
controlsand safeguards.hemainobjectiveof the system-basedaudit approach
istogivethemanagerswithoverallresponsibilityforcorporatemonitoringanas-
suranceregardingthecontrolsystemsused.Anyactualorpossibleweaknessesin
FlexibleCombinationofMethodsFlexibleCombinationofMethods
otherAuditApproachesotherAuditApproaches
Risk-based audit approach
(de�nition of audit object
and strategy)
Transaction-based
approach
Combinations
Results-based
approach
System-based
approach
Compliance-based
approach
Fig. 22 EmbeddednessofAuditApproachesintheRisk-BasedAuditApproach
A|6|6.3ConceptualBasisofInternalAudit
AuditMethods
AuditApproaches
146
thesystemshouldbedetectedandeliminated.hesystem-basedauditapproachis
generallyalsobasedontheriskanalysisperformedonthecompanyanditspro-
cessesandprocedures.
Audits that followasystem-basedapproacharesimilar toprocessauditsand
focusoncontrolmechanisms.Althoughthisapproach isalso intendedtodetect
errors,itfocusesonsystematicerrorsduringprocessortransactionhandling,not
onspeciicone-timeerrors.hismeansthatthesystem-basedauditapproachisless
retrospectiveandshouldalsobeabletoproduceforward-lookingauditresults.
Becauseofitssystematicwayofdealingwithtransactionswithinthecompany,
whichrequiresthemtobecomprehensivelyanalyzed,thesystem-basedapproachis
particularlywellsuitedtoauditmattersrelatedtoor impactingonthefollowing
topics:Reliabilityandintegrityofaccounting,securingofassets,eiciencyoftrans-
actions,andcompliancewithlegalrulesandrequirements.
heobjectiveofthetransaction-basedauditapproachisprimarilytouncover
transactionerrors.Inlinewiththisobjective,thetransaction-basedapproachoten
meansthatInternalAudithastouseaninvestigativeprocedure.
Auditsthatfollowthetransaction-basedapproacharebestsuitedtoieldwork
suchassampletestsandfullauditsofindividualbusinesstransactionswithinthe
company.heyassesswhethertherelevantprocessesareperformedcorrectlyand
the transactionhasbeenhandledand recognizedproperly.Under this audit ap-
proach, thecontrols integrated in thecorporateprocesses areonlyof secondary
importance,becausetheseauditsanalyzenotthegeneralprocessasawhole,but
focus on a speciic manifestation. As such, the audit procedure used under the
transaction-basedapproachfocusesonthepastorpresent,butcanrarelyarriveat
forward-lookingauditresults.
Becausethefocusofauditactivitiesunderthetransaction-basedapproachison
aspeciictransaction,itisbestsuitedtoinvestigatingsuspectedfraud,helpingwith
issuesrelatingtotheassessmentofmanagementdecisions,orsupportingcustomer
projectsorsimilarconsultingtasks.
hecompliance-basedauditapproachiscenteredontestingthecomplianceof
anauditobject.Consequently,theauditobjectistestedtodeterminewhetheror
notitmeetsaspeciicrequirementsettoestablishcompliance.Suchrequirements
may include legal standards or company-internal conduct rules, policies, and
guidelines.Auditsthattestwhethercertaincontrolsorindividualcontrolelements
areinplacearealsofeasible.
Auditobjectsmayincludeinternalmonitoringsystemsaswellasspeciicpro-
cesses,processsteps,andworkresults.notethatthecompliance-basedauditap-
proach leads toanaudit statement in the formofayes-nodecision. If theaudit
objectisfoundtobecompliantwiththerelevantbenchmark,thisresultsinaposi-
tiveauditoutcome.However,iftheauditindstheauditobjecttodeviatefromthe
relevant benchmark, it is documented as non-compliant. he inding does not
commentontheextentofthevariance,i.e.,theerrorisnotrated.
Sinceitfocusesonfollowingrulesexactlyortheexistenceofspeciiedcontrols
orprocesssteps,thecompliance-basedauditapproachisbestsuitedforassessing
Characteristicsofthesystem-Based
AuditApproach
Characteristicsofthesystem-Based
AuditApproach
Applicationofthesystem-Based
AuditApproach
Applicationofthesystem-Based
AuditApproach
objectiveofthetransaction-Based
AuditApproach
objectiveofthetransaction-Based
AuditApproach
Characteristicsofthetransaction-Based
AuditApproach
Characteristicsofthetransaction-Based
AuditApproach
Applicationofthetransaction-Based
AuditApproach
Applicationofthetransaction-Based
AuditApproach
objectiveoftheCompliance-Based
AuditApproach
objectiveoftheCompliance-Based
AuditApproach
CharacteristicsoftheCompliance-Based
AuditApproach
CharacteristicsoftheCompliance-Based
AuditApproach
ApplicationoftheCompliance-Based
AuditApproach
ApplicationoftheCompliance-Based
AuditApproach
147
compliancewithlegalstandardsorcomplianceregulations,assuringthequalityof
theprocessstructures,ortestingwhetherprojecttargetsareachievedasplanned.
he objective of the results-based audit approach is to arrive at a quantiied
comparison of the audit object’s current condition with relevant criteria, which
againincludelegalstandardsorcompany-internalguidelines.hisapproachisnot
onlyaboutestablishingwhetherornottheauditobjectmeetsthebenchmark.Ifany
non-compliancewith the requirement is found, it shouldbequantiiedas far as
possible.hisappliestobotherrorsinspeciicproceduresandtheimpactofany
controlweaknessesthathavebeenidentiied.
Whentheresults-basedauditapproachisapplied,auditresultsareexpressedas
aquantitativemeasure,notayes-nodecision.henon-compliancesthathavebeen
identiiedcanbeexpressedeitheraspercentagesorrelativevalues,orasmonetary
amounts. If the consequences in the form of a direct percentage or monetary
amountcannotbespeciied,theauditorsmayalternativelyratetheerrorqualita-
tively according to its seriousness. Sample testing is particularly suitable for use
undertheresults-basedauditapproach,not leastbecauseof thelexibilityof the
variables.heresults-basedapproachisalsousefulwheretheauditstatementisnot
tobelimitedtosimplyconirmingcompliance,butwherethepositiveaspectsareto
be quantiied. his approach could be used for projects, for example, where the
auditorswanttoreportnotonlythegeneralfactthattheobjectiveshavebeenmet,
but also that the project was implemented faster and with greater success than
planned.
Sincetheresults-basedauditapproachfocusesonmeasuringandassessingthe
variancefromtherelevantrequirements,itisbestsuitedtotestingcontrolmecha-
nismsandqualityassurancesystems.Inthesetypesofaudit,itisnotonlyimportant
toidentifytheexistenceoferrors,butalsotoestablishwhethertheyarematerial
andwhatefecttheyhave.heresults-basedauditapproachisalsousefulaspartof
internalconsultingactivitiesandforauditingcustomerprojects.
Inprinciple,theauditobjectivesofInternalAuditdeterminewhichauditap-
proachisselected.hechoiceinturnafectsthespeciicauditactivitiesthatInter-
nalAuditconducts.Firstly,itisimportanttoclarifywhetheritisconductingacom-
prehensiveauditofawholeareaoronlyexaminingcertainkeyissues.Iftheaudit
objective iscomprehensive, forexample, testingtheefectivenessoftheintended
controlmechanisms,asystem-basedapproachisadvisable.Formorespeciicissues
orsubstantivetestsonsingle transactionsorsimilar, thetransaction-basedaudit
approachismoreappropriate.
Butthesystemandtransactionbasedauditapproachesarenotmutuallyexclu-
siveandcanbeusedincombinationwitheachother.Inparticular,theauditorscan
usethetransaction-basedapproachforadditionaltestingunderthesystem-based
approach.hereverseprocedure,i.e.,usingthesystem-basedapproachasanaddi-
tion to the transaction-based approach, is normally more diicult and will only
rarelybeconsidereda feasiblewayofachievingtheauditobjectives. Inpractice,
compliance-basedandresults-basedapproachescanalsobeusedincombination,
forexampletotestfortheexistenceofcontrolmechanisms,whileatthesametime
objectiveoftheResults-BasedAuditApproachobjectiveoftheResults-BasedAuditApproach
CharacteristicsoftheResults-BasedAuditApproach
CharacteristicsoftheResults-BasedAuditApproach
ApplicationoftheResults-BasedAuditApproach
ApplicationoftheResults-BasedAuditApproach
ChoiceoftheAppropriateAuditApproach
ChoiceoftheAppropriateAuditApproach
CombinationofAuditApproachesCombinationofAuditApproaches
ConceptualBasisofInternalAudit
AuditMethods
AuditApproaches
A|6|6.3
148
arrivingatquantitativestatementsaboutwhethertheintendedproceduresarefully
andappropriatelycompliedwith.
Itisalsopossibletocombinethecompliance-basedauditapproachwithboth
thesystem-basedandthetransaction-basedapproach.Acombinationofthecom-
pliance-basedwiththesystem-basedapproachisparticularlyusefulwhentesting
whethercontrolmechanismsorcertainprocess stepsexistwithinprocess struc-
tures.hecompliance-basedandtransaction-basedauditapproachescanbecom-
bined, for example when auditing compliance with speciic standards, where a
positiveornegativeauditresultwithoutquantiicationissuicient.However,ifthe
auditorsneedtoquantifytheauditresultinatransaction-basedaudit,theyshould
combine thisapproachwith the results-basedapproach.Whenassessingcontrol
mechanismsorrequirementsrelatingtoprocedures,itissensibletocombinethe
system-basedandresults-basedapproaches.Insuchcases,theauditorsaretesting
notonlythegeneralefectiveness,butalsothematerialityofvariancesfromstated
requirements.
herisk-basedauditapproachisakeyconceptthatprovidesaframeworkfor
the other audit approaches: he audit objects are selected and the speciic audit
activitiesaredeterminedwithintheframeworkoftherisk-basedauditapproach.
heselection is thereforeguidedby the riskattached to theauditobject and its
materiality.Withinthe individualstepsorauditmethodsof therisk-basedaudit
approach,theauditorsshouldfallbackonotherauditapproachesthatallowthem
toaddspeciicauditcontentintheappropriateplacewithinthespeciiedframe-
work.Itwilldependonthecaseinquestionwhethertheauditorsshouldusethe
pureformsorcombinationsofauditapproaches.hisdecisionistakeninlinewith
theauditobjectiveonthebasisofthespeciicrequirementsandcircumstances.
Onthisbasis,itisalsopossibletocreatelinksbetweenthetasksofInternalAu-
ditandtheapplicableauditapproaches.Forthemoretopicaltasks,theassignments
arerelativelyclear.ForanITaudit,thesystem-basedapproachwithresults-based
elements will normally be best. But a fraud audit will almost invariably use the
transaction-basedapproachincombinationwiththecompliance-basedapproach,
unlessitinvestigatesthegeneralefectivenessofapreventivesystem.
Intheareaofinternalconsulting,customerprojectswilltendtobeaddressedby
thetransaction-basedauditapproach,butconsultingprojectsforprocessimprove-
mentswillprobablyrequireasystem-basedapproach.hesameappliestobusiness
audits.Inmostcases,theresults-basedapproachwillbemoreprevalentthanthe
compliance-basedapproachintheseareas,becausethequantitativeimpactofaudit
indingsisveryimportantininternalconsulting.
Whenexaminingtheorganizationalstructure,managementauditsmayusethe
system-basedauditapproach,butotherwisethetransaction-basedapproachwillbe
morecommon.Inthisauditield,aresultsfocusshouldcommonlyoutweighapure
complianceassessment.
Sinceinbothoperationalandinancialauditsthefocusisonprocessesandbusi-
nesstransactions,system-basedauditapproachesarethepreferredchoice.Inboth
ields,transaction-basedapproacheswillonlybeusedinindividualcasestocon-
otherPossibleCombinations
otherPossibleCombinations
Risk-BasedAuditApproachasa
Framework
Risk-BasedAuditApproachasa
Framework
UseinitandFraudAudits
UseinitandFraudAudits
UseininternalConsultingandBusiness
Audits
UseininternalConsultingandBusiness
Audits
UseinManagementAudits
UseinManagementAudits
UseinoperationalandFinancialAudits
UseinoperationalandFinancialAudits
149
irm the results. he adequacy of a compliance-based or results-based approach
depends on the audit object in hand, although the results-based approach will
probablybeusedmoreoten.
he above diagram explains the relations between audit ields and the audit ap-
proachestobeused.Fortheassignmentofpossibleauditapproachestothetask
areas,therisk-basedauditapproachonceagainfunctionsasaframework.Onthe
basisofriskconsiderations,decisionsaretakenaboutthecontentofauditobjects,
whichcanbelongtoonemaintaskortoseveralactivitiesofanauditield.Oncethe
auditobjectshavebeenspeciiedandthebasicauditstrategyhasbeendeined,the
auditapproachcanbechosen.
HintsAnDtiPs ;
• Auditors should always keep risk-based procedures in mind and act accord-
ingly.
• Risk aspects are also very important when choosing appropriate audit ap-
proaches,anditmaythereforemakesensetoconsultwithriskmanagement.
• Auditors should thoroughly analyze the impending audit request in order to
aligntheirmethodwithoneormoresuitableauditapproaches.
• Evenatertheaudithasstarted,auditorsshouldregularlyconsiderusingdifer-
entoradditionalauditapproachesorauditmethodsintheirwork.
AssignmentbyRiskorientationAssignmentbyRiskorientation
Audit
approach
X=important
x=lessimportant
Results-
based
Manage-
mentFinancialOperational IT Fraud Business
System-
based
Transaction-
based
Compliance-
based
Ris
k-b
ase
d
Risk-based
X
X
X
X
X
X
X
x
X
X
X
x
X
X
x
x
X
X
X
X
x
X
x
X
X
XX X X X
Fig. 23 RelationsbetweenAuditFieldsandtheAuditApproachestobeUsed
A|6|6.3ConceptualBasisofInternalAudit
AuditMethods
AuditApproaches
150
LinKsAnDReFeRenCes e
• KEITH,J.2005.KillingtheSpider.Internal Auditor(April2005):25–27.
• MESSIER, W. F. 2003.Auditing and Assurance Services: A Systematic Approach.3rded.
Boston,MA:McGraw-Hill.
• RITTEnBERG,l.E.AnDB.J.SCHWEIGER.2005.Auditing: Concepts for a Changing
Environment.5thed.Boston,MA:hompson.
• SAWyER,l.,M.DITTEnHOFERAnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,Gorham&lamont.
6.4 AuditCategories
KeyPoints •••
• heauditcategoriesincludelocal,regional,andglobalaudits.
• localauditsfocusonlocalunitsandprocesses.heyareconductedbythede-
centralizedunitsofInternalAudit,takinglocalcircumstancesintoaccount.
• Auditsoftopicsthatarerelevantforthewholeregionarecalledregionalaudits.
heseincludeauditsofatopicperformedcentrallyforthewholeregion,orona
decentralizedbasisatdiferentlocationsintheregion.
• Globalauditsalwaysinvolvehorizontalprocesschainsthatafecteitherdifer-
entorganizationalunitsorthesameorganizationalentityasaglobalfunctionin
diferentregionsandcountries.
• All audit standards that have been developed apply without exception to
the diferent audit categories. Deviations from the standards are only al-
lowed in justiiedexceptionalcircumstances.hereasons for suchdeviations
mustbedocumentedandpermissionmustbeobtainedfromtheAuditMan-
ager.
hreeauditcategoriesarediferentiatedatSAP:local,regional,andglobalaudits.
Allaudittopicscanbeassignedtotheseauditcategories.Inpractice,someaudits,
e.g., of inancial or process topics, are primarily conducted locally, but audits of
strategictopics,suchasmanagementprocessesorriskmanagement,aremoreoten
auditedregionallyorglobally.
However, the links between audit ields and audit categories are not always
clear-cut,andmultipleassignmentsarepossible.Ainancialauditcanbeconducted
locally inanoperatingunit,but it isalso feasible toconduct itonaglobal level
throughoutthecompany.
localauditsareallauditactivitiesthatexclusivelycoverauditcontentatalocal
level,e.g.,processesandobjectsthatrelatetoonlyonecountryorthosethatareto
beexaminedfromalocalperspective,eventhoughtheyaregloballysigniicantfor
AssignmentofAuditCategoriestoAudit
topics
AssignmentofAuditCategoriestoAudit
topics
MultipleAssignmentsMultipleAssignments
DeinitionofLocalAudits
DeinitionofLocalAudits
151
theentirecompany.Inadditiontolocalsubsidiaries,theauditobjectsoflocalau-
ditscanincludejointprojects,partnerships,andjointventures.
SAP’sInternalAuditisorganizedinseveralregionalteamswithahighdegreeof
autonomy(seeSectionA,Chapter4.3).Acoretaskoftheseregionalauditunitsis
toimplementtheauditstandardsdevelopedinthevariousauditcategories.local
auditsofentities in thearearepresentavirtuallyautonomousauditcategory for
regionalteams.hisgivestheauditteamsahighdegreeofresponsibility.Regional
teammembersaremainlyrecruitedfromamongtheemployeesoftheregion,en-
suringthattheregionallyorlocallyspeciicexpertiseremainswithintheunitre-
sponsiblefortheregion.
Typicallocalauditsincludeprocessandaccountingaudits,aswellasauditsof
compliancewithcorporatelaw(e.g.,registerentriesandarticlesofpartnership).In
addition, local audits also examine speciic local processes and approval proce-
dures,takinglocallyrelevantlegalcircumstancesintoaccount.hisincludesaudits
of localITprocessesandITequipment,aswellasspeciicinvestigationsintoal-
legedorsuspectedfraud.Ultimately,manyelementsofthewideieldofaudittopics
maybecomelocallyrelevant.
Undernormalcircumstances,standardauditswillbethetypemostcommonly
conductedfromalocalperspective,i.e.,auditsthatcouldhappeninsimilarwaysat
diferentlocations.Specialauditswithaspeciictopicfocusoccurmorerarely,ifat
all,becausesuchuniquetopicsareotenencounteredonlyonceinthecompanyand
arethereforenormallynotconductedindecentralizedunitsbutratheronaglobal
level,e.g.auditsofthecorporatetreasurydepartment(fordetailsonaudittypology,
seeSectionA,Chapter6.5).
localauditsalwaysfollowtheAuditRoadmap,fromplanningandpreparation
throughexecution,reporting,andfollow-up(seeSectionB).Inaddition,thewhole
qualityassuranceframeworkmustbecompliedwith.localauditsareshapedbythe
combinedinluenceofcentrallyspeciiedstandardprocessesandcontentsonthe
onehandandtheirdecentralizedadaptationandapplicationontheother.Central
standardsmustbeappliedtotheaudittotheextentpossible,butdespitestandard-
izationspeciiclocalfeaturesmustbeconsidered.
Especiallyinsmallerregions,itisimportanttoexchangeasmuchinformation
aspossiblepriortoanaudit,becausethisallowstheauditorstoidentifyauditfocus
areasinatimelymanner.hisappliestobothinternalandexternalcontacts,e.g.the
localexternalauditors.localculturalaspectsmustalsobeconsidered.
localauditsare listed in theregionalexecutionplan(seeSectionB,Chapter
2.2),whichmustbebasedon theoverall regionalcapacity forall auditsand the
availableresourcestoavoidschedulesthataretooambitious.Sometimes,however,
especiallyifcapacitysuddenlybecomesunavailableorspecialistknowledgeisre-
quired,theremaybeadditionaldemandforauditorcapacity.Insuchcircumstances,
the regional teams should get ad-hoc support from colleagues of other regions.
Evenwhenalocalauditisconductedbyamixedteam,theauditremainslocaland
fullyundertheresponsibilityoftheregionalauditorganizationconcerned,i.e.the
regionalteamandtheregionalAuditManager.
RegionalteamsatsAPRegionalteamsatsAP
subjectofLocalAuditssubjectofLocalAudits
standardAuditsversusspecialAuditsstandardAuditsversusspecialAudits
PositionofLocalAuditswithintheProcessModelPositionofLocalAuditswithintheProcessModel
informationexchangewithotherPartiesinformationexchangewithotherParties
MixedteamsMixedteams
ConceptualBasisofInternalAudit
AuditMethods
AuditCategories
A|6|6.4
152
Duetotheirresponsibilityforconductingauditsintheirregions,AuditManag-
ersarealsoresponsibleforprioritizingandschedulingeachaudit.Alladministra-
tiveprocesses,suchastheauditannouncementandthedistributionofreports,are
alsoperformedregionallyonthebasisoftheapplicabledistributionlists.hisaf-
fectsthemanagersoftheunitbeingauditedatlocallevelinparticular.
Regionalauditsfocuseitheronregionalmatters,e.g.regionalmanagementof
businesspartnerrelations,oronprocessescentrallyorganizedthroughsharedser-
vicescenters,e.g.,standardizedpurchasing.hismeansthatunderaregionalaudit,
aspeciictopicisexaminedinvariousdiferentlocations,eithersimultaneouslyor
onedirectlyatertheother.heauditorganizationmustmakesureineachinstance
thattheauditsareconducteduniformlyandlocalpreferencescannotinluenceor
distorttheauditresults.
hecommentsonlocalauditswithregardtocomplyingwithauditstandards
andputtingtheauditteamtogetheralsoapplytoregionalaudits.However,thereis
amajordiferenceinthewaytheregionalnatureoftheauditimpactsthemanage-
mentoftheunitmainlyafectedbytheaudit.Inthecaseofregionalaudits,higher-
level(regional)managementisresponsibleforenablingtheauditontheonehand
andforimplementingtheauditresultsontheother.hismeansthat,unlikeforlo-
calaudits,thismanagementlevelmustalwaysbeinvolvedinthemainphasesofthe
audititselfandtheopeningandclosingmeetings.
Another signiicant diference is that the results of regional audits may have
greaterimportanceforthecompanythanthoseoflocalaudits.Forthisreason,itis
possiblethat,inthesearchforcompany-widesolutions,criticalresultsofaregional
auditwillmorereadilybebroughttotheBoardofDirectors’attentionbecausethe
objectiveistoreleaserulesandguidelinesatseniormanagementleveltohelphar-
monizationacrossregionalboundaries.
Internationalcorporateauditdepartmentscanandmustalsofaceglobalaudit
topics(seeSectionC,Chapter7).Diferentaudittopicscanbeidentiiedaschal-
lengesforInternalAuditonagloballevel.heyarerelatedtodiferentmethodsthat
canorhavetobeusedaccordingtotheunderlyingdeterminants.
Aglobalauditofonetopicmayoccuratlocationsindiferentregionsunderone
organizationwithoverallfunctionalresponsibility.Examplesincludetheglobales-
calationdepartment,theglobalprocessingofpatentstosafeguardintellectualprop-
erty,oraglobalpurchasingorganization.Ultimately,theyalwaysinvolvehorizontal
processchainsthateitherafectdiferentorganizationalunitsorthesameorganiza-
tionalunitindiferentregionsandcountries.Aglobalauditareamayalsobeatopic
whosespeciiccontentsaredeinedbyacentralunit,whichimplementsandcoor-
dinatestheminthediferentcountriesandregions.Examplesincludeglobalrisk
managementandgloballystandardizedinternalcontrols,particularlyinresponse
toSOX.Globalstructuresofthiskindmayalsobefoundindevelopmentorsales
organizations,whicharethereforealsopossiblesubjectsofInternalAudit’swork.
FromInternalAudit’sperspective, itmaybe sensible tocentrally standardize
certaintopicsthustransformingthemintoglobaltopicsforthetimeoftheaudit
tasksoftheAuditManager
tasksoftheAuditManager
DeinitionofRegionalAudits
DeinitionofRegionalAudits
LocalversusRegionalAudits
LocalversusRegionalAudits
ValueoftheAuditResults
ValueoftheAuditResults
GlobalChallengesforinternalAudit
GlobalChallengesforinternalAudit
subjectofGlobalAuditssubjectofGlobalAudits
CentrallystandardizedAudits
CentrallystandardizedAudits
153
engagement.Toensurethatforthesetopics,auditcontent,procedures,andexper-
tiseareoptimized,suchauditobjectsareeasiertoenforceandcoordinatefromIn-
ternalAudit’spointofviewiftheyaremanagedunderthesametechnicalresponsi-
bility.heauditsinquestionincludeprimarilymanagementandfraudaudits,but
alsoauditsof ITprocessesand informationnetworks.A special featureof these
typesofauditsisthatthetopicsunderreviewareotensensitiveandmayhavea
globalimpactontheentirecompany.
Globalauditsareseenasasingleunitforthewholedurationoftheauditpro-
cess.hismeansthatthetotalityofanauditcannotbebrokenup,evenifitcovers
areasthatdiferintermsofcontent(centralfunctionsanddecentralizedunits).In
aglobalaudit,theaudittopicthereforeclearlydominatestheregionsandformsthe
focalpointofallauditprocedures.hewholeorganizationandprocessofanaudit
mustfallinlinewiththeglobaltopic.heonlyrelevantoutcomeisacompleteand
globallycoordinatedauditresult,becauseonlythisresultwillpermittheauditorsto
arriveatindings,recommendations,andconclusionsthatareappropriatefroma
globalperspective.hismeansinturnthattheauditcontentmustbedeinedona
globallevel,notwithalocalorregionalfocus.
Globalauditsprimarilydealwithoperationalbusinessunitsthatareunderuni-
formglobalmanagementandthereforehavegloballystandardizedprocesses.he
reportinglinestothegloballevelmustbeclearlydeinedinthiscontext.Unitsthat
aremanagedonadecentralizedbasis,yetfollowglobalprocesseshaveclearlocalor
regionalreportinglines.
Globalauditsmustbetreatedasawholenotonlywithregardtocontent,but
alsointermsofmethodinordertoensureauditsuccess.hisiswhytheworkpro-
gram,theworkingpapers,andthereportsmustalwayscoverallareasofaglobal
audit.Individualpartscannotreceiveindependenttreatment,eveniftheyinvolve
diferentcountriesororganizationalunits.Eachstageofthequalityassurancesys-
temshouldalsoincorporatetheresultsofallauditedunitssimultaneously.hepro-
cedurecanonlybeconsistentanddeliveragloballycohesiveauditresultifallaudit
stepsarecoordinatedacrossallinvolvedauditorsandsynchronizedwithregardto
content.
Global audits require the auditors involved to communicate and cooperate
acrosscontinentsandtimezonesandthereforeplacegreatdemandontheaudit
lead.Globalcooperationalsorequiresthatallteammemberskeeptotheworkpro-
gram(intermsoftimingandorganization)anddeliverpartialresultswhentheyare
dueinordertosupporttheauditleadinconductingasuccessfulaudit.
Whatmakesglobalauditschallengingisthepotentialconlictbetweenwhathas
beencentrallyspeciiedandwhatcanbeimplementedregionally.Insuchcases,the
rightbalancehastobefoundinordertogetanacceptableauditresult.henature
ofdiferentglobal audit scenariosalso requiresdiferentwaysof conducting the
audit.Insomeaudits,forexample,thecentralfunctionswillbeexaminedirst,fol-
lowedbycorrespondingauditsintheregions,whichareconductedsimultaneously
orsuccessively.Itmaybesensibletoauditdiferentdecentralizedunitssimultane-
thematicUnitythematicUnity
ReportingLinesReportingLines
standardMethodstandardMethod
GlobalCooperationGlobalCooperation
DiferentAuditProceduresDiferentAuditProcedures
ConceptualBasisofInternalAudit
AuditMethods
AuditCategories
A|6|6.4
154
ouslysothatyoucanusethemutualexchangeofinformationasabasisforthenext
steps.Alternativelyitmaybeconsideredtoconcludetheauditofonedecentralized
unitirstsothatthelessonslearnedcanbeappliedtoimprovingtheauditproce-
dureforfurtherunits.heauditleadandInternalAuditmanagementhavetode-
cideonacase-by-casebasiswhichprocedureisbest.
Onthewhole,globalauditsalsofollowtheAuditRoadmap(seeSectionB),i.e.,
theaudit steps tobe takenare integrated into therelevantphasesof theprocess
model,althoughtherearesomespecialpointstoconsiderwhenauditingglobally
whichwillbediscussedinthefollowingparagraphs.
heplanningphaseofglobalauditsnormallytakeslonger,becausetheyinvolve
signiicantlymorecoordinationinselectingtheteammembersandassigningthe
taskswithintheteam.Otherpointstoclarifyincludetheentireinfrastructure,the
organization of meetings, and how information will be exchanged and require-
mentsdocumented.Inaddition,globalauditsmayentailaneedtoinformthevari-
ousglobalunitsoftheauditobjectmorecomprehensivelyabouttheobjectiveand
purpose of the audit than in regional or local audits. he auditors must check
whethertherelevantScope(seeSectionA,Chapter5.3)completelycoverstheglobal
aspectsandupdateitifnecessary.
When preparing the work program, the auditors may ind that global audits
(more oten than local audits) require additional technical expertise, e.g., in the
formofguestauditorsorexpertadvisors(seeSectionD,Chapter10).heschedule
tobecompiledhastotakeintoaccountthat,duetothegreatphysicaldistances,
meetingsandthedocumentationofworkingstepsareparticularlydiiculttoorga-
nizeinglobalaudits.
Globalauditsdonothaveanyspeciicrequirementsintermsofauditexecution,
but linguistic and cultural needs must be taken into account when creating the
workingpapersandduringtheclosingmeeting.
Duringthereportingphase,theauditleadmustensurethatallpartsofthere-
portarecompletedontimeandareconsistentwitheachother.heamountofwork
this requires in global audits should not be underestimated. he responsibilities
mustbedeinedcarefullyandclearly to supportand to facilitate the subsequent
implementationoftheauditresults.
HintsAnDtiPs ;
• Allinvolvedpartiesmustbeawareofthecharacteristicsoftheauditcategoryin
question.
• Communicateaudit-speciicinformationwithlocalandculturalcircumstances
inmind,usinginformalchannelsifappropriate.
• heglobalauditleadmustmakesurethatthevirtualnetworkbetweenallteam
membersisfunctional.
GlobalAuditsandtheAuditRoadmap
GlobalAuditsandtheAuditRoadmap
PlanningPhasePlanningPhase
AuditPreparationAuditPreparation
AuditexecutionAuditexecution
ReportingReporting
155
LinKsAnDReFeRenCes e
• SAWyER,l.,M.DITTEnHOFERAnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,Gorham&lamont.
6.5 AuditTypes
KeyPoints •••
• heaudittypeisanimportantdeterminantoftheauditmethod.
• Wecandiferentiatebetweenstandard,special,andad-hocaudits.
• Eachaudittypehasitsownobjectives,content,andindividualprocedures,al-
thoughitisbasedontheAuditRoadmap.
• StandardauditsmostcloselyfollowtheAuditRoadmap.heycanbeplanned
almost intheirentiretyandcanthereforebeperformedasotenasnecessary
andatrelativelyshortnotice.
• Specialauditsusuallydealwithauditobjectsthatoccuronlyoncewithinthe
company. hey also contain many elements of the Audit Roadmap, but they
havealargernumberofindividualelementsthanstandardaudits.
• Ad-hocauditsarethemostindividuallystructuredauditsfocusingonspecial
topics, or person-speciic one-time audits. hey are oten commissioned by
companymanagement.AlthoughtheyfollowtheAuditRoadmapinprinciple,
theirveryindividualnatureotenrequiresspeciicsteps,ieldwork,anddocu-
mentsduringeachphase.
• Anad-hocauditmayalsoreadilyleadtoadditionalstandardorspecialaudits.
heaudittypeisanotherimportantdeterminantoftheauditmethod.Itrefersto
thediferentiationofauditsbypurpose,content,aswellasorganizationandexecu-
tion.hree typescanbedistinguished: standardaudit, specialaudit,andad-hoc
audit.Assignmentofanaudittoatyperesultsinspeciiccharacteristicsfortheau-
ditthatafecteachstageoftheAuditRoadmap,fromthewaytheauditisplanned,
theexistenceofaScopeandworkprogram,theformandtimingofauditexecution,
throughthevariousreportingformsandthefollow-upprocedure.
Standardauditsinvestigateobjectsthathavemultipleoccurrencesinthecom-
pany,sothatthetopicoftheauditcomesuprepeatedly.hismeansthattheaudit
canbestandardized,i.e.,itscontentandprocedurecanbeappliedtoanynumberof
similar audit objects. Examples include individual departments in subsidiaries,
suchasAccountingorPurchasing.Butsimilarprocessessuchaspayrollandtravel
orotherexpensescanalsobespeciiedforstandardaudits.heyarealsousefulin
areaswhereguidelines,rules,andprocessstandardsaretobeharmonized.Stan-
dardauditsareotenconductedlocally.
AudittypeandCharacteristicsAudittypeandCharacteristics
standardAuditsstandardAudits
A|6|6.5ConceptualBasisofInternalAudit
AuditMethods
AuditTypes
156
StandardauditshavecertaincharacteristicsintermsoftheAuditRoadmap(see
SectionB):
• Aspartofannualauditplanning,theyarenormallysubjecttoriskassessment
andareincludedintheannualauditplan,ifappropriate(seeSectionB,Chapter
2.2andSectionD,Chapter3).heauditisannounced(seeSectionB,Chapter
3.1)andtheteamcompiled(seeSectionB,Chapter2.4)inlinewithclearproce-
dures.AScope,whichdescribestheauditcontent,existsforstandardaudits.
• heworkprogramiscompiledonthebasisofthecontentoftheexistingScope,
whichmeansthatitcanbeusedforsimilaraudits.
• Certainstandardieldworkactivitiescanalsobedeinedfortheauditexecution
stage,e.g.,sampletestprocedures,interviewtechniques,orquestionnaires.
• All standard reports, from implementation report through Board summary,
mustbeusedforreportingunderstandardaudits(seeSectionB,Chapter5).One
ofthereasonsforthisrequirementisthattheresultsofstandardauditsmustbe
documentedandcommunicatedaccordingtoixedrulestoensurecompliance
withtheauditprocessintheAuditRoadmap.Anyindividualadaptationatthis
stageshouldthereforebereservedforspecialjustiiedcircumstances.
• hesameappliestothediferentphasesofthefollow-up.Foroptimizationpur-
poses,itisimportantthatthemeasuresandrecommendationsmadebyInternal
Auditarerigorouslyimplemented,whichiswhysystematicfollow-upsarees-
sential.
Standardauditsareconductedaccordingtoclearrulesandfollowingstandardized
steps.Forthisreason,theyarewellsuitedforlessexperiencedauditorstogainex-
perience,insomecasesevenasauditleads.Standardauditscanalsoserveasabasis
fortheotheraudittypes,especiallyspecialaudits.
hetopicofaspecialauditusuallyoccursonlyonceintheentireorganization.
Examplesincludespecialdevelopmentdepartmentsthatdevelopadd-onswithor
withoutalinktoacustomerproject.likestandardaudits,specialauditsarealso
subjecttothewholeannualplanningprocess.Specialauditsaremostlyconducted
onaglobaloratleastonaregionalbasis,becausetheirtopicsareotentoospeciic
to be present at local level. hey oten require speciic technical knowledge and
specialpreparation,whichmustbeconsideredwhencomposing theaudit team,
becausetheauditors’technicalknowledgeandinterestscanmakeakeycontribu-
tiontothesuccessoftheaudit.
SpecialauditsrequirediferenttreatmentundertheAuditRoadmap(seeSec-
tionB)thanstandardaudits,atleastinpart:
• Althoughtheyareincludedintheannualauditplan,theyneedlongerprepara-
tiontimeswhentheyareaddedtotheexecutionplan.hisappliesparticularly
tocreatingtheScope,aprocesswhichshouldbesupportedbycompany-inter-
nal or external experts if possible. Suicient time for building up knowledge
amongInternalAuditemployeesisalsonecessary.
• Whentheauditisconducted,itmaybecomenecessarytousespecialauditac-
tivitiesortechniques.Suchadecisionhastobetakenonacase-by-casebasis.
CharacteristicsofstandardAuditsinthe
AuditRoadmap
CharacteristicsofstandardAuditsinthe
AuditRoadmap
executionofstandardAudits
executionofstandardAudits
specialAuditsspecialAudits
CharacteristicsofspecialAuditsintheRoadmap
CharacteristicsofspecialAuditsintheRoadmap
157
Pre-structuredquestioncatalogsmaybehelpful.It is importanttodocument
workresultsintheworkingpapersandtodisclosereferencesaccuratelywhen
usingadditionaldocuments(e.g.,contracts,statutes,externalguidelines).
• Similartostandardaudits,auditorshavetoensurethatthereportsareinline
withreportingrequirements.heimplementationreport inparticularshould
be as detailed as possible so that the indings and recommendations can be
communicatedtoallconcernedinacomprehensibleandclearformat.Internal
Audit’srecommendationsareespeciallyimportantinthisregard,becausethere
arenoorfewcomparisonswithsimilarconstellations.
• hesameappliestofollow-ups,wheretheprogressofimplementationmeasures
hastobecloselymonitored.
Specialauditsshouldbeconductedpreferablybyexperiencedauditors.Inaddition,
itmaybenecessarytouseinternalorexternalexpertsasguestauditors.Sincefor
specialauditsieldworkactivitiescannotbeplannedaheadtothesameextendas
forstandardaudits,adjustmentstotheworkprogrammayberequiredduringaudit
execution.Alternativeieldworkactivitiesmustbedocumented in therespective
workingpapersaccuratelyandcompletelyincludingthereasonsforchoosingthe
speciicapproach.
Ad-hocaudits,i.e.auditsconductedatshortnotice,requirethatresourcescanim-
mediatelybededicatedtoissuesandtasksthatarepartofInternalAudit’sremit.
Examples includesuddenproblemsinday-to-daybusinessoperations, inspecial
projects, or with external business relations, or the need to respond to open or
anonymous allegations or suspicions of fraud. he content of ad-hoc audits can
executionofspecialAuditsexecutionofspecialAudits
Ad-hocAuditsAd-hocAudits
Audit
according
to plan
Audit
Ad-hoc
audit
Standard
audit
Special
audit
One-time
auditSpecial
audit
Standard
audit
Fig. 24 AuditTypes
ConceptualBasisofInternalAudit
AuditMethods
AuditTypes
A|6|6.5
158
thereforebeveryvaried.Itisalsopossiblethatstandardorspecialauditsturninto
ad-hocauditsifcircumstancesrequireimmediateaction.Butthosearetheexcep-
tion.normally,ad-hocauditsareone-timeauditsofspecialtopicsorrelatingtoa
particularperson,especiallyinconnectionwithallegationsorsuspicions.
InrelationtothephasesoftheAuditRoadmap,ad-hocauditshavethefollow-
ingspecialcharacteristics:
• Since it is impossible toplaneither thecontentor thenumberofad-hocau-
ditsduringayear,theamountoftimerequiredinthepastistheonlybasison
whichanadequatebufercanbebuiltintotheannualauditplan.Experiencehas
shownthataround30%to40%ofannualauditcapacityshouldbereservedfor
ad-hocaudits.Sincetheirtimingisuncertain,anyad-hocauditwillleadtoan
adjustmenttotheongoingexecutionplanning.Ifthead-hocauditistobebased
on a Scope, this Scope is oten created in stages during audit preparation or
sometimesevenwhiletheauditisbeingconducted.Especiallywhenone-time
auditsrelatetoaperson,itisvirtuallyimpossibletodeineaScope.Inordernot
towastetimebeforetheaudit,butstillpreservetheknowledgeandexperience
gained for similarcases in the future, internalauditors shoulddocument the
mainauditcontentatertheaudit,intheformofaScopeifappropriate.
• Preparationsforanad-hocauditshouldalwaysincludethecreationofawork
program(evenif it isrudimentary)sothat theprocessmodelcanbeapplied
totheauditasfullyaspossible,inspiteoftimeconstraintsandmandatedcon-
tent.Whenone-timeauditsareinvestigationsonpersons,theauditisnotan-
nounced;inallothercases,aconidentialmeetingwiththemainpersonrespon-
sibleshouldbeheldtodiscussthead-hocauditannouncementbeforehand.
• heconductofad-hocauditsisveryindividualanddependsonthecontentto
becovered.Evenso,standardauditingmethodsandworkingpapersshouldbe
usedasfaraspossible.Ifspecialpartnerssuchasthepoliceorthedistrictattor-
ney’soiceneedtogetinvolved,thereasonsmustbedocumented.Insomecases
theauditorshavetoindoutwhetherevidencemustbeprovidedtobeusedin
acourtof law.Contentandobjectivesmaychange in thecourseofanaudit:
Forexample,ad-hocauditsmayleadtostandardaudits,eithertobeconducted
immediatelyortobeaddedtotheplanningschedule.Directescalationand/or
informationchannelsbetweenInternalAuditmanagementandthepartiesre-
sponsible,particularlytheBoardofDirectors,areimportantforad-hocaudits.
• Somepartsofthereportingsystemfollowdiferentrulesthanthatoftheother
twoaudittypes.Becauseofitsspeciiccontent,itmaybeusefultodedicatea
separatecolumnofthespecialauditreporttomoredetailedinformationonau-
ditcontent.Detailedinformationforafollow-upauditisnotnecessary,oronly
toalimitedextent,becausethereleaseoftheindingsofad-hocauditsdirectly
triggersthenecessaryaction,ormanagementinitiatesatargetedresponsethat
doesnotnormallyinterferewithprocesses.
• Forthisreason,ad-hocauditfollow-upcanbevaried,rangingfromafullfol-
low-uptonofollow-upatall.Inthecaseofone-timeaudits,itisotensuicient
CharacteristicsofAd-hocAudits
intheAuditRoadmap
CharacteristicsofAd-hocAudits
intheAuditRoadmap
159
iftheauditleadandthemanagerresponsiblebrielycoordinatetheirresponse.
Irrespectiveoftheprocedureused,InternalAuditmustalwaysdocumentwhen
arecommendedmeasurehasbeencompleted.
Muchofthecontentandorganizationofad-hocauditscannotbeplannedahead
andotenhastobescheduled,prepared,andstartedatshortnotice.Itisalsoimpor-
tanttonotewhoismakingtherequest.Inprinciple,anyonecanmakeanauditre-
quest,but requests from theBoard,highermanagement levels, the legaldepart-
ment,andinternalauditorsgetspecialpriority,particularlyiffraudissuspected.
SuspectedfraudandrequestsfromtheBoardaregiventhehighestpriority.Insome
cases,however,aninitialanalysisofthetasksmayshowthattherequestdoesnot
fallwithinInternalAudit’sremit,butshouldratherbedealtwithbyentitiessuchas
themanagementresponsible,thecomplianceoicer,HumanResources,orthele-
galdepartment(seeSectionA,Chapter5.8).
HintsAnDtiPs ;
• Inspecialaudits,itwillhelptheauditorsiftheycanrelyonspecialistsupport
anddiscusstheScopewithpeoplewhohavethenecessaryknowledge.
• Inad-hocaudits,auditorsmustgainaclearunderstandingoftheauditcontent
bydiscussingtheauditobjectivesandcontentwiththerequestingpartyorthe
personresponsibleinInternalAudit.
• Evenduringtheaudit,itmaybeexpedienttoreporttotheBoardofDirectors,if
thecontentistime-criticaloraresponsefromthepeopleresponsibleisneeded.
LinKsAnDReFeRenCes e
• SAWyER,l.,M.DITTEnHOFERAnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,Gorham&lamont.
6.6 AuditCycle
KeyPoints •••
• heauditcycleisanimportantformaldeterminantoftheauditmethod.
• hediferentstatuses(basicaudit,statuscheck,andfollow-up)areintendedto
ensurethattheauditprocessisconductedinfull,includingacheckofwhether
theimplementationmeasuresperformedhavebeenefective.
• heauditcycleafectstheaudittypesindiferentways.Ithasamajorinluence
onstandardandspecialaudits,butad-hocauditstendtobemoreindividualin
nature.
executionofAd-hocAuditsexecutionofAd-hocAudits
ConceptualBasisofInternalAudit
AuditMethods
AuditCycle
A|6|6.6
160
Inadditiontotheformaldeterminantsalreadydescribed,theauditcycleisanother
importantfactornecessaryfordeiningtheauditmethod.heauditcyclehasthree
stages(alsoknownasstatuses):Basicaudit,statuscheck,andfollow-up.heaimof
themulti-stageprocessistogetawayfromonlylookingattheauditprocess,andto
includeacheckofwhethertherecommendedimprovementandimplementation
measureshavebeenefective.Eachaudithastorunthroughthefullauditcycle,
althoughtheimportanceofeachstagemayvary,dependingonthecaseinquestion.
Insomecases,thefollow-upauditandtheensuingphasesareoptional(seeSection
B,Chapter6.1).
Abasicaudit isperformed inaccordancewithplanning, theScopes,and the
work program, and the speciications in the audit request, if applicable. It runs
throughallthephasesoftheAuditRoadmapandproducesindingsandrecom-
mendationstoeliminateanyweaknessesidentiied.heauditresultsarepresented
totheauditeesandtheirmanagersataclosingmeeting,andadratreportisfor-
wardedtothepartiesinvolvedforadditionalcomment.Consultationwiththearea
beingauditedisintendedtocreatemutualunderstandingandasharedbasisforthe
subsequentsteps.Onaverage,ittakes30daystoconductabasicaudit.
Althoughthecalculatedaveragecompletiontimesareotencorrectforstandard
audits,basicauditsconductedaspartofspecialaudits,especiallyglobalones,oten
takeuptosevenweeks.Inad-hocaudits,thedurationofthebasicauditmaybeup
totwoweeksshorterthanforstandardaudits,includingreporting.Basicauditsare
thefoundationfortheauditcycle,especiallyforscheduledaudits.
Atleastsixmonthsshouldelapsebetweenthebasicauditandthenextstepof
theauditcycle, thestatuscheck.Incaseofanescalationprocess, this timeframe
maybereduced.Forthestatuscheck,InternalAuditasksthepersonsresponsible
fortheauditedareatocompileastatusupdatethatgivestheirviewofhowimple-
mentation isprogressing.Duringthestatuscheck,seniormanagementevaluates
thedegreeofimplementationforeachindingandaskstheauditeestoverifythe
statusonthebasisoftheimplementationreport.Problemswiththeimplementa-
tionofrecommendationscanbediscussedandrecommendationscanbeadjusted
or,inexceptionalcircumstances,evenwaived.InternalAuditdoesnotperformex-
plicitieldworkatthisstage.Acomprehensive,fullydocumentedcheckofimple-
mentationmeasuresisreservedfortheactualfollow-upaudit.
Statuschecksareinsertedintotheannualauditplanwithoutaseparateriskas-
sessment.heyareatypeofpreliminarytestintendedtoindoutwhetherandhow
InternalAudit’srecommendationsfromthebasicauditarebeingimplemented.he
basictimerequiredforastatuscheckaveragestwodays.
hestatuscheckisrequiredforallaudittypes.Instandardandspecialaudits,it
isusedasoriginallyintended,butinad-hocauditsitmaybeappliedasainalcheck
forthemeasuresthathavebeenimplemented,becauseunderthisaudittype,rec-
ommendationsotenleadtoanimmediaterequirementforaction,andimplemen-
tationmerelyhastobeconirmed.
three-PhaseProcessthree-PhaseProcess
BasicAuditBasicAudit
LinkbetweenBasicAuditandAudittype
LinkbetweenBasicAuditandAudittype
statusCheckstatusCheck
executionofstatusChecks
executionofstatusChecks
LinkbetweenstatusCheckandAudittype
LinkbetweenstatusCheckandAudittype
161
Follow-upauditsarealsoincludedintheauditplanwithoutaseparateriskas-
sessment(fordetails,seeSectionB,Chapter6).heyshouldtakeplaceapproxi-
matelysixtotwelvemonthsaterthestatuscheck.Ifanaudit is inanescalation
process, itmaybesensibletoperformthefollow-upwithinashortertimeframe.
hefollow-upaudit isbasedontheresultsof thestatuscheck.Unlikethestatus
check,afollow-upauditinvolvesieldworkbyInternalAuditbecausetheefective-
nessoftheimplementationmeasuresperformedhastobeveriiedbeyonddoubt.
heimplementationreportofthebasicauditconstitutestheworkprogramforthe
follow-upaudit. InternalAuditpreparesworkingpapers tobeusedasauditevi-
dence.Ifimplementationisfoundtobeinsuicient,thisfactmustbedocumented
andadditionalauditindingsmayhavetobeadded.
Afollow-upauditmaygiverisetonew,additionalaudittopics,eitherplanned
orunplanned.Insuchcases, theindingsof theadditionalauditworkaredocu-
mentedinanewauditreportwithaseparatestatus.
Again,follow-upsshouldbeconductedbythesameauditteamasthebasicaudit
(oratleastbythesameauditlead).hedesignofthefollow-upenvisagestwofol-
low-upsincasetherewerereasonsthatmadeitimpossible(orverydiicult)totest
implementationduringtheirstfollow-up(e.g.,non-availabilityoftheemployees
concerned).Asecondfollow-upcanalsobeschedulediftheirstfollow-uppro-
ducesunsatisfactoryresults, i.e. if the identiiedweaknessesfromthebasicaudit
havenotbeensatisfactorilyremediated.hesecondfollow-upauditisscheduled
approximatelysixmonthsatertheirstone.hismeansthatthemaximumdura-
tionofanauditcycleisapproximately24months.Afollow-uptakesaround16days
onaverage,includingallnecessaryieldwork.
Follow-upsarenormallyconductedinthecontextofstandardandspecialau-
dits.Inthecaseofad-hocaudits,theyonlymakesenseifconductedshortlyater
thebasicauditifatall.hefollowingdiagramshowseachaudittypeinrelationto
theextentofitscycle.
Follow-upFollow-up
AdditionalAudittopicsAdditionalAudittopics
executionofFollow-upsexecutionofFollow-ups
LinkbetweenFollow-upAuditandAudittypeLinkbetweenFollow-upAuditandAudittype
Basic audit Status check Follow-up I Follow-up II
Standard audit
Special audit
Ad-hoc audit
Fig. 25 ExtentoftheCycleofeachAuditType
A|6|6.6ConceptualBasisofInternalAudit
AuditMethods
AuditCycle
162
Inconnectionwiththeauditcycle,theproblemotenarisesthat,sinceorganization
andworklowstructuresinmodern(especiallyglobal)companieschangerapidly,
someauditedunits,e.g.,departmentsorprocesses,onlyexist fora limited time.
hismeansthatotenthereisonlyoneauditcycleofInternalAuditthatrelatestoa
clearlydeinedunitrequiringthesameaudittreatment.Insuchcases,subsequent,
separateauditcyclesfortheauditedunitarelinkedup.
HintsAnDtiPs ;
• Toprepareforabasicaudit,auditorsshouldobtaindocumentsfromearlierau-
ditcyclesofthesameauditobject.
• Auditorsshouldensurethattheresponsibilitiesanddeadlinesforimplementing
measuresareclearlydeined.
• heauditedunitshouldrecordall its implementationmeasuresbyproviding
clearevidence,documents,andexamplesforinclusionintheworkingpapers.
• Auditors shoulddocumentanydeviations from theagreedmeasuresand in-
cludereasons.
LinKsAnDReFeRenCes e
• SAWyER,l.,M.DITTEnHOFERAnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,Gorham&lamont.
6.7 Cost/BenefitAnalysis
KeyPoints •••
• Whilethecostofaninternalauditiseasilyquantiiable,measuringitsbeneits
is lessstraightforwardsince internalauditindingsmayhavebothdirectand
indirectefects.
• herelevantbeneitsofinternalauditsotenmanifestthemselvesonseverallev-
elsandmaynotbeimmediatelyvisible.
• Costsavingsareeasiertoallocatedirectlythanotherbeneits.
• Byestablishinga correlationbetween thepotentialbeneits and the costs in-
curredbytheinternalauditdepartment,anapproximationoftheproitability
canbeobtained.
Itcanbeveryimportanttomeasuretheeiciencyofinternalauditwork.Itinvolves
examiningtheratioofcostsincurredbyInternalAuditduringthecourseofaspe-
ciicaudit,orthecostoftheentireinternalauditdepartment,comparedwiththe
actualbeneitsachievedforthecompanyasawhole,(e.g.throughcostsavings,re-
Changeintheorganizationand
Worklowstructures
Changeintheorganizationand
Worklowstructures
eiciencyMeasurementeiciencyMeasurement
163
ducedriskexposure,etc.).hefollowingcriteriacanbeusedtoanalyzeeachaudit
withregardtothebeneitsitdeliversintheshort,medium,andlongterm(forde-
tailsoncostmanagementofInternalAuditseeSectionD,Chapter8):
• cost-relatedbeneits(reducing,avoiding,orlimitingcosts),and
• monetary and non-monetary beneits (increased sales, improved operating
proits,motivation,reputation).
Generally, thecost impactofanauditcanbeseenintheshorttomediumterm.
Costsnormallyrespondlinearlyandusuallycorrelateveryclearlyandcloselywith
theirdrivers.heycanbequantiied,forexampleonthebasisofefectivepayments
made,althoughdirectperceptiondeclinesasthetimebetweenimplementingthe
recommendationandthetimeofpaymentincreases.Inaddition,imputedcostscan
beusedaspartoftheanalysis.normally,imputedcostsincreasetheimpactofaudit
indingsinareasmorepronetoinducingcosts,becauseinefectiveinternalcontrols
alsoleadtocostsandexpensesthatcouldotherwisehavebeenavoided.
Whilethecostsrelatedtointernalauditsandtheresultingrecommendationsare
relatively straightforward to determine, the beneits are much more diicult to
quantify.First,thebeneitsotencontinueoverlongperiodsoftime.Secondly,itis
otendiiculttomeasurebeneitsandattributethemdirectlytotheprocessesthat
havebroughtthemabout.Beneitsarefrequentlyabstractandtheinterdependen-
ciesbetweencauseandefectareotenobscure.Acomplicatingfactoristhatthe
efectsofqualitativeandquantitativebeneitssometimesoverlapandcanthusei-
therreinforceordetractfromeachother.hemoregeneralthebeneitanalysis,the
morediicultitwillbetoreliablyassignindicatorsthatmapandexplainthecausal
relationship between an audit activity and its indings on the one hand and the
perceptiblebeneitsontheother.
Beforeitispossibletoquantifyanybeneits,representativebenchmarksmustbe
deinedforeachauditield(e.g.,throughputtimes,purchasingtermsandcondi-
tions, contribution margins), applying either direct or indirect measures. Quite
possibly,auditrecommendationswillleadtotangiblebeneits,suchasanimproved
workingatmosphere,greatermotivation,orerrorreduction,whichwillinturnen-
hanceeachemployee’sunderstandingofvalues.heremayalsobeachangeinthe
wayefectsareperceivedexternally.Animprovedpositioninthemarketplace,eas-
ieraccesstoinance,andadiferentpublicperception,forexample,ifnegativefac-
tors are eliminated quickly and with determination and their recurrence is pre-
ventedbyimplementingadequatemeasures.Itisimportanttorecognizethatthere
maybebothshort-termcostsavingsandlonger-termbeneitsgainedfromInternal
Audits and the implementation of the resulting control recommendations. Both
beneitsshouldbeconsideredwhenperformingacost/beneitanalysis,eventhough
theymayoverlapsometimes.
Includingquantiiablebeneitsintheanalysisbringsupthemostdiicultaspect
ofmeasuringInternalAudit’seiciency.hemainpurposeofexaminingtheseben-
eits is to establish a causal link between an audit inding and increased beneit
impactonCostsimpactonCosts
BeneitsBeneits
DerivingofBeneitsDerivingofBeneits
QuantiiableBeneitsQuantiiableBeneits
ConceptualBasisofInternalAudit
AuditMethods
Cost/BeneitAnalysis
A|6|6.7
164
valuesforabusinessunitorthecompanyasawhole.Akeychallengeinthisregard
istoextrapolatethequantiiedbeneitcreatedbyeliminatingaprocessweakness,
thusmakingitvisible.
With regard to the implementation of audit results organizational efort and
timedelaysshouldnotbeignored.Sinceeachauditieldhasdiferentcontent,each
mustbeconsideredindetail.Inbusinessaudits(seeSectionA,Chapter6.2.7),for
example,linearcorrelationsbetweenauditresultandincreasedproitscanbeestab-
lished, because there is a direct link between the audit object and the success
driver.
Oten,thebeneitderivedfrominternalauditsisunclear,withoutadirectlink
tothemeasurablebeneit-relatedunits.herefore,equivalentsmustbeestablished
byusingauxiliaryvariablestoquantifythecostimpactandthebeneitsrelatedto
theauditindings.
To deine a standard cost/beneit analysis for each audit ield, Internal Audit
mustdeineandcategorizeseparatebenchmarks(seeSectionD,Chapter8formore
onInternalAuditcostmanagementandSectionD,Chapter7forbenchmarking).
hus,InternalAuditisintegratedintothebusinesscontrolanddecisionprocesses,
whichresults in interdependencieswithotherdisciplines, suchascapital invest-
mentappraisal,managementaccounting,andplanning.
HintsAnDtiPs ;
• Whenpreparingforanaudit,auditorsshouldinvestigatewhetherthereareex-
pectationsabouttheaudit’seiciency.
• Auditors should discuss the cost savings and beneit potential for each audit
withtheauditleadorAuditManager.
LinKsAnDReFeRenCes e
• AnDERSOn,U.AnDA.DAHlE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SAWyER,l.,M.DITTEnHOFER,AnDJ.SCHEInER.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,Gorham&lamont.
organizationalandtimeDelays
organizationalandtimeDelays
AnonymousCost-BeneitRelationship
AnonymousCost-BeneitRelationship
standardCost/BeneitAnalysis
standardCost/BeneitAnalysis
165
7 OtherServices7.1 Introduction
KeyPOintS •••
• OtherservicesthatInternalAuditcanperforminadditiontotraditionalaudit
workcanbeclassiiedasaudit-relatedandnon-audit-relatedotherservices.
• Audit-relatedotherservicesincludecost-efectivenessanalysis,preliminaryin-
vestigations,reviews,andimplementationsupport.
• Non-audit-related other services include primarily ongoing support, internal
consulting,andprojectmanagement.
Inadditiontotheauditactivitiesalreadymentioned,InternalAuditcanperform
furtherserviceswithinthecompany.heseotherservicescanbeclassiiedintotwo
basiccategories:Audit-relatedotherservicesandnon-audit-relatedotherservices.
hefollowingdiagramgivesanoverviewoftheotherservicesperformedbyInter-
nalAudit.
Audit-relatedotherservicesincludecost-efectivenessanalysis,pre-investigations,
reviews,and implementationsupportprovidedbyInternalAudit.heseservices
are either ieldwork in the broadest sense or support activities directly resulting
fromInternalAudit’srecommendations.
Non-audit-relatedotherservicesarenotdirectlyrelatedtopastorfutureaudits.
Instead,theyinvolveservicesprovidedforlonger-termengagementsandinclude
ongoingsupport,internalconsulting,andprojectmanagement.
Non-audit relatedother servicesgenerally supportprojects initiatedbyother
corebusinessareasandarethereforeprimarilyperformedbyemployeesofthese
OtherServicesOtherServices
Audit-RelatedOtherServicesAudit-RelatedOtherServices
non-Audit-RelatedOtherServicesnon-Audit-RelatedOtherServices
Reasonsfornon-Audit-RelatedOtherServicesReasonsfornon-Audit-RelatedOtherServices
Fig. 26 OtherServicesofInternalAudit
ConceptualBasisofInternalAudit
OtherServices
Introduction
A|7|7.1
166
areas.However,theremaybeavarietyofreasons(seeSectionA,Chapter2.5.3)that
justifytheinvolvementofInternalAudit.Onepossibleobjectiveistosupportthe
areainquestionfromatechnicalperspectiveortoprovideadditionalpersonnel.
ForInternalAudit,cooperatinginthesetypesofprojectshelpsincreaseemployee
motivation,providestrainingforauditors,facilitatesthetransferofknowledge,and
improvescooperationandcommunicationamongInternalAuditandotherdivi-
sionswithintheorganization.
he other services performed by Internal Audit should be regarded as com-
pletelyseparatefromtraditionalauditingtasks.InternalAudit’schallengeistorec-
oncileitsresponsibilitiesasastafdepartmentthatconductsauditswiththoseofa
functional department that provides operational support to other areas. Opera-
tionalsupportresults ininteractionwithauditingtasksandcreatesanetworkof
interrelationswithin thecompany. InternalAudit thereforemust strike theright
balance,observingallprinciplesofauditinginordertomaintainitsindependence.
Importantly,thisincludesensuringthatInternalAuditdoesnotassumemanage-
mentresponsibilitiesandthatinternalauditorsdonotaudittheirownwork(see
SectionA,Chapter2.5.3).
HintSAndtiPS ;
• OtherservicesmustnotimpactontheindependenceofInternalAuditorthe
objectivityofinternalauditors.
• hereshouldalwaysbeareasonablebalancebetweenotherservicesandaudit
activitiesperformedbyanemployee.
LinKSAndRefeRenceS e
• ANderSON,U.2003.AssuranceandConsultingServices.In:BAIleyJr.,A.d.,A.A.
GrAmlINGANdS.rAmAmOOrtI.(eds.).2003.Research Opportunities in Internal
Auditing.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• CASCArINO,r.ANdS.vANeSCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
independenceindependence
167
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtI,ANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services.AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFer,ANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
7.2 Audit-RelatedOtherServices
7.2.1 Cost-EffectivenessAnalysis
KeyPOintS •••
• Cost-efectivenessanalysisispartofInternalAudit’srangeofaudit-relatedother
services.
• It canbeperformedonsubjects fromdiferentbusinessareas, includingcost
accounting,investmentappraisal,andmanagementaccounting.
• Cost-efectiveness analysis can be conducted in pure form, or in connection
withauditindingsorauditrecommendations.
• Finance-mathematicalorstatisticalmethodscanbeusedforcost-efectiveness
analysis.
• heresultsofcost-efectivenessanalysisoferanidealbasisforfurtherinternal
consultingbyInternalAudit.
Cost-efectivenessanalysis(alsocommonlyreferredtoas“value-for-money”audit-
ing)focusesondeterminingwhetherorganizationsorprogramsaremanagedinan
economical,eicientandefectivemanner.heanalysismayrelatetoauditsoflegal
entities(e.g.,localsubsidiaries),departmentswithintheorganization,orindividual
projects. Cost-efectiveness analysis uses quantitative data based on actual costs
andquantiiablebeneits,includingfuturerevenuesorreducedcosts.hedatamay
be obtained from diferent functions including cost accounting, investment ap-
praisal, and management accounting. Processes and structures are therefore not
assessedinqualitativeterms,butmappedusingsuitableindicators.Inordertoar-
riveatappropriateconclusions,cost-efectivenessanalysisnormallyusesinance-
mathematicalorstatisticalmethods.
hemainobjectiveofusingmathematicalandstatisticalproceduresistomake
theauditresultsreliableandtoidentifyandrecommendalternativecoursesofac-
tionfortheimplementationofauditresults.especiallyininternationalcompanies,
thiskindofinancialanalysisfacilitatesdiscussionandcomparison,(e.g.,between
subsidiaries)onthebasisofprovenquantitativeresults.
Cost-efectivenessanalysis isconductedasaseriesofmainauditstepsasfol-
lows:
• clearanduniquedescriptionoftheobjecttobeaudited,especiallywithregard
toitseiciencyapproach,
Objectofthecost-efectivenessAnalysisObjectofthecost-efectivenessAnalysis
ObjectiveandPurposeObjectiveandPurpose
MainAuditStepsMainAuditSteps
ConceptualBasisofInternalAudit
OtherServices
Audit-RelatedOtherServices
A|7|7.2
168
• motivated selection of the inance-mathematical or statistical methods to be
used,
• identiicationofthebasedatamaterial(currentcondition,desiredcriteriaor,if
available,planned,budgeted,orforecastedvalues),
• performanceoftheactualcalculationsandalternativecalculationsforcompari-
son,
• analysisofthe(partial)resultsinthecontextoftheauditcontentandtheirag-
gregationifappropriate,and
• compilationoftheindingsandrecommendations,eitheratthedetailedorthe
overallcompanylevel.
hisauditingprocedurecanbeusedindiferentauditscenarios(seebelowfora
brief description). each speciic case will determine which scenario is used or
whetheracombinationissensible.
Anauditcanbeannouncedaspurecost-efectivenessanalysisfromtheoutset.
tothisend,InternalAuditmustdeterminetherelevantauditobjects,suchasthe
ordersadepartmenthasreceived(rankedbyproit, loss,orcontributionmargin
generated),allinancialtransactionsofacompany(cashlows,keyincomestate-
mentigures,contributionmargins),orthekeyratiosofacapitalexpenditureproj-
ect(presentvalue,internalrateofreturn).reportsattheoverallcompanylevelare
alsopossible(e.g.ananalysisofallixed-priceprojectsthroughouttheconsolidated
group).
Another scenario forcost-efectivenessanalysis is thecalculationofinancial
ratiosinconnectionwithauditindingsasanadditionalanalysis.hismeansthat
inrelationtoainding,cost-efectivenessanalysiscanbeperformedtogainaddi-
tionalinformationandtoanalyze,modify,orexpandexistingratios.examplesin-
cludediscountedreceivablesintheareaofdebtoranalysis,comparisonofaccount
balances,andmaximum/minimumlevelsofoutstandingpaymentsandtheirex-
trapolationtotheendoftheiscalyear,includingprior-yearandperiodcompari-
son.
heresultsofcost-efectivenessanalysiscanalsobeusedtosupportarguments
inconnectionwithrecommendations.Itisparticularlyimportanttodemonstrate
whytherecommendationsmadebyInternalAuditcanleadtoimprovedbusiness
performance.examplesincludeinternalloansandborrowingswithexcessivema-
turities, reinancing alternatives, or the efect of alternative compensation/bonus
modelsforseniormanagers.herecognitionofprovisionscanalsobebackedwith
inance-mathematicalcalculationsofcost-efectivenessanalysis.
heresultsofcost-efectivenessanalysisfromtheauditscenariosshownabove
canbetreatedindiferentways.heycanbedealtwithinisolation.Alternatively,it
maybeexpedienttosensiblylinktheresultsthuscreatingnewindicators.hein-
terpretationoftheseindicatorsformsthebasisforbusinessdecisions.Classicmod-
els suchas thestaticreturn-on-investmentconceptormoreup-to-datedynamic
AreasofUseAreasofUse
Purecost-efectivenessAnalysis
Purecost-efectivenessAnalysis
cost-efectivenessAnalysisinconnection
withAuditfindings
cost-efectivenessAnalysisinconnection
withAuditfindings
cost-efectivenessAnalysisinconnection
withRecommendations
cost-efectivenessAnalysisinconnection
withRecommendations
Stand-AloneversusLinkedRatios
Stand-AloneversusLinkedRatios
169
discountedcashlowconceptsmaybeusedinthisregard.heinvestigationand
analysisoftheresultsthentendstofocuslessonindividualiguresandmoreon
structuredratiohierarchiesanddependencies(formoreonratios,seeSectiond,
Chapter7.1.2).
hecommentsontheoptionsforusingcost-efectivenessanalysisshowclearly
thatthisisavariedieldofinternalauditwork.heresultsachievedcanbeusedas
inputforinternalconsulting(seeSectionA,Chapter7.3.2).heresultshavetobe
adequatelycommunicatedtothevariousmanagementlevels,abovealltheBoardof
directors,onthebasisofsuitableindicators.Inaddition,acompany’sexternalau-
ditorscanalsousetheresultsintheirwork.
Resultsofcost-efectivenessAnalysisResultsofcost-efectivenessAnalysis
Fig. 27 Cost-EfectivenessAnalysis
A|7|7.2ConceptualBasisofInternalAudit
OtherServices
Audit-RelatedOtherServices
170
HintSAndtiPS ;
• hepotentialofappropriatecost-efectivenessanalysis shouldbeexplored in
thecontextofeveryaudit.
• Undercost-efectivenessanalysis,diferentaccountingperspectives(e.g.,proit-
abilityversuscashlows)shouldbepresentedanddiscussed.
LinKSAndRefeRenceS e
• levy,r.1996.managingvalue-for-moneyAuditintheeuropeanUnion:heChallenge
ofdiversity.Journal of Common Market Studies. (december1996):509–529.
• OFFICe OF tHe AUdItOr GeNerAl OF CANAdA. 2000. Value for money au-
dit manual.http://dsp-psd.pwgsc.gc.ca/Collection/FA3-30-2000e.pdf(accessedmay31,
2007).
• U.S. GeNerAl ACCOUNtABIlIty OFFICe (GAO). 2003. GAO-03-673G Govern-
ment Auditing Standards. http://www.gao.gov/govaud/yb/2003/html (accessed may 31,
2007).
7.2.2 Pre-Investigations
KeyPOintS •••
• Pre-investigationsareaimedatgatheringrelevantfactsquicklyandefectively
todecidewhetheracertaintopicmustbepursuedornot,e.g.,inresponseto
tip-ofsorfraudallegations.
• Fornewaudittopics,apre-investigationmayalsohelpauditorsprepareforthe
actualaudit.
• Pre-investigationsshouldonlybeconductedbyexperiencedauditors,withsup-
portfromInternalAuditmanagement.
• heresultsofapre-investigationrelatedtofraudallegationsshouldbecommu-
nicatedtotheBoardimmediately,evenduringtheinvestigationifnecessary.
• heresultisnormallypresentedintheformofamemorandumwhichdetails
thecontentoftheinvestigationandthestepsthatneedtobetaken.
• heimportanceofpre-investigationswilllikelyincreaseinthefutureduetothe
possiblyincreasingamountsofanonymoustip-ofsinday-to-daybusinessand
theprotectionofwhistleblowersresultingfromSOX.
Sometimesanauditorreviewisprecededbyapre-investigationwiththeaimof
clarifyingthefactsaheadofotherauditservicesbycollectingappropriatedataand
information.Onthebasisoftheinsightgainedduringthepre-investigation,mea-
suresarerecommendedand/ortakendirectlyinordertoconcludethecase,orIn-
ternalAuditmayfollowitupwithfurtheractivities,suchasanauditorareview.
ObjectiveofaPre-investigation
ObjectiveofaPre-investigation
171
Onediferencebetweenapre-investigationandaregularauditistheinitialun-
certaintyregardingtheextentoftheinvestigation.moreover,itisnotclearfromthe
outsetwhethertheinvestigationfallsunderInternalAudit’sresponsibilityatall,or
whetheradiferentdepartmentshouldberesponsible,e.g.,thelegaldepartmentto
make use of the attorney-client privilege. However, the general audit principles
continuetoapplyinfull.
hemainreasonforconductingapre-investigationistoanalyzeandevaluate
thenecessityofanauditengagementmostlyinresponsetoanad-hocrequest.A
pre-investigationmayalsobetriggeredbyotheraudits,ormaybetheresultofa
whistleblower’stip-of,report,orallegation.Inaddition,pre-investigationscanalso
beconductedaspartoftheannualauditplanwiththeaimofclarifyingtheaudit
contentindetailbeforetheactualauditstarts.
Pre-investigations shouldnormallybeconducted immediatelyandquickly. It
maybebeneicialtoinvolveanAuditmanagerinapre-investigationsothatdeci-
sionsonsubsequentactivitiescanbetakendirectly.Asubsequentactivitydoesnot
necessarilyhavetobeanauditorareview.Ifamatterisnotreadyforauditing,In-
ternalAuditmustirstcreatethenecessaryauditprerequisites,suchasguidelines
andprocessdescriptions.heseshouldbepreparedwithinvolvementbyInternal
Audit,sothatitcancontributealltheknowledgeithasgainedduringthepre-inves-
tigationandalsoacquiretechnicalknow-howforthesubsequentaudit.
Pre-investigationsshouldbeperformedbyexperiencedauditorswhocancom-
prehendandevaluatevagueinformation.Further,insomecases,company-political
decisionsmustbetaken,thus,extensiveexperienceisadistinctadvantage.hein-
vestigativeteamshouldbekeptsmallsothatitcanfocusitsinvestigation.
Pre-investigationsmakeuseofallelementsoftheAuditroadmaptotheextent
possible(fordetailsontheAuditroadmap,seeSectionB).However,someareas,
suchastheScope,maybeneitfrombeingsimpliied.hecreationofaworkpro-
gramis,however,indispensable,andallthestepstakenmustbedulydocumented
intheworkingpapers.
hereportingofapre-investigationhastobeadequateinitsdetails.heinves-
tigationteamcandiscussinterimresultsdirectlywiththeappropriatemembersof
seniormanagementandtheBoardofdirectors.Further,ifnecessary,legalcounsel
shouldbenotiiedimmediately.Ifnecessary,theBoardshouldbeinformedofnew
insightsimmediately,forexamplethroughapriorityBoardissue(onpriorityBoard
issuesseeSectionB,Chapter5.2.5).heoverallreportonthepre-investigationcan
becompiledasamemorandum(seeSectionB,Chapter5.3.1).Itshouldprimarily
presentfactsandtherelevantdecisionbasissothatoptionsforactioncanbede-
rived.Anauditreportwillonlybecompiledifaspeciicrecommendationhasbeen
made.
Pre-investigationsarelikelytobecomeincreasinglyimportanttotheday-to-day
workofInternalAuditasaresultofthewhistleblowerprovisionincludedinSOX.
his provision (section 806) protects employees’ right to reveal irregularities or
weakpointsinthecompany’saccountingsystemandinternalcontrolswithoutrisk
distinctionfromAuditdistinctionfromAudit
ReasonsforaPre-investigationReasonsforaPre-investigation
SubsequentActivitiesSubsequentActivities
teamcompositionteamcomposition
AuditRoadmapAuditRoadmap
ReportingReporting
importanceofPre-investigationsimportanceofPre-investigations
ConceptualBasisofInternalAudit
OtherServices
Audit-RelatedOtherServices
A|7|7.2
172
ofbeingiredorexperiencingdiscrimination.SOXhasalsomadeemployeesmore
awareoftheimportanceofcompliance.hepublic’sexpectations,whichareheight-
enedduetogreatermediaexposure,alsoplayamajorrole.rapidorganizational
changesinthecompanyandtheintroductionofnewstrategiesandinitiativesata
global level are also driving the need for pre-investigations. even if it does not
changetheimportanceoftheotherauditservicesofInternalAudit,apre-investiga-
tionformsalinkbetweentheseandotherauditdisciplines.
HintSAndtiPS ;
• Prepareadetailedtimescheduleaheadofapre-investigation.
• Itisespeciallyimportanttopreserveconidentialityinpre-investigationstopre-
ventrumors.
• Auditorsshouldtrytoderiveanddocumentrobustknowledgethatcanbeused
infutureaudits.
LinKSAndRefeRenceS e
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtI,ANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services.AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFerANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
7.2.3 Review
KeyPOintS •••
• reviewsareanindependenttechniquetoassessfactsandfunctions.
• AreviewmayleadtoanauditorotherservicefromInternalAuditatanytime.
• reviewsfocusonproject-typemeasuresandinternationalstructuresandpro-
cesses.
173
Areviewisacriticalassessmentoffactsandfunctions.Itissimilartoanauditbut
providesamoregeneralassessmentofamatterorfunctionanddoesnotprovide
thelevelofdetailthatistypicalofanaudit.hatis,areviewdoesnotexaminede-
tailsandtherelatedevidencebutinsteadfocusesontheoverallcontextandbasic
aspectsofthematterorfunction.Inareview,thepresentationofevidenceislimited
tofundamentalinsightsregardingthematter.Similartoanaudit,areviewcanalso
comparethecurrentconditionwiththedesiredcriteria,targets,orupstreamcon-
ceptandprocesslevels,thusdeterminingtheextenttowhichprojectsandprocesses
meetorfallshortofthesevalues.
Unlikeanaudit,a reviewdoesnotprovideorrecommendsolutions. Instead, its
purposeistoidentifyaneedforactionorclariicationinordertoeliminateshort-
falls,(i.e.topointoutdeicienciesandthenecessaryorganizationalandmethodical
stepstoarriveatasolution).Generally,thepresentationofevidenceisverylimited,
sothattheauditor’sexperienceandspecialistknowledgeformthebasisfortheas-
sessment. For this reason, a review should always be conducted by experienced
auditors.
reviewsareappropriateasaudit-relatedserviceswheneveraquickoverviewof
auditcontentisneeded.Bythesametoken,reviewsusuallyinvolveseveralparties
andfocusonverydivergentspecialistareas.heycanalsoafectexternalparties
likepartnersandsuppliers(seeSectionC,Chapter6).hereviewsharesthesefea-
tureswiththeaudit,anditisthereforepossibletofollowareviewwithafullaudit,
especiallyifthetopicorresultofthereviewhasidentiiedthisasusefulorneces-
sary.
reviewsareparticularlywellsuitedforproject-relatedorhighlycomplextopics.
examplesofproject-relatedtopics includeinternalprojects(introductionofnew
systemsorreorganization)andexternalcustomerand investmentprojects (joint
ventures,cooperationforaspeciicbusinesspurpose).examplesof international
review topics includea regionalorglobaloutsourcingorganizationora shared-
deinitiondeinition
PurposeoftheReviewPurposeoftheReview
UseofReviewsUseofReviews
contentofReviewscontentofReviews
Looks at results onlyLooks at an entire issue or
processApproach
Less timeMore timeTime
ReviewAudit
Complete, but some steps are
carried out in simpli�ed formCompleteAudit Roadmap
Presentation of results,
supplemented by (selected)
reports/action list
Detailed reportsDocumentation
Fig. 28 ComparisonofAuditandReview
A|7|7.2ConceptualBasisofInternalAudit
OtherServices
Audit-RelatedOtherServices
174
servicecenter.Areviewwillprovideacomprehensiveoverviewofcomplexstruc-
turesandprocesseswithinashorttime.
Areviewalsouses the fullAuditroadmap (seeSectionB), althoughcertain
partsofit,(e.g.,theScopeortheworkprogram)areusuallysimpliiedintheinter-
estoftime.However,detaileddocumentationisrequiredforeachstepthathasbeen
performed,withreporting(intheformofpresentations)otentakingplaceconcur-
rentlytoexecution.Sinceareviewdoesnotinvolveintensiveauditactivities,(par-
tial)resultsshouldbediscussedindetailwiththoseconcernedtoprecludeerrors
onthepartofInternalAudit.Aspecialreviewreportiscompiledonthebasisofthe
resultspresentation,which includes thecontent,chronological structure, results,
andanyoptionsforaction.Inaddition,summariesarecompiledformanagement
andtheBoardofdirectorsand,ifappropriate,actionitemsareidentiiedformon-
itoringoutstandingitems.
reviewsshouldnotbeasubstituteforaudits.However,theycompletetheser-
vicerangeoferedbyInternalAudit.reviewsareaneicientandselectivewayof
quicklyarrivingatadequateresultsforthetopictobeinvestigated.Inparticular,
theyarealsosuitableforpreparingorjustifyingotherauditservicesprovidedby
InternalAudit,(e.g.abasicaudit).herefore,reviewsareanimportantcomponent
ofInternalAudit’srangeofserviceoferings.
HintSAndtiPS ;
• Informaldiscussionsatthestartofareviewwillhelpauditorsgetanoverviewof
thetaskathand.
• requestexpertsupportatthebeginningofareview.
• regardthereviewasatoolforidentifyingnewaudittopicsforInternalAudit.
• Ifpossible,presentthereviewresultsincombinationwithkeyratiostodemon-
stratethereview’sbusinessrelevance.
LinKSAndRefeRenceS e
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
ReviewProcessReviewProcess
ReviewsasaServicePerformedbyinternal
Audit
ReviewsasaServicePerformedbyinternal
Audit
175
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtI,ANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services.AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFer,ANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
7.2.4 ImplementationSupport
KeyPOintS •••
• InternalAuditcanprovidevaluablesupportduringtheimplementationofaudit
recommendations.
• It is importantthattheoverallresponsibilityforimplementationremainwith
themanagementandtheemployeesof theauditedarea.hus,InternalAudit
doesnotperformtheactualimplementationoftheauditrecommendations,but
merelyprovidessupport,whichmayincludeprovidingexpertopinionsorfa-
cilitatingcommunication.
• Allworkperformedmustbecarefullydocumented.
• Internal Audit must be careful to strike a balance between its position as an
independentstafdepartmentanditssupportactivities.
• headvantagesofprovidingimplementationsupportareprimarilythatInternal
Auditcanbuildspecialistexpertiseandthatrecommendationscanbeefectively
implemented.
Althoughimplementationsupportisnotanauditactivity,itisanaudit-relatedser-
vicethatInternalAuditcanprovide.hereareseveralreasonswhyInternalAudit
mayprovidesupportforimplementingauditrecommendations,newconcepts,and
strategies.hesereasonsincludeauditors’specializedknowledgeandexpertise,in-
suicientresourcesinthedepartmentconcerned,andextensivecoordinationre-
quirements.InternalAudit’sservicesmayincludeprovidinganexpertopinionon
theprocessesandstructurestobedeinedorfacilitatingthecommunicationamong
those involved.heseserviceshelpensure fast, timely,andsmooth implementa-
tion.
heimplementationreportcontainsanyoptionsforactionrecommendedasa
resultofauditindings(seeSectionB,Chapter5.2.3),anditformsthebasisforsub-
sequentimplementationmeasures.heimplementationreportcontainsinforma-
tionthatwasjointlydiscussedattheclosingmeetingsoftheauditandduringthe
preparationoftheauditreport.However,themanagersandemployeesofthearea
concernedremainresponsiblefordrivingtheimplementationmeasures.Internal
Audittakesonaconsultingroleandmustnotbeactivelyinvolvedinthetaskstobe
performed.
ReasonsforimplementationSupportReasonsforimplementationSupport
implementationReportimplementationReport
ConceptualBasisofInternalAudit
OtherServices
Audit-RelatedOtherServices
A|7|7.2
176
ArecommendationmadebyInternalAuditmaytargetoneparticularchange,
(e.g., theneedforasecondsignatureundercertaincontracts).heemployeesof
InternalAuditactasconsultantsinsuchcases,identifyingpossiblesolutions.Ad-
ditionally,itmayalsobecomenecessarytochangeorredesignentireprocesses.In
suchcases, InternalAuditprovides informationoradvice,whilemaintaining its
impartialrolewithregardtothisaudittopicandorganizationalunit.
hesupportworkmustremainidentiiableassuch.tomaintainindependence,
InternalAuditmusttakeononlyaconsultingrole,notadecidingrole.hisrequire-
mentmustalsoberelectedinthedocumentationoftheimplementationsupport.
InternalAuditmustneverperformthedetaileddratingoftheactiontobetakenor
make the inal decision about its implementation. If internal auditors did make
crucialimplementationdecisions,orevenifsuchanimpressionwascreated,these
InternalAuditemployeeswouldnotbeallowedtotakepart in the follow-up.In
principle,however,auditorsshouldworkthroughtheentireauditcycle(seeSection
A,Chapter6.6)undertheirownresponsibility.herefore,internalauditorsmust
guardtheirindependenceespeciallywhenprovidingimplementationsupport.
Insomecasesitmaybebeneicialtoinvolveaguestauditorinimplementingthe
recommended action (for more information on guest auditors, see Section d,
Chapter10).hisprovidesevengreaterassurancethattheimplementationsupport
provided is impartial. he use of guest auditors is beneicial when no other re-
sourcesareavailableortheguestauditorhasspecialexpertiseorknowledge.Guest
auditorsandtherelevantInternalAuditemployeesmustworkincloseconsultation
witheachother.
heauditleadandtheAuditmanagerjointlydeterminewhetherandinwhat
formanInternalAuditemployeeisinvolvedinimplementingauditrecommenda-
tionsatertheaudithasbeencompleted.together,theymustensurethatauditors
donotperformtheimplementationorspendexcessivetimeonthisconsultingtask.
heauditresourcesdedicatedtoimplementationsupportmustbereasonablypro-
portionatetothetimefortheactualaudit(forexample,implementationsupport
shouldnottakemorethanamaximumof50%ofthetimeittooktoconductthe
audit).
hefunctionaldepartmentconcernedisresponsiblefordocumentingtheindi-
vidualimplementationactivities.Independently,however,InternalAuditemploy-
eesshouldcompileminutesoramemorandumdetailingtheirownactivities,con-
tributions,andthetimespentinordertodemonstrateclearlythatthereisatime
limitontheseactivities.heoveralldocumentationmustidentifyallinvolvedper-
sonsandtheirrolesandresponsibilities.Ifthereareanydisputesduringthefollow-
up,theindividualmeasurescanbeidentiiedandtracedbacktotheemployeesin-
volvedintheirimplementationbasedonthedocumentation.
Ifpossible,InternalAuditshouldnotrepeatedlygetinvolvedinthesameimple-
mentationactivitiesandingeneralavoidprovidingsupportinonespeciicareatoo
frequently.hishelpscountertheimpressionthatitroutinelyofersacompleteser-
SimpleandcomplexRecommendations
SimpleandcomplexRecommendations
independenceindependence
GuestAuditorsGuestAuditors
timeSpenttimeSpent
documentationdocumentation
LimitsofimplementationSupport
LimitsofimplementationSupport
177
vice,includingchangemanagement,becauseitisprimarilyastafdepartmentthat
reports to the Board of directors, not an operational service department of the
company.
Nevertheless,InternalAuditbeneitsfromprovidingsuchservices.Forexam-
ple,theknowledgegainedcanbeuseddirectlyforpreparingnewScopesorrevising
existing ones (see Section B, Chapter 2.1), thus keeping the expertise available
within theauditdepartment.Asa result, InternalAuditmaybeable to respond
fastertofutureauditrequestsandconducttheauditswithgreaterfocus.
HintSAndtiPS ;
• Beforestartingtheirimplementationsupportwork,auditorsshouldgetalistof
thepeopleresponsibleforimplementation.
• If,duringthecourseofanimplementation,avoteistaken,InternalAuditem-
ployeesmustremainimpartial.
• InternalAuditemployeesmustneverarbitrate.
• Ifauditorsdeterminethatimplementationsupportactivitiesmaynotbecom-
pletedinatimelymanner,theyshouldcommunicatethesedoubtstomanage-
mentearly.
LinKSAndRefeRenceS e
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtI,ANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services. AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFer,ANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
AdvantagesforinternalAuditAdvantagesforinternalAudit
A|7|7.2ConceptualBasisofInternalAudit
OtherServices
Audit-RelatedOtherServices
178
7.3 Non-Audit-RelatedOtherServices
7.3.1 OngoingSupport
KeyPOintS •••
• Byprovidingongoingsupport,InternalAuditcanacquireexpertisenecessary
forsubsequentaudits,exchangeknowledgewithother individualswithin the
organization,andsupportotherdepartmentsintheimplementationofnewsys-
temsandorganizationalchange,orassistwithtemporaryresourceshortages.
• InternalAuditcangainpracticalinsightintospeciicareasoftheorganization
byprovidingongoingsupport.
• Ongoingsupportshouldnotexceedoneyear.
• Becauseprovidingongoingsupportrepresentsadeparturefromthetraditional
responsibilitiesofInternalAudit,theseactivitiesmustbeapprovedbytheBoard
ofdirectors.
Internal Audit may support other departments within the organization in their
day-to-day tasks.Ongoingsupport isotenprovided toovercome temporary re-
sourceshortagesortogainaclearerunderstandingofcertainareastofacilitatefu-
tureaudits.Ingeneral,ongoingsupportshouldprimarilyfocusoninternalcontrol
andshouldlastnomorethansixmonths.Further,InternalAuditemployeesshould
notdevotemorethan50%oftheirworktimetoongoingsupport,sothattheycan
continuetoperformtraditionalauditwork.
Generally,ongoingsupportactivitiesareinitiatedbythedepartmentrequiring
thesupport.However,InternalAuditmanagementshouldinformothermanagers
that the internal auditdepartmentcanprovide theseactivities.Further, auditors
shouldmaintaincontactwithmanagersandemployeesinfunctionaldepartments
todeveloptheskillsthatwillallowthemtoperformnecessarydutiesifappropriate.
Importantly,beforeInternalAuditcanprovidesupport,certainprerequisitesmust
bemet.Firstofall,theBoardofdirectorsmustapprovetheactivitiesandsetneces-
sarylimitations.
eventhoughongoingsupportdoesnotgiverisetomanyauditelementsalong
theAuditroadmap,themaincontentandresultsshouldatleastbebrielydocu-
mented.Insomecasesitisnecessarytoprepareaspecialreportintheformofa
memorandum.Forexample,ifinthecourseofprovidingongoingsupportanaudi-
toridentiiestheneedforanaudit,itmayleaddirectlytoanauditrequest,orthe
mattermaybeconsideredinthenextannualauditplan.
heextent towhichspeciicauditorsapply themselves toongoingsupportas
partoftheirworkisalsodeterminedbytheirpersonalattitudestowardthetopic
concerned.hatis,ifitisoneofanemployee’sspecializationsorinterests,andpros-
pectsforpersonalandprofessionaldevelopmentcanbeidentiiedinanattractive
workingenvironment,thisauditorshouldbethelikelychoicetoperformtheongo-
PointsofdeparturePointsofdeparture
PrerequisitesPrerequisites
documentationdocumentation
Auditors’PersonalPreferences
Auditors’PersonalPreferences
179
ingsupport.If theplanningframeworkandpersonnelcapacitiesallow,theaudit
managerwillconsidertheauditor’srequestforperformingthiskindofwork.
Forauditorswhodonotyethaveextensiveprofessionalexperience,longer-term
supportworkisagoodwayofacquiringdetailedpracticalknowledge.herefore,
thiskindofworkcanformpartofageneralauditortrainingplan.hisgivesaudi-
torsanopportunitytocoverallaspectsofatopicandperhapsevendevelopanew
audittopicorestablishthemselvesasauditexpertsandcontactsforthistopic.even
experiencedauditorsshouldtakeadvantageofsuchopportunitiestobecomefamil-
iarwithnewtopics.
Byprovidingongoingsupporttoselectedareas,InternalAuditcanidentifyau-
dittopics,gainabetterunderstandingoftheircontent,andultimatelyconductbet-
ter audits. If the work performed is limited to support, the same employee may
generallyalsoauditthisarea,becausewiththiskindofsupport,contentisnotnor-
mallyredeinedorchanged.However,iftheauditorsareactivelyinvolvedinchang-
ingorredeiningthecontent,theyshoulddocumentalltheknowledgeacquired,
butnotperformsubsequentauditsofthearea.hisappliesatleasttotheauditcy-
cle,i.e.thenexttwoyears(seeSectionA,Chapter6.6),followingthesupportwork
toensureInternalAuditcanmaintainindependenceandtheauditorscanremain
objective.
HintSAndtiPS ;
• heremaybeinformalwaysofidentifyinganarea’srequirementforsupportby
InternalAudit.
LinKSAndRefeRenceS e
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtI,ANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services.AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFer,ANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
AcquisitionofdetailedPracticalKnow-HowAcquisitionofdetailedPracticalKnow-How
AuditWorkintheSupportedAreaAuditWorkintheSupportedArea
ConceptualBasisofInternalAudit
OtherServices
Non-Audit-RelatedOtherServices
A|7|7.3
180
7.3.2 InternalConsulting
KeyPOintS •••
• InternalAuditcanperformconsultingtasksrelatedtospeciiclong-termproj-
ectsorgeneralconsultingtasksthatareindependentofspeciicprojects.
• dependingonthepersonalexperienceandinterestsoftheinternalauditor,dif-
ferent levelsofconsultingtaskscanbeassumed.hesetasksmayrangefrom
simplygivingexpertopinions,inputintoconcepts,andsolutionimplementa-
tionthroughactivelydesigningcooperationmodelsandpartnerships.
• InternalAudit’sindependencemustbesafeguardedatalltimes.Appropriatear-
rangementsmustbemade,especiallyincaseswhereInternalAuditwasactively
involvedindesigningthesolutions.
• heconsultingworkperformedbytheinternalauditormustbeadequatelydoc-
umented.
• Consultingworkhelps InternalAuditdevelop intoacompetentpartnerwith
employeeswhohavetherequisitemotivationandexpertise.
Consultingtasksoferinternalauditorstheopportunitytocontributetheirexper-
tiseinprojectsoutsideofthedepartment.Inadditiontotheirknowledgeandex-
pertise, auditors can provide their analytical and conceptual capabilities to ind
solutionstailoredtotheindividualproject.
herearemanydiferenttypesofconsultingprojectsinwhichInternalAudit
canbeinvolved.InthecontextoforganizationalorItprojects,possibleconsulting
tasksincludedratingconcepts,includingacceptancetesting,documentation,and
internalcontrols.Incapitalspendingprojects,consultingmayrelatetothecompila-
tionofcapitalexpenditurebudgetsandongoinginancialandorganizationalmon-
itoringofassociatedactivities.heintroductionofspecialaccountsettlementsys-
tems would also be a sensible target for consulting services ofered by Internal
Audit,withparticularfocusoncompliance,internalcontrols,andtheirimpacton
inancialreporting.Inthecaseofrestructuringandchangemanagement,Internal
Audit’sconsultingworkshouldfocusonplanningnewstructures,creatingatransi-
tionplan,andensuringthatinternalcontrolsandriskmitigationstrategiesarein
placeintheneworganization.Finally,InternalAuditcanprovideassistancewith
costingmodelsandcost/beneitanalysisforoutsourcingandsharedserviceorgani-
zations.
InternalAuditcanalsoprovideconsultingsupportthatisnotdirectlylinkedto
speciicprojects.hismayinclude:
• basicanalysistoimproveinformationandcommunicationlows,
• creation of early warning systems (e.g., with regard to risks, budgets or rev-
enue),
• assessmentofandcommentaryonproblemsandsuggestedsolutions,
• mediationassociatedwiththeabove,
contributingexpertisecontributingexpertise
Possibleconsultingtasks
Possibleconsultingtasks
consultingtasksnotRelatedtoProjects
consultingtasksnotRelatedtoProjects
181
• improvementofdecisionprocesses,and
• generalsupportforprocedureandconductrecommendations.
Oten,InternalAuditbeginsconsultingworkasaresultofaspeciicrequest.Such
consultingrequestscanbedeinedbytheBoardorbyvariouslevelsofmanagement
andfunctionaldepartments.ConsultingrequestsinitiatedbytheBoardorsenior
managementaregenerally focuseduponstrategicmatters,which in turncanbe
transformedintocorrespondingaudits.hismayincludepreparationsforajoint
venture or for acquiring a share in a company. Internal Audit may also support
strategiccustomer,supplier,andpartnerselectionprocesses.
Asinitstraditionalauditactivities,InternalAuditmustdocumenttheresults
andconsultingmethodsusedinseparateworkingpapers.Speciicinvolvementin
deiningcontentandjointdecisionsmustalsobedocumentedandabriefmanage-
mentsummaryshouldbepreparedifnecessary.hesereportsarethenavailablefor
futureaudits.
InternalAudit’sconsultingservicescanaddvaluewithinthecompany.Itsac-
tivitiescaninvolveprovidinganexpertopinionordesigninput.Althoughdesign
tasksgenerallyincreasethemotivationandknowledgeofthoseinvolved,theycan
poseasigniicantrisktoInternalAudit’sindependence.duecaremustbetakento
ensureindependenceandobjectivityaremaintained.heBoardortheBoardmem-
berinchargeshouldbeconsultedpriortoconsultingengagements(seeSectionA,
Chapter2.5.3).
whenInternalAudithasprovidedinternalconsultingservices,anysubsequent
auditmustbeconductedbyadiferentauditor,preferablyfromadiferentteam,
fromthosewhoperformedtheconsultingservices.Alternatively,auditorswhodid
performtheconsultingservicesshouldrefrainfromauditingthatareaforatleast
twoyears.Ifforreasonsofexpertise,theauditorswhoworkedasconsultantsareto
provideexpertauditsupport,theyshouldonlyworkinconjunctionwithothercol-
leagues.heseprecautionswillhelpensurethatInternalAuditmaintainsindepen-
denceinfactaswellasappearance.
headvantagesofconsultingworkforInternalAuditincludeenhancedknowl-
edgeandskillsfortheauditorsinvolvedandfortheinternalauditdepartmentasa
whole. Other important beneits include increased motivation of auditors and a
greatergeneralacceptanceofInternalAuditthroughoutthecompany.hatis,per-
formingconsultingworkcanimprovetheimageofInternalAudittothatofadivi-
sionthataddsrealvaluetotheorganization.
HintSAndtiPS ;
• Auditorsmustbeclearabouttheobjectivesoftheconsultingproject,especially
theextentoftheirexpectedcontribution.
• Auditorsshouldmakerealisticestimatesofthetimerequirementandinclude
theserequirementsintheannualInternalAuditstaingplan.
consultingRequestsconsultingRequests
documentationdocumentation
necessaryconsultationnecessaryconsultation
PersonnelSegregationPersonnelSegregation
AdvantagesofconsultingAdvantagesofconsulting
ConceptualBasisofInternalAudit
OtherServices
Non-Audit-RelatedOtherServices
A|7|7.3
182
• whenperformingconsultingactivities,InternalAuditshouldhighlighttheim-
portanceofinternalcontrolsintheprojectoractivities.
LinKSAndRefeRenceS e
• ANderSON,U.2003.AssuranceandConsultingServices.In:BAIleyJr.,A.d.,A.A.
GrAmlINGANdS.rAmAmOOrtI.(eds.).2003.Research Opportunities in Internal
Auditing.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• CASCArINO,r.ANdS.vANeSCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtIANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services. AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFerANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
7.3.3 ProjectManagement
KeyPOintS •••
• herearediferentwaysinwhichInternalAuditcansupportorassumeproject
managementtasks.
• Internalprojectmonitoringandcontrolarethemostimportanttasksandshould
relatetoInternalAudit’spertinentaudittopics,sothatexpertisecanbebuiltor
enhancedforsubsequentaudits.
• Apartfromthisbasicfunction,InternalAuditemployeescanalsotakepartin
steeringcommitteesorprovidecontrolandsupportforprojectcommunication.
AnotherwayforInternalAudittoofernon-audit-relatedservicesistoparticipate
in or assume project control and management tasks. Although the project lead
drivestheprojectintermsofcontentandmakestherelevantdecisions,theproject
ProjectcontrolandManagementtasks
ProjectcontrolandManagementtasks
183
managerisresponsiblefortaskssuchastimeandcostplanning.heauditorcan
takeontheroleofprojectstaforofsub-projectlead.
In thecaseofprojectmanagement, the individualproject stepsirstmustbe
plannedandcalculatedaccordingtotheprojectphasemodel.hepreparatorywork
iscoordinatedamongtheprojectteammembers.Projectimplementationmustbe
closelymonitored,comparingcurrentconditionsagainstdesiredscenariosandtar-
gets,identifyingalldeadlines,costs,content,orqualityvariances,anddeiningand
initiatingappropriatecountermeasures.
Projectmanagementalsorequiresanadequatereportingsystemfortheproject
teammembersandthoseresponsible.Projectmanagementalwayshasainancial
andatechnical/logisticalaspect.hischapterdoesnotprovideadetailedpresenta-
tionofthecomplexissuesofprojectmanagement.Abasicdescriptionofasimilar
application,knownasauditprojectmanagementfollowslater(seeSectiond,Chap-
ter11).
Usually,projectmanagementisperformedbyoperationalmanagementandthe
functionalexecutivelevel.Inexceptionalcases,InternalAuditemployeesmayalso
beinvolvedinprojectmanagementactivities.ForInternalAudit,themostsuitable
projectsarethosewhosecontentisrelatedtooneofthedepartment’sauditields.
Ofparticularinterestarechangemanagementprojectsandimplementationproj-
ectstoguaranteecompliance(e.g.,internalcontrolsystemsasrequiredbySOX,or
Itprojectswithworklowprocesses).
Similartointernalconsulting,projectmanagementperformedbyInternalAu-
dithastwomainobjectives,thecontributionofexperienceandauditortraining.
InternalAuditcanincorporatetheknowledgegainedfromparticipatinginproject
managementactivitiesintofutureaudits.Importantly,however,thereisaneedto
safeguardInternalAudit’s independence,especiallybecauseprojectmanagement
meansparticipationindesigningproceduresratherthanimplementingthem.
Asmentionedearlier,projectmanagementservicescanprovidevaluableinfor-
mationandideasforthemanagementofaudits.AlthoughtheAuditroadmapisan
importantbasictoolforauditmanagement,itisaproceduralmodelandtherefore
highlyfocusedoncontent.Forthisreason,theAuditroadmapshouldbelinked
withamethodforprojectcontrolwhichturnsthecontentsoftheAuditroadmap
intooperationalstepsoftheauditproject.
Anotherprojectmanagementserviceisparticipationinsteeringcommittees.In
suchcases,anAuditmanagertakespartinregularstatusmeetings,receivesmeet-
ing minutes, and is involved in fundamental decisions regarding project proce-
dures.hemostsuitableprojectsare thoseofvalue toInternalAuditbecauseof
their organizational or content aspects. examples include the introduction of a
globalriskmanagementsystem,theimplementationofSOXrequirements,orthe
creationofashared-serviceorganization.
Anotherformofproject-relatedsupportisthecontrolandcoordinationofcom-
munication channels and information lows between regional project teams in
globalimplementationandorganization-wideprojects.hesigniicanceofthistask
ProjectimplementationProjectimplementation
ReportingReporting
ProjectsProjects
ObjectivesandindependenceObjectivesandindependence
LinkwiththeAuditRoadmapLinkwiththeAuditRoadmap
SteeringcommitteesSteeringcommittees
communicationandinformationSupportcommunicationandinformationSupport
ConceptualBasisofInternalAudit
OtherServices
Non-Audit-RelatedOtherServices
A|7|7.3
184
will increase in the future, because diferent cultural groups must be networked
interactively,thusitisimportanttoconsiderspeciicregionalcircumstances.multi-
region projects may be hampered by a lack of communication and support that
inhibitsthesuicientimplementationofallimplementationphasesandmeasures
simultaneously in all regions. Finally, Internal Audit can provide direct regional
supportonaone-to-onebasistofacilitatetheimplementationoftheproject.hese
formsofprojectsupportenhancetheperceptionofInternalAuditthroughoutthe
company.
Inprinciple,anyInternalAuditemployeehastheoptiontotakeontheproject
managementtasksdescribedabove;but,functional,methodical,andpersonalpre-
requisitesandinterestsshouldbetakenintoaccount.herefore,thesekindsoftasks
shouldbeassignedtoauditorswithextensiveprojectmanagementknow-howfor
thepurposeofpersonaldevelopment.
HintSAndtiPS ;
• Auditorsmustbeclearabouttheirpersonalstrengthsandselecttheirproject
managementfunctioncarefully.
• Closecooperationwithexperiencedprojectmanagersmakesiteasiertowork
successfully.
• Auditorsshouldproducetheirownpersonaldevelopmentplanonthebasisof
theacquiredexpertise.
LinKSAndRefeRenceS e
• ANderSON,U.ANdA.dAHle.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2001.Practice Advisory 1000.C1-1: Principles
Guiding the Performance of Consulting Activities of Internal Auditors.AltamonteSprings,
Fl:heInstituteofInternalAuditors.
• INStItUteOFINterNAlAUdItOrS.2002.Practice Advisory 1000.C1-2: Additional
Considerations for Formal Consulting Engagements.AltamonteSprings,Fl:heInstitute
ofInternalAuditors.
• INStItUte OF INterNAl AUdItOrS. 2005.Practice Advisory 1130.A1-2: Internal
Audit Responsibility for Other (Non-Audit) Functions.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• PrOJeCtmANAGemeNtINStItUte(PmI).2004.A Guide to Project Management
Body of Knowledge (PMBOK Body of Knowledge). 3rd ed. Newton Square, PA: Project
managementInstitute.
• reddING,K.,P.SOBel,U.ANderSON,m.HeAd,S.rAmAmOOrtIANdm.
SAlAmASIK.2007.Internal Assurance and Consulting Services.AltamonteSprings,Fl:
InstituteofInternalAuditors.
• SAwyer,l.,m.dItteNHOFerANdJ.SCHeINer.2003.Sawyer’s Internal Audit-
ing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
SuitableemployeesSuitableemployees
186
1 GeneralIntroduction1.1 StructureandFeaturesoftheAuditRoadmap
KeyPoInts •••
• heAuditRoadmapisamodelforvisualizingallphasesandprocessstepsofan
auditintermsofformandcontent.
• Itisaimedatgivingauditorsallthenecessarystandardinformationonthebasis
ofastandardized,globallybindingprocessmodel.
• A standard Audit Roadmap helps to achieve uniform audits throughout the
company.
• hemainphasesoftheAuditRoadmapareplanning,preparation,execution,
reporting,andfollow-up.
• Eachofthesephasesisdividedintosub-phases,whichhavetobeexecutedina
speciiedsequence.
• heAuditRoadmapisintendedforuseasanauditprocessmodelforstandard
audittopics.
• Inaddition,AuditRoadmapscanbedeinedforspecialauditcontent,specii-
callyforacertainsector,company,oraudit.
Anordinaryroadmaptellsdrivershowtoget toplaces. Inaigurativesensethe
AuditRoadmapservesthesamepurpose.heAuditRoadmapprovidesinforma-
tiononasequenceofeventsintermsofcontentandphysicalarrangementtoensure
achievementofan intendedauditoutcome.Aroadmapvisualizesastrategyand
deinesimportantmilestones.hekeyobjectiveofhavinganAuditRoadmapisto
ensurethatallauditsconductedbyInternalAuditfollowastandardprocessmodel
asfaraspossible.EvenifnotallpartsoftheAuditRoadmapcanbeusedinevery
audit,thebasicstructureoftheRoadmapaddssecuritytoauditsandallowsfora
standardizedauditapproachthroughoutthecompany.
However,theAuditRoadmapismorethanaprocessmodel.heRoadmapalso
linksauditstepswithtemplatesandotherdocuments.Initselectronicimplementa-
tiontheRoadmapcontainsmanydocuments,standardtemplates,examples,and
additional information that auditors can access whenever necessary. he Audit
Roadmapmustthereforehaveanin-depthstructurethatmakesitpossibletoassign
documentstoeachauditstep.
hesequenceofstepswithintheAuditRoadmapisclearlydeined.hemain
areasoftheAuditRoadmaparereferredtoasphases.Eachphaserepresentsaself-
containedauditsectionwithaclearstructure.hemainphasesoftheAuditRoad-
mapare:
• Planning,
• Preparation,
• Execution,
• Reporting,and
• Follow-up.
AimoftheAuditRoadmap
AimoftheAuditRoadmap
InformationMediumInformationMedium
MainPhasesoftheAuditRoadmap
MainPhasesoftheAuditRoadmap
187
Together,thesephaseslayoutacompleteauditsequence,ensuringthatallneces-
saryauditactivitiesareperformed.
Forbetterimplementationduringtheaudit,eachphaseisdividedintosub-phases.
hesub-phaseshavetobeexecutedinthesamewayasthemainphases.Asequen-
tialworkprocessisnecessarybecausecertainmeasurescanonlybeperformedater
otheroperationshavebeencompleted.hismandatorysequenceofauditstepsis
intendedtoensurethatsecurityandqualityrequirementsaremet(seeSectionD,
Chapter5).
heAuditRoadmapexistsasastandardizedmodel.Eachofitsphasescontains
a largenumberofspeciicinformation.his informationincludesorganizational
aspects,suchasthedescriptionoftheopeningandclosingmeetings,aswellasau-
dit-relevantdocumentsandstandards.Intermsofcontent,thestandardizedAudit
Roadmapcoversallauditields(seeSectionA,Chapter6.2).Forspeciicaudits,like
fraudauditsormanagementaudits, theAuditRoadmapscanbemodiiedbyre-
placing, adding, or removing certain standard procedures (see Section B,
Chapter7).
BasedonthebasicstructureoftheAuditRoadmap,additionalAuditRoadmaps
canbedrawnupwithcompany-speciicandaudit-relatedmodiicationsifneeded.
Forinstance,additionalquestioncatalogscanbeincluded,orthewaytheauditis
announcedcanbechanged.However,theobjectiveisnottomaximizethenumber
of individualAuditRoadmaps,butrathertocovertheuniquefeaturesofspecial
audit topics as comprehensively as possible and to make information on the re-
quirementsofsuchauditsavailablewithminimalefort.
sub-Phasessub-Phases
standardAuditRoadmapstandardAuditRoadmap
ModiicationoptionsModiicationoptions
Fig.1 StructureoftheAuditRoadmap
TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
GeneralIntroduction
StructureandFeaturesoftheAuditRoadmap
B|1|1.1
188
Itismandatorythatallinternalauditorscomplywiththestandardbasicstruc-
ture of the Audit Roadmap. his ensures that all internal audits, irrespective of
whenandwheretheyareconducted,followthesameformalframework.
AnimportantfeatureoftheAuditRoadmapisthatitisaprocessmodelwitha
masterversionthatcanbeupdatedcentrally.hiscentrallymaintainedversionis
the most up-to-date standard and mandatory throughout the internal audit
department.Audit-speciiccopiesfortheindividualregionsandauditteamsfollow
thisversion.hisensures,especiallyinglobalcorporateauditdepartments,thatall
regional teams follow the same audit sequence in preparation for an audit and
during an audit. he Audit Roadmap provides the ordinal framework for
communicating the necessary individual process steps and documentation
requirements.
heAuditRoadmapcontainsqualitygatesorperformancemeasures suchas
time and cost budgets. Quality gates function as milestones and conclude audit
phases. he start of the next phase is contingent upon passing the quality gate.
Qualitygateshelptoensurethatnecessarydocumentationexists,thatsuchdocu-
mentationisinthecorrectformatandcontainsalltherelevantinformation.Qual-
itygateslinktwophasesoftheAuditRoadmapandcanconcerndiferentpeople
andinvolvediferenttypesofqualityassurancemeasures.Documentstobeexam-
inedandreleasedbyonepersonareforwardedeitherinhardcopyorelectronically,
bye-mailor through theworklow, to theotherperson.hisallowsperforming
qualityspotcheckswithoutdelayingtheoverallauditprocess(fordetailsonquality
assurance,seeSectionD,Chapter5).
HIntsAndtIPs ;
• Auditors should structure and archive their documents according to the re-
quirementsoftheAuditRoadmap.
• AuditorsshouldensurethattheyareusingthelatestversionoftheAuditRoad-
map,thattheyfollowthestandardsitcontains,andthattheyusethedocuments
requiredbytheRoadmap.
• AllauditorsshouldusetheirexpertisefortheongoingdevelopmentoftheAudit
Roadmap.
LInKsAndRefeRences e
• InSTITuTE oF InTERnAl AuDIToRS.2005.Practice Advisory 1300-1: Quality As-
surance and Improvement Program. Altamonte Springs, Fl: he Institute of Internal
Auditors.
• InSTITuTE oF InTERnAl AuDIToRS. 2006. Quality Assessment Manual. 5th ed.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
standardBasicstructurestandardBasicstructure
UseinGlobalcorporateAudit
UseinGlobalcorporateAudit
QualityAssuranceQualityAssurance
189
1.2 AdvantagesandBenefitsoftheAuditRoadmap
KeyPoInts •••
• heAuditRoadmapprovidesanumberoforganizational,content-related,and
formal advantages as well as beneits with regard to teamwork and coopera-
tion.
• Auditorscanuse theAuditRoadmapasacommunicationandguidanceme-
dium.
• herearemanyoptionsforindividualuseandadaptationoftheAuditRoad-
map.
he use of a standardized Audit Roadmap ofers many advantages for everyday
auditing.hischaptersummarizesthemainaspects.
• useoftheAuditRoadmaphelpsguaranteethatthedataiscompleteandupto
date:Allauditorscanbecertainthatstandardtemplatesanddocumentsareup
todate.hereisnoneedfortime-consumingsearchesorforredeiningaudit
documents.Auditorscanthusfocusontheactualaudit.
• heclearstructureoftheAuditRoadmapfacilitatesandshortensboththeprep-
arationandtheexecutionoftheaudit.heformalstandardizationoftheRoad-
mapalsohelpsauditorstoexchangeinformationquicklyandeiciently,which
createsthepotentialfortimesavingsatallphasesoftheaudit.
• he Audit Roadmap makes it possible to plan and monitor audits in detail:
Deadlines,costs,andemployeeassignmentcanbeplannedandcontrolleddown
tothesub-phaselevel.
• Improvedplanningandmonitoringfacilitateassigningauthorizationsandac-
cessrightstodataandITsystems.hisisimportantespeciallywithregardto
conidentiality.Accessrightsaregrantedforeachphase,basedonactivitiesor
documenttypes,anddeinedviaroleproiles.heresultingauthorizationscan
beenteredinthesystemforeachphase,activity,anddocumenttype.
• An Audit Roadmap-based audit procedure facilitates a project-based audit
monitoringsystem.heAuditRoadmapmakesitpossibletoeicientlycontrol
theoverallaudit.Progressismeasurableforeachphaseandfortheauditasa
whole.hisallowsidentifyingdeviationsinthebudgetandaudittimeline.Au-
ditorsinchargeforthephaseinwhichthevarianceoccurredareresponsiblefor
understanding and explaining these diferences. he auditors in turn can re-
spondonthebasisofdocumentsorstatementsthattheycreatedinthatphase.
histimelycontrollingallowstakingnecessarycountermeasuresearly.
• heAuditRoadmapalsofacilitatesanalysisofthecontentofauditprocedures
(seeSectionD,Chapter7).heauditsconductedarereviewedandcomparedon
thebasisofresults,procedures,phases,etc.,bothindividuallyandacrossasam-
pleorallstepstaken.KeyiguresformeasuringInternalAudit’seiciencycan
thenbederivedandareasforfutureprocessimprovementsinauditworkidenti-
AdvantagesoftheAuditRoadmapAdvantagesoftheAuditRoadmap
completeandUp-to-datecompleteandUp-to-date
shorterProcessingtimesshorterProcessingtimes
schedulinganddeadlineMonitoringschedulinganddeadlineMonitoring
AccessAuthorizationAccessAuthorization
AuditMonitoringsystemAuditMonitoringsystem
AuditAnalysisAuditAnalysis
TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
GeneralIntroduction
AdvantagesandBeneitsoftheAuditRoadmap
B|1|1.2
190
ied.hephase-by-phasecomparisonofcontentcanbeofespeciallygreatsig-
niicance. An integrated quality control system helps to identify any process
stepsthatdonotmeetthedeinedexpectations,makingitpossibletorespond
immediatelytoanydefectsidentiied.
• he Audit Roadmap supports the use of a quality assurance system through
qualitygates.Astheauditproceeds,qualitygateshavetobepassed,wherethe
qualityoftheauditworkischeckedagainstclearlydeinedrequirementsbefore
advancement to the next process step is possible (for details, see Section D,
Chapter5).
• heAuditRoadmapguaranteesthattheprocedureusedforauditsisconsistent.
heseconsistentproceduresinturncanbesupportedbyITsolutions.heover-
all administration of documents, including archiving, should be phase-based
andrunasanintegratedpartoftheITsystemtoensurethatnodocumentsare
missing(seeSectionD,Chapters1and4).
• InadditiontoastandardizedAuditRoadmap,itisalsopossibletocreateindi-
vidualAuditRoadmapsforspeciicgroupsoftopics(seeSectionB,Chapter7).
Forfraudaudits,forexample,itispossibletoplanspecialactivitiesatthestart
oftheaudit,e.g.,gatheringinformationinadvanceorpreparingquestioncata-
logsforspecialinterviewtechniques.Formanagementaudits,itmaybeuseful
tohaveadditionalexplanatoryinformationoraspeciicmanagement-basedre-
portingsystem(e.g.portfolioortrendanalysis).
• Standardizingproceduresisparticularlyimportantforcorporateauditdepart-
mentsinglobalcompanies.hepotentialconlictbetweencentraldatamainte-
nanceanddecentralizedprocessinggivesrisetospeciicrequirements.Aglobal
processmodelisnecessarytoensurethatsimultaneousprocessstepsindiferent
regionsarecoordinatedandmulti-levelapprovalandqualityassuranceproce-
duresareinplace.Suchaprocessmodelhastoaccommodatethediferentaudi-
torsinvolved,thedivergingcontents,andthevariousprocesslevels.Inthiscon-
text, theAuditRoadmap functionsasaglobal integrationmodel, supporting
globallystandardizedprocessesandpersonalandculturalintegration.
• Standardizedprocessesofastringentprocessmodel,suchastheAuditRoad-
map,allowauditorstofocusontheauditcontentratherthanonadministrative
issues.Asaresult,auditorsreachhigherpersonalqualiicationsfaster,because
theirexpertisegrows faster thanwithunstructured,non-standardizedproce-
dures.Assessmentcriteria forperformancemeasurementcanalsobedeined
moreclearlyanddevelopmentpotentialcanbeidentiiedmorespeciically.
• lastbutnotleast,anAuditRoadmapcontributestoauditreliabilityandmateri-
ality.Amongtheelementsofauditreliability,thecompletenessoftheauditisthe
mostimportantfeature.otherimportantelementsaredeterminedbyexternal
standardssetbyorganizationssuchastheIIA.hesestandardscanbeincluded
inanAuditRoadmapasdesiredcriteria,thusaimingatautomaticcompliance.
hesameappliestocompliancewithSoXrequirements(seeSectionC,Chapter
8;SectionD,Chapter14)whicharerelectedeitherinthestandardAuditRoad-
QualityAssuranceQualityAssurance
ItsolutionforInternalAudit
ItsolutionforInternalAudit
IndividualdesignofanAuditRoadmap
IndividualdesignofanAuditRoadmap
GlobalRequirementsandIntegration
GlobalRequirementsandIntegration
AuditorQualiicationAuditorQualiication
AuditReliabilityAuditReliability
191
maporinamodiiedAuditRoadmap.Asfarasspeciicaudit,test,anddocu-
mentationstepsarerequired,phase-dependentconsistencycheckscanbeinte-
grated into theAuditRoadmap.Suchcheckscouldhelpguarantee thataudit
resultsareveriiedautomatically(e.g.,thecompletenessofasamplebytesting
theindingsand/ortestcases).
heabovelistofadvantagesoftheAuditRoadmapininternalauditingisnotex-
haustive,butthebeneitsmentionedshowthatanAuditRoadmapisimportantfor
auditworktobeeicient.
HIntsAndtIPs ;
• Bycomparingprocedureswithauditorsofothercompanies,auditorscaniden-
tifybestInternalAuditpractices.
conclusionconclusion
TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
GeneralIntroduction
AdvantagesandBeneitsoftheAuditRoadmap
B|1|1.2
192
2 Planning2.1 ContentofScopes
2.1.1 IntegrationandOrganizationalStructure
KeyPoints •••
• EventhoughScopesareintegratedintotheauditprocess,theyaredeinedinde-
pendentofindividualaudits.
• CoreScopesrepresentclosedbusinessororganizationalauditareas,whichcan
bebrokendownintoanynumberofauditsegments,referredtoasKeyScopes.
• Scopeshavetheadvantagethattheycanbeusedinindividualwaysandcom-
binedwitheachotherindiferentaudits.
• Scopesrequireregularupdating.Auditemployeesshouldbeassignedresponsi-
bilityforkeepingScopescurrent.
• Access authorizationshave tobedeined forScopes so that conidentiality is
guaranteed.
SectionA,Chapter5.3givesadeinitionofSAP’sconceptofScopesanddescribes
thegeneralreasonsforusingScopes.hischapterprovidesasystematicpresenta-
tionof thedetailsrelevantatAuditRoadmaplevel.Withregardtotheposition-
ingofScopesitneedstobenotedthat,inspiteoftheirintegrationintotheaudit
process, creating them is independent from any speciic audit work because the
Scopesaregenerallyandgloballyavailableandarenormallydeinedbeforetheac-
tualaudit.hatisthereasonwhythissub-phaseoftheAuditRoadmaphastobe
addressedirst.
herelevantScopesshouldalwaysbeavailablebeforetheworkprogramiscom-
piled(seeSectionB,Chapter3.2).Forauditsthatareplannedfortheirsttimeor
conductedatshortnotice,itispossibleasanexceptiontocreatetheScopewhenthe
actualauditingprocessisalreadyunderwayorinitspreparationphase.Forsuch
audits,creatingaScopemakessense if theaudit topic is repeatableandaScope
shouldbeavailableinthefuture.
hereisafunctionallinkbetweenthediferentaudittypesandScopes:Forstan-
dardandspecialaudits,theScopescoverarelativelywiderangeoftopics,because
theseaudittypesleavesuicienttimeforresearchandthecreationofScopes.For
ad-hocaudits,whicharemostlyone-timeauditsofspeciictopicsorpersons,there
aregenerallyfewerScopesavailableinadvance.
Scopesarebrokendown intoCoreScopesandKeyScopes.heCoreScopes
representclosedbusinessororganizationalauditareas,e.g,purchasing,sales(for
auditsonsalesandpurchasingseeSectionC,Chapter4.1and4.2).EachCoreScope
mapsoutasubsectionofanauditieldoreventheentireauditield(e.g.,fraud).
CoreScopesinturnbreakdownintoindividualKeyScopes.hisallowsdividinga
complexauditareaintoindividualauditsegments,whichcanthenbehandledlex-
ibly.KeyScopesinpurchasingforexamplecouldbetheprocurementofthird-party
services,thevehicleleet,ordeliveryprocessing.
PositioningofthescopePositioningofthescope
AvailabilityAvailability
interrelationbetweenAudittypesandscopes
interrelationbetweenAudittypesandscopes
CorescopeandKeyscope
CorescopeandKeyscope
193
KeyScopescanbecombinedwithotherKeyorCoreScopestodeinethespe-
ciiccontentofanindividualaudit.It ispossibleforauditsthatarebasedonthe
sameScopetohavediferentauditobjectivesorsteps.Scopeshavetheadvantage
thattheycanbeadaptedandusedbythemselvesorcombinedwitheachother.
Scopesrequireregularupdatingtoensurethattheyarecurrent.Scopesareas-
signedforregularmaintenancetooneorseveralauditors,knownasScopeowners,
onthebasisofcontent,hierarchy,region,ortimeattributes.heassignmentshould
berotatedatregularintervals.Eventhoughauditorsareonlyresponsibleforthe
Scopes assigned to them, they also have to keep themselves informed on other
Scopes.hereshouldbeacomprehensivereviewofallScopesatleastonceayear.
Asaresultofsuchreviews,newauditsegmentsmaybeaddedorexistingonesmay
bereplacedormergedwithothers.
Scopesshouldalwaysbestoredcentrally.Sinceonlytheownersortheirdeputies
shouldbeabletoeditthem,theyhavetobeprotectedforeditingandaccessautho-
rizationsshouldbeputinplace.Allpersonsdirectlyorindirectlyinvolvedinaudits
(e.g., in the functional departments concerned) should have read access to the
Scopes.SinceScopescontaincomprehensiveinformationabouttheorganizationof
thecompanyandformthebasisforaudits,accessfornon-departmentemployees
mustbestrictlycontrolledtomaintainconidentiality.AccesstoScopesforauditees
andguestauditorsshouldbedecidedonacase-by-casebasis(seeSectionD,Chap-
ter10).Sinceguestauditorshaveknow-howthatcouldmakeavaluablecontribu-
tiontotheScopes, their involvementprovidesanexcellentopportunitytorevise
existingScopesordevelopnewones.
HintsAndtiPs ;
• AuditorsshouldanalyzetheScopesforsuitabilitytoaspeciicaudittask.
• AuditorsshouldusetheirindividualexpertisetodevelopexistingScopesand
forwardtherelevantinformationtothoseresponsible.
• It may be useful to exchange information on the content of Scopes with the
functionaldepartmentstoobtaintheirinput.
2.1.2 TemplatesandHowtoUseThem
KeyPoints •••
• hemainelementsofaScopearelawsandprofessionalguidelines,theoperat-
ingfunctions,therespectiveprocesses,andtheincludedspeciicobjects.
• AsystemofScopeworksheetsisintendedtofacilitatethestandardizedandsys-
tematicdevelopmentofallScopes.
• hefollowingtypesofScopeworksheetsexist:TableofKeyScopes,Functionsto
Processesrelationshipmatrix,ProcessestoObjectsrelationshipmatrix,andthe
ScopeinDetailtable.
FreeCombinationsFreeCombinations
ResponsibilityforMaintenanceandUpdates
ResponsibilityforMaintenanceandUpdates
AccessAuthorizationAccessAuthorization
TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
ContentofScopes
B|2|2.1
194
• StandardsaredeinedforallsigniicantcontentcomponentsofaScope.
• Scopesneedtobeconsistentwithinthemselvesandclearlydistinctfromeach
other.
Tocoverallthecomplextypesofauditcontentwithinacompany,Scopescontain
thefollowingelements:
• legal and governance provisions, mandated company-internal policies and
guidelines,
• descriptionsoftheorganizationaloperatingfunctions,
• presentationoftherelevantbusinessprocessesandtheirinternalcontrols,and
• theactualauditobjectsasveriiableandauditablecomponentsofoperational
processing.
Scopeshavetomapthenatureandextentoftheseelements,whilealsodescribing
therelationsamongtheminbothquantitativeandqualitativeterms.Whentheyare
createdandwhenchangesaremade,Scopesfollowastandardizedapproachwhich
islaidoutinstandardworksheets.hesestandardworksheetscontainthestructure
oftheScopesandinstructionsonhowtocreatethem.EachScopeworksheet(see
igures below as an example) has diferent audit perspectives, and use of all the
worksheetsavailablewithintheScopewillmaximizetherangeofapplications.
Asshownintheaboveigure,theindexprovidesgeneralinformationandshows
thevariousstandardScopeworksheets.Speciically,thesheetshavethefollowing
functions:
elementsofthescopeselementsofthescopes
deinitionthroughWorksheets
deinitionthroughWorksheets
KeytasksofthescopeWorksheets
KeytasksofthescopeWorksheets
Core Scope: Purchasing
Auditor(s):
Date Completed:
Global Internal Audit Services
1
2
3
4
Table of Key Scopes
Functions-Processes
Processes-Objects
Scope in Detail
Fig. 2 Core Scope Index
195
• he“TableofKeyScopes”breakstheCoreScopedownintomeaningfulaudit
segments.
• he“FunctionstoProcesses”relationshipmatrixshowswhichprocessesafect
orrunthroughwhichoperatingunitsandfunctions.
• he“ProcessestoObjects”relationshipmatrixexplainswhichauditobjectsare
afectedbyaprocess.
• he“ScopeinDetail”tablecontainsallthedetailsspeciictoeachprocessthat
couldberelevanttoanaudit.
Purchase
Requisition
● Purchasing Global/
● Regional/Local Policies
● and Guidelines
● Purchasing Global/
● Regional/Local Strategy
● Global/Regional/Local
● Purchase Terms and
● Conditions
● Intercompany
● Purchasing Policy
● Delegation of Authority
…………
………………
Purchase Order ● Global/Regional/Local
● Purchasing Policies
● and Guidelines
● Global/Regional/Local
● Purchasing Strategy
● Intercompany
● Purchasing Policy
● Authorization Policy
● Purchasing Guidelines
● and Procedures
…………
………………
Content
Key Scopes
Policies/Guidelines/
ProceduresFunctions/Operations Processes Objects
● Purchasing
● Responsibility
● Legal department
● Departments requesting
● goods/services
…………
………………
…………………
● Vendor Selection
● Approvals
● Competitive Bidding
● Contract Negotiation
● Contract Approval
● Purchase Requisition
● creation
…………
………………
● Buyers
● Commodity Groups
● Quote/bid Logs
● IndividualandFrame
● Vendor Contracts
● Delegation of Authority
● O�er Documentation
● Purchase Requisition
…………
………………
● Purchasing
● Responsibility
…………
………………
…………………
● Approval
● Vendor Selection
● Creation of Vendor
● Master Data
● Purchase Order Creation
● Purchase Order
● Execution
● Purchase Order and
● Contract Filing
…………
………………
● Approval
● Documentation
● Purchase Order
● VendorNoti�cation
● Vendor Contracts
● Open Purchase Order
● Report
● Order Con�rmation
…………
………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
…………
………………
…………………
Goods Receipt
Purchase
Related
Accounting
Shared Services
Mandatory
Global Internal Audit Services
Purchasing
Table of Key Scopes
Fig. 3 Table of Key Scopes
B|2|2.1TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
ContentofScopes
196
heTableofKeyScopesprovidesanoverviewofthecontentsofacomplexaudit
area.hisiswhereallthecoreelementsforeachKeyScopearedeined.heTable
ofKeyScopesisprimarilyasummaryprovidinganoverview,aswellasachecklist
forsubsequentsteps.TopreparetheTableofKeyScopes,dratsshouldbediscussed
withtherelevantfunctionaldepartmentsandinterestedtargetgroups(e.g.,theAu-
ditCommittee).Itisespeciallyimportanttomakeafull,one-to-oneassignmentof
audittopicstotheKeyScopes.hecreationofScopesshouldalwaysincludeainal
reviewtoensurethattheScopeiscompleteandfreeofinconsistencies.
heTableofKeyScopesfacilitatesthecreationofassignmentmatrices.heassign-
mentoffunctionstoprocessesshownintheabovediagramisintendedtoprovide
aclearpictureofwhichfunctions(i.e.,organizationalunits)arerunthroughbya
certainprocessandwhichprocessesrunwithinafunctionalbusinessunit.Atthe
sametimethisresultsinacross-checkoftheinformationprovidedintheTableof
KeyScopes:Iffunctionscannotbeassignedtoprocessesorviceversa,theseele-
mentsareeithernotrelevantfortheScopeinquestion,ortheymaynotevenexist.
hemainadvantageofassigningfunctionstoprocessesisthatthistypeofpresenta-
tionallowsselectinganyindividualitemforanauditdependingontheauditobjec-
tive.
tableofKeyscopestableofKeyscopes
FunctionstoProcessesRelationshipMatrix
FunctionstoProcessesRelationshipMatrix
Fig. 4 FunctionstoProcessesRelationshipMatrix
197
hisalsoappliestotheaboveworksheet,whichshowstheassignmentofprocesses
toauditobjects.hisreinesthewayinwhichauditcontentcanbeselectivelyac-
cessedbyanotherlevel.heworksheetexplainswhichspeciicobjectsareincluded
inaprocessandwhichprocessesanobjectrunsthroughatdiferentprocessstages.
heinformationcontainedintheworksheethastobelogical,i.e.,itmustbepos-
sibletoassignatleastoneauditobjecttoeachprocess.heassignmentofprocesses
to audit objects allows looking at partial views, since the spreadsheet shows the
processesthatanauditobjectrunsthrough.
ProcessestoobjectsRelationshipMatrixProcessestoobjectsRelationshipMatrix
1 2 3 4 5 6 7Objects
Processes
1Vendor
Selection
2 Approval
3Competitive
Bidding
4Contract
Negotiation
5Contract
Conclusion
6
Purchase
Requisition
Creation
X X X X X X
X X X X X X X
X X X X X X
X X X X X X
X X X X
X X X X X
Global Internal Audit Services
Purchasing
Purchase Requisition
Processes-ObjectsOptional
BuyersCommodity
Groups
Competitive
BidsQuote Log
Vendor
Contracts
Approval
Authority
Matrix
Purchase
Requisition
X = Applicable
Fig. 5 ProcessestoObjectsRelationshipMatrix
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Planning
Content of Scopes
B|2|2.1
198
P1/O1-O6
Global Internal Audit Services
Purchasing
PurchaseRequisition
ScopeinDetail Optional
Reference Item Data
Vendor
Selection
ImpactsContent Documentation Internal controls
P2/O1-O7 Approval Contract,
Purchase
Requisition,
Vendor Master
Data
P3/O1-O6 Competitive
Bidding
Bid, Contract,
Purchase
Requisition,
Bid Log
Risk Area
Operational
Risks
Operational
Risks
Operational
Risks
Operational
Risks
P5/P1-2,5-6 Contract
Conclusion
Review,
Approve
Approve
Control
Activity
Review,
Approve
Approve
Input
Procedures to
ensure objec-
tive vendor
selection
Procedures to
ensure
competitive
bidding
Contract
Output
Vendor Master
Data
Purchase
Requisition
Vendor Master
Data,
Purchase
Requisition
Approved and
Signed
Contract
Process
Bidding,
Vendor
Selection
Approval,
Delegation of
Authority
Bidding
Approval
Process,
Delegation of
Authority
Document
Purchase
Requisition
Contract
Transparent
Vendor
Selection,
Price-Perfor-
mance Ratio
Transparent
Order Process,
Control Over
Purchasing
Activities
Transparent
Bidding
Process
Legal
Compliance
Fig
. 6
Sco
pe
in D
eta
il
199
Ontheoperationalauditlevel,moredetailedinformationoneachindividualpro-
cessisneeded.hisinformationissummarizedintheaboveScopeinDetailtable.
hisworksheetcollates,atthelevelofaspeciicprocess,everythingthatnormally
belongstoanaspectofieldwork.FirstthelinktothecoordinatesoftheProcesses
toObjectstablehastobemade;therelevantdataislistedunderContent.henext
columnshowstheinputandoutputinformationrelevantfortheprocess,suchas
data,organizationalinformation,orspeciicupstreamprocessesordocuments.At
thisstage,theworksheetshouldalsoprovideclearinformationontheactualobjec-
tiveoraddedvalueoftheprocessinquestion.AnothercolumncontainsInternal
Audit’sdocumentationrequirementsthathavetobemettoobtainauditreliability.
henextcolumncontainsinformationneededtomakesurethattheinternalcon-
trolsforthisprocessareinplace,includingareasexposedtorisk,theinternalcon-
trolsassignedtothem,andtherequireddocumentation.hisstructurehascertain
similarities to the documentation requirements set out in SOX (see Section D,
Chapter14).helastcolumnofthissheetliststheimpactoftheprocessesdescribed
(eitherbeneitsordisadvantages).
ItmustbepossibletoreadtheScopetablesbothtopdownandbottomup,i.e.
theremustnotbeanymissingcomponentsorbreaksinthelogicbetweenthem.For
thisreason,theScopeownermustmaintainandupdateallworksheets,notonly
certainparts.Ifpossible,Scopesshouldalwaysbemaintainedandupdatedintheir
entiretytomakesurethattheyareconsistentwithsubsequentprocesslevels.
Aclariicationmaybenecessarytoavoidanyconfusionabouttheapplicationof
theScopetemplates.Asthecontent-relatedpartofanaudit,thepurposeandobjec-
tiveofScopesistoensurethecompletenessofaudit-speciicworkprograms.Scopes
alsoallowonetoobjectivelydetermineobservations,indings,andrecommenda-
tionsbyprovidingthecriteriaagainstwhichthecurrentconditionofanentityis
compared. However, depending on the extent of an audit, the application of all
Scope templatesdescribed in thischaptermaysometimesnotbe feasibledue to
time constraints. In practice, the consistent application of all Scope templates
willonlybepossiblewhenitisbasedonanintegratedauditmanagementITsolu-
tion.
Withoutsuchasolution,itisstronglyrecommendedtoapplytheTableofKey
Scopesasaminimumtoensurethecompletenessofallrelevantpartsofanaudit
includingtheconsiderationofpolicies,guidelines,processes,andinternalcontrols.
heapplicationof theotherScope templatesmaybeoptionaldependingon the
extentofanauditduetothepotentiallysigniicantworkrequiredtocompletethem.
hepreciseauditcontentwillthenbedescribedindetailintheworkprogramonly.
Mostoftherelevantprocessesandinternalcontrolsarealreadydescribedaspartof
theSOXdocumentation.ReferringtothisSOXdocumentationmayhelptocom-
pile thediferent line itemsof theworkprogramandensurealignmentwith the
structureofprocessesandcontrolsintheauditedareaorentity.
scopeindetailscopeindetail
end-to-endApplicationend-to-endApplication
ApplicationofscopesinPracticeApplicationofscopesinPractice
tableofKeyscopesasaMinimumRequirementtableofKeyscopesasaMinimumRequirement
B|2|2.1The SAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
ContentofScopes
200
In theend, theconsistentandeicientapplicationofallScope templatesde-
pendsontheavailabilityofafullyintegratedauditmanagementITsolution.Ideally,
suchasolutionwouldhelp:
• tocreateandpermanentlymaintainandupdatetheScopes,and
• to link and combine the Scopes with the SOX processes and controls docu-
mentedintheinternalcontrolmanagementtool(seeSectionD,Chapter14).
AssoonassuchanITsolutionisavailable,theentireScopeprocesscanandshould
becomeamandatorypartofeachplannedaudit.
HintsAndtiPs ;
• Auditors should familiarize themselveswith the latestversionof the relevant
Scopesbeforetheaudit.
• AuditorsshouldmaintaintheScopesforwhichtheyareresponsibleonthebasis
ofinternalandexternalinformationandkeepthemuptodateatalltimes.
• WhencreatingScopes,auditorsshouldusetheappropriateworksheetsastem-
plates.AuditorsmayalsoindexistingScopesusefulasguidance.
• Auditors who, during audit preparation, make additions to the information
storedinaScopeshouldconsiderwhetheritisappropriatetoupdatetheScope
and,ifso,contacttheScopeowner.
2.1.3 Overview of Available Scopes
KeyPoints •••
• hedeinitionofScopesallowsaquickoverviewofallimportantaudittopicsin
thecompany.
• hecreationofScopesshouldfollowthematerialityprinciple.
• helistedCoreScopesshowtheauditareasthatareimportantforaglobalhigh-
techcompanywithastronglydevelopeddecentralizedorganization.
BydeiningScopes,InternalAuditcangetanoverviewofallimportantaudittopics
inacompanywithinashortperiodoftime.hecreationofScopesshouldfollow
thematerialityprinciple,i.e.,themainfocusshouldbeoncorporateareasthatare
exposedtoincreasedriskandareimportantintermsofcorebusinessprocesses.
InternalAudithasdeinedthefollowingCoreScopesforSAP,aglobalhigh-tech
companywithstronglydevelopeddecentralizedstructures(inalphabeticalorder):
• AccountsPayable:Structure,organization,andexecutionofaccountspayable
accounting.
• AccountsReceivable:Structure,organization,andexecutionofaccountsreceiv-
ableaccounting.
AuditManagementitsolution
AuditManagementitsolution
overviewofimportantAudittopics
overviewofimportantAudittopics
CorescopesatsAPCorescopesatsAP
201
• Cost Based Activity Charging: Structure and process of cost-based activity
charging.
• Custom Development: Additional customer-speciic developments, as well as
thestructureandorganizationofthisarea.
• Defense and Security: Organization, processes, and standards in connection
withthecreationofsecurity-sensitivesotware.
• EducationalServices:Structure,program,andtasksoftheeducationalservices
area.
• Escalation:Organizational structuresandprocesses incriticalcustomerproj-
ectsandmeasurestoresolveescalations.
• Fraud:Structureandconductoffraudaudits.
• GeneralLedgerAccounting:Structure,organization,andexecutionofgeneral
ledgeraccounting.
• GlobalCommunication:Structureandimpactofglobalinformationandcom-
municationprocesses,bothinternallyandexternally.
• GlobalInitiatives:Globalinternalprojects(e.g.,introductionofsotware)and
activities.
• GlobalMarketing:Structureandorganizationofglobalmarketing.
• GlobalProcesses:Organizationalandprocessstructuresofglobalunits,includ-
ingreporting.
• GlobalQualityManagement:Structureandfunctionsofprocess-relatedquality
assurance.
• HumanResourceswiththreeCoreScopes,whichareCompensationandBen-
eits,Recruiting,andPayroll:PresentationofallorganizationalHRprocesses,
payrolltransactions,andinformationlows.
• IntellectualProperty:Protectedpatent,trademark,andtradenamerightsand
associatedorganization.
• IT:Structure,organization,andfunctionsintheITarea.
• Labs:Labsforthedevelopmentofstandardsotware.
• LicenseAgreements:Overallprocessingandmodalitiesofallcontracttypesin
connectionwithstandardsotwarelicensesales.
• Management:Structureandfunctioningofmanagementprocesses.
• ManagementAccounting:Structureandfunctionsofglobalinancialandman-
agerialcontrol,includingthehandlingofconidentialigures.
• Property, Plant, and Equipment: Structure of property, plant, and equipment
recognizedinthebalancesheet,includinggeneralandspeciicformsofmea-
surement.
• Purchasing:Structureandprocessofaglobalpurchasingorganization.
• RealEstateProperty(includingconstructionprojects):Constructionandman-
agementofcompanyrealestate.
• Risk Management: Integration into the overall organizational process of the
company,includingallspeciicfunctionsandtasks.
The SAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
ContentofScopes
B|2|2.1
202
• SAPConsulting:Structure,organization,andfunctionsoftheconsultingser-
vicearea,includingprojectaudits.
• SecurityofExternalData:Dealingwithdataprovidedbyexternalpartiesfrom
asecuritypointofview.
• SharedServices:Serviceorganizationforcentralbusinessprocesses,takinginto
accountalllegalandtaxissues.
• SOX:OrganizationandconductofauditsundertheSarbanes-OxleyAct.
• Subsidiaries:Summaryofallbusinessprocessesthatregularlyoccurinasubsid-
iary,includingorganizationandresponsibilities.
• hirdPartyLicenses:Structure,process,and impactof integratingandusing
third-partylicenses.
• TravelManagement:Structure,processes,andimpactofglobaltravelmanage-
ment.
• Treasury:Allinancialtransactions,takingintoaccountallinternalandexternal
treasurytasksandtheorganizationalsafetyandsecuritymeasuresrequiredfor
thispurpose.
• WorldwideTransferPolicy:Typesandexecutionofworldwidetransfersofin-
ternalemployees.
heCoreScopeslistedaboverepresentacomprehensiveframeworkofauditcon-
tentandtargets.Eachofthemincludesupto15KeyScopes,whichcanbecombined
asrequiredbyindividualcircumstances.hecomplexityofthedataallowsGIASto
conductextensiveandveryspeciicaudits.
2.2 AnnualAuditPlanning
KeyPoints •••
• AnnualauditplanningisanintegralpartoftheAuditRoadmap.
• Annualauditplanningcomprisesthecreationofriskproiles,thecompilation
oftheauditinventory,aswellasthecreationoftheannualauditplanandofthe
regionalteam-basedexecutionplans.
InadditiontocreatingScopes(seeSectionB,Chapter2.1),annualauditplanningis
thesecondcomponentoftheAuditRoadmapindependentfromanyspeciicaudit
activities.heculminationoftheannualauditplanninginvolvesscheduling,i.e.the
audits linedupforayearareslotted into theavailableweeksandmonthsunder
considerationofpersonnelcapacities.Anadjustmentoftheassignmentduringthe
yearmayafectauditsstilltobeconducted.hischaptergivesanoverviewofthe
maincomponentsofauditplanningandtheirimpactonday-to-dayauditwork.For
amoredetaileddiscussion,seeSectionD,Chapter3.
AuditContentandtargets
AuditContentandtargets
ContentoftheAnnualAuditPlan
ContentoftheAnnualAuditPlan
203
hediagramaboveshowsthattheannualauditplanningphasebreaksdownintoa
numberoffurthersub-phases.Annualauditplanningbeginswiththecreationof
riskproilesforallpossiblyrelevantauditableentities.Forallthoseentitiesarisk
proileiscreated,andtheyaresubsequentlyaddedtotheauditinventory.hean-
nualauditplanisthencompiledbasedonthetopicsintheauditinventoryandtheir
respectiveriskproiles.
Foreachauditableentityariskproileiscreated.Eachriskproileincludestwo
signiicantcomponentsinamatrixformat.hehorizontaldimensionisbasedupon
thestructureoftheSOXprocessgroupsandensurestheconsiderationofallrele-
vantprocessesandcontrolsrequiredforSOXcompliance.heverticaldimension
denotesso-calledriskindicatorswhichallowdetailedriskassessmentonboththe
processgroupandtheentity level.herisk-assessment iscompletedbyGIASas
wellasbyGlobalRiskManagement.Bothresultsarecombinedandweightedbya
predeinedratio.(75%InternalAuditto25%RiskManagementisrecommended.)
Allevaluatedentitiesareincludedintheauditinventorywiththeirassociated
risklevels.heinventorymirrorsthetotalnumberofrisk-assessedentitiesandis
structured by GIAS teams. he annual audit plan is derived from the inventory
basedupontheprioritiesgivenbytheriskassessment.hisapproachenablesAudit
Managerstocontinuouslymaptheirinventorytotheannualauditplanand,ifre-
quired,addressanyunforeseeableeventsandauditneeds.
subPhasesofAnnualAuditPlanningsubPhasesofAnnualAuditPlanning
CreatingRiskProilesCreatingRiskProiles
CreatingtheAuditinventoryCreatingtheAuditinventory
Fig. 7 OverviewofthePlanningProcess
TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
AnnualAuditPlanning
B|2|2.2
204
heannualauditplanistheresultofseveralsteps(seeSectionD,Chapter3).It
isimportantintheplanningphasetoirstconsiderthoseauditsthatmustbecon-
ducted,takingavailablecapacitiesintoaccount.henotherauditsareaddedinline
withtheirpriorityasidentiiedduringtheriskassessment.Oncetheannualaudit
planiscomplete,itispresentedtotheAuditCommitteeforconcurrenceandthe
CEOisinformed.
hestructureoftheannualauditplanfollowsGIAS’teamstructure.hisen-
sures the proper allocation of the audits according to the responsibilities of the
teams.Withineachteam,theauditengagementsaresortedaccordingtotheirpri-
oritiesandappeareitherasixedengagementsorpotentialengagementsdepending
ontheirriskrating.
heannualauditplanisembeddedintotheauditperformancerecord,which
providesup-to-dateannualstatisticsofcompletedauditsandthestatusofaudits
not(yet)conducted.heauditperformancerecordafordsaquickoverviewofthe
activities of Internal Audit. At SAP, the audit performance record is maintained
centrally,makingsurethattheentireGrouphasauniformunderstandingofInter-
nalAudit’sactualperformancerequirements(seeSectionD,Chapter11.2.1).
henextstepatercreatingtheannualauditplanisthepreparationoftheactual
executionplan.Twopointsareofimportanceattheactivity-relatedlevel:
• hescheduledauditshavetobeassignedaccordingtothenumberandskillsof
the auditors. Qualiication, experience, availability, etc. are important for the
compositionofeachauditteam.
• hetimeplanningandsequenceofthevariousauditsisacloselyrelatedissue.
heauditperformancerecordhastobeconsultedtoensurethatthescheduled
auditscan in factbeconductedbasedonpreviousperformanceandtimere-
quirements.Itisalsoimportanttoschedulereservecapacitiesforunscheduled
audits.hisallowsidentifyingnoticeablecapacityover-orunderutilizationin
timetomakeadjustmentstotheplan.
hesestepscompletetheannualauditplanning.
Generally,whencompletingtheannualauditplanning,interactionwithother
phasesoftheAuditRoadmapshouldbeconsidered.hefollowingpointsareim-
portant:
• AssigningtherelevantScopestoeachauditduringtheplanningphasefacilitates
matchingauditsegmentswithplannedaudittasks.Oten,aone-to-onerelation-
shipexists.MatchingScopestoauditsisagoodwaytoindoutwhetherScopes
areavailableforaspeciicauditand,ifnot,whatstepsneedtobetakentocreate
Scopesbeforetheactualaudit.
• Anauditannouncementissentoutatasetpointbeforethestartoftheaudit
(seeSectionB,Chapter3.1).hisisanotherimportantreasontocompletethe
detailedplanningatanearlystage.
• Additionalauditsmayberequestedduringtheyear(seeSectionB,Chapter2.3).
It isthereforepossibletohavecompetingplanningscenarios.Foreachcasea
CreationoftheAnnualAuditPlan
CreationoftheAnnualAuditPlan
structureoftheAnnualAuditPlan
structureoftheAnnualAuditPlan
AuditPlanasPartoftheAudit
PerformanceRecord
AuditPlanasPartoftheAudit
PerformanceRecord
executionPlanningexecutionPlanning
interactionwiththeAuditRoadmap
interactionwiththeAuditRoadmap
205
decisionmustbemadewhethertheadditionalauditrequestisalreadycovered
inthecurrentplan,orwhetheritshouldbeaddedtothisyear’sornextyear’s
plan.
heplanningisintegratedintotheAuditRoadmap,bothintermsofthegeneral
planandtheoperationalexecutionplan.Moreover,theauditperformancerecord,
mentionedearlier,isonesteptowardacompleteaudit-relatedmonitoringsystem,
thusgivingtheplanningdataanevengreaterweightinthecontrolandanalysisof
variances.
HintsAndtiPs ;
• On the basis of the audit topics expected of them, auditors should reconcile
theirtimecommitmentstooptimizetheirpreparationsfortheplannedaudits.
• Auditorsshouldpreparepersonalsummariesofscheduledandactuallyrequired
timesandanalyzeanyvariances.
LinKsAndReFeRenCes e
• BEuMER,H.2004.StartingfromScratch.Internal Auditor (August2004):79–85.
• HuBBARD,L.2000.AuditPlanning.Internal Auditor (August2000):20–21.
• InSTITuTEOFInTERnALAuDITORS.2001.Implementation Standard 2010.A1: As-
surance Engagements. AltamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITuTEOFInTERnALAuDITORS.2001.Practice Advisory 2010-1: Planning. Al-
tamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITuTE OF InTERnAL AuDITORS. 2001. Practice Advisory 2010-2: Linking
the Audit Plan to Risk and Exposures. AltamonteSprings,FL:heInstituteof Internal
Auditors.
• InSTITuTE OF InTERnAL AuDITORS. 2001. Practice Advisory 2030-1: Resource
Management. AltamonteSprings,FL:heInstituteofInternalAuditors.
• KRAMER,J.1999.PlanningforWorld-ClassAudits.Internal Auditor(October1999):88.
• RIFE,R.2006.PlanningforSuccess.Internal Auditor (October2006):25–29.
2.3 AuditRequest
KeyPoints •••
• AnyemployeecanrequestanauditorspecialservicefromInternalAuditfora
varietyofreasonsatanytime.
• InternalAuditreviewsrequestspromptlyanddiscussesthenextstepswiththe
Board.
signiicanceoftheAnnualAuditPlanningsigniicanceoftheAnnualAuditPlanning
TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
AuditRequest
B|2|2.3
206
• Dependingontheoutcomeofthisassessment,therequestmaybemetimme-
diately,includedinfutureplanningorintheauditinventory,orreturnedtothe
requestor.
Inadditiontotheannualauditplanningdescribedearlier(seeSectionB,Chapter
2.2),thereisanotherwayinwhichauditsareinitiated:auditrequests.newevents
orchallengesthatthecompanyfacesotenmakeitnecessarytoconductadditional
audits (or perform other services). Audit requests are an important tool for the
Boardtoensurecompliancethroughouttheorganization.
Ad-hoc audit requests are submitted for a variety of reasons. he main ones
are:
• Circumstanceshavearisenthatmakeanimmediateauditseemsensible.Such
circumstancesmayincludegeneralleadsorhardevidenceoffraud.
• InternalAuditreceivesunoicial informationaboutmatters tobeaudited.In
suchcases,InternalAuditcanissueanauditself-request.
• Changesinorganizationalworklowsarecausingproblems.Inthiscase,anau-
ditrequestmayincreasethepriorityofanauditthathasalreadybeenscheduled
ormaydirectlyleadtoaseparateaudit.
• heBoardidentiiestheneedforanaudit,e.g.,inconnectionwithcriticalcus-
tomerprojects.
• InternalAudit isasked for supportaspartofother services it isperforming,
forexampleinternalprojectreviewsorprojectmanagementsupport,whichis
particularlyimportantinglobalprojects.
Anycompanyemployeecanmakeanauditrequest.Sincethiscouldpotentiallylead
toaloodofrequests,InternalAudithasthediscretiontodecidehowtodealwith
eachrequest.hismaymeanthatarequest:
• leadstoanimmediateauditorotherserviceofInternalAudit,
• isintegratedintotheannualauditplan,or
• isincludedintheauditinventory.
Assoonastheauditrequesthasbeenapprovedandsignedbythepersonresponsi-
ble,itautomaticallyturnsintoabindingauditengagementletterforInternalAudit.
Inrarecases,anauditrequestmaybeturneddown,althougharejectionmustbe
suicientlyjustiiedanddocumented.
AnauditbyInternalAuditcanonlybeinitiatedaspartoftheregularannual
auditplanningorinresponsetoadulyapprovedrequest.hisensuresthataudits
cannotbeconductedarbitrarily.EvenifInternalAuditactsinresponsetoaself-
request,therequestwillonlybeacceptedateracriticalreviewbyInternalAudit
managementincooperationwiththeresponsibleBoardmember(e.g.,theCEO).
heauditrequestisalwaysassessedwithriskexposureinmind.Forthisreason,
eachrequestedauditissubjectedtoariskassessment.hismayleadtoacompeti-
tivesituationwhenthecurrentriskassessmentofad-hocrequestsarecompared
needforanAuditRequest
needforanAuditRequest
ReasonsforanAuditRequest
ReasonsforanAuditRequest
dealingwithanAuditRequest
dealingwithanAuditRequest
solidBasisforanAuditRequest
solidBasisforanAuditRequest
207
withauditstheriskassessmentofwhichmayhavebeencarriedoutseveralmonths
earlier.hismeansthattherequestcanonlybefullyjudgedonthebasisofallavail-
ableinformation.Anauditrequesttemplateisprovidedintheigurebelow.
Fig. 8 AuditRequest
B|2|2.3TheSAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
AuditRequest
208
Anauditrequestcanbeusedtoapplyforauditsandanyotherservicesoferedby
InternalAudit(seeSectionA,Chapter7):
• Anengagementrequestisrequiredforallauditsthatarenotpartoftheannual
auditplan.
• Apre-investigationrequestisusedforpreliminaryaudits.
• Areviewrequestismainlysubmittedforconcept,guideline,andcustomerpro-
jectreviews.
• Arequestfornon-audit-relatedservicescanbesubmitted,forexample,forin-
ternalconsultingservicestobeperformedbyInternalAuditandforservicesin
connectionwithinternalprojectmanagementtasks.
To simplify, we use the term “audit request” as a general term for all the above
types.
InternalAuditprocessesaudit requestsaccording toadeinedsystem,which
comprisesthefollowingsteps:
• herequestingunitillsintherelevantform,clearlystatingtherequiredtasks
andpreferredtimings.
• InternalAuditcheckstherequestimmediatelyandresolvesanyquerieswiththe
requestingparty.
• heCEOreceivesinformationaboutallauditrequests.
• he number of auditors and estimated time requirement are assigned to the
auditrequest.
• Acopyoftherequestfortheauditconcernedorotherservicestobeperformed
byInternalAuditissenttotheAuditManagerresponsiblesothatpreparations
canbegin.heoriginalsareiledcentrallyintheoiceoftheCAE.
• Iftherequestisnotdealtwithimmediately,therequestingpartyisinformedof
thedelay.
Requestsforauditsandotherservicesmadeinthecourseofayearmayrequirea
dynamicresponsebyadaptingtheauditplan.Asaresult,thefocusofauditsmay
shitsothatInternalAuditcanadapttoday-to-dayoperationsandavoidrunning
theriskofauditingmattersthathavelostrelevance.However,auditslistedinthe
annualauditplanshouldnotbecancelledwithoutdueconsiderationbecausethe
annualauditplanistheresultofcarefulrisk-orientedplanning.Cancelledaudits
shouldreceivehighpriorityinthenextyear.
2.4 CompositionandRoleoftheAuditTeam
KeyPoints •••
• hecompositionoftheauditteamisofkeyimportance.
• Itisadvisabletoselectemployeeswhoaremostlikelytoaccomplishthetaskat
handnotonlyintermsofexpertise,butalsopersonality.
typesofAuditRequesttypesofAuditRequest
ProcessingAuditRequests
ProcessingAuditRequests
impactofAuditRequests
impactofAuditRequests
209
• hechoiceofauditleadrequiresparticularcare.
• Apartfromtheactualteamcomposition,otheraspects,suchasrequestingsup-
portservicesfromotherparties,havetobeconsidered.
Auditteamsarecomposedwithconsiderationtothetype,content,andextentof
theaudittobeconducted.Inaccordancewiththedual-controlprinciple,eachaudit
shouldbeconductedbyatleasttwoInternalAuditemployees,oneofwhomhasto
actasauditlead.hisguaranteesthatthetasksandresponsibilitiesareclearlyas-
signedforeachaudit.
heauditleadshouldbenominatedearly.Inthecaseofglobalaudits,theendof
theauditplanningphaseisagoodtimetoappointtheauditlead.Forallotherau-
dits,theappointmentshouldbemadewellaheadbeforetheauditannouncementis
sentout(seeSectionB,Chapter3.1).However,iftheauditleadisnominatedtoo
early, changes may be necessary later on. he position of audit lead is a lexible
technical coordination role related to a speciic audit. he nomination is deter-
minedbyworkloadsandeiciencyconsiderations.Allsuitableauditorsshouldbe
giventheopportunitytoprovethemselvesasauditleads.
heAuditManagerisresponsibleforselectingtheauditteams.heCAEalso
hasavoiceintheselectionoftheteam,especiallyforglobalauditsandauditsthat
areofspeciicinteresttotheBoard.Individualauditteamcompositionsareout-
linedfortheirsttimewhentheannualauditplaniscompiled(seeSectionB,Chap-
ter2.2).heprocessof teamand topicassignment should take intoaccount the
auditors’expertiseandexperienceaswellastheirmaininterestsandrequestsfor
furthertraining.Itisusefulatthisstagetoestablishemployeeproiles(seeSection
A,Chapter4.5)onthebasisofwhichauditorsareassignedtospeciicaudits.
Whenselectingtheauditteammembers,considerationshouldbegiventoaudit
content, cultural group, and linguistic requirements, as well as personal aspects.
Althoughauditteamsprimarilymustbeabletomeettherequirementsoftheaudit,
itisalsoimportantthattheteammembersareagoodsocialitandareabletowork
together,especiallyininternationalassignments.hemanagementofInternalAu-
dithas todealwiththechallengeofrecognizingthesecircumstancesandtaking
appropriateactions.
Inadditiontothebasicrequirementsofauditteamcomposition,anumberof
otheractivitieshavetobeperformed.Taskssuchasthecompilationofthework
programmustbeassignedandtheneedforguestauditors(seeSectionD,Chapter
10)determined.Inaddition,itmaybenecessarytoenlistadditionalteammembers
forconsultingandsupportandtodeineescalationpathsincaseproblemsoccur
(seeSectionD,Chapter6).Lastly,cooperationwithexternalpartieshastobecoor-
dinated(seeSectionD,Chapter2).
heassignmentof tasksmustbeorganized in termsof timing. Inparticular,
datesformeetingsandforpreparinginterimresultsmustbeset.Forinternational
auditsinfrastructurehastobeconsidered.heworkprogramshouldbediscussed
with the team and individual task areas and milestones have to be deined. A
organizationorganization
AuditLeadAuditLead
GeneralCriteriaGeneralCriteria
PersonalCriteriaPersonalCriteria
otherActivitiesotherActivities
timeConsiderationstimeConsiderations
The SAP®-AuditRoadmapasaWorkingBasisforInternalAudit
Planning
CompositionandRoleoftheAuditTeam
B|2|2.4
210
timesheetisausefultoolinthisregard;ithelpstocalculateandprovideevidence
foreachtimecomponent(seeSectionA,Chapter4.7).
Eachteammembermustunderstandtheauditprocessbeforethebeginningof
theaudit.Itisthereforeimportanttoholdjointkickofmeetings,whereimportant
aspectsoftheauditarehighlighted.Inaddition,theteammemberresponsiblefor
takingminutesshouldbeidentiiedandthemannerforpresentinginterimresults
shouldbeclariied.Accesstosensitivedatashouldbediscussed.
HintsAndtiPs ;
• Auditleadshavetodevelopanunderstandingearlyonofthetechnicalandper-
sonalskillsrequiredoftheirauditteams.
• Oncetheauditleadhasbeenappointed,heorshemusthaveasayinchoosing
teammembers.
• Procureanyadditionalresourcesnecessarywellinadvance.
distributionoftasksdistributionoftasks
211
3 Preparation3.1 Audit Announcement
KeyPoints •••
• AuditannouncementsgiveInternalAuditandtheunittobeauditedtheoppor-
tunitytocometoacommonunderstandingontheactualauditanditscontents
wellinadvanceoftheaudit.
• Suchannouncementsareadvisablewithinacertainperiod,dependingonthe
auditorservicetype.
• Althoughtherearemanyargumentsinfavorofauditannouncements,itshould
becriticallyexaminedwhetherannouncingtheauditjeopardizesauditobjec-
tives.
• Whatever the circumstances, announcements have to be in general terms so
thattheextentoftheauditcanbesupplementedwithresultsfromieldworkor
otherauditsatanytime.
heauditannouncementservesanimportantfunctionaspartofthepreparations
foranaudit.heauditannouncementgivesthedepartmentstobeauditedandthe
managersresponsibleanunderstandingofauditobjectivesandbreadthoftheaudit
andoutlinesfurthertestprocedures.hiscreatesbothanopportunityandanobli-
gation for Internal Audit to announce audits to auditees before the actual audit
workcommences.heauditannouncementispreparedbytheauditleadandap-
provedbytheAuditManager.
In general it must be accepted that Internal Audit, which is an independent
body,hastherighttoconductauditsinresponsetocertainrisksituationsatany
time, even without prior announcement. It is advisable not to announce certain
typesofauditsinadvance,butthereareothertypesofauditforwhichitmaybe
sensibletomakeanannouncement.Inparticular,allstandardandspecialaudits
conductedaspartoftheannualauditplanshouldbeannounced.Additionalaudits
initiatedbyseparateauditrequestsshouldbeannouncedonlyiftheywereincluded
intheannualplanasanexception.AnannouncementhasadvantagesifInternal
Auditstronglydependsonsupportfromtheunitbeingauditedorifitisconducting
auditsacrossdiferentunits.
Reasonsforannouncinganauditinadvanceinclude:
• heannouncementgivesthepartiesconcernedinformationaboutwhentoex-
pectanauditbyInternalAudit.hisallowsthedivisiontoincludetheauditin
theirownplanningandtoensurethattherelevantpeopleandrequireddocu-
mentsareavailable.
• heauditcontentannouncedgivesbothInternalAuditandthedivisiontobe
auditedtheopportunitytofamiliarizethemselveswiththeauditobjectivesatan
earlystage.hisallowsthepartiestoaddtotheScope(seeSectionB,Chapter
2.1),resolveanymisunderstandings,andagreeonwhatisbeingcovered,sothat
nounnecessaryinterruptionsoccurduringtheaudit.
DeinitionDeinition
AreasofUseAreasofUse
ReasonsforAnnouncingAuditsReasonsforAnnouncingAudits
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Preparation
Audit Announcement
B|3|3.1
212
• Inaddition,bothpartiescanagreeonproceduresforparticularlysensitivein-
formationanddata.InternalAuditmayneedaccesstoconidentialinformation
foritsieldwork.Specialaccessrightstosuchinformationmayhavetobear-
ranged.
• Incaseofdoubt,bothInternalAuditandthedivisiontobeauditedcanrefer
totheauditannouncementregardingthecontentoftheaudit.However,anan-
nouncementmustneverbeunderstoodasalimittotheaudit.Itshouldrather
bewordedinsuchawaythat,althoughthecontentsspeciiedarethemandatory
minimumfortheaudit,theactualauditworkmaybeadjustedaccordingtothe
auditprogressandwithchangingrequirements,orifappropriate,attheaudi-
tors’discretion.
• Anotheradvantageofannouncinganaudit is thattheauditcannotbeeasily
delayedorrescheduled.However,ifitturnsoutthatanauditisnolongerneces-
saryorhastobepostponed,thepartiesdecidejointlyhowtoproceedfurther.
• Ultimately,announcingauditsbeneitstheauditorsbecausetheycanmaintain
areliableplanningschedule.However, ifthereareunexpectedauditrequests,
someoftheauditsalreadyannouncedmayhavetobepostponed,scaleddown,
or,inrarecases,cancelledaltogether.
heexamplebelowshowsthemostimportantinformationthatanauditannounce-
mentisintendedtoaddress.Inadditiontogivinggeneralauditdataandnaming
theaddressees,italsoservestoexplainthemissionofInternalAudit(seeSectionA,
Chapter3.1)andtheobjectivesandcontentoftheplannedaudit.
ContentofAuditAnnouncementsContentofAuditAnnouncements
Global Internal Audit Services
Audit Announcement
Conducted in accordance with the International Standards
for the Professional Practice of Internal Auditing.
Audit Type: Audit Title:
Audit Report No:
Audit Status:
Executive responsible:
Date of Audit:
Audit Lead:
Auditor(s):
Distribution List:
Mission and Aims of GIAS:
Scope and Objectives:
Contact:
Fig. 9 Audit Announcement
213
Auditannouncementsareusedindiferentways,dependingonthetypeofaudit.
Forstandardaudits,atleasttwoweeks’noticeisrequiredbeforetheaudit,butindi-
vidual leadtimesmustbeobservedforspecialaudits.Localandregionalspecial
auditsmustbeannouncedonaveragethreeweeksbeforetheaudit.Becauseglobal
special audits require more comprehensive consultation among the parties in-
volved,theyshouldbeannouncedwithatleastfourweeks’notice.
Becauseoftheirspecialnature,ad-hocauditsusuallyrequirethatInternalAudit
takesimmediateactionwithoutpriorwarning.hesameappliesiftheobjectiveis
touncover factsand to secureevidence in this regard. If anadditional standard
audithasbeenrequestedonanad-hocbasis, anauditannouncement shouldbe
senttothoseafectedimmediately.
AuditannouncementsmustalwaysbedirectedtotheCEOandtheCFO.Depend-
ingonthestructureandorganizationofthecompany,announcementsshouldad-
ditionallybesenttooperationalmanagementandthehigherlevelsofmanagement
iftheirareasofresponsibilityareafected.Allannouncementsofstandardaudits
are simultaneously sent to the central corporate departments (e.g., Management
Accounting,FinancialReporting,Legal,Taxes,etc.).heauditannouncementasks
operationalmanagementofthedivisiontobeauditedtonotifyallemployeesinthat
divisionwhowillbeinvolvedintheaudit.
heauditannouncementispartoftheAuditRoadmapandisthereforeanele-
mentofmostaudits.Injustiiedexceptionalcircumstances,itmaynotbepossible
(e.g., ifcertainindividualsaresuspected)ornecessary(e.g., forunannouncedli-
cense audits) to make an announcement. he system of audit announcements
shouldnotmakeaudits toopredictable,becauseacertainelementof surprise is
necessaryfortheworkofInternalAudit.Itisarealpossibilitythat,givenenough
warning,thedivisiontobeauditedcouldmanipulatedocumentsormakeinappro-
priateuseoffactsandinformation.Suchmanipulationmustbeprevented.
timeHorizontimeHorizon
noPriorAnnouncementofAd-HocAuditsnoPriorAnnouncementofAd-HocAudits
AddresseesAddressees
AssignmenttotheAuditRoadmapAssignmenttotheAuditRoadmap
Standard audits Special audits Ad-hoc audits
Announcements
two weeks
three
weeks
four
weeks
Local/
RegionalGlobal
imme-
diatelyno
StandardSpecial/
One-time
Fig. 10 Timing of Audit Announcements
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Preparation
Audit Announcement
B|3|3.1
214
InternalAuditmustnotcreatetheimpressionthatitsuddenlystrikesatrandom
incertaindepartmentsinordertolookforerrors.Besides,auditsriskbeinginei-
cientandinefectiveifanunannouncedauditcausesthedivisionbeingauditedto
provideonlyhalf-heartedsupportornoneatall.InternalAuditmustgiveconsider-
ationtothecircumstancesoftheauditwhendeterminingwhethertomakeanan-
nouncement. he cultural perception of audits plays an important role in this
regard.
HintsAnDtiPs ;
• Discusstheauditcontentasdeinedintheauditannouncementwiththemain
personresponsiblefortheaudit.
• Auditteammembersshouldreceiveacopyoftheannouncementandkeepiton
record.
3.2 Work Program
3.2.1 Standard Structure of the Work Program
KeyPoints •••
• heworkprogramisasetofoperationalinstructionsforimplementingScopes
aspartofanaudit.
• Eachworkprogramhasaplanningandanimplementationcomponent.
• he individual ieldwork activities are described on the basis of the diferent
Scopelevels.Completenessismoreimportantthanadetaileddescription,be-
causetheactualieldworkisdescribedindetailintheworkingpapers.
• Inaddition,theremayalsobeworkprogramsthatarenotbasedonany,oronly
onaveryrudimentary,Scope.
• Ifusedrepeatedly,workprogramscanbestandardized.
heworkprogramcanbeinterpretedasaseriesofinstructionsforauditorsbecause
itsfunctionistodividealltheauditmaterialintosmallpackagesandtodescribethe
workingstepsthatmustbetaken.heworkprogramisalinkbetweentheplanning
phaseofanauditanditsactualexecution,i.e.,itusesspeciicinstructionstotrans-
formtheplannedauditcontentintoanactualauditprocess(seeSectionC,Chapter
3.2.2).Inarisk-basedauditapproach,analyticalauditprocedures(seeSectionC,
Chapter3.1)areusedtoassessandprioritizetheauditworkgenerallyincludedin
theworkprogram.hebasisforthisassessmentistheScopes.hegoalistoalign
thedetailoftheworkprogramwiththespeciicaudittask.
heworkprogramrepresentsasystematicplanfortheaudit.Italsoallowsthe
auditleadtocheckthattheauditedcontentcorrespondstothecontentoftheas-
DisadvantagesofUnannouncedAudits
DisadvantagesofUnannouncedAudits
DeinitionDeinition
AdvantagesAdvantages
215
signedScopes(seeSectionB,Chapter2.1).Inaddition,itprovidesabasisfortrain-
inginexperiencedauditorstofamiliarizethemwiththeobjectivesofanaudit,the
Scope,andthetestprocedures.heauditleadcommunicatesthisworkprogramto
theauditorsinvolved.Aworkprogramcanalsobeusedtoensurethatthesame
benchmarksareappliedtoauditswiththesameorsimilarcontentasauditscon-
ductedinthepast.hisachievesalevelofstandardizationthatallowscostandtime
savingsduringauditpreparation.
heirstcolumnoftheworkprogramhastheheading“KeyScope.”Itreferstothe
relevantKeyScopeoftheCoreScopeonwhichitisbased.Ifthestructureisvery
detailed,the“Area/Object/ProcessunderAudit”columnprovidestherelevantpro-
cess coordinates from the “Processes to Objects” Scope matrix (see Section B,
Chapter2.1.2).
OncetheScopeshavebeendetermined,thecontentoftheworkprogramhas
beendeined.Itispossibletorefertothestandardinformationorstandardparam-
KeyscopeKeyscope
Risks andinternalControlsRisks andinternalControls
Fig. 11 The Work Program
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Preparation
Work Program
B|3|3.2
216
etersoftheScopesincolumns3through5(AuditObjectives,Risks,ExpectedCon-
trolActivities).Sincetheworkprogramshouldbetailoredtoeachauditindividu-
ally,audit-speciicobjectivescanalsobeincluded.Inaddition,furtherrisksand/or
internalcontrolsmayneedtobedeined.Whendeterminingrisks,itisusefulto
refertothestandardcategoriesandsubcategoriesoftheriskmanagementsystem.
Inthiscontext,itisalsopossibletoaccessinformationrelatingtoSOXaudits.In
bothcases,severalentriescanbemadeintheworkprogram.Topreserveaudit-
speciiccharacteristics,auditorsshould,however,avoidacceptingdefaultrisksand
internalcontrolswithoutcriticallyquestioning theirvalidity (fordetailsonrisks
andinternalcontrolsintheworkprogram,seeSectionB,Chapter3.2.3).
henextcolumnoftheworkprogram,the“TestProcedures”column,describes
eachplanned testprocedure.Here, auditorshave toenterallieldworkactivities
thatseemsensiblefromaplanningpointofviewandareexpectedtooccurwhen
theauditisconducted.hereisnoneedtoprovidegreatdetail,becausethisisonly
possibleduringtheactualieldwork.Itismoreimportanttopresentthefundamen-
talstructureofessentialtestproceduresrelatingtotheauditobjectives.However,
acertainlevelofcompletenessisalsoworthaimingfor.hevariousieldworkac-
tivitieslistedmustbeconsistentwitheachotherandultimatelydeinethespeciic
frameworkforthetestprocedurestobeperformed.Itmaybenecessarytoname
severalauditstepsforeachitemoftheworkprogram.Usually,thehighertheag-
gregation levelof theauditcontent, themoreieldworkactivitieswillhavetobe
deined.hedescriptionoftheindividualtestproceduresconcludestheplanning
partoftheworkprogram.
Nextistheareaofcontrolanddocumentationoftheactualauditexecution.In
theAuditRoadmap,thesestepsareassignedtotheauditexecutionphasewhichis
coveredinSectionB,Chapter4.herefore,onlytheaspectsrelevanttothedescrip-
tionoftheworkprogramarementionedatthispoint.
Ifieldworkcannotbeperformedtotheextentplannedoratthenecessaryqual-
ity,anotetothisefectshouldbemadeinthe“Comment”column.he“Working
PaperReference”columnestablishesthelinktotheworkingpapers(seeSectionB,
Chapter4.2).
hedesignoftheworkprogramhasasanadditionalobjective:tosupportaclear
deinitionofprocessesandobjects.Proposalsforbestpracticesolutionsaredevel-
opedonthisbasis,allowingcomparisonsofthemodelprocesseswiththeprocesses
thathaveactuallytakenplace,eitherataglobalorataregionallevel.Iftheto-be
andas-issituationsdonotcorrespond,variancesmayoccur,resultinginauditind-
ings.
Itshouldalsobementionedthattherecanbeworkprogramsthatarenotlinked
toaScopeorarelinkedtoaverycondensedScope.hismayhappeninthecaseof
newtopicsinad-hocauditsorauditsthatcanonlybedetailedstepbystepinthe
courseoftheaudit.hekeyforsuccessfullycreatingaworkprograminthesecases
isverydetailedprogressplanningandmonitoring.
individualtestProcedures
individualtestProcedures
ControlandDocumentation
ControlandDocumentation
Comment,WorkingPaperReference
Comment,WorkingPaperReference
ClearDeinitionofProcessesandobjects
ClearDeinitionofProcessesandobjects
WorkProgramswithoutLinktoscope
WorkProgramswithoutLinktoscope
217
HintsAnDtiPs ;
• Findoutbeforehandwhetheranyworkprogramsalreadyexistfortheupcom-
ingaudit,andworkthrougholdworkprogramsbeforetheauditandtakeany
relevantinsightsintoaccount.
• Auditorsshouldtrytorecordalloperationalinformationrelatingtotheaudit
intheworkprogram.hisgivesthemacentraldocumentfortheentireaudit
process.
3.2.2 Integration of the Work Program
KeyPoints •••
• he work program integrates upstream and downstream stages of the Audit
Roadmap,i.e.,theScopes,theieldwork,andtheworkingpapers.
• he relationship between the work program and the Scopes is that the work
programassignsthecontentoftheauditmaterialtotheplannedauditsteps.he
relationshipbetweentheworkprogramandtheworkingpapersiscenteredon
givingevidenceontheimplementationoftheauditsteps.
• Althoughbothrelationshiplevelsdeinecertaindependencies,theyofergreat
lexibilityfortheindividualaudit.
One of the key features of the work program is its integrative relationship with
otherelementsoftheAuditRoadmap.Likeabridge,theworkprogramlinksthe
auditcontentandtheScopesontheonehandwiththescheduledauditactivities
and resultson theother.he topics selected for theaudit arebrokendown into
workpackagesandthecorrespondingtestprocedures,thusmakingtheaudittopics
moretangiblefortheauditandsubsequentchecks.
heselectionofthemainauditcontentsfromthetotalofallScopesandtheir
integrationintotheworkprogramisveryimportantforthesuccessofanaudit(for
detailsonthecontentofScopes,seeSectionB,Chapter2.1).Ifthereismorethanone
Scope,adecisionhastobemadetowhatlevelofdetailtheauditistobeconducted.
Anindividualassessmentofthetimingandtheobjectivesoftheauditismadeatthis
stage.
Anotherimportantquestionistherelationshipbetweentheitemsofthework
programandtheresultingieldworkactivities.Forexample,aworkprogramitem
maycontainadetaileddescriptionoftheactualieldwork.Byputtingvarioussepa-
rateieldworkactivitiestogether,ahigherlevelisachieved,i.e.thecombinationinto
aworkpackage,whichcaninturnformaworkprogramlevel.
Itdoesnothappenotenthatseveralworkprogramitemsarecombinedintoa
singleieldworkactivity,althoughitmaybefeasible,especiallywhencircumstances
PurposeoftheWorkProgramPurposeoftheWorkProgram
WorkProgram/scopeRelationshipWorkProgram/scopeRelationship
LevelsoftheWorkProgramLevelsoftheWorkProgram
CombinedWorkProgramitemsCombinedWorkProgramitems
B|3|3.2The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Preparation
Work Program
218
donot(yet)permitseparateieldworkactivitiesormakecombiningworkprogram
itemsseemasensiblecourseofaction(e.g.,combiningdiferentsamplelevels).
HintsAnDtiPs ;
• AuditorsmustmakesurethatallScopesrelevantfortheaudittopicareincluded
intheworkprogram.
• Duringtheaudit,theworkprogramshouldcontinuallybemonitoredforcom-
pleteness.
3.2.3 Process Elements: Risks and Internal Controls
KeyPoints •••
• he risks and the internal controls identiied for a process as a whole or for
singleprocessstepsareanimportantpartoftheworkprogram.
• Disclosuresmaybenecessaryasaresultoflegalrequirementsorgeneralbusi-
nessprocesscompliance.
• heindividualrisksshouldbeinlinewiththeriskcategoriesofanimplemented
riskmanagementsystem.
herisksandtheinternalcontrolsidentiiedeitherforaprocessasawholeorfor
singleprocessstepsareanimportantpartoftheworkprogram.Dependingonthe
givenframework,therearetwopossiblestartingpointsforanalyzingriskandinter-
nalcontrols:First,therearecompaniesthatdonot(yet)havetocomplywithSOX
orsimilar laws.hesecompaniesshould,orhaveto,deineauditcontentonthe
generalbasisofriskandinternalcontrolforeachprocessstep.Second,companies
thatarealreadysubjecttotheaboveexternalrulesofriskandcontrolmanagement
haveimplementedsystemsthatprovideinformationonrelevantrisksandthenec-
essary internal controls and transfer them into the work program. he risk and
controlmanagementsystemmayevenbesowelldevelopedthat,foraspeciicield-
workactivity,itispossibletoreferfromtheworkprogramorScopetotherelevant
sourcedocumentationofaninternalcontrolsystemunderSOXorariskmanage-
mentsystem.
Forcompaniesthathaveariskmanagementsystem,therelevantriskscorrespond
totheriskcategoriesandsub-riskcategoriesoftheintegratedoperationalriskman-
agementsystemused.Asageneralframework,theScopeshowsthemainriskcat-
egories,andtheworkprogramaddsfurtherdetailbyprovidingsubcategories.Of
course, inaddition to therisk thatcanbeplanned for,unexpectedrisksmaybe
identiiedatanytimeduringieldwork.Unexpectedrisksmustbedocumentedin
theworkingpapersbutshouldnotafecttheriskallocationintheworkprogram.
startingPointsstartingPoints
Mainandsub-RiskCategories
Mainandsub-RiskCategories
219
hediferenttypesofinternalcontrolscanbeusedspeciicallytomitigaterisks.
Withoutlayingclaimtocompletenessorgeneralapplicability,thefollowingindi-
vidualassignmentsarepossible.
heinternalcontrolscontainedinaScopecaneitherbeusedastheyarewhen
creatingaworkprogram,oradaptedtoindividualaudits.However,ifSOXdocu-
mentationisavailable,thealreadyprescribedcontrolsshouldbedeemedmanda-
tory. Additionally, the deinition of controls may vary between Scope and work
programbecauseofspecialregionalbusinesspracticesordiferentlawsandregula-
tions.
he above combination of direct use and adaptation of the internal controls
containedintheScopeisagoodfoundationforthecreationofacompleterecordof
allinternalcontrolsintheworkprogram.hisisintendedtoensurethatallsignii-
cantbusinessprocessesincludingtheirrespectivecontrolsarefullycovered.Inad-
dition, not only should all the risks of each process step be covered by internal
controls,buttheirefectontheaccountingandinancialreportingsystemshould
alsobeconsidered.heauditprocedureson thebasisofprocessdocumentation
thatcomplieswithSOXprovideanimportantbasisforthisstep.
InternalAuditcanbecomeinvolvedinidentifyingandcontrollingriskonlyas
partofitsauditmandate.InternalAuditmustnotactasanexclusivecontrolbody
andthusbecomepartofoperationalprocesscontrols.
HintsAnDtiPs ;
• Auditorsshouldalsouseinformaldiscussionstogetanoverviewoftheinternal
controlsinthecompany.
• Inaddition,auditorsshouldgetanideaofthecompany’svalueatrisk.Toesti-
mateavalueatrisk,theyhavetoassigntheriskstothecorebusinessprocesses
andanalyzetheirimpact.
• Duringanaudit,auditorsmustalwaystesttheefectivenessoftheinternalcon-
trols.
3.3 Other Preparation Activities
3.3.1 Obtaining Background Information
KeyPoints •••
• Duringauditpreparation,auditorsperformfurthertasksinadditiontocompil-
ingtheworkprogram.
• Tomasteraspeciicaudittask,auditorsneednotonlygeneralauditexpertise,
butalsoa lotofspeciicandup-to-date information,whichtheyobtainfrom
internalandexternalsources.
signiicanceofinternalControlssigniicanceofinternalControls
internalControlsandCreationoftheWorkProgram
internalControlsandCreationoftheWorkProgram
FullRecordofinternalControlsFullRecordofinternalControls
RoleofinternalAuditRoleofinternalAudit
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Preparation
Other Preparation Activities
B|3|3.3
220
• Aback-up functionprovides technicalexperts foraudit teams,andalthough
these experts do not actively conduct audit activities, they perform content
qualityassuranceinthebackground.
Apartfromcompilingtheworkprogram,thereareanumberofothertasksauditors
mustcompleteduringauditpreparation.Itisimportantforauditorstofamiliarize
themselvesadequatelywiththeaudittopic.Inadditiontogeneralauditexpertise,
comprehensivepreparationusuallyrequiresup-to-dateaudit-speciicinformation
(seeSectionB,Chapter3.3.2).
Anauditor’sgeneralexpertiseincludesthefundamentalfactsoftheauditseg-
mentsidentiiedinthecompany,irrespectiveofwhetherstandardorspecialaudits
areplanned.Auditorsreceivesuitableinternalandexternaltrainingtoacquiregen-
eralauditorknow-howandthespeciicknowledgerelevantforspeciicauditseg-
ments.Coordinatingtrainingwiththehumanresourcesdepartmentmakessense
toassuresystematictraininginlinewiththerequirementsofInternalAudit.
Asmentionedabove,auditorshavetoobtainspeciicinformationabouttheau-
dit at hand, beyond the general audit expertise that they already have. Possible
sourcesinclude:
• Specialist publications and periodicals, publications of professional organiza-
tions, conferences, special training (seeSectionB,Chapter3.3.2),workshops,
etc..
• Iftheauditcontentsuggestsso,itisagoodideatocontactthemanagementof
theareatobeauditedforadvanceinformationaboutcertaintopicsandtheir
importance.heauditleadandeachauditteammembershouldconsiderany
requests or suggestions made by the auditees. Auditors should let employees
makingsuggestionsknowthattheirinputwillbeconsideredasfaraspossible
withoutcompromisingtheindependenceandobjectivityoftheaudit.
• Valuable information can be obtained by contacting other corporate depart-
ments(FinancialReporting,ManagementAccounting,RiskManagement,etc.),
e.g.,aboutreportsandanalyses,corporateguidelinesthatarecurrentlyappli-
cableorunderpreparation,andfrequentproblems.Obtainingsuchinformation
makesiteasiertodeinefocusareasfortheaudit.
• Iftheaudittopicinvolveslegalissues,recentjudgments,comments,andrecom-
mendationsgivenbythelegaldepartmentshouldbetakenintoaccount.Evenif
InternalAuditisforcedtorelyontheknowledgeofexperts,auditorsmustassess
allworkdonebyothersintermsofitsreliability.
• Foremployee-relatedaudittopics,thehumanresourcesdepartment,employee
representatives,thedataprotectionoicer,andthecomplianceoicershouldbe
contacted.However,forsuchauditsitisdiiculttoobtaininformationbecause
theseauditsareusuallyconidential.Asarule,InternalAuditneedsveryup-to-
dateinformation,buttheprocessofgettingcurrentinformationmustnotreveal
anythingabouttheactualaudit.
• Itisalsopossibletoexchangereportsorinformationonauditfocusareaswith
theexternalauditors.
necessaryKnowledgeBase
necessaryKnowledgeBase
BasicKnowledgeBasicKnowledge
Audit-speciicinformation
Audit-speciicinformation
221
Inadditiontogatheringinformationbeforeoratthestartofanaudit,information
shouldalsobeobtainedfromtheabovesourcesduringtheaudit.
Cooperationwithemployeesoutside thedepartment isextendedwhen itbe-
comesclearthatadditionalcapacityisnecessaryoruseful.Althoughanyonework-
inginsuchacapacityisoiciallypartoftheauditteam,theperson’sroleislimited
toindirectactivitiesinthebackground,whichareperformedonrequest.Bothex-
ternalexpertsandinternalemployeescanperformsuchafunction,whichnormally
involvescontentqualityassurance.heconidentialityoftheauditcanbeguaran-
teedbyaskingthepersontosignanon-disclosuredeclaration.
LinKsAnDReFeRenCes e
• GRENOUGH,J.2006.SeekandYeShallFind.Internal Auditor(October2006):65–69.
• MCCOLLUM,T.2004.AnIntranetSuccessStory.Internal Auditor(June2004):32–35.
3.3.2 Specific Training Needs
KeyPoints •••
• Inadditiontogeneralauditexpertiseandaudit-speciicinformation,Internal
Auditemployeesalsoneedtechnicalknowledge,whichtheyhavetobuildup
throughtraining.
• Such training measures introduce new audit topics and content, bring the
knowledgebaseuptodate(includingforsotware),andpromotepersonalde-
velopment.
Inadditiontotheirbasicknowledgeandthegeneralinformationtheyobtainatthe
startofanaudit,auditorsmayalsoneedspeciicknowledge,andthenecessaryso-
cialandinterculturalskills.Diferentaudittopicsgenerallyrequireintellectuallex-
ibilityfromauditors.Bygivingtheauditdepartmentaregionalstructureandas-
signingaudittopicstoemployeesdependingontheirinterestandexpertise,auditors
canachievespecialization.However,rotationmaybeusefulornecessaryovertime,
andnewaudittasksmayarise.
Whenshitsincontentornewaudittopicsarise,auditorsshouldbeassignedto
therelevantauditsassoonaspossiblesothattheycanpreparethemselvesforthe
auditandobtaintrainingifnecessary.Suchtrainingcancomprisebothtechnical
knowledgeabouttheaudittopicandinformationneededtodealwithspeciallocal
orregionalpeculiarities.Forexample,ifcompanyactivitiesaremovedtoadiferent
location,considerationfortheapplicablelocalrules,laws,andregulationsmustbe
given when planning the audit. he necessary knowledge should be acquired as
partoftheauditpreparations.
Eveniftheaudittopicsassuchdonotchange,itisnecessarytoupdatetheexist-
ingknowledgeregularly.Inparticular,itisimportanttokeepupwithchangesin
AdditionalCapacityAdditionalCapacity
needforspeciicKnowledgeneedforspeciicKnowledge
newAudittopicsnewAudittopics
UpdatingofexistingKnowledgeUpdatingofexistingKnowledge
B|3|3.3The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Preparation
Other Preparation Activities
222
legalrequirementsandprofessionalguidance.helatestbestpracticesshouldalso
beincludedinthetrainingplan.
Auditorsalsoneedtobefamiliarwithsotwarerelevanttotheaudit.Suchsot-
ware iseitherapplicationsotwareoraudit-speciicsotware.herapiddevelop-
mentsinthisareamakespeciicknowledgeacquisitionparticularlyimportant.
hesocialandculturalenvironmentofanauditmayleadtofurtheraudit-spe-
ciictrainingneeds.Inadditiontoknowledgeoflocalcustoms,thisincludesforeign
language skills and supplementary training on information and communication
behavior,teamtraining,andvariousformsofcooperation.
Together,thethreecomponents–generalauditexpertise,informationgathered
foraspeciicaudit,andtrainingmeasurestoacquirespeciictechnicalknowledge
–ensurethatauditorshavethenecessaryknowledgeleveltobesuccessfulintheir
tasks(seealsoSectionB,Chapter3.3.1).
HintsAnDtiPs ;
• Auditorsshouldcompiletheworkprogramasearlyaspossiblesothattheycan
identifyanytrainingrequirementsandschedulethenecessarytraining.
• Ifpossible,trainingneedsshouldbeassessedcontinuouslywithtrainingsched-
uledregularly.
LinKsAnDReFeRenCes e
• APPLEGATE,D.2004.TrainingNewAuditors.Internal Auditor (April2004):66–73.
• BAKER, N. 2006. A Checkup for the Audit Shop. Internal Auditor (August 2006):
88–92.
• CAMPBELL,D.,ANDS.DIONISI.2001.TrainingasaRetentionTool.Internal Auditor
(October2001):47–51.
• GLASCOCK, K. 2007. Reaching a Higher Level. Internal Auditor (February 2007):
20–25.
• INSTITUTE OF INTERNAL AUDITORS. 2002.Practice Advisory 1230-1: Continuing
Professional Development.AltamonteSprings,FL:heInstituteofInternalAuditors.
softwareKnowledgesoftwareKnowledge
PersonalDevelopmentPersonalDevelopment
summarysummary
223
4 Execution4.1 Fieldwork Activities
4.1.1 Introduction
KEyPoints •••
• heopeningmeetingisprimarilyusedtoexchangeinformationbetweenaudi-
teesandInternalAuditabouttheaudit.
• Fieldworkactivitiesaresubjecttothematerialityprinciple.
• Auditorsmustensurethattheworkprogramiscompletedfullyandconsistently.
Allworkprogramobjectivesmustbeachievedbysuitableieldworkactivities.
• heauditactivitiesandtheirresultsaredocumentedintheworkingpapers.
• Closingmeetingsareheldtocommunicateauditresultstotheauditees.
Atthebeginningofieldworkanopeningmeetingisheld.Atthismeeting,Internal
Auditpresents,onthebasisoftheauditannouncement,theauditobjectivesandau-
ditcontentstotheauditeesandtomanagement.Inadditiontopassingoninforma-
tion,akeyobjectiveoftheopeningmeetingistoreachagreementoncooperation
duringandatertheaudit.Anyunresolvedquestionscanalsobeaddressedandde-
tailsoftheauditcanbedeined,ifthisdoesnotalterthenatureoftheaudit.heau-
ditleadmustensurethattheopeningmeetingdoesnotresultinnegotiationabout
audit contentor theaudit itself.heopeningmeeting shouldbeproperly struc-
tured,andminutesshouldbetaken,especiallyifchangestotheauditaremade.
Fieldwork issubject to thematerialityprinciple.For thisreason, theauditors
shouldalwayschoosethoseitemsthatarematerialtoachievingtheauditobjectives.
heauditorsmayvarytheextentofthedatatobeexaminedandtheworktobe
done,providingitleadstomeaningfulauditresults.Forthisreason,theauditors
shouldalwaysconsidertheselectionofieldworkactivitiesintheoverallcontextof
theauditconcernedanddeineitinlinewithspeciicneeds(forinformationonthe
mainieldworkactivities,seeSectionB,Chapter4.1.2).
heaimof conducting suitableieldworkactivities is toproduceevidence in
ordertomeettheauditobjectives.heselectedsourcesandinformationcarriers
mustbeabletodeliverreliableinformationontheauditobjectfortheauditor.he
extentandnatureoftheieldworkmustbecarefullycoordinatedandalignedwith
theauditobjectivesothattheieldworkandtheauditresultscanalwaysbeobjec-
tivelytraced.hismakesitnecessarytotakeaclearlystructuredapproachtoaudit
execution.
Auditexperienceandrelianceontheintegrityandcompletenessoftheinforma-
tionarenotenough.Onthebasisoftheworkprogram,theauditorsmustspecifyin
detailthetypeandextentofieldworktobeconducted.Oneitemintheworkpro-
grammaygiverisetooneorseveraldiferentieldworkactivities(seeSectionB,
Chapter3.2.2).
openingMeetingopeningMeeting
MaterialityPrincipleMaterialityPrinciple
needforFieldworkActivitiesneedforFieldworkActivities
DeinitionontheBasisoftheWorkProgramDeinitionontheBasisoftheWorkProgram
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
224
heauditprocessmaynecessitateadditionalieldworkactivities.Adjustingthe
pre-structuredworkprogramtoactualauditprocessesincreasesthedemandonthe
auditors’ judgment,which iscritical inensuring thatqualityandquantityof the
ieldworkconductedduringtheauditdeliversuicientauditevidencesothatro-
bustindingscanbederived.Itisnotnecessarytouncovereverydetail,butrather
toprovideevidencethattheieldworkactivitiesperformedaresuicienttoarriveat
auditresultsandprovethattheseresultsarecorrect.Oten,thenecessaryevidence
canonlybeprovidedbysensiblycombiningdiferentieldworkactivities.
hediagrambelowshowshowieldworkactivitiesarepositionedintheaudit
executionphase.Ononesidetheyrelatetotheworkprogram,andontheotherto
theworkingpapers(seeSectionB,Chapter4.2).hedocumentationintheworking
papers is thesecondaspectofauditexecution.Here, theieldworkactivitiesand
theirresultsarestoredinthedocumentsprovidedforthepurpose.
AdditionsDuringtheAudit
AdditionsDuringtheAudit
PositioningofFieldworkActivitiesintheAudit
ExecutionPhase
PositioningofFieldworkActivitiesintheAudit
ExecutionPhase
Fig. 12 Positioning of Fieldwork Activities in the Audit Roadmap
225
Audit execution requires clearly structured methods. Before the start, auditors
thereforehavetoengageinsomebasicconsiderationstypicalofanauditanddecide
howtheywanttoproceedwiththeirwork,includingthefollowingselectedaspects:
Atestofindividualdocumentsmayproduceleadsastowhetherandhowtheield-
workshouldbeexpanded.hesameappliestotestinginventoriesforaccuracyand
completenessandcheckingwhethermeasurementscomplywithlaws,guidelines,
andinstructions.Determiningauditprocedurealsoincludesadecisiononwhether
touseprimarilyformal(formalprocesscompliance)orsubstantive(correctnessof
process content and results) ieldwork activities. Moreover, an audit can be ap-
proached fromtwodirections:Eitherprogressively (i.e., fromtheoriginaldocu-
mentortransactionthroughprocessingtotheinalresultofdocumentprocessing),
orretrogressively(i.e.,byretracingtheprocessfromitsendtoitsbeginning,where
thetransactionoriginatedorthedocumentwasentered).SectionB,Chapter4.1.2
givesdetailsonieldworkactivity.
Whendeterminingtheextentofanaudit,thesizeofthebasicdatatobeexam-
inedisthemainparametertobeconsidered.heextentoftheauditdependsonthe
numberofobjectstobeexamined,theauditobjectives,andtheconclusivenessand
reliabilityoftheresults.hefullauditcomprisesallobjectsthatmeettheauditcri-
teria.healternativetoafullauditissampletesting,whichisusediftheauditors
cantestasamplethatisrepresentativeofthewholepopulation.
Once the ieldwork and the documentation have been completed, a closing
meetingisheldwiththeauditees,atwhichtheauditindingsarediscussed.Ifunre-
solvedissuescannotbesettledbymutualagreement,theauditorshavetodocument
themasdisagreementsintheimplementationreport(seeSectionB,Chapter5.2.3).
Especiallyforglobalauditsorauditsconductedwithinaverytighttimeframe,drat
reportsmaybeavailableintimefortheclosingmeeting,butnormallytheyarethe
subjectofaseparatemeeting.
HintsAnDtiPs ;
• Auditorsmustdeineatleastonesuitableieldworkactivityforeachitemofthe
workprogram.
• Eachieldworkactivityshouldmakeameasurablecontributiontotheauditre-
sult.
• Auditorscanuseauditactivitiesfrompastauditsforpractice.Indoingso,they
shouldaskthemselves,whyaspeciicprocedurewaschosenforthecaseinques-
tion,andwhethertheywouldhavedecideddiferently.
LinKsAnDREFEREncEs e
• CruMBlEy, l., Z. rExAEE, AnD D. ZIEgEnFuSS. 2004. U.S. Master Auditing
Guide.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
BasicconsiderationstypicalofanAuditBasicconsiderationstypicalofanAudit
ExtentofAuditExtentofAudit
closingMeetingclosingMeeting
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
226
• InStItutE OF IntErnAl AuDItOrS. 2002. Practice Advisory 2310-1: Identifying
Information.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntErnAlAuDItOrS.2002.Practice Advisory 2320-1: Analysis and
Evaluation.AltamonteSprings,Fl:heInstituteofInternalAuditors.
4.1.2 Main Fieldwork Activities
KEyPoints •••
• Fieldworkactivitiescomprisethegathering,analysis,andassessmentofaudit-
relevantevidenceonthebasisoftheworkprogram.
• Withtheauditobjectiveinmind,eicientieldworkactivitiesshouldbeselected
fromabroadrangeofdiferentoptions.
• hemainieldworkactivitiesincludeexternalconirmations,documentanaly-
sis,sampling,walk-throughs,directobservation,internalcontroltesting,ana-
lyticalauditprocedures,andinterviews.
Auditactivitiesarealsoreferredtoas“ieldworkactivities.”heyincludethegath-
ering,analysis,andassessmentofaudit-relevantevidenceonthebasisofthework
program,i.e.,theauditstepsthathavebeentakenandhavetobedocumentedinthe
workingpapersalongwiththeconclusionsandresults.
AdeinedstandardsetofefectiveieldworkactivitieshastobeselectedforIn-
ternalAuditfromthelargenumberofpossibleieldworkactivities.Howthissetis
puttogetherisdeterminedbytheaudittopicsandobjects,theorganizationaland
technicaloptions,theauditobjectives,andtoacertainextentalsobytheskillsand
expertiseofthepartiesinvolved.Inaddition,inancial,time,andlegalaspectsmust
be taken intoconsideration,aswellasaccess rights,dataprotectionregulations,
culturalpractices,andcorporateculture.heieldworkactivitiesdescribedbelow
represent a selection made with this in mind; audit or company-speciic adjust-
mentsmaybenecessary.heauditorscanalsoadaptieldworkactivitiesintermsof
technologyandorganizationinordertomeettheauditrequirementsineachcase.
It is critical that thenecessarycontentandproceduresaremaintained toensure
stableauditresults.
he following typesofieldworkactivitiesare suitable foruse inglobalaudit
departmentsandarethereforeexplainedinthischapter:
• externalconirmations,
• documentanalysis,
• sampling,
• analyticalprocedures,
• walk-through,
• directobservation,
FieldworkActivitiesFieldworkActivities
selectionofFieldworkActivities
selectionofFieldworkActivities
MaintypesofFieldworkActivities
MaintypesofFieldworkActivities
227
• internalcontroltesting,and
• interviews.
Conirmation obtained from carefully selected external parties involves asking
themtoexplicitlyconirmacertainprocess,stateofafairs,oritsresulttoInternal
Audit.Sincetheseconirmationscomefromanindependentparty,suchasacus-
tomer,thiskindofevidenceusuallycarriesmoreweightasevidencethancompany-
internal conirmations. here are two types of external conirmations: negative
conirmationonlyrequirestheexternalpartytorespondifitwantstoobjecttothe
factspresented;explicitagreementisnotnecessary.Inthecaseofpositiveconir-
mation,however,aresponseisrequired,irrespectiveofwhetherornotthefactsare
regardedascorrect.tothisend,theauditorscansendtherecipienteitherablank
form, asking for a description, or an agreement/rejection declaration regarding
factsthathavealreadybeendescribed.Iftheauditorsdonotgetadequateresponses,
theymustperformadditionalieldworkactivitiestoensurethattheauditobjective
ismet.
Document analysis is oten recommended at the start of an audit. It tests
whetherthedocumentsareconclusiveandcompleteinordertogetanoverviewof
theaudittopic.Documentanalysismaybesuicientinitself,oritmayhavetobe
followedbyotherieldworkactivities.Documentanalysisbreaksdownintodifer-
entcategories:
• contractanalysis(completeness,signatureauthorizations,compliance,andac-
counting),
• analysisofguidelines(up-to-dateness,compliance,expedience,familiarity,un-
derstanding,andapplication),
• analysisofprocessdescriptions(structureandworklows,internalcontrols,ex-
pedience,feasibility,andefectiveness),and
• analysisofsupportingdocumentation(existenceandauthorizations).
tohelpwiththesetasks,theauditorscancreateauditlistsorquestioncatalogs,forex-
ampletoguidethemthroughacontent-basedorformalassessmentofguidelines.
testprocedures(seeSectionC,Chapter3.1)usedinauditsincludebothanalyti-
calauditproceduresandsubstantivetesting.testproceduresformthequalitative
andquantitativebasisforprovidingstrongandreliableevidenceofspeciiccircum-
stancesinaudits.
Asshowninthediagrambelow,whenperformingsubstantivetestingtheremay
beareaswhereauditreliabilitycanonlybeobtainedifallauditobjectsaretestedin
full.PossibleexamplesincludeallpurchasingprocessesthatrequireBoardapproval,
orthecompletenessofaccruals.However,individualsampletestsorcombinations
areusediftheauditorswantorneedtolimittheextentoftesting.Inallcircum-
stances, the selected procedures must meet the requirements of a representative
samplesize toguaranteeameaningfulconclusion.Samplingcanbedividedinto
purposive(orjudgmental)samplingandrandomsampling.
ExternalconirmationsExternalconirmations
DocumentAnalysisDocumentAnalysis
testProcedurestestProcedures
samplingsampling
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
228
underpurposivesampling,thesampleisdeinedonthebasisofauditexperience
andknowledgeoftheauditsegment.heauditorsuseadvanceinformation,thresh-
olds,riskfactors,anderrorprobabilitiestodecidewhichtransactionsaretobein-
vestigated.
• underconcentrationsampling,theauditorsbasetheirselectionontheabsolute
orrelativeimportanceofthetransactions.
• Detectivesamplingfocusesonthosetransactionswhereahighprobabilityofer-
rorsisexpected.hescaleoftheauditshouldbeincreasedorreduced,depend-
ingonwhethertheauditdetectsmoreorfewererrorsthanexpected.
• Whentypicaltransactionsareselected,theinvestigationfocusesonthosetrans-
actionsthatareregardedastypicaloftheauditsegmentinquestion,withthe
aimofobtaininganauditresultthatisasrepresentativeaspossible,evenwitha
smallnumberoftransactions.
Inthecaseofrandomsampling,eachobjectthatmeetsthedeinedcriteriahasa
speciic,predeinedmathematicalprobabilityofbeingincludedinthesample.ran-
PurposivesamplingPurposivesampling
RandomsamplingRandomsampling
Fig. 13 Test Procedures
229
domsamplingproceduresbreakdownintoprocedureswithapresetsamplesize
(thenumberofelementstobeauditedisdeterminedbeforetheaudit)andproce-
dureswitharesult-dependentsamplesize(determinedonlyduringtheaudit).he
presetsamplesizeprocedureisinturndividedinto:
• Simplerandomsampling,whereeachtransactionhasthesamemathematical
probabilityofbeingincludedinthesample.
• Complexrandomsampling,wherealltransactionshavecalculable,butdiferent
probabilitiesofbeing includedinthesample.Sincethepopulationsareoten
very heterogeneous, there are diferent procedures for stratifying the sample
moredeeplythroughstructuringattributes.Withineachoftheseprocedures,it
ispossibletolookatfurthersamplesatthevariouslevels.
■ Clustersampling:hepopulationisdividedintoclusters,orsubsets,insuch
awaythattheauditmaterialofeachsubsetisasrepresentativeofthetotal
populationaspossiblewithregardtotheexpectedproportionoferrors.In-
dividualclustersarerandomlyselectedforafulltest.
■ Stratiiedsampling:hepopulationisdividedintostratainsuchawaythat
theproportionoferrorsofthestratadifersasmuchaspossiblefromeach
other. Samples are again selected from each stratum, but the volume can
normallybesmallerthaninthecaseofsimplerandomsampling.
■ Probability-proportional-to-size sampling: he elements to be audited are
selectedfromthepopulationinproportiontotheirvalue.
heaccuratetestingoftheselectedsampleistheirststeptowardproducingare-
sult.Distributioncalculationsorstatistical testingcanbeusedtoextrapolatethe
attributesidentiiedtothepopulationasawhole,thuspermittingconclusionsabout
thepopulation.
Asmentionedearlierandshowninthediagramundertestprocedures,testing
includesbothsubstantive testingandanalyticalauditprocedures(seeSectionC,
Chapter3.1).heseactivitiesshouldalsoleadtoaconclusivestatementaboutthe
qualityoftheunderlyingauditobjects.hemainobjectiveinthisregardistoverify
theconsistencyandplausibilityofallauditobjects,e.g.,entryandrecognitionof
transactionsoraccountingigures.Cumulativeigurescanbeusedtodetectorfore-
castirregularitiesthatexceedsetdeviationranges.tostandardizetheprocedure,
thefollowingstepsshouldbecarriedout:
• Deinetheexpectedtestresults.
• Determinethetolerabledeviationrange.
• Checktheresultsformaterialdeviations.
• Analyzematerialdeviations.
Analyticalauditprocedurescanbeusedatanytimeduringanaudit.Inparticular,
theyserveto:
• identifycriticalprocessesandobjectsforauditing,
• identifythemainauditcontents,
conclusionsaboutthePopulationconclusionsaboutthePopulation
AnalyticalAuditProceduresAnalyticalAuditProcedures
UseofAnalyticalAuditProceduresUseofAnalyticalAuditProcedures
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
230
• reduceorreplacedetailedtesting,
• detectfraud,
• beforeanaudit,deineexpectationsabout theinancialigures tobeaudited,
and,
• attheendofanaudit,testtheplausibilityofaccumulatingindingsandfacilitate
auditorjudgment.
In terms of practical application, there are ive diferent analytical audit proce-
dures:
• Multi-period analysis or analysis of third-party key performance indicators
(KPIs)shouldproduceconclusiveexplanationsincaseofdeviationsorchanges.
Inabilitytoprovideexplanationsmayindicateerrors.
• trend analysis looks at trends over several past periods and plots the course
andextentofdeviations.Italsoallowstheauditorstochecktheplausibilitywith
regardtotrends.
• Inplausibilityanalysis,iguresoraccountsofthecurrentorofpastperiodsare
compared with the values expected when calculated in a model. his allows
comparisonswithbudgetedtargets.
• regressionanalysisallowstheauditorstoquantifyexpectedvaluesintermsof
size. his type of analysis looks at functional dependencies, such as the sell-
ingexpensestorevenueratio,forwhichapproximatevaluescanbedetermined
mathematicallyonthebasisofobservations.regressionanalysisisusedabove
allwhensettingexpectedtargets.
• Scanning,whichisthesystematicsearchforspeciictransactions,amounts,or
specialattributes,e.g.,inaccounts,allowsexperiencedauditorstoidentifycon-
stellationsthatarepronetoerrorsorpossiblefraud.
Inawalk-through,anindividualtransactionisfollowedthroughtheentiresystem
from beginning to end, encompassing all organizational steps, It processes and
reports, and their integration into theaccountingsystem.his typeofieldwork
producesacomprehensiveinsightintotheprocess,includingthecontrolsandtheir
importanceforensuringthattheaccountingsystemiscompliantfromendtoend.
Inawalk-through,theauditeesexplaintotheauditorseachprocessstep,theirdu-
tiesandresponsibilities,andtheinternalcontrolsimplemented.heauditorscom-
parethemwithexistingguidelinesanddocumentallprocesssteps,includingthe
interviewswiththeauditees.hecontentsofwalk-throughsmakethemparticu-
larlysuitableforauditsconductedunderSOxandgenerallyastheirstieldwork
activityofanaudit,becausetheyhelpbuildabasicunderstanding.Walk-throughs
alsoworkwellincombinationwithotherieldworkactivities,suchasinterviews,
internalcontroltesting,anddocumentanalysis.
Auditorsperformdirectobservationwhentheywatchtheobjectsandprocesses
tobeauditedwhiletheyarebeingcarriedoutortakeplaceinpractice.Directob-
servationotencomplementsotherieldworkactivities.Itisalsosuitableforhelping
DistinguishingBetweenAnalyticalAudit
Procedures
DistinguishingBetweenAnalyticalAudit
Procedures
Walk-throughWalk-through
DirectobservationDirectobservation
231
auditorsdecideonfurthertestproceduresduringanongoingaudit.Atthestartof
anaudit,directobservationisusedtogetaninsightintothetasksofanauditee.
Directobservationisalsousefulwhenassessinginternalcontrolmechanisms,be-
cause the auditors have to inspect the objects physically in order to arrive at a
meaningfulauditresultandgetsuicientevidenceregardingtheoperationalefec-
tivenessofcontrolprocedures.Fordirectobservation,theauditorscanuseasimilar
templateasforthewalk-through,becausetheinformationisessentiallythesame.
hiskindofdocumentationisespeciallyusefulifthereisnotyetanybasicprocess
description.
Internalcontroltestinginvolvesauditingtheinternalcontrolsystemofanorga-
nizationalunit(department,entity,etc.).InternalcontrolsshouldensurethatInter-
nalAudit’sobjectivesaremet(seeSectionA,Chapter1.2).
testingtheinternalcontrolsservestoensurethattransactionswererecordedin
linewithaccountingrulesandtoconirmtheprocess,recording,anddocumenta-
tionoftransactions,includingthepreparationoftheannualinancialstatements.
Anotherobjectiveistoguaranteethatthetransactionsentereddonotleadtoany
misstatementorarefraudulent.Internalcontrolsshouldaboveallbetestedincom-
binationwith system testsordetailed testsof theentire internal control system.
Auditlists,questioncatalogs,orItapplicationscanbeusedforsupport(seeSec-
tionB,Chapter4.1.3).
herearetwodiferentproceduresfortestinginternalcontrols:
• testingaspartoftheworkprogrammeansthatalltestprocedureslistedinthe
workprogrammustbeperformed.Weaknessesintheinternalcontrolsystem
mustbedocumentedintheworkingpapers.
• testingaspartofthecomplianceauditunderSOxisintendedtoprovideevi-
denceoftheefectivenessofthetestsperformedbymanagement.Inthisregard,
itispossibletocomparetheresultsofInternalAudit’stestswiththetestresults
obtainedbymanagement.
Interviewsareotenconductedatthestartofanauditinordertogatherbasicdata
orbackgroundknowledgeonaspeciicaudittopic.heresultscanalsobeusedas
abasisforadditionalieldworkactivities.Moreover,aninterviewmaybeusefulfor
discussingtheresultsofpreviousaudits.hequalityofaninterviewissubstantially
determinedbytheexperienceoftheinterviewerandthetypeofquestions.Inter-
viewresultscanbesummarizedinwriting.Interviewscanbasicallybestructured
intermsofthefollowingcriteria:
• Directionoftheinformationlow:Informationisgiventoorrequestedfromthe
interviewee.
• Interviewstructure:One-to-oneoringroups.
• Formofcommunication:Verbalorwritten.
Additionally,interviewscanbebrokendownbytype:
• hestandardizedinterviewwithclearlyspeciiedquestionsandatrendtoward
internalcontroltestinginternalcontroltesting
UseofinternalcontroltestingUseofinternalcontroltesting
ProcedureforinternalcontroltestingProcedureforinternalcontroltesting
interviewsinterviews
typesofinterviewstypesofinterviews
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
232
one-directionalcommunicationleadstoclear,easilycomparableresponses.But
thereisariskthatimportantpointsnotcoveredbythesetquestionsarenotad-
dressed.
• hesemi-standardizedinterviewissupportedbyaquestioncatalogandofers
morefreedomtotailorittoindividualneeds.histypeofinterviewisnormally
usedatthestartofieldworkactivitiestogatherbasicdataandinformation.
• heunstructuredinterviewdeliberatelyrefrainsfromusingquestioncatalogs
andisonlydeterminedbytheinterviewobjective.hecontentandtypeofques-
tionscanbechosenfreely,providingtheyservetheobjectiveoftheinterview.
headvantageofthisformofinterviewisthatallmaterialaspectscanbead-
dressed,althoughitishardlypossibletocompareitsresultswiththoseofother
interviews.
Irrespectiveoftheinterviewtype,interviewshavethreebasicquestiontypes:
• theclosedquestion,whichhasalimitedchoiceofsetanswers(e.g.,“Howmany
peopleworkinyourdepartment:lessthan10,between10and20,morethan
20?”);
• theclosedquestionwithadditionalcommentsorthesemi-openquestion(e.g.,
“What is thedistributionofprofessionalexperience for theemployees in the
department?”);and
• theopenquestionwithoutspeciiedresponseoptions(e.g.,“Howdoesthein-
voicingprocesswork?”).
Dependingontheinterviewtype,theinterviewprocesscanbesupportedandsim-
pliied with question catalogs (for more information on question catalogs as an
organizationaltool,seeSectionB,Chapter4.1.3.1).
hediferentieldworkactivitiesoferabroadrangeofoptionsforconducting
audits.heindividualselectionoftheproceduresandthejudgmentoftheauditor
responsiblearecriticaltoasuccessfulauditprocess.Inspiteofthelargechoiceof
procedures,itisultimatelytheauditor’swealthofexperiencethatdeterminesthe
conclusionstobedrawnfromtheieldworkactivitiesandthustheauditresults.
HintsAnDtiPs ;
• Itisimportanttoensurethattheieldworkactivitiesarestructuredsothatthey
complementeachother.
• Auditorscangetdetailedinformationontheselectionandconductofindivid-
ualieldworkactivitiesbylookingatpastauditsalreadycompleted.
• Auditorsshouldaskthemselveswhatieldworkactivitieswillleadtoauditresults
mostquicklyandunambiguously,includingtheoptiontoproduceevidence.
• Auditorsshouldnoteanythingtheywanttoavoidwhileconductingieldwork
activities(e.g.,theexcessiveuseofclosedquestionsininterviews,etc.)andlook
attheirnotesasadailyreminder.
BasicQuestiontypesBasicQuestiontypes
summarysummary
233
LinKsAnDREFEREncEs e
• SEArS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
• SAWyEr,l.B.,M.ADIttEnHOFEr,AnDJ.HSCHEInEr.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
4.1.3 Technical Support
4.1.3.1 Organizational Tools
KEyPoints •••
• Organizational,methodological,andIt-basedtoolsareavailableforconducting
ieldworkactivities.
• Auditlistsandquestioncatalogsareorganizationaltools.
• herearediferenttypesofauditlists;theyareparticularlysuitablefortesting
internalcontrolsandsingleprocesssteps.
• hebasicpatternsofquestioncatalogs followthe interviewtechniques.hey
may be standardized or tailored speciically to the individual audit. When
usingquestioncatalogs,theauditorsshouldensurethattheyareappliedwith
thenecessarylexibility.
Organizational,methodological,andIt-basedtoolsareavailabletoprovidetech-
nical support to the auditors. Some of these tools were already discussed in the
contextofieldworkactivities(seeSectionB,Chapter4.1.2).hisandsubsequent
chaptersfocusonanddescribethetechniquesandtoolsrelevantforpracticalau-
ditwork.heorganizationaltoolsareexplainedirst.Inthisregard,itcanbedif-
ferentiatedbetweenauditlistsandquestioncatalogs.Auditlistsarethepreferred
tool for non-verbal audit activities and question catalogs are more commonly
usedforverbalactivities.
Auditlistsallowtheauditorstoexamineindividualprocessstepsorauditob-
jectscomprehensivelyandthoroughly.heyconsistofatleastonequestionorstate-
mentandoneresponseorcheckield.hecheckieldcanbeexpandedbyentering
ayes/noresponseorcommentieldforadditionalexplanations.
Althoughauditlistscanalsobeusedforclosedinterviews,theyhaveprovento
beparticularlyusefulinconnectionwithauditinginternalcontrols.Whentesting
internal controls, theaudit list is tailored to thecontrol step, i.e., it contains the
controlstepassuch,theobjectiveofthecontrol,conirmationofitsefectiveness,
andadescriptionoftheteststepsperformed.
here are various forms of question catalogs. hey are lists of audit-relevant
questionsandarethereforeavaluabletoolforstructuredaudits.Sincetheyareusu-
allybasedontheinterviewtechniqueused,theymaycontainclosed,semi-open,or
open questions. Question catalogs can be supplemented by providing multiple-
toolsforconductinganAudittoolsforconductinganAudit
AuditListstructureAuditListstructure
UseofAuditListsUseofAuditLists
FormsofQuestioncatalogsFormsofQuestioncatalogs
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
234
choiceanswers.hismayfacilitateconductingthe interviewandmaketheaudit
resultsmoreclearlyidentiiable.Forarrivingatauditresults,theauditorsmayind
itparticularlyusefultocomparetheresponsesgiveneitherbydiferentinterview-
eesoratdiferenttimes.
Questioncatalogsmaybestructuredpurelyinlinewiththetechnicalarea,in
whichcasetheyarenormallycloselyrelatedtothecontentsofaScope.Iftheaudi-
torswanttoaligntheinterviewswiththeparticularsituationoriftheyfocusmainly
onpersonalbehavior,thequestioncatalogsnormallyhavetobespeciicallydevel-
oped,oratleastadjustedindividually.
Sincetheauditorsneedspecialknowledgeonthedidacticstructuretooptimize
questioncatalogs,theyshouldmakeuseofinternalconsultantsorauxiliarytools.
Whendesigningquestioncatalogs,theauditorsshouldalsoconsideradditionalop-
tions,suchascombiningdiferenttypesofquestioncatalogs,posingintroductory,
transitional, and concluding questions, using alternative languages, or changing
contacts.Also,theimportanceofhowtheauditordeliversquestions,howtheyare
worded,andhowspeciicthequestionsare,shouldnotbeunderestimatedforthe
successoftheaudit.
Aquestioncatalogshouldalsoallowfordeviationsfromtheinterviewplan.It
shouldbepossibletodiscussadditionalissues.Iftheauditorskeeptothequestion
catalogtoorigidly,theauditeesmaygettheimpressionthatInternalAuditisnot
quitesureofhowtoproceed.Itisthereforeimportantthatauditorsusethequestion
catalogwithconidence.heyshouldbeveryfamiliarwiththequestionsandtake
guidancefromthewaytheyarestructuredwithoutlettingthisprecludetheneces-
sarylexibility.
HintsAnDtiPs ;
• Auditorscanuseexistingtemplatesandtheresultsofearlierauditsasabasisfor
developingaudit-speciicauditlistsandquestioncatalogs.
• Auditorsshoulduseexternalauditlistsandquestioncatalogsassamplesoras
controlinstruments.
• Auditors can only make lexible use of the question catalog if they know its
structureexactly.
LinKsAnDREFEREncEs e
• CruMBlEy, l., Z. rExAEE, AnD D. ZIEgEnFuSS. 2004. U.S. Master Auditing
Guide.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• WHAtlEy,P.2005.EasingIntoInterviews.Internal Auditor(October2005):25–26.
contentofQuestioncatalogs
contentofQuestioncatalogs
structureofQuestioncatalogs
structureofQuestioncatalogs
FlexibilityofQuestioncatalogs
FlexibilityofQuestioncatalogs
235
4.1.3.2 Methodological Tools
KEyPoints •••
• Methodologicaltoolssupportauditactivitiesbymodelingauditcontentoras-
suringtheprocedureused.
• Flowcharts serve to standardize the visualization of audit content, especially
processes.
• heuseofauditactivitiesismethodologicallyassuredbyusingsamplingproce-
dureswhichguaranteethequalityofasample.
Methodological tools to model audit content or to assure the procedure applied
duringtheauditareusedtosupportieldworkactivities.Itisofparticularimpor-
tanceinthisregardtostandardizetheappliedmethodsthroughoutthecompany.
Flowcharts,whichmapthecontentandtimedependenciesofprocesses,arethe
mostcommonlyusedtoolformodelingcontent.heycanbeproducedeitherby
handorwithsotwaresupport.SuitableItsupport isparticularlyrecommended
forstandardizingthevisualizationofcomplexlowdocuments.
Forconductingaudits,itisanadvantagetoobtainlowchartsinadvance.SOx
requiresdepartmentstoproduceprocessandcontroldocumentationthatcanbe
accessedduringtheaudit.Itdevelopmentdepartmentsalsootenuselowcharts
fortheirwork,sothattherelevantdocumentationisnormallyavailableforusedur-
ingsystemaudits.Butirrespectiveofanyexistingdata,itmaybeexpedientduring
anaudittostructureandanalyzeprocessesandfunctionalrelationshipsintermsof
formandcontentwiththehelpoflowcharts.
heuseofsymbolsinlowchartsisstrictlyformalized.hismakesitpossibleto
presentcomplexrelationshipsinawaythattheycanbeuniformlyunderstoodand
usedinaninternationalenvironment.Flowchartsfocuslessontheanalysisofevery
detail, but on explaining an entire process that is conclusive within itself. If the
processismappedlogicallyandconsistently,anyqueriesaboutthecontentcannor-
mallybeansweredbyreferringtothelowchart.
Amongthemethodologicaltools,thereareaudit-relatedproceduresandmod-
els,knownassamplingprocedures,whichareintendedtoprovidemethodological
assurancefortheuseofauditactivitiesbyguaranteeingthequalityofasample.By
usingsuchprocedures,templatescanbestandardizedanddeined.Forexample,a
collectionofbasicdatacanirstbe layeredthroughanABCclassiicationbefore
applyingdiferentsamplingmethodstomakeaselectionwithineachlayer(fora
moredetailedpracticalexampleonsampling,seeSectionC,Chapter9).
HintsAnDtiPs ;
• Auditorsshouldtrytounderstandanddocumentcomplexrelationshipsbypre-
sentingthemgraphicallyinalowchart.
MethodologicaltoolsMethodologicaltools
ModelingofAuditcontentwithaFlowchartModelingofAuditcontentwithaFlowchart
UseofExistingDataUseofExistingData
strictFormalismstrictFormalism
samplingsampling
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
236
• Auditorsshouldfamiliarizethemselveswiththetemplatesandrulesaccording
towhichinternallowchartsaregeneratedsothattheycanapplythemappro-
priately.
LinKsAnDREFEREncEs e
• COlBErt,J.2001.AuditSampling.Internal Auditor(February2001):27–29.
• CruMBlEy, l., Z. rExAEE, AnD D. ZIEgEnFuSS. 2004. U.S. Master Auditing
Guide.3rded.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• MArtIn,J.2004.SamplingMadeSimple.Internal Auditor(August2004):21–24.
4.1.3.3 IT Tools
KEyPoints •••
• It applications are commonly used as technical support tools in conducting
auditactivities.
• heSAPAuditInformationSystem(AIS)allowsuserstoselectandpresenti-
nancialdatainparticular.
• heinternalcontrolmanagementtoolsupportsallprocessdocumentation,in-
cludingthatoftheinternalcontrolsinaccordancewithSOx.
• he risk management tool is used to document and track all risks reported
throughoutthecompany.
Itapplicationsarecommonlyusedastechnicalsupporttoolsinconductingaudit
activities.helargenumberofdiferentsystemscanbebroadlysplitintotwocate-
gories:
• Computer-basedauditsystemsthatallowuserstoprocessanentireauditmust
mapandsupportallthephasesoftheauditprocessmodelused(seeSectionD,
Chapter4).
• In addition, there are a number of computer-based audit systems with func-
tionsthatfocusonspeciictasks,forexampledataselectionandanalysis,pro-
cessdescription,riskassessment,andthecreationofauditreports.hesefunc-
tionsformpartofanoverallcomputer-basedauditsystem.heycangenerally
beusedineachphaseoftheAuditroadmap,fromplanningandpreparation
throughexecution,reporting,andfollow-up.
he SAP Audit Information System (AIS), which is one of SAP’s application
programs,supportsindividualtestprocedures.hemaintasksoftheSAPAISare:
• structuredcollectionoftherequireddatabypresettingparametersforstandard
SAPreportsandaudit-speciicanalyses;
itApplicationsastechnicalsupporttools
itApplicationsastechnicalsupporttools
MaintasksofthesAPAis
MaintasksofthesAPAis
237
• tailoredpresentationandcoordinationofdata;
• transferofdocumentdata,accountbalances,andbalancesheetdatatousersys-
temsforfurtherprocessing;and
• onlinecontrolstodetectfraud.
hefunctionsoftheSAPAISallowauditorstoimprovetheauditprocessandaudit
quality,particularlyduringtheexecutionphase.Itthereforeservesastheauditor’s
toolboxinanSAPenvironment.Forexample,AIShasanon-screenmenuwiththe
most importantreportsandanalysesstructured for thepurpose.Particularly for
inancialaudits,itofersreportingprogramswithpresetcontrolparameters,which
auditorscanaccessthroughindividualscreenselection.Oneofthemainfunctions
oftheAISistooferuserstheoptiontoselectandanalyzedocuments,accounts,
andbalancesheetcaptionsaspartofinancialaudits.
Another It tool that can support ieldwork activities is the internal control
managementtool.Inconjunctionwiththeprocessdocumentationrequiredunder
SOx,thistoolhelpsmeettherequirementsofsections302and404inparticular.
histoolisalsousefulforassessingthecontrolsidentiiedintheMonitorandEval-
uatedomainoftheCOBIt®frameworkforItgovernance.Itprimarilysupports
thedocumentationofbusinessprocessesandofeachprocessstep, includingthe
relevantinternalcontrols,thestatusassessment,aswellasmanualandcomputer-
assistedtestingoftheinternalcontrolsystem.Inaddition,thetoolprovidesauto-
matic reports and analytical diagrams, which are intended to help management
understandtheapplicationofinternalcontrolsandtracktheirefectiveness.
Mainfunctionsoftheinternalcontrolmanagementtool:
• documentationofallbusinessprocessesandinternalcontrolsacrossthecompa-
ny’smainareasofactivity;
• annualassessmentofthestructureandcontentoftheinternalcontrolstotest
theirefectivenessandeiciency;
• support for the detection of control weaknesses and monitoring of measures
implementedtoeliminatethem;
• documentationofprocessandcontrolchanges;
• preparationofreportsoninternalcontrols;and
• supportfortheauditactivitiesofexternalauditors.
An important advantage of this application is that it consistently documents all
businessunitsandtheirbusinessprocesses.heinternalcontrolmanagementtool
alsodeinesauniformdocumentationstandardthroughoutthecompanyandsup-
portsandmonitorsthecentralqualityassuranceandimplementationoftheinter-
nalcontrolsystemtoensurecompliance.heapplicationalsosupportsthereport-
ingsystemrequiredunderSOxandprovidesmanagementwithastatusreportto
conirmafunctioninginternalcontrolsystem.
AdvantagesofthesAPAisAdvantagesofthesAPAis
internalcontrolManagementtoolinternalcontrolManagementtool
FunctionsoftheinternalcontrolManagementtool
FunctionsoftheinternalcontrolManagementtool
AdvantagesoftheinternalcontrolManagementtool
AdvantagesoftheinternalcontrolManagementtool
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Fieldwork Activities
B|4|4.1
238
heinternalcontrolmanagementtoolsupportsInternalAuditinauditingthe
implementationofSOx(seeSectionC,Chapter8andSectionD,Chapter14).his
applies toall threeareas related toSOx, suchas support forprocessdesignand
documentation,auditingthedesignofprocessesandimplementedcontrols(design
assessment),andtestingtheinternalcontrols.heinformationfromthetoolhelps
createtheworkprogramandtheworkingpapers.Inconnectionwithreportingand
follow-upaudits,thetoolcanalsobeusedtoquery,document,andmonitorthe
presentstatusofrespectiveentitytoreconcileInternalAudit’sreports.
AnotherIttoolforconductingauditactivitiesmaybeanoperationalriskman-
agementtool.Suchanapplicationsupportsglobalriskmanagementwithstandard-
izedapplicationfunctions(fordetailsontheintegrationofInternalAuditandrisk
Management,seeSectionD,Chapter2.2).Basedonthecompany’sorganization,it
guaranteesthatthoseresponsiblearealertedtothevariousrisksandthusableto
respondadequately.
Mainobjectivesoftheriskmanagementtoolare:
• heriskmanagersintheoperationalbusinessunitsusethetoolasabasisfor
applyingstandardrulesthroughoutthecompanytoidentify,assess,andreport
risksandtrackthemwiththenecessarymeasures.
• Forthispurpose,thetoolhasdiferentviewsthatallowcomprehensiveanalysis
oftheorganizationalunits,activities,andrisks.
• hepeopleresponsiblemustcontinuallyreassesstherisksonthebasisofthe
riskmanagementguidelines.
• Inaddition,managementcanassessthoserisksthatarerelevantfromitspoint
ofview.
tomeettheseobjectives,risksareidentiiedandassessedinpredeinedprocesses
andactivities.tothisend,usersdeinetheresponsestrategyandongoingriskmon-
itoringmethodinthesystem.riskanalysesallowthemtogeneraterisksummaries
aswellasthecorrespondingbreakdownacrossallorganizationalunits.toguaran-
teethattheinformationitprovidesisalwaysuptodate,theriskmanagementtool
isfullyintegratedintothesystemssupplyingthedata.
InternalAuditreportsanyrisksidentiiedduringanaudittotheresponsiblerisk
managerwhoentersthemintheriskmanagementtoolsothattheycanbeprocessed
further,trackedjointly,andultimatelyreviewedaspartofthefollow-upaudit.
HintsAnDtiPs ;
• Auditorsshouldalwaysfamiliarizethemselvesthoroughlywiththefunctionsof
theItapplicationsavailable.Ifneeded,theyshouldattendtrainingcourses.
supportforinternalAuditfromtheittool
supportforinternalAuditfromtheittool
RiskManagementtoolRiskManagementtool
MainobjectivesoftheRiskManagementtoolMainobjectivesoftheRiskManagementtool
AdvantagesoftheRiskManagementtool
AdvantagesoftheRiskManagementtool
importanceoftheRiskManagementtoolfor
internalAudit
importanceoftheRiskManagementtoolfor
internalAudit
239
4.2 Use of Working Papers
4.2.1 Requirements for the Documentation of Fieldwork
KEyPoints •••
• heworkingpapersmaptheieldworkconductedandthusdocumenttheactual
auditprocess.
• WorkingpapersareeitherpreparedbyInternalAudititself,ortheyareexternal
sourcedocuments.
• heauditorshavethemainresponsibilityforpreparingtheworkingpapers.
• Workingpaperscanbeiledaccordingtodiferentcriteria.
• Duetothesensitivenatureofthedatatheycontain,workingpapersaresubject
tostrictaccesscontrol.
heresultsofauditactivitiesmustbedocumentedtruthfully,consistently,clearly,
andcompletely,withacomprehensibledescriptionofallmaterialdetails.hisin-
volvesboththecontentsofaieldworkactivityandtheprocedureitself.hisdocu-
mentationofieldworkactivities isreferredtoas“workingpapers”toexpress its
connectionwiththeworkresults.hebasicrequirementsforproperdocumenta-
tionapplytoalltypesofieldworkactivities(seeSectionB,Chapter4.1.2),although
therearediferenttypesofdocuments,dependingonthenatureoftheaudit.Inad-
ditiontotheworkingpaperswhicharemandatory,otherdocumentscanbecreated
asoptionalextras;theycontaininformationbeyondtheminimuminformationre-
quirement.
ProperdocumentationensuresthatInternalAuditmeetsthreeimportantobli-
gationsofauditwork:
• Inconnectionwiththereportsontheauditconducted(fordetailsonreporting,
seeSectionB,Chapter5),thedocumentationintheworkingpapersprovides
suicientevidence,whichcanbeaccessedatanytime.hisgivestheindings
in the audit reports a veriiable content quality and makes the audit results
clearlytraceable,evenforthirdparties.heauditthusbecomesdemonstrably
separable fromthepersonof theauditor. If thereareclaimsthat theauditor
maybebiased,theycanbesubstantiatedorrefutedonthebasisofthedocu-
mentation.
• ProperdocumentationalsoensuresthattheauditmethodcomplieswithInter-
nalAudit’sprinciples.Ifadisputeweretoarisewiththeauditeesabouttheaudit
indings,itisalwaysveryimportanttohaveevidencethattheprinciplesofau-
ditinghavebeenobserved.
• hedocumentationnotonlyrecordstheactualieldworkactivities,italsoforms
thebasisforreportingontheauditindings.hedocumentationthusalsopro-
videsprocesssupportforlargepartsoftheAuditroadmap.Forexample,the
documentationofpre-investigationscanbeusedtoprepareforthesubsequent
audit.Inaddition,thedocumentationmayformpartoftheclosingmeetings.
BasicRequirementsBasicRequirements
MeetingofobligationsMeetingofobligations
independentAuditFindingsindependentAuditFindings
safeguardingoftheAuditMethodsafeguardingoftheAuditMethod
BasisforReportingBasisforReporting
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Use of Working Papers
B|4|4.2
240
hepointsthathavebeendocumentedcanalsoformthebasisforexpertdiscus-
sionsandtheexchangeofknowledge,especiallyininternationalteams.
heworkingpapersareanindicationoftheauditqualityingeneral.hisneedsto
beconsideredbecausequeriesbydiferentgroupsofaddresseesortheirrequestsfor
information may oten require access to this documentation. Accordingly, the
workingpapersmayserveasdiscussionorevidencedocuments, forexamplefor
queriesfromtheBoard,theunitrequestingtheaudit,InternalAuditmanagement,
theAuditCommittee,ortheexternalauditors.
Workingpapersbreakdownintoprimary,ordirect,documentsanddocuments
thataresecondary,orindirect,fromInternalAudit’sperspective.Directdocuments
are always prepared by Internal Audit itself, and indirect documents are source
documentsintheformoforiginals,copies,orreferencestosources.Indirectdocu-
mentsaresubjecttothesamereferencing,archiving,andretentionrequirementsas
direct documents. Since they are not created internally, indirect working papers
mustbeincludedintheelectronicarchiveascopies,withinformationsuchas“re-
ceivedfrom/distributedby,”thedateofreceipt,andtheauditor’sinitials(forrefer-
encingseeSectionB,Chapter4.2.3;forarchivingseeSectionD,Chapter4.1.2).
hepreparationofworkingpapersissubjecttocertainorganizationalrequire-
ments. Each auditor always has the main responsibility for preparing the docu-
ments,bothduringandimmediatelyaterieldwork.Eventhoughtheaudit lead
andAuditManagerhaveultimateresponsibilityforqualityassurance,eachauditor
has toprepareandmaintain theworkingpaperswith thenecessaryattention to
detail.Workingpapersmaybecompiledbyhandorentereddirectlyintoasystem
(whichisnormallymoreexpedient,becauseitmakesiteasiertoaccesstheinfor-
mationagain,e.g.,tolittextblocksforthereport).
Duringanaudit,workingpaperscanbeiledaccordingtodiferentcriteria,for
examplebyorganizationalcriteriaorbysubject.Iftheworkingpapersareiledac-
cording to organizational criteria, they are assigned to the individual audit ele-
ments,suchasreportingortheclosingmeeting.Iftheyarestructuredaccordingto
subject, the auditor can distinguish between documents on licensing and docu-
mentsonassetaccounting,forexample.
Allworkingpapers shouldbeavailablebefore the reportsarecompiled.like
almostallInternalAuditdocuments,theycontainverysensitivedata,whichmeans
that theauditors shouldcontrolaccess to themstrictly.While theaudit isbeing
conducted,onlytherelevantauditorandtheauditleadshouldhaveaccesstothe
documentation.Oncetheaudithasbeencompleted,accesscanbeextendedtothe
AuditManagerandtheCAE.
Documentswithspecialevidentiaryvaluemustbeconsideredseparately.Ifnec-
essary,theycanbeusedinacourtoflaw.Insuchcases,InternalAuditshouldco-
operatewiththelegaldepartmenttoensurethatallnecessaryinformationisdis-
closed and that it complies with the rules of legal practice. In this context, the
attorney-clientprivilegeshouldalsobeconsidered.Similararrangementsapplyif
partsofthedocumentationaretobeusedforotherpurposes,e.g.,publication.he
importanceoftheDocumentation
importanceoftheDocumentation
DirectandindirectDocuments
DirectandindirectDocuments
organizationalFoundation
organizationalFoundation
FilingofWorkingPapersFilingofWorkingPapers
AccessAuthorizationAccessAuthorization
DocumentswithspecialValueasEvidence
DocumentswithspecialValueasEvidence
241
correctprocedureinsuchcasesmustbecoordinatedwiththelegaldepartmentand
theBoard.
Inthecontextofproperdocumentation,thequestionofapermanentileasa
long-termdocumentationtoolisotendiscussedinrelationtoaspeciicauditob-
ject.hisformofdocumentationisusefulinmorestaticorganizations.heorgani-
zationalandprocessstructuresofinternationallyfocusedcompaniesthatoperate
inafast-movingenvironmenttendtochangemorefrequently.Forthelonger-term
perspectiveofInternalAudit,thismeansthattheauditcycle(ofaroundonetotwo
years)carriesmoreweight than theauditobject.Providing theyarecomparable
overseveralcycles,thedocumentedcyclescanbelinkedtoeachotherwithanin-
dexorcross-referencing.
HintsAnDtiPs ;
• Duringtheentireaudit,auditorsshouldregularlycoordinatetheworkingpa-
perswiththeauditleadandseekhisorherfeedback.
• Alwayscompiletheworkingpapersduringorimmediatelyaterieldwork.
LinKsAnDREFEREncEs e
• HuBBArD,l.2000.AuditWorkingPapers.Internal Auditor(April2000):21–23.
• InStItutEOFIntErnAlAuDItOrS.2001.Practice Advisory 2240-1: Engagement
Work Program. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntErnAlAuDItOrS.2001.Practice Advisory 2240.A1-1: Approval
of Work Programs.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntErnAlAuDItOrS.2001.Practice Advisory 2330-1: Recording In-
formation. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntErnAlAuDItOrS.2001.Practice Advisory 2330.A1-1: Control of
Engagement Records.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntErnAlAuDItOrS.2001.Practice Advisory 2330.A1-2: Legal Con-
siderations in Granting Access to Engagement Records.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
• InStItutEOFIntErnAlAuDItOrS.2001.Practice Advisory 2330.A2-1: Retention
of Records. AltamonteSprings,Fl:heInstituteofInternalAuditors.
4.2.2 Structure and Content of Working Papers
KEyPoints •••
• Standard templates for working papers ensure that ieldwork is documented
fullyandinacommonformat.
• herearemandatoryworkingpapersaswell asworkingpapers thatarepre-
paredonlyasneeded.
PermanentFilePermanentFile
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Use of Working Papers
B|4|4.2
242
At gIAS, the working papers are designed as standard templates to ensure that
ieldworkisdocumentedfullyandinauniformformat.However,forspeciicield-
workactivities,suchasinterviewsovertheinternetorvideoconferences,itisalways
possibletopreparespeciallystructuredminutesandaspecialagenda.Ifnewlyde-
velopedworkingpapersproveuseful,theyareintroducedasstandardtemplatesfor
futureuse.heexistingworkingpapertemplatesthusprovideabasicsetoftoolsto
whichfurtherexamplescanbeaddedastheauditorsproceed.
he work done sheets are the only working papers which are mandatory for
eachinternalauditatSAP.Workdonesheetscontaintheaggregateddocumenta-
tionofindividualaudittasksandcontentandtheassociatedieldworkwithregard
toamainaudittopic.Intheworkdonesheettemplate,theaudittitleandnumber,
thetopicoftherelevantworkdonesheet,andthecreationdatearespeciied.his
informationisfollowedbyalistoftheactualtestproceduresforeachworkpackage
and the indings made; any risks are also stated and possible recommendations
given.
he individualworkdone sheets shouldbecreatedevenwhennoindingswere
made.Inadditiontothesemandatoryworkingpapers,thereareanumberofother
documentsthatareusedonlyasrequired.gIAScurrentlyhasthefollowingdocu-
ments:
• heauditsummarywhichgivesanoverviewofallworkdonesheetsorderedby
themainaudittopicscoveredintheaudit.
standardtemplatesstandardtemplates
MandatoryWorkingPaper
MandatoryWorkingPaper
WorkingPaperstoBeUsedasneeded
WorkingPaperstoBeUsedasneeded
Fig. 14 Work Done Sheet
243
• Interviewrecordsandminutesofmeetings,whichareotensubjecttothesame
formal rules from an auditing perspective. However, to record a general ex-
changeofideasratherthanaspeciicmeeting,auditorsshoulduseablankform
orcreateanewtemplate.
• Aformforauditnotes,whichauditorscanusetorecordunusualorirregular
events.
• Atemplatetosummarizetheauditofaspeciicobject,e.g.,acontract,sothat
importantinformationisreadilytohandforcomparisons.
• Anoverviewofalldocumentspreparedaspartofananalysis.
• Amemorandumforaninternalstatusreportorthecreationofaninterimre-
portsothatadecisiononfurtherauditstepscanbetaken.
• Questioncatalogs(seeSectionB,Chapter4.1.3.1)astemplatesfortherelevant
ieldwork.
• Adocumentforrecordingunresolvedquestions,intendedasanaide-mémoire
toplanfurtherieldworkorsupportthenexttestprocedures.
• Alistofcontacts.
• Alistofreferences(seeSectionB,Chapter4.2.3).
Oneofthemoreimportantworkingpapersthatareusedonlyasneededistheaudit
summary.heauditsummarygivesanoverviewofallworkdonesheetsaccording
AuditsummaryAuditsummary
Fig. 15 Audit Summary
B|4|4.2The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Use of Working Papers
244
totheirtopics.heauditsummarytemplateshownbelowgivesthetitle,theaudit
number,thetopicofthesummaryandoftheworkdonesheets,andthecreation
date.Inadditiontotheworkdonesheets,theauditsummaryalsocontainsasum-
maryoftheobservationsandindingsaswellasanoverallassessmentandconclu-
sionoftheauditresult.
HintsAnDtiPs ;
• Beforewritingtheauditsummary,auditorsshouldagreetheworkingpaperson
whichthesummaryisbasedwiththeirauditlead.
• Auditors should leave the working papers they have written for a while and
criticallyreviewthemlater.
4.2.3 Referencing of Working Papers
KEyPoints •••
• referencingprovidessigniicantsupportfortheadministrationoftheworking
papersandotherdocuments.
• toensureauniformprocedure,SAPspeciiesbothprocess-relatedandcontent-
relatedstandardreferences.
• hisframeworkalsoallowsforanykindofaudit-speciicreferencing.
Inordertoprovideaclearstructureforthelargenumberofworkingpapersand
otherdocumentsandtomakethesepaperseasiertohandle,areferenceframework
shouldbedeined.hisgivestheorganizationofthedocumentsauniformstruc-
ture,whichallowsuserstoaccessindividualdocumentsatanytimeortoaccessa
more detailed level while they are systematically working through the summary
levels. referencing also signiicantly facilitates and supports report analyses and
qualityassurancemeasures.
SAP uses referencing to link the individual working papers with each other.
referencingisastructuredindex,whereeachID,oridentiicationnumber,occurs
onlyonceandcanbelocalizedinanyrelationtothesubordinatedorsupraordi-
natedID.hereferencecanbeestablishedduringasubphase(e.g.,workingpapers)
orasa linkingelementbetweendiferentsubphasesof theAuditroadmap.his
allowsuserstoassignaninterviewrecordtoaworkdonesheet,forexample,andto
makereferencetotheworkprogram.
tousereferencinglexiblywithoutcompromisinguniqueidentiication,thefol-
lowingpointsshouldbeobserved:
• Auniqueandself-explanatoryterminologymustbespeciiedforallaudits.he
rulesforidentifyingtherelevantdocumentsmusthaveagloballyuniformbasis.
tothisend,itisagoodideatousetheAuditroadmap.hereforeanindexfor
eachphaseoftheprocessmodelwascreatedatSAP:
needforaReferencingFramework
needforaReferencingFramework
ReferencingtechniqueReferencingtechnique
ReferencingRequirements
ReferencingRequirements
245
■ Auditplanningandpreparation:referenceA;
■ Auditexecutioningeneral:referenceB;
■ Speciicauditexecution:referenceC;
■ reporting:referenceD.
v
co
management letters
management letters
Index
Audit Title: Audit No.: XX/200y
Global Internal Audit Services
co
po
Reference
A
A-1
A-2
A-3
A-4
A-5
B
B-1
B-2
B-3
B-4
B-5
B-6
B-7
B-8
C
C-1
C-2
C-2
C-2-10
C-2-10-100
C-2-20
C-2-20-100
C-2-20-200
C-3
D
D-1
D-2
D-3
Fig. 16 Referencing Structure
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Execution
Use of Working Papers
B|4|4.2
246
hisstructure,whichfollowstheAuditroadmap,providessigniicantsupportfor
thebreakdownandassignmentofworkingpapers.Italsomakesitmucheasierfor
thirdpartiestousethereferencingsystem.
• heseconddimensionofreferencingrelatestocontent.hestandardreference
(irstnumericclassiication)identiiestheaudittopictobedocumentedand/or
thetypeofdocumentorreport.Standardreferencesmayhaveeitherasingle
digitorseveraldigits.
• Withinthisstandardreferenceframework,thelower-levelreferencingstructure
canbeusedfreely,i.e.,theaudit-speciicreferencesareconstructedinrelation
tothenatureandextentoftheworkingpapers.hissystemhastoworkona
one-to-onebasissothateachdocumentcanbeuniquelyassigned.
SincereferencingisstandardizedtoalargeextentbylinkingtheAuditroadmap
and audit contents, it allows users above all to create a uniform documentation
systematagloballevel.Auditleadsarestillfreetokeeparegularcheckonreferenc-
ingduringtheaudit.hisapproachisrecommendedforaudits involvingseveral
auditors.
HintsAnDtiPs ;
• Auditorsmust followthestandardreferencingrules forall theirworkingpa-
pers.
• Auditorsmustensurethatalldocumentsarereferencedconsistently.
UseofReferencingUseofReferencing
247
5 Reporting5.1 Basics of Reporting
5.1.1 Professional Principles
KeyPoints •••
• heresultsoftheieldworkconductedbyInternalAuditaresummarizedand
documentedinanauditreport.
• he reporting principles for external auditors apply also to Internal Audit’s
work.
• Impartialreportingmustbecomplete,truthful,andclear.
• Toensurethattheinformationisoptimized,thereportsshouldbemadeavail-
ableasquicklyaspossible.
• Dependingontheaddressee,therearediferentreportingformatsandwriting
styles.
heresultsoftheieldworkconductedbyInternalAuditarecompiledintoainal
auditreport,whichcontainsobjective,expertise-basedinformationontheresults
oftheaudit.Atthesametime,theauditreportservesasarecordoftheworkper-
formedbyInternalAuditemployees.heIIAhasissuedprofessionalguidelinesfor
properreporting.
Externalauditors’reportsmustbecomplete,impartial,andaccurate.heAICPA
provides guidance for the completion of audit work and standardized reporting
practicesforexternalauditors.Internalauditorscanfollowthesestandardsaswell.
hefollowingparagraphsprovideabriefexplanationofmainprinciplesofreport-
ingandcommunication,includingcompleteness,truthfulness,andclarity.
he requirement of completeness prescribes that all material indings be in-
cludedintheauditreport.herefore,thisrequirementisverycloselyrelatedtothe
materialityprinciple.Speciically,theauditorsshouldincludeinthereportallinfor-
mation that may inluence the report addressees’ assessment of the situation. In
addition,auditindingsmustbesupportedbyevidentialmatter.
Internalauditreportsmeettherequirementof truthfulnesswhenthepresent
conditionsarepresentedastheycurrentlyexist.InternalAuditmustnotincludeits
owninterpretationsofthesituationbutshouldrelyonfacts.
Auditreportsthatfocusonclarityhelptheuserstoaccuratelyinterpretthein-
formation.herefore,auditorsshouldformulatethereportsothatitiscoherentand
clearlydescribesthecurrentcondition.Inaddition,thestructureofthereporthas
tobeorganizedandlogical,andthetermsusedmustconveyrealityaccurately.
Toensurethattheinformationisoptimized,thereportsshouldbemadeavail-
ableinatimelymanner,i.e.,shortlyatercompletionoftheaudit.hiswillhelpthe
auditeesimplementtherecommendedmeasuresandderiveabeneitfromtheaudit
quickly.
ContentoftheAuditReportContentoftheAuditReport
ReportingRequirementsReportingRequirements
CompletenessCompleteness
truthfulnesstruthfulness
ClarityClarity
immediateinformationimmediateinformation
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Basics of Reporting
B|5|5.1
248
Auditreportsmaybeissuedtovariouslevelswithintheorganization.Auditors
mayusediferentreportingformatsorstylesforauditindingsandrecommenda-
tionswhenaddressingthesediferentaudiences.Auditorsshouldchoosewording
thatmatchestheappropriatereportingstyle.hefollowingchaptersdealwiththese
aspectsindetail.
HintsAndtiPs ;
• Auditorsshouldreadtheirreportscriticallytomakesurethattheycomplywith
therelevantreportingprinciples.
• Auditorsfromotherauditteamsshouldalsoreviewthereports,e.g.,forcompli-
ancewithqualityandreadabilityprinciples.
LinKsAndRefeRenCes e
• BAlAkrAn,l.2007.ASolidreportingline. Internal Auditor (February2007):96.
• InSTITuTE oF InTErnAl AuDITorS.2001.Practice Advisory 2400-1: Legal Con-
siderations in Communicating Results.AltamonteSprings,Fl:he Instituteof Internal
Auditors.
• InSTITuTEoFInTErnAlAuDITorS.2001.Practice Advisory 2410-1: Communica-
tion Criteria. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTE oF InTErnAl AuDITorS. 2001. Practice Advisory 2420-1: Quality of
Communications. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTEoFInTErnAlAuDITorS.2001.Practice Advisory 2440-1: Recipients of
Engagement Results. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTE oF InTErnAl AuDITorS. 2001. Practice Advisory 2440-2: Commu-
nications Outside the Organization. Altamonte Springs, Fl: he Institute of Internal
Auditors.
• InSTITuTE oF InTErnAl AuDITorS.2003.Practice Advisory 2440-3: Communi-
cating Sensitive Information Within and Outside of the Chain of Command.Altamonte
Springs,Fl:heInstituteofInternalAuditors.
5.1.2 Integration into the Audit Roadmap
KeyPoints •••
• reportingisoneofthemainphasesoftheAuditroadmap.
• Aclearlinkbetweentheworkingpapersandtheindividualindingsinthere-
portmustbeestablished.
• heauditreportsformthebasisforthefollow-upphase.
ReportformatsandstylesofWriting
ReportformatsandstylesofWriting
249
hefourthphaseoftheAuditroadmapisthereportingphase.Itformsaconclu-
sionphasebecause,atertheauditactivitieshavebeencompleted,theauditresults
areprocessedintothediferentauditreportswhicharethenmadeavailabletothe
partiesconcerned.reportingalsorepresentsthetransitiontothenextphaseofthe
Auditroadmap:hefollow-upphasestartswhentheinalauditreportshavebeen
released.
hereportsareprimarilybasedontheworkingpapers(seeSectionB,Chapter
4.2).referenceismadetoboththeworkdonesheetsandtheworkingpaperson
individualactivitiessuchasminutes,interviewnotes,andquestioncatalogs.Sec-
ondarydocuments,i.e.originaldocumentsproducedfromnotesbythirdparties,
mayalsobeusedtocreateauditreports.
heauditsummaryisthelinkbetweentheworkingpapersandtheactualaudit
report(seeSectionB,Chapter4.2.2).heauditsummaryliststheworkdonesheets,
andfromtheretheauditorscancross-referencetotheindividualdocuments.he
linkscanbeestablisheduniquelythroughthenameandnumberoftheaudit(see
SectionB,Chapter4.2.3).heinformationisthenincorporatedintotheindividual
indingsoftheimplementationreportandselectivelyintosubsequentreports,e.g.,
themanagementsummary.
heclarityandspeciicityoftheauditindingsformthebasisforanefective
follow-upprocess(seeSectionB,Chapter6).onlyiftherecommendationsarefor-
mulated comprehensibly and constructively can implementation and control be
performed to an appropriate extent and with reasonable efort. he follow-up is
thusbasedonreportingandisthereforedependentontheauditreport,intermsof
bothtimeandcontent.
HintsAndtiPs ;
• Iftheauditorshavetocommunicateindingsthataresensitive,theyshouldcon-
sultwiththeAuditManagerortheauditleadbeforesuchindingsareincluded
inthereport.
• Whenwritingthereport,auditorscanalreadythinkofactivitiesforthefollow-up,
i.e.,possiblemeasurestoensurethattheirrecommendationsareimplemented.
5.1.3 Overview of the Main Report Formats
KeyPoints •••
• Allresultsoftheauditactivitiesmustbeadequatelydocumentedintheformof
reports.
• hereareaudit-relatedandperiodicreports.
• he audit-related reports provide an assurance of proper, comprehensive re-
portingtailoredtoindividualneeds.
natureofReportingnatureofReporting
LinktotheWorkingPapersLinktotheWorkingPapers
AuditsummaryAuditsummary
Linktothefollow-UpPhaseLinktothefollow-UpPhase
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Basics of Reporting
B|5|5.1
250
AllresultsoftheauditactivitiesconductedbyInternalAuditmustbedocumented
withoutexception.hereport formatdependsontheproceduresappliedduring
theaudit,andontheauditobjectivesandthusthecontents.Forthisreason,aspe-
ciicpredeinedreportformatshouldbeusedtoreportoneachtypeofaudit.
hediagrambelowshowstheoverallstructureofthereportingsystemofInter-
nalAuditatSAP.herearetwomainareas,individualized,audit-relatedreporting
andstandardizedperiodicreporting.Audit-relatedreportingcoversprimarilyall
reportsthatmustbepreparedwithinaclearlydeinedtimeframeandrelatedirectly
toaspeciicaudit.Calculationsbasedontimesheets(seeSectionA,Chapter4.7)
haverevealedthatittakesonaveragearoundtwotofourweekstowrite,coordinate,
anddistributethereports.hisappliesparticularlytoallstandardandspecialau-
ditsconductedonthebasisoftheAuditroadmap.Forad-hocaudits,thereports
areproducedwithinashortertime.Sinceinformationfromad-hocauditsisoten
requiredquickly,thereportsusuallyhavetobewrittenwithinamatterofdays.he
preparationtimefortheauditreportsalsoincludestimetodiscussthedrats.he
actualwritingofthereportshouldbecompletedinashortertime.
PeriodicreportsrefertoallauditsandotheractivitiesthatInternalAudithasper-
formedwithinthereportingperiod.heirmainpurposeistopresentasummary
of signiicantauditindings,keyigures, andproject content.unlike the reports
mentionedthusfar,thesereportsdonotrelatetoauditsdirectly(formoreinforma-
tion,seeSectionB,Chapter5.4).
Amongtheaudit-relatedreportformatspresentedabove,theimplementation
report,themanagementsummary,andtheBoardSummaryareofparticularim-
needfordiferentReportformats
needfordiferentReportformats
Audit-RelevantReportingsystem
Audit-RelevantReportingsystem
PeriodicReportsPeriodicReports
importantReportformats
importantReportformats
Fig. 17 Reporting Structure
251
portance (on the contents of these report formats, see Section B, Chapters 5.1.4,
5.2.3,5.2.4,and5.2.5).hesereportsformthecoreofInternalAudit’sreportingand
arethereforecloselyrelatedtoeachotherandareusedformostaudits(seeSection
B,Chapter5.2).Althoughintermsofcontenttheyalwaysrefertoasingleaudit,
theyusediferentformsofpresentation.
hevarious reportsare tailored to their respective targetgroups, in termsof
bothdetailandemphasis.Inspiteofthesediferences,aclearinternallinkmustbe
maintained,i.e.,thediferentreportformatshavetobeconsistentandthewaythey
buildonorrelatetoeachothermustbetraceable.
heotherreportsmentionedintheabovediagramcoverfurtherspeciicobjec-
tives.heyincludepriorityBoardissues,thememorandum,andthepresentationof
results. hese reports difer in results and format and generally respond to very
speciicinformationneeds.Additionalreportformatsmaybespeciiedatanytime,
forexamplereviewreports,activitycatalogs,actionplans,etc.
HintsAndtiPs ;
• Auditorsshouldbeclearaboutthesigniicanceofeachreportformat.
• Itisadvisabletosummarizethespeciiccriteriaofeachreportformatinatable.
• Ifpossible,auditorsshouldlookatthereportsofothercompanies,sectors,or
auditinstitutestoidentifybestpracticesinreporting.
5.1.4 Overview of Report Contents
KeyPoints •••
• Formostaudits,particularlyimportantintermsofreportingare:implementa-
tionreport,managementsummary,andBoardsummary.
• hereportsaretailoredtothesituationandaddresseesbyusingreporting-spe-
ciicterminology.
• hereportsmustpresentalltherelevantcontentandexplainindingsandrec-
ommendationsclearlyandunambiguously.
• Becausetheyhavetodealwithdiferenttargetgroups,allauditorsmustcom-
plywithcertainruleswhenpreparinganauditreport,especiallywithregardto
structure.
• ItmustbepossibletotracethemanagementsummariesandBoardsummaries
backtotheindividualitemsintheimplementationreport.
Forauditsacrossnationalandregionalboundaries,theauditteamscooperateona
worldwidebasisandjointlyproducethenecessaryauditreports.Sincethereports
areproducedandanalyzedbydiferentpeople,theyshouldbestandardizedasfar
aspossiblesothatallemployeesinvolvedassessandinterprettheminthesameway.
diferenttargetGroupsdiferenttargetGroups
otherReportformatsotherReportformats
typesofAuditReportstypesofAuditReports
B|5|5.1The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Basics of Reporting
252
Itisthereforeadvisabletopreparethemonthebasisofstandardrulesthatapply
throughoutthecompany.hestandardreportpackagecreatedbyGIASincludes
theimplementationreport, themanagementsummary,andtheBoardsummary,
eachwithadiferentemphasis,andmayalsoincludeattachedmemorandums.hey
arebrielydescribedbelow(formoredetails,seeSectionB,Chapter5.2).
heimplementationreportisprimarilyadescriptionofobservationsandind-
ingsmadeduringtheaudit.hecircumstancesarepresentedfromanoperational
perspective, i.e. predominantly related to processes, controls, risks, and inance.
hereportisusedtoexplaintheauditresultstothecompany’soperationalmanage-
ment.Eachauditresultispresentedseparately,thedescriptionofeachindingbro-
kendownbytopic.Itshouldincludethefollowingelements:
• clearpresentationoftheissueidentiiedduringtheaudit,
• comparisonofas-isandto-besituation,and
• resultofthecomparisonofthecurrentconditionwiththedesiredcriteria.
Eachof theaboveelements isstructuredaccordingtoprocess,control, risk,and
inancialimpact.hereportalsostatesinteractionsintheriskconstellationandthe
resultingconsequences,twokeyitemsofinformationforidentifyingtherisksand
transferringthemtotheoperationalriskmanagementsystem.
he implementationreportalsocontains theaudit recommendations,which
setoutwhattheauditeescandotochangethecurrentsituation.heimplementa-
tion report also has to make clear who must implement which action in what
way.
Eachcontentelementofanauditindingmusthaveaone-to-oneassignmentto
arecommendedaction.heauditorscanalsocombineseveralpointsofainding
intoonerecommendation,orconversely,suggestseveralrecommendationstore-
spondtoasingleinding.
he way the audit recommendations are worded should not leave any doubt
abouttheirintendedefect.hereareanumberofkeytermsthatclearlyexpressa
suggestedcourseofaction.Criteriaforselectingtheappropriatewordinginclude
thedegreeofexposureandthesigniicanceoftheindingfortheauditedarea,as
wellastheinancialimpactoftheproblemidentiied.Inaddition,theoverallefects
andtheinluenceontheauditedunit’sachievingitsobjectivesarefurtherconsider-
ationsforhowtherecommendationshouldbeworded.
hemanagementsummaryisacondensedversionoftheoriginalindingsand
recommendationsoftheimplementationreport,groupedbycertainaspectsofcon-
tent. he above notes on the wording apply by analogy, but the auditors should
chooseastylesuitabletomanagement.onefunctionofthemanagementsummary
istoexplaintomanagementingeneraltheresponsibilityfortheindingsandtheir
impact.Inthiscontext,theauditorsshouldfocusinparticularonhowtheindings
areinterrelated.hesummaryshouldalsopointouttheconsequencesoffailureto
implementtherecommendationsandrefertoanyactionsalreadyresolvedand/or
introducedduringtheaudit.
descriptionoftheResultsinthe
implementationReport
descriptionoftheResultsinthe
implementationReport
RecommendationsintheimplementationReport
RecommendationsintheimplementationReport
AssignmentAssignment
WordingofRecommendations
WordingofRecommendations
ManagementsummaryManagementsummary
253
hemanagementsummarycondensestheindingsintheimplementationre-
portrelating to thesameorsimilar topics. Itmust,however,bepossibleatany
timetomakeaplausiblelinktotherelevantauditresultbyusingthecorrectrefer-
ence.
It is important that the management summary reaches managers at diferent
levelsandindiferentfunctions,andtheauditorsshouldtakethisintoaccountby
tailoring the wording accordingly. A general summary of the audit result in the
formofanoverallconclusionfortheauditshouldbeincluded(fordetails,seeSec-
tionD,Chapter7.2.1).
heBoardsummarycontainsalltheindingsthatarereporteddirectlytothe
responsibleBoardmembers.ofcourse,theBoardcanatanytimeaskforthere-
lated reports toobtainmoredetailed information. Inorder to communicate the
information efectively, the summaries should, as far as possible, be forwarded
alongsidethereportsdescribedabove.Sincetheobjectiveistoconveyinformation
onimportantindingsaswellastoprovideanoverallassessmentoftheaudit,the
referencemustprovideadirectlinktoeachindingoftheimplementationreport.
hisaggregatedreportformatprovidesasummaryofindingsandalsoreports
selectedindividualindingsfromtheimplementationreport.otenfactsordevel-
opmentsaresosigniicantthattheBoardmustbeinformedimmediately.Itisim-
portantinsuchacasetogivereasonsfortheassessmentoftheauditor(e.g., the
efectonthecompany’simage,potentiallegalrisks,economicfactors,etc.).
Ifadditionalinformationaboutthebackgroundofanauditengagementisre-
quired,amemorandumisalsopartofthereportpackage.hismaybethecase,for
example, forspecialauditsorad-hocauditengagements.Tointegratetheimple-
mentation report and the corresponding memorandum, both reports are refer-
encedaccordingly(formoreinformationseeSectionB,Chapter5.3.1).
HintsAndtiPs ;
• Auditorsshouldcheckeachindingforconsistencytoavoidcontradictions.
5.1.5 Report Addressees and Distribution
KeyPoints •••
• heconidentialityofauditreportsiscriticalformanyreasons,andcarefulcon-
siderationmustbegiventothepartieswhoreceivethereport.
• Conidentialitymustbemaintainedalsoduringdistribution.For this reason,
thepartiesconcernedreceivetheirreportsthroughclearlydeinedchannels.
• hesechannelsfollowuniquedistributionlistsbasedonthecompany'sorgani-
zation.
LinktotheimplementationReportLinktotheimplementationReport
diferentfunctionsandLevelsdiferentfunctionsandLevels
BoardsummaryBoardsummary
ContentoftheBoardsummaryContentoftheBoardsummary
MemorandumMemorandum
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Basics of Reporting
B|5|5.1
254
• All the reports are distributed by conidential e-mail. Management and the
Boardmembersadditionallyhaveaccesstothereportsviatheintranet.
Sinceauditreportsareconidential,theirdistributionintheorganizationmustbe
handled with sensitivity. he distribution is based on the current organizational
structure.Althoughallinformationisofcoursestrictlyconidential,thecontentsof
reportsformanagementandtheBoardmembersaresubjecttoanadditionallevel
ofconidentiality.Speciicdistributionlists,whichfollowthestructureofthereport
levels, contain theauthorizedaddressees foreachreport.hesedistribution lists
havetobekeptuptodateatalltimesbytheAuditManageroracentralcoordinator
fromInternalAudit,andaccessauthorizationstoeachreportmustbeconstantly
monitored.
Auditreportsarenormallydistributedtothoseresponsibleintheauditedarea
atthedratstage.hisisparticularlyimportantfortheimplementationreportand
themanagementsummary,butnotfortheBoardsummary,whichisnotdistrib-
utedtotheauditees.hepersonsresponsibleintheauditedareahaveanopportu-
nitytocommentonthedrats,i.e.,agreewithorrejectthedrat,andmakeaddi-
tionsorcorrections.InternalAudithasadutytoexamineeachcommentcarefully
andincorporateitinthereportifappropriate.Conidentialitymustbefullymain-
tainedalsoduringthedratingphase.
Final versions of the audit reports should be distributed within two to four
weeksatertheendoftheaudit.hismeetsanimportantrequirementonthepart
ofInternalAuditfortimelyimplementationoftheauditresults.
Beforethedratreportsaredistributed,theauditleadreviewstheircontentand
form,andtheAuditManagerchecks themforaccuracyandcompleteness.only
thencanthedistributionprocessbegin.Toensurethatastandardprocedureisfol-
lowed,InternalAuditatSAPdistributesthereportsthroughoutthecompanyusing
thefollowingmeans:
• heauditedareaandtherelevantoperationalmanagersreceivethereportsby
conidentiale-maildirectlyfromtheauditleadortheAuditManager.
• regionalmanagerswhoareresponsiblefortheareaalsoreceivethereportsby
conidentiale-mail.At thesametime,anInternalAuditemployeemakes the
reportsavailabletotheseemployeesonthecompanyintranet.
• heCEoandtheCFohaveaccesstotheBoardsummariesthroughanintranet-
basedmanagementinformationsystem.Allreportsarelinkedtoeachotherso
thatitispossibletogetadetailedanalysisattheleveloftheindividualinding.
otherBoardmemberscanalsogetaccess.Ifnospecialaccesshasbeenautho-
rized,themembersoftheBoardaresenttherelevantsummariesbye-mail.
Inadditiontotheabovegroupsofpeople,theremaybeotherappropriaterecipients
forthereports,e.g.,thelegaldepartment,thehumanresourcesdepartment,oreven
theexternalauditorsorotherbodiesinthecaseoflegalmatters(i.e.,SEC,district
attorneyetc.).DistributiontothesepartiesmaybeagreedwiththeCAEonacase-
ReportLevelstructureReportLevelstructure
draftdistributiondraftdistribution
timeframetimeframe
distributionoftheReportsatsAP
distributionoftheReportsatsAP
otherReportAddresseesotherReportAddressees
255
by-casebasisanddependsoncontentandnecessity.Sinceauditreportsalwayscon-
tainsensitivedata,theCEoshouldbeconsultedbeforethereportsaresenttoany
additionaladdressees.Beforereportsaresenttolegalauthorities,thelegaldepart-
mentshouldbeconsulted.undercertaincircumstances,itmaybenecessarytosign
anon-disclosureagreementorthereportsmaybemanagedundertheattorney-cli-
entprivilege.Itisfurthermorenecessarytoetablishdetailedrulesforthedistribu-
tionofreportstootherunitsthatareonlyindirectlyafectedbytheaudit(e.g.,the
legaldepartment,thecomplianceoice).Pastauditreportscanonlybeforwarded
tonewpeopleresponsibleintheareatobeauditediftheCAEhasgivenhisorher
approval.
HintsAndtiPs ;
• Auditorsmustchecktheauditreportdistributionlistsregularlyandalert the
peopleinchargeofthenecessaryupdates.
5.2 Standard Report Package for Audits
5.2.1 Audit Report Index
KeyPoints •••
• heauditreportindexisthetableofcontentsforthestandardreportpackage.
• Itcontainsinformationonstandardauditreportcomponentsandappendices.
• Audit-speciic details such as the audit name and number are entered in the
headeroftheauditreportindex.
hestandardreportpackagestartswiththeauditreportindex.hisindexisagen-
eraloverviewofallreportcomponentsofoperationalreporting(notincludingre-
portstotheBoard)onstandardandspecialaudits.Itisthetableofcontentsofthe
standardreportpackageconcerned.
In theheaderof theaudit report index, theauditorenters theorganizational
unitandthenumberoftheauditreport,whichhasbeenassignedintheauditan-
nouncement.hisnumbercanberetrievedfromthecentraldataserveratanytime.
heauditoralsohastoprovidethetitle,whichmustbethesameasthatusedinthe
auditannouncement.
hestandardreportpackagecomprisesthefollowingcomponents:
• management summary to provide information to operational and regional
management;
• implementationreportwhichcontainstheauditindings;and
• classiication and audit status overview, which are descriptive elements that
provideimportantinformationinthestandardreportpackage(seeSectionB,
Chapter5.2.2).
tableofContentsofthestandardReportPackage
tableofContentsofthestandardReportPackage
otherinformationintheAuditReportindexotherinformationintheAuditReportindex
ComponentsofthestandardReportPackage
ComponentsofthestandardReportPackage
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Standard Report Package for Audits
B|5|5.2
256
hestructureoftheauditreportindexisthesameforbasicauditsandfollow-ups,
but therearediferenceswithregard tocontent.hefollowingchapters relate to
basicauditreporting(forfollow-upauditreportingseeB,Chapter6.3).
heauditreportindexcontainsstandardsuggestionsoffrequentlyusedreport
appendicesatSAP.heauditorscanchangeappendicesasrequired.Importantap-
pendices are lists and directories compiled by Internal Audit or original source
documentssuchasorganizationchartsandsignatureprotocols.Ifappropriate,the
decisionastowhethertoincorporatesuchdocumentsshouldbemadeaterconsul-
tationwiththeauditleadandtheAuditManager.hereportpackagesshouldin-
clude(excerptsfrom)originalsourcedocumentsthatprovideevidencefortransac-
tionsandauditobjectsandthussupporttheauditindings.However,theauditors
shouldtrytokeepareasonablebalancebetweenthesizeofthereportandthesize
oftheannexes.
BasicAuditandfollow-Up
BasicAuditandfollow-Up
AppendicesAppendices
Organizational unit: Report No.:
Global Internal Audit Services
Conducted in Accordance with the International Standards
for the Professional Practice of Internal Auditing.
2
3
1 Management Summary
Audit Title
Audit Implementation Report
5
6
4 Software Contracts
Appendix
Organization Chart
Approved Signatories
Fig. 18 Audit Report Index
257
HintsAndtiPs ;
• Aterauditorshavecompletedtheirreports,theyshouldcheckthattheinforma-
tionintheauditreportindexiscorrectandcomplete.
• Auditorscanusepreviousauditstogetafeelingforthenatureandextentofthe
annexesusedsothattheycanmakeanadequateselectionwhentheyconduct
theirownaudits.
5.2.2 Classification
KeyPoints •••
• Auditindingsshouldbeclassiiedtomakesurethattheyareimplemented.
• Adetailedsystemofindicatorswithweightingscanbeusedforthispurpose.
• Alternatively,indingsmayalsobeclassiiedbasedonauditorjudgmentaccord-
ingtocertaincriteria.
• Whateverthemethod,theauditorsshouldmakesurethatthoseresponsiblegive
properattentiontotheindingsandrecommendedmeasures.
Whentheindingsandobservationsareclassiiedaspartofreporting,theyareal-
waysassignedclearresponsibilitiestoensurethattherecommendationsareappro-
priatelyimplemented.Indoingsotherelevantlevelofmanagementresponsibility
isassignedtoeachitem.helevelsareasfollows:
• he“Board”levelrepresentsindingsrelevanttotheBoard(identiiedwiththe
letterB).
• he“regionalManagement”levelisforindingsthatfallundertheresponsibil-
ityofseniororregionalmanagement(identiiedwiththeletterr).
• he“localManagement”levelcomprisesallotherindings,whicharethere-
sponsibilityofoperationalmanagement(ofasingledepartmentorlocalsubsid-
iary,identiiedwiththeletterl).
Whenassigningindingsandobservations,theauditorsmusttakeintoaccounta
numberofindicators,whicharebasedonthestructureoftheriskcategoriesused
byriskmanagement.Signiicantfactorsincludetheorganizationalunit,theareaof
responsibility,thenumberandassessmentoftherisks,theimpactonotherareas,
thenumberofpeopleinvolved,apossiblelinktofraud,externalperceptions,and
legalinterestsinthebroadestsense.Additionalclassiicationbyinancial,organiza-
tional,structural,andproduct-relatedvariablescanalsobeuseful.hesecriteria
maybesupplementedspeciicallyfortheauditedarea.Indoingso,itmaybehelpful
toweighttheselectedindicatorswithequivalencies.heresultingassessmentma-
trixcanbeusedtoarriveatanoverallweightingforeachindingandthusassignit
tooneofthethreelevelsofresponsibility(fordetails,seeSectionD,Chapter7.2.1).
LevelsofResponsibilityLevelsofResponsibility
AssignmentontheBasisofindicatorsAssignmentontheBasisofindicators
B|5|5.2The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Standard Report Package for Audits
258
Analternativecourseofactionistomakeanassessmentaccordingtoauditor
judgment,usingcertaindecisionparameters.hebreakdownintoBoard-relevant,
regionallyrelevant,andlocallyrelevantindingsisbasedonthefactorsdescribed
below.hesefactorscanbeusedincombinationwithauditorjudgmenttocometo
clearlymotivatedassignments.
FindingsrelevanttotheBoardincludeallindingsthat
• directlyrefertoguidanceissuedbytheBoardorglobalpolicies,
• relatetoarisktheBoardshouldbeawareof,
• requireadecisionbytheBoard,
• necessitateactionbytheBoard,or
• areregardedasrelevantfortheBoardbyInternalAuditmanagement.
Auditindingsareregionallyrelevant,e.g.,ifthey
• refertoaguidelineunderregionalresponsibility,
• relatetoariskregionalmanagementshouldbeawareof,or
• causeregionalmanagementtotakeadecisionoraction.
Allotherindingsareautomaticallyassignedtolocalresponsibility.Forlocallyrel-
evantindings,allthenecessarydecisionsandactionscanbetakenbytheaudited
areaitselforbyoperationalmanagement.However,thisdoesnotmeanthatthese
indingsarelessimportant.Allindingsmustreceivethesameattention,andtheir
classiicationshouldnothaveanyinluenceonthequalityoftheimplementation
measures.Assignmenttoaparticularlevelofresponsibilityisonlyintendedtoen-
sureswitandeicientimplementationofthemeasuresattheappropriatelevel.
HintsAndtiPs ;
• AuditorsshouldrequesttheauditleadorAuditManagertoclassifytheindings
andcomparetheresults.
• Inaddition,auditorsshoulddiscusstheassignmentwiththepeopleresponsible
foroperations.
• Auditorsshouldgivethoughttoalternativecoursesofactionincasethepeople
responsibleaccordingtotheclassiicationfailtoimplementtherecommenda-
tionsandactionsrelatingtotheindings.
5.2.3 Implementation Report
KeyPoints •••
• heimplementationreportisthecoreelementofthereportingsystem.
• It is intendedprimarilyfortheauditedareaandmanagerswithdirectopera-
tionalresponsibility.
AuditorJudgmentAuditorJudgment
findingsRelevanttotheBoard
findingsRelevanttotheBoard
RegionallyRelevantfindings
RegionallyRelevantfindings
LocallyRelevantfindings
LocallyRelevantfindings
259
• Itlistsalltheobservationsandindingsandprovidesnotesinseparatecolumns
onhowtoeliminateweaknesses.
• heimplementationreportconsistsoftwosections:theactualauditresultsand
themonitoringsectionfortheimplementationupdateofnecessaryactions.
• When creating the implementation report, the drat stage is very important,
becausethisiswheretheinalauditstatementsareagreeduponwiththeauditee
intermsofformandcontent.
heimplementationreportformsthemainpartoftheauditreportpackage.Itis
compiledprimarilyfortheauditedareaanditsdirectoperationalmanagers.Ater
internalqualityassuranceby InternalAudit (seeSectionD,Chapter5.3),adrat
reportissenttothepeopleinchargeoftheauditedareatogivethemanopportunity
tocomment.heircommentsmaytaketheformofinsertions,corrections,orad-
ditionalevidence.Sometimesitispossibletopresentthedratreportsattheclosing
meetingsothattheindingscanbediscussedatthesametimeasthedratreport.
Butnormallydiscussionofindingsandofthedratreportaredealtwithseparately,
unlesstherearespeciicreasonstocombinethem(e.g.travelrequirements).
heabovediagramshowsthestructureof the implementationreport forabasic
audit.Firsttheaudit leadentersthereportnumberandthenameoftheaudited
MainPartoftheAuditReportPackageMainPartoftheAuditReportPackage
ReportstructureReportstructure
Fig. 19 Structure of the Implementation Report
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Standard Report Package for Audits
B|5|5.2
260
unit,aswellastheauditstatusandthenamesoftheauditorsinvolved.heactual
reportsectionfollowsthisheaderinformation.herowstructureisdeterminedby
theauditcontent.heindividualitemswithineachtopicareshownindescending
orderofriskrating.
Among the items listed, a diferentiation is made between pure observations
and indings. he indings are shown irst according to their B (Board), r (re-
gional),andl(local)classiication(seeSectionB,Chapter5.2.2).heobservations
thenfollowinthesameorder.hemaindiferencebetweenthetwocategoriesisthe
degreetowhichtheyarebinding.observationsareidentiiedweaknesses,although
theycannotbebenchmarkedagainstanydesiredcriteria.Findings,bycontrast,are
weaknesses identiied always because of a deviation from required criteria. As a
result,theimplementationoftheactionsrecommendedaspartofindingsismore
binding and therefore more important. he auditors should ensure that recom-
mendedactionsarepresentedclearly(seeSectionB,Chapter5.1.1).hefollowing
shouldbenoted:
• Eachindingisreportedunderaseparateconsecutivenumber.Headingsorkey
wordsgivethereportastructurethatiseasytofollow.heyaresourcedinthe
workingpapers,especiallytheauditsummaryandtheworkdonesheets.
• Dependingonthecircumstances,theauditorsshouldalsopresentpositiveas-
pects,atleastinsummaryform.hisputstheoverallassessmentintoamore
objectiveperspectiveandhasapositive,motivatingefectontheauditees.
he titlesof theirst twocolumnsof the implementation reportareconsecutive
number(no.)andClassiication(seeSectionB,Chapter5.2.2).hefollowingmain
columnsarenext:
• observation/Finding,
• riskCategory,and
• recommendation.
hey represent the core of the implementation report and thus the actual audit
result.undertheheading“observation/Finding”theauditresultsaredescribed.In
addition,abriefdescriptionoftheriskconditionandtheriskconsequenceisgiven.
Statingtheriskcategoryensuresthattheriskattachedtoeachindingisidentiied,
thuspreparingittobeincorporatedintheriskmanagementsystem.Captureinthe
riskmanagementsystemfurthermorerequiresentryoftheriskinshortformand
anypossibleconsequences.
hemonitoringsectionisthesecondimportantblockinthereportstructure.
Ithasacolumnfor“Action/Managementresponses,”wherethemanagementof
theauditedareacanaddcomments.hefollowingcolumnscontainthenamesof
thoseresponsibleforimplementationandthecompletiondate.helasttwocol-
umns relate to the follow-up process and are therefore described in Section B,
Chapter6.3.
Ithasalreadybeenmentionedthatthedratstageisparticularlyimportantfor
thecreationoftheimplementationreport.Atthisstage,contentandwordingare
carefully coordinated, taking cultural aspects into account. his is a revolving,
Presentationofobservations
andfindings
Presentationofobservations
andfindings
ColumnsoftheimplementationReport
ColumnsoftheimplementationReport
MonitoringsectionMonitoringsection
importanceofthedraftstage
importanceofthedraftstage
261
sometimestime-consumingprocess.Sincethisprocessleadstothepresentationof
theactualauditresult,theauditorsmustcompleteitwithamaximumofquality
andobjectivity.Inadditiontooicialqualitychecks,itisotenadvisabletoperform
internalqualityreviews(seeSectionD,Chapter5.3).
HintsAndtiPs ;
• Auditorsshouldconsidercarefullywhethereachauditresultisanobservation
orainding.
• Italsomakessensetodiscusstherecommendationswithauditorsfromother
teamsandtomakecomparisonswithexistingreports.
• Ifpossible,auditorsshouldwaitatleasttwodaysatertheyhaveinishedwriting
thereportandthenrereadthecompletedocument.Ifitthenseemsconsistent
andlogical,theycansendittotheauditlead.
5.2.4 Management Summary
KeyPoints •••
• hemanagementsummaryisusedtopresentallaudititemsthatareofinterest
orimportancetooperationalandstrategicmanagement.
• Inadditiontoinformationontheauditobjectivesandtheoverallauditstate-
ment, theauditorscan include individual itemsofsigniicanceorsummarize
indingsfromtheimplementationreport.
• Each itemmustbe referencedagainst theindings in the implementationre-
port.
• heoverallauditstatementformanagementispresentedintheformofatraic-
lightratingsystem.
hemanagementsummaryisusedtoprepareallsigniicantindingsforpresenta-
tion to operational and regional management. only indings and observations
identiiedbytheappropriateclassiicationareincluded(seeSectionB,Chapter5.2.2
andSectionD,Chapter7.2.1).ItemsthatarerelevantfortheBoardortheregion
shouldbeincludedinthemanagementsummary.Board-relevantitemsshouldbe
incorporatedunchanged;regionallyrelevantitemscan(butdonothaveto)besum-
marized.
he following igure shows the template for the management summary. he
headershowstheaudittitleandthereportnumber.hesecondrowprovidesinfor-
mationon theaudit type(standard, special,orad-hocaudit),audit status (basic
audit,statuscheck,follow-upIorII),andtheexecution(start)dateoftheaudit.he
nextrowscontaininthesameorderaslisted:
• auditorsinvolved,includingguestauditorsandconsultants,
• managerresponsiblefortheauditedarea,
PreparationofAuditfindingsPreparationofAuditfindings
informationincludedinformationincluded
B|5|5.2The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Standard Report Package for Audits
262
• dateoftheclosingmeeting,
• participantsintheclosingmeeting,and
• distributionlistofreportaddressees.
An overview of the most signiicant speciic audit objectives follows in the next
row.
heheaderareaisfollowedbyadatedlistoftheindingsandobservations.heitems
listedherearebasedontheimplementationreportaccordingtotheclassiication
mentionedaboveandarecross-referencedagainsttheimplementationreport.he
entriesmadeinthe“Findings/recommendations”ieldarequotedunchangedor
summarized.Inthemanagementsummary,theoverallauditstatement(seeSectionD,
findingsandobservations
findingsandobservations
Global Internal Audit ServicesManagement Summary
Conducted in Accordance with the International Standards for the Professional Practice of Internal Auditing.
Audit Type: Audit Status: Basic Audit
Date Audit RatingOverall Audit Statement/
Scoring
New:
Reasonably controlled:
In process:
Overview/Audit Objectives:
Audit Status
(please tick)Fin d in gs / R e c o m m e n d a t io n s
Ref. Impl
Report
GIAS Pending:
Done:
Open:
Mgmt. disagreed:
Audit Report No.:
Participants of Closing Meeting:
Distribution List:
Audit Title:
Date of Audit:
Auditor(s): Date of Closing Meeting:Executive Responsible:
Basic Audit
Follow-up
Audit I
Substantial Weakness
Weak
Needs Improvement
Meets Standard
Exceeds Standard
Status Check I
Status Check II
R Y G
R Y G
R Y G
Fig. 20 Management Summary
263
Chapters7.2.1)ispresentedvisuallyintheformofatraic-lightsystemasdemon-
stratedintheigureabove,assigningcolorstothefollowingcategories:
• red:“SubstantialWeakness”,“Weak”.
• Yellow:“needsImprovement”.
• Green:“MeetsStandard”,“ExceedsStandard”.
Astheauditcycleproceeds,themanagementsummarywillalsocontaininforma-
tiononthestatuscheckandthefollow-up(seeSectionB,Chapter6)toshowthe
entirehistoryoftherespectiveauditcycle.
HintsAndtiPs ;
• Beforesendingthemanagementsummaryforapproval,auditorsshouldreview
itwiththeAuditManagerincharge.
• Auditorsshouldensurethatthecontentsoftheindingscorrespondtotheaudit
objectives.
• Auditorsshouldkeepalist,sortedbyrating,oftheauditstheyhaveconducted
so that theycancheck theoverallobjectivityof theirassessmentsbymaking
comparisons.
5.2.5 Board Summary
KeyPoints •••
• heBoardsummarypresentsallBoard-relevantindingseitherforinformation,
fordecision,orforaction.
• heBoardsummaryisproduced,distributed,anddiscussedwiththeCEosep-
aratelyfromtheimplementationreport.
• PriorityBoardissuesarereservedformattersthatmustbereportedduringan
auditandallowInternalAudittoinvolvetheBoardactively.
heBoardmustbeinformedoftheauditresultsproducedbyInternalAudit.he
classiication into Board-relevant, regionally relevant, and locally relevant items
(seeSectionB,Chapter5.2.2andSectionD,Chapter7.2.1)isafeasiblemethodto
ilteroutnoteworthyitemsfromalargernumberofindings.Allindingslabeled
Board-relevantmustbeincorporatedintheBoardsummary.
heheaderareaoftheBoardsummarytemplatecontainsthetitle,number,and
dateoftheaudit.heoverallauditstatement(seeSectionD,Chapters7.2.1)isshown
as a traic light status. he Board summary also states the audit objectives. he
standardtemplatehascolumnsfortheindingsandrecommendations,theman-
agerresponsible,andthereferencetotheappropriateitemintheimplementation
report.hereferenceisparticularlyimportantifdirect(online)accesstotheap-
propriateindividualindingisrequired.Arowatthebottomcontainsinformation
onthepriority,statingwhethertheindingisreportedforinformation,foradeci-
informationfortheBoardinformationfortheBoard
structureofthestandardtemplatestructureofthestandardtemplate
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Standard Report Package for Audits
B|5|5.2
264
sion,or foractionby theCEo.hestandard template is freelyadaptable,which
meansthatitcanbesettooneortwoindingsperpage,forexample.hefooterarea
containsthecreationdate,thelocationoftheaudit,andthenamesoftheauditors.
TolettheBoardmembersknowthatthereportsarecompleteanddonothave
anyomissions,aBoardsummarymustbecreatedforeachaudit.Ifnoindingsof
relevancetotheBoardweremadeduringanaudit,theBoardsummaryshouldstate
this.
heBoardsummaryandthecompletedimplementationreportsarecompiled
anddistributedonlyaterthereportshavebeendiscussedwiththeauditedarea.
Aterthereportshavebeendistributed,theauditresultsrelevanttotheBoardare
normallydiscussedatregularmeetingsbetweentheCEoandtheCAE.Atthese
meetings,theCEoandtheCAEalsotakethenecessarydecisionsandinitiateac-
tionsaccordingtohowtheindingsarelabeled.Aterthemeeting,executiveman-
agementoftheareaisinformedoftheindingsrelevanttotheirarea.Sinceaudit
indingsarenormallyassociatedwithinancialrisks,theCForeceivescopiesofall
Boardsummaries.
PriorityBoardissuescomplementtheBoardsummaries.heirformandstruc-
turearethesameasthoseoftheBoardsummary,buttheyarecreatedwhilethe
auditisstillinprogressorbeforetheinalreportissubmitted.Insteadofauditind-
fullReportingfullReporting
CommunicationtotheBoard
CommunicationtotheBoard
PriorityBoardissuesPriorityBoardissues
Fig. 21 Board Summary
265
ings,theyrecordthestatusofmattersandproblemsinprogress.herecommenda-
tioncontainssuggestedoptionsforaction.PriorityBoardissuesthuscontainhighly
conidentialinformationaboutauditsnotyetcompletedandgiveInternalAuditthe
opportunitytoreporturgentmatterstotheBoardinadvance,agreedecisionsorac-
tionsonfurthertestprocedureswithitsmembers,andthusactivelyinvolvethemin
ieldwork.Memorandumsareusediftheinformationismorecomprehensive(see
SectionB,Chapter5.3.1).SincethistypeofreportmaycompromiseInternalAudit’s
independence,auditorsshoulduseitonlyinjustiiedexceptionalcircumstances.
HintsAndtiPs ;
• Auditors shouldwrite theBoardsummary last, aterall theother reportele-
ments,becauseonlythenwilltheyhaveageneraloverviewofthelogicaland
timesequenceoftheindingsandhowtheyinterrelate.
• AuditorsshouldalignthecontentsoftheBoardsummarywiththecontentsof
theotherreportsand,togetherwiththeirauditlead,prioritizetheactionsthat
theBoardneedstotake.
Fig. 22 Priority Board Issues
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Standard Report Package for Audits
B|5|5.2
266
• IfpriorityBoardissuesarenecessary,theauditorsshouldbeawareoftheobjec-
tivesandaskallmembersoftherelevantauditteam,theAuditManagerrespon-
sible,andtheCAEtoreadthem.
5.3 Other Report Formats
5.3.1 Memorandum
KeyPoints •••
• Memorandumsareusedtopresentspeciiccomplexmatters.
• heirpurposeistoshowthecircumstancesandtheresultingactionforaspe-
ciicpreliminaryresult.
• Memorandumscanalsobeusedtoincludesupplementarydocumentationand
toprovideadditionalexplanations.
• heyareveryadaptableandcanbeusedforavarietyofaudit typesandser-
vices.
hereareanumberofauditsandotherservicesforwhichconventionalreports(see
SectionB,Chapter5.2)areonlyrarelytheappropriateformofcommunication.he
reasonsmaybecontent(e.g.,verycomplexcircumstances)orthefactthatitmaybe
impossibletofollowtheAuditroadmap.Amemorandummaybeusedasanad-
ditionalreportformatinsuchcases.hememorandumisaclosedpresentationof
anindividualtopicthatisnormallycomplexinnature.
Memorandumsarepreparedespeciallyinthefollowingcircumstances:
• heauditresultcanbestbepresentedintheformofadescription.
• hesuggestionsareofageneralnatureorrelatetospeciiccases,sothatexplicit
recommendationsregardingtheimplementationofactionsarenotnecessary.
• heinformationisconidentialandshouldbesenttoalimitednumberofad-
dresseesonly.
• heindingspresented inan implementationreportorspecialreportrequire
additionalverbalexplanations.
• Apreliminaryresultistobereported.
• Detailedexplanationsofbackgroundfactsorexplanatorynotesonrelatedtop-
icsarenecessary.
Memorandumsaremostsuitableforcertaintypesofservices,suchaspre-investiga-
tions,reviews,andcertainsupportandconsultingservices(seeSectionA,Chapter
7).Memorandumsmayalsobewritteninconjunctionwithregularreports,forex-
ampleasasupplementtotheBoardsummary.
Amemorandumstartswiththeusualheaderinformation,followedbytheac-
tualreportsection.Typically,amemorandumisstructuredasfollows:
• backgroundandcurrentsituation/request,
deinitiondeinition
ReasonsforaMemorandum
ReasonsforaMemorandum
UseoftheMemorandumUseoftheMemorandum
MemorandumstructureMemorandumstructure
267
• auditcontentandobjectives,
• summaryofresults,
• auditsteps,
• results,
• requiredaction,and
• furtherinformation.
As inallotherreport formats, it is important topresent the informationclearly.
Especiallyforpre-investigations,amemorandumcanincludeargumentsforques-
tionsaboutfurtherstepsorpendingdecisionsandactions.Iffurtherieldworkis
performedaterthememorandumhasbeencompleted,thesubsequentauditre-
portmustreferencetothememorandum.
Animplementationreportisadditionallywritteniftheauditorswanttoaddress
the risk exposure of process steps in connection with a memorandum. In some
cases,thiscourseofactionisadvisable,becausetheimplementationreportcreated
togetherwith thememorandumwillassign therequired follow-upsteps toeach
indingorrecommendation.
It should also be pointed out that the report memorandum described here
shouldnotbeconfusedwiththememorandumcreatedatworkingpaperlevel.Al-
thoughtheformatsaresimilar,theircontentsarediferent.
HintsAndtiPs ;
• An impartial colleague in Internal Audit should read the memorandum and
checkthatitmeetsitscommunicationobjective.
• Whenpreparingamemorandum,theauditorsmustdecidewhetheranimple-
mentationreportwillhavetobecreatedinadditiontothememorandum.
5.3.2 Results Presentation
KeyPoints •••
• resultspresentationsaresuitableforpresentingthecontentofanaudit ifthe
auditorswanttointroduceresultsortestprocedurestootherpartiesordiscuss
themduringoratertheaudit.
• heauditresultshouldbesummarizedinaconclusiveandmeaningfulway.
• Aresultspresentationmayalsoprovideaninterimstatusofauditwork.
• Apartfromaudits,resultspresentationsareparticularlybeneicialforcustomer
projectreviewsandotherinternalprojects.
• Ifthediscussionoftheresultsdeliversnewinsights,theycanbedirectlyincor-
poratedinthepresentation.
formofPresentationformofPresentation
MemorandumandimplementationReportMemorandumandimplementationReport
ReportingVersusWorkingPapersReportingVersusWorkingPapers
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Other Report Formats
B|5|5.3
268
oncetheauditorshavecompletedanaudit,itmaybehelpfultocondensethere-
sults inapresentation, inadditiontoall theotherreport formatsmentionedal-
ready.Todoso,theauditorsshouldprepareaconclusive,meaningfulsummaryof
thekeypointsof theaudit.Aresultspresentationotenhas the followingstruc-
ture:
• purposeoftheaudit,
• descriptionoftheauditexecution,
• resultsoftheaudit,
• monitoringactivitiesduringtheaudit,
• costimpact,
• recommendations,
• alternativesforaction,
• furthersteps,and
• explanationsanddiagrams.
hepresentationmustnotrevealanydetailsabouthowtheauditwasconductedor
anyconidentialinformation.
Aresultspresentationmayalsogiveaninterimreportonieldwork.Byprovid-
inganinterimreport,theemployeesinvolvedinanauditandthoseinchargeofthe
auditedareacanbekeptinformedofthelatestauditresultsandworkprogress.To
keepsuchstakeholdersinformed,thecontentofthepresentationisdevelopedover
acertainperiod.hisgivespresentationsatwofoldpurpose:Tocommunicatethe
resultsandtofunctionasanaudittool.heinformationthathasbeencondensed
inaresultspresentationismoreeasilyabsorbedbytheaddressees,andtheimpact
canbehighlightedduringthemeeting,andplacedintherelevantcontext.
hestrengthofaresultspresentationisenhancedthroughinteractionbetween
auditorsandauditees,aswellasinthewaygraphicsanddiagramsareused.Graphs
anddiagramsmakecontenteasier tovisualize,andtheauditresultscanthusbe
communicatedmoreefectively.hismakesresultspresentationsparticularlysuit-
ableforcustomerprojectreviews.Inaddition,resultspresentationscanbeusedto
communicateinformationoninternalchangemanagementprojectsandcomplex,
cost-intensiveaudits.Formanagement, theauditresultscanbeanalyzedstatisti-
callyandtheprocesseddatacanbeshownincondensedform.Presentationsalso
allowlargergroupsofpeopletodiscusstheresults,anddiferentopinionscanbe
identiiedduringthepresentationorprovidedtoalargeraudiencefordiscussion.
Implicationsfromaresultspresentationcanbeincludedinanotherreport,such
astheimplementationreportoramemorandum.
HintsAndtiPs ;
• Whencreatingapresentation,anauditorshouldobtainsupportfromcolleagues
whohaveexperiencewithpresentations.
• Itisagoodideatopracticegivingthepresentationusingtheauditteamastrial
audience.
structureoftheResultsPresentation
structureoftheResultsPresentation
PresentationofinterimResults
PresentationofinterimResults
AdvantagesofResultsPresentations
AdvantagesofResultsPresentations
RelationtootherReportformats
RelationtootherReportformats
269
5.4 Periodic Reporting
5.4.1 Annual Report to the Audit Committee
KeyPoints •••
• Inaddition toaudit-relatedreports, InternalAuditalsopreparesperiodicre-
ports.
• heannualreporttotheAuditCommitteeprovidesacompletesummaryofthe
eventsthatoccurredinInternalAuditduringayear.
• It shouldcoverevents that tookplace in thepastaswellas include forward-
lookingstatements.
• heannualreporttotheAuditCommittee,canalsobesenttootherunits.
Inadditiontothecomprehensiverangeofdirectlyaudit-relatedreportsandanaly-
ses(seeSectionB,Chapters5.2and5.3),thereportsproducedbyInternalAuditalso
includeperiodicreports,althoughtheirstructuredifersfromtheactualauditre-
portsintermsofpresentationandinformationdensity.
DetailsofInternalAudit’srelationshipwiththeAuditCommitteeareprovided
in Section A (see Chapter 2.5.2). In addition to communicating details of audit
eventsverballytotheAuditCommitteeatregularintervalsoruponrequestinwrit-
ing,thewrittenannualreportisthefocalpointoftheinformationexchange.
heannualreporttotheAuditCommitteehasadeinedstructurecoveringthe
followingmainpoints:
• organizationalstructureofInternalAudit,
• auditperformancerecordofthepreviousyear,
• summaryofsigniicantindingsandimplementationactionsfromvariousau-
dits,
• auditplanforthecomingyear,
• supportactions,audits,andtestsscheduledinaccordancewithSoX,
• fraud,
• safeguardingrevenuerecognition,
• supportinotherprojects,
• internalprojectsofInternalAudit,
• cooperation,especiallywiththeexternalauditors,
• specialhighlightsinthedepartment,e.g.,signiicantinnovations,
• long-termplanningofInternalAudit,and
• majorauditfocusareasforthefuture.
hediferenttopicsarepresentedinaggregatedform.Inaddition,examplesofone
ortwoimplementationreportsshouldbeattachedtogivetheAuditCommitteea
feeling for the speciicproblems facedby InternalAudit.hereport shouldalso
includeayear-by-yearcomparison,whichshowschanges in InternalAudit’skey
iguresovertime(seeSectionD,Chapter7).
PeriodicReportsPeriodicReports
exchangeofinformationwiththeAuditCommittee
exchangeofinformationwiththeAuditCommittee
ContentoftheAnnualReportContentoftheAnnualReport
summarizedPresentationsummarizedPresentation
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Periodic Reporting
B|5|5.4
270
BeforetheannualreporttotheAuditCommitteeisdistributed,itissubmitted
totheBoardmemberincharge.heChairmanoftheAuditCommitteethendis-
tributesthereporttoitsmembers.InternalAuditarchivesthereportsinchrono-
logicalorder.hereportsplayanimportantroleforpeerreviews(seeSectionD,
Chapter9),becausetheyareawayforInternalAudittodocumentthatitismeeting
itsreportingobligations.Ifrequired,theannualreporttotheAuditCommitteecan
additionallybedistributedtotheexternalauditors.Alternatively,theexternalaudi-
torsmayjointheAuditCommitteemeetingduringwhichthereportispresented.
HintsAndtiPs ;
• Allauditorsshouldkeepinmindthattheirworkwillbeincludedintheannual
reporttotheAuditCommittee.
5.4.2 Other GIAS Information Services
KeyPoints •••
• heGIASletterisusedtoprovideinformationtotheBoardandotherdecision
makers;itcontainsinformationaboutInternalAuditactivityduringthelastsix
months.
• hequarterlybenchmarkingreportlooksatselectedkeyiguresinternallyand
externallyandcomparesthemtothepreviousyear’siguresforthepurposeof
internalcontrolandinformingspeciicareasofthecompany.
• GIAS@Work is a department-internal summary of the main work results
of the lastmonth. It isusedwithinGIAStoexchange informationamong its
employees.
InadditiontotheannualreporttotheAuditCommittee,thefollowingmediaare
usedatSAPtocommunicateinformationabouttheworkofInternalAudit:
• GIASletter,
• Benchmarkingreport(seeSectionD,Chapter7),and
• GIAS@Work.
Alltheabovereportsareissuedperiodically.heyprovidesummarizedinforma-
tionforspeciictargetgroupsandthusgiveaquickoverviewofthelatesteventsin
InternalAudit.
heGIASletterispublishedtwiceayear;itcontainssummarizedinformation
formembersof theBoardandotherdecisionmakers.Apart fromtherecipients
deinedinthedistributionlist,thisreportmayonacase-by-casebasisbesentto
otherorganizationalunits.heGIASletterisstructuredasfollows:
• structure,distribution,andnumberofGIASteammembers,
• auditsconductedandotherservicesperformed,brokendowninto
distributionoftheAnnualReport
distributionoftheAnnualReport
otherPeriodicReportsotherPeriodicReports
GiAsLetterGiAsLetter
271
■ scheduledaudits,
■ ad-hocaudits,
■ safeguardingrevenuerecognition,and
■ supportactionsandauditsinconnectionwithSoX,eachincludingthemost
signiicantauditindingsandactionsinitiated,
• signiicantInternalAuditprojects,and
• othersupportservicesprovidedbyInternalAudit.
he GIAS letter only contains selected key igures. hese are reported in much
greaterdetailinthequarterlybenchmarkingreport,whichlooksatkeyiguresof
InternalAuditinternallyandexternallyandcomparesthemtothepreviousyear’s
igures,thushighlightingimportantdevelopmentsforongoingcontrolandplan-
ning.BenchmarkingisusedfortheinternalcontrolofInternalAuditandtopro-
videinformationtoselectedareasofthecompany(seeSectionD,Chapter7).
ner,aone-pagesummaryprovidesinformationonthemainworkresultsofeach
regionalteamaswellastheSoXandtheITteam,sothateachInternalAuditem-
ployeecandevelopanunderstandingofthecurrenttasksandresultsofotherre-
gionalteams.Itallowsthedepartmenttoidentifyquicklyanysynergiesthatcanbe
exploited.Atthesametime,itprovidesadepartment-wideforumwhereemployees
cancontributetheirownresultsandsignaltheiropennesstocooperatewithpeople
experiencingthesameorsimilarproblems.Publishedmonthly,GIAS@Workisa
department-internalpaperthatmustbetreatedwithutmostconidentiality.
BenchmarkingReportBenchmarkingReport
GiAs@WorkGiAs@Work
B|5|5.4The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Reporting
Periodic Reporting
272
6 Follow-UpPhase6.1 Basics of the Follow-Up Phase
KeyPoints •••
• hefollow-upphaseservestoensurethatallrecommendationsgivenaterthe
basicauditareimplementedbythedeadline.
• hefollow-upphasebreaksdownintofoursub-phases:statuscheckI,follow-up
I,statuscheckII,andfollow-upII.
• Diferentareasofresponsibilityaredistinguishedintheoverallprocess.
• InadditiontoInternalAudit,otherpartiesmaybe involved in the follow-up
process.
hereleaseoftheinalauditreportmarkstheconclusionofthebasicaudit.Accord-
ingtotheAuditRoadmap,thisiswhenthefollow-upphasebegins.hemainobjec-
tive of this phase is to test whether the auditees have actually implemented the
recommendations that Internal Audit has made. he recommendations may in-
volveactionsthataresourgentthattheyneedtobeperformedpromptly.Other
recommendations may only be implemented in the medium to long term. Staf
shortages,changesintheorganizationalstructure,orchangestothecontentofpro-
cessesthatimpacttheindingsandrecommendationsalreadymademaydelaytheir
implementation.
hefollow-upphaseisaprocesswithwhichInternalAudittestswhetherthe
implementationactionsthemanagementoftheauditedareahasputinplaceare
adequateandefective,andwhetherdeadlinesweremet.heindingsandrecom-
mendations documented in the implementation report (see Section B, Chapter
5.2.3)ofthebasicauditformthebasisforthefollow-upphase.heseindingsmay
alsobebasedoninformationprovidedbyexternalauditorsandotherparties,such
asexternalconsultants,independentexperts,attorneys,etc.,whomayalsobein-
volvedinthefollow-upifnecessary.hefollow-upprocessmaysometimesresultin
newieldworkactivitiesbecausethefollow-uphasraisednewissues.Afollow-up
maythereforeleadtoieldworkwithregardto
• theactionsimplemented,and
• additionalindingsidentiiedasaresult.
Inaddition,ieldworkmayalsoresultfromnewindependentaudittopicsthatare
auditedduringthefollow-up.
he follow-up phase has four sub-phases: status check I, follow-up I, status
checkIIandfollow-upII.hespeciicpurposeofeachsub-phaseisexplainedbe-
low(seeSectionB,Chapter6.2).
Asshownintheigurebelow,theGIASfollow-upprocessdistinguishesbetween
astandardandanescalationprocess.Duringthestandardprocess,thestatuscheckI
(SCI)isperformed6-9monthsatertheendofthebasicaudit.Subsequently,the
follow-upI(FUI)isconducted12-15monthsatertheendofthebasicauditand,if
needforimplementingRecommendations
needforimplementingRecommendations
DeinitionDeinition
sub-Phasessub-Phases
timeframeforstandardandescalationProcess
timeframeforstandardandescalationProcess
273
necessary,isfollowedbyastatuscheckII(SCII)ater18to21months.hetime-
frameduringanescalationprocessistightenedasshownintheigurebelow.Ad-
ditionally,thereisanoptionalfollow-upII(FUII)auditincludedinthisprocess.
hebasicauditistheexclusiveresponsibilityofInternalAudit,butresponsibility
forthefollow-upphaseisshared:Managementmustimplementtheactions,and
managementandInternalAuditjointlymonitorimplementation.However,thefol-
low-upauditisconductedexclusivelybyInternalAudit.
Managementhasoverallresponsibilityforimplementingtherecommendations
made.he independent statusof InternalAuditprohibits internalauditors from
interferingwiththisprocess.Atbest,InternalAuditcanmonitortheactionswhile
theyarebeingimplementedorprovideconsultingsupport.However,thisfunction
canalsobeperformedbydepartmentsotherthanInternalAudit(e.g.,Corporate
ManagementAccountingorCorporateFinancialReporting).Insuchcases,Inter-
nalAuditisnot,oronlymarginally,involvedintheprocess.
InternalAudit’snextcontributionismadewhentheimplementationoftheau-
ditrecommendationsmustbeassessedfromanassurancepointofview,because
Internal Audit is the only body that can do so objectively and independently. If
ResponsibilitiesResponsibilities
involvementofthirdPartiesinvolvementofthirdParties
implementationAssessmentimplementationAssessment
Audit Phase
Follow-Up AuditsMonitoring and Status Check
2 weeks
draft period
and
2 weeks
�nal
version
discussion
FU I 4–6 and FU II 8–12 months
after end of Basic Audit
FU I 12–15 months after end
of Basic Audit
SC I 2–3 and SC II 6–9 months
after end of Basic Audit
SC I 6–9 and SC II 18–21 months after
end of Basic Audit
Audit
1month
Report
1month
1–2 weeks
preparation
and
1–2 weeks
execution SC I
SC I
0 21
SC IIFU I FU II
SC IIFU I
2–3 4–6 6–9 8–12
6–9 12–15 18–21
Standard ProcessStandard Process
Escalation Process
Follow-Up Phase
Fig. 23 Sub-Phases of the Follow-Up
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Follow-Up Phase
Basics of the Follow-Up Phase
B|6|6.1
274
other parties have been involved in the implementation of actions, the auditors
shouldcooperateandconsultwiththemclosely.
Eachsub-phaseofthefollow-upphasetakesplacewithinstrictlydeinedtime-
frames.heendofthefollow-upIImarkstheendoftheAuditRoadmapandthus
alsoofthecurrentauditcycle.
Audit topics oten change over time, primarily due to changing processes or
organizationalchangeswithinthecompany.Wheneverthathappens,theauditors
havetoredeinetheaudittopicsforthefollow-uporsometimesevenspecifynew
topics.hismakesitsigniicantlyhardertoupdatetheaudithistoryandtokeepit
comparable.HereitmaybeusefultomakecomprehensiveuseofITsystemsforthe
administrationandorganizationofthereportsanddocuments.
HintsAnDtiPs ;
• During theaudit,auditors shouldmakecontactwithall theparties tobe in-
volvedinthefollow-up.
• Ifaspectsoftheimplementationactionsarequeried,auditorsmustbecareful
nottoallowtheindingstobereinterpreted.
• Auditorsmustmakesurethatthedeadlinessetforimplementingrecommenda-
tionsaremet.heyshoulddocumentdelayssothattheycangivereasonsfor
anydelayifrequested.
LinKsAnDReFeRences e
• InSTITUTE OF InTERnAl AUDITORS.2001.Practice Advisory 2500-1: Monitoring
Progress. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnAlAUDITORS.2001.Practice Advisory 2500.A1-1: Follow-up
Process.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• KEATInG,G.1995.heArtoftheFollow-Up.Internal Auditor(April1995):59–62.
6.2 Follow-Up Phase in Detail
6.2.1 Status Check
KeyPoints •••
• hestatuscheckgivesseniormanagementtheopportunitytoactivelypartici-
pateintheimplementationmonitoringprocess.
• hestatuscheckisnormallyperformedinconjunctionwiththeemployeesof
theauditedarea.
• heaimistoreceiveinformationontheimplementationstatusasindicatedin
theimplementationreportbythemanagersresponsible.
LinkwiththeAuditRoadmap
LinkwiththeAuditRoadmap
changestothecontentofAudittopics
changestothecontentofAudittopics
275
• hestatuscheckformspartofthemonitoringprocessandshouldbeusedasthe
basisforalong-termrelationshipwiththeauditedareas.
hemonitoringoftheimplementationofauditrecommendations, i.e., thestatus
check, is performed separately from the actual follow-up audit (see Section B,
Chapter6.2.2)inordertoprovideaclearstructureandhighlightthedistinction.At
SAP,themonitoringprocessbreaksdownintothefollowingsteps:
• hemanagementresponsible,inconjunctionwiththeauditedarea,hastocon-
tinually monitor the progress of implementation actions, based on Internal
Audit’srecommendations.
• Managemententerstheresultofthemonitoringactivitiesinthe“StatuslocalMan-
agement”columnoftheimplementationreport(seeSectionB,Chapter5.2.3).
• hereportwiththeilledcolumn“StatuslocalManagement”issenttosenior
management:
■ Seniormanagementmustmonitorandconirmtheactionstakenbythere-
sponsiblemanagementandsendsthereporttoGIAS.
■ GIASinallycreatesastatuscheckreportandmakesanassessmentbasedon
“StatuslocalManagement”.
hestatusofoperationalmanagementcanbeclassiiedasfollows(seeSectionB,
Chapter5.2.3):
• Open:Recommendationhasnotyetbeenimplemented.
• Inprocess:hepersonsresponsiblehavestartedtoimplementtherecommen-
dation.
• Closed:Implementationoftherecommendationhasbeencompleted.
hestatus isnotupdatedbyInternalAudit,butby theoperationalmanagement
oftheauditedarea.hebackgroundtoandknowledgeaboutthestatuscheckpro-
cedureiscommunicatedtothosewhowereassignedresponsibilityattheclosing
meetingofthebasicaudit(seeSectionB,Chapter4.1.1).Anotherimportantpoint
isthatthe“GIASstatus”columnofthereportwillnotbeusedandupdatedduring
thestatuscheck(seeSectionB,Chapter5.2.3).
Duringtheimplementationprocess,operationalmanagementensuresthatthe
auditedareaassignstheappropriateimportancetotheimplementation.hestatus
checkisperformedbyseniormanagementandtheriskmanagementdepartmentin
conjunctionwith themanagersof theauditedarea.Ater the statuscheck, there
maybefurtherexchangesofinformationbetweenInternalAuditandtheaudited
area,aimedatclarifyingunresolvedquestionsorincorporatingchangedenviron-
mentconditions.
HintsAnDtiPs ;
• Auditors should try to clarify unresolved items directly and without oicial
meetings.
elementsofthestatuscheckelementsofthestatuscheck
operationalManagement’sstatusoperationalManagement’sstatus
importanceofthestatuscheckimportanceofthestatuscheck
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Follow-Up Phase
Follow-Up Phase in Detail
B|6|6.2
276
• Auditorsshouldmakeanoteofespeciallycriticalpointsthatshouldbeimple-
mentedanddiscussthemwiththeauditlead.
6.2.2 Follow-Up Audit
KeyPoints •••
• Afollow-upauditisintendedtoensurethatalltherecommendationsfroman
audithavebeenimplemented.
• Itisaspeciicsequenceofselectedieldworkactivities.
• hefollow-upassessestheimplementationstatusofeachrecommendation.
• Sometimes,newaspectsofabasicaudit(newcontent)canbeaddedtothefol-
low-up.
• Asecondfollow-upauditisschedulediftheirstfollow-upaudithighlightsre-
sultsthatdonotmeetthequalityrequirements.
• Ifthenecessaryimplementationisdelayedforaprolongedperiod,theauditors
shouldthinkaboutinstitutingconsequences.
hefollow-upprocessisoneofthephasesoftheAuditRoadmap.heirstfollow-
upauditshouldbescheduledaround12to15monthsatertheendofthebasicaudit.
hefollowingelementsarefeasibleforafollow-upaudit:
• follow-upieldworkonthebasisofpreviousindingsandrecommendations,
• individualprocessesorcomponentsofabasicaudit (dependingon theaudit
topic),
• importantissuesthattheBoardorregional/localmanagementhavelaggedup
sincethebasicaudit,and
• otherimportantissuesthatcometolightduringfollow-up.
Afollow-upmustbeconductedforeachstandardandspecialaudit.Ad-hocaudits
mayalsohavefollow-upaudits.Incaseofonlyafewminorindingsthereisthe
optiontoclosetheauditcycleaterstatuscheckI.Afollow-upaudittakesanaver-
ageoftwotothreeweekstoconduct.Iftheauditcontentisexpanded,thetimeit
takestoconductthefollow-upauditincreasesaccordingly.heincreaseinauditing
timeshouldbeinreasonableproportiontothestandardfollow-uptime, i.e., the
timetakenshouldnevermorethandouble.
Afollow-upauditnecessitatesthefollowingactivitieswithregardtotheindings
andtheimplementationofrecommendations:
• recordingtheactualimplementationstatusoftherecommendationsontheba-
sisofinformationordocumentssubmittedbytheauditees,
• gathering evidence that implementation has in fact taken place and the new
situationispracticedonaday-to-daybasis,and
• updatingtheauditreport(seeSectionB,Chapter6.3.1).
elementsoftheFollow-UpAuditelementsofthe
Follow-UpAudit
needfortheFollow-UpAudit
needfortheFollow-UpAudit
ActivitiesDuringtheFollow-UpAudit
ActivitiesDuringtheFollow-UpAudit
277
helastpointoftheabovelistisparticularlyimportantduringthefollow-upaudit,
whereInternalAudit’sstatuscanbeupdatedasfollows:
• In process: Implementation of the recommendation has not yet been com-
pleted.
• Reasonablycontrolled:InternalAudithasperformedainaltest.
• Open:Recommendationhasnotyetbeenimplemented.
• Done:Amattercanberesolvedconclusively.
Forvariousorganizationalorcontent-relatedreasons,InternalAuditmaybeunable
todetermineifrecommendedmeasureshavebeenimplementedasrequired.Fol-
low-upauditsmaybeimpededbystafbeingunavailable,newguidelineshaving
beenissued,organizationalstructureshavingchanged,orfunctionsandprocesses
nolongerbeingapplicable.Insuchcases,InternalAudit’sstatusmustbeinterpreted
inthelightofthelatestcircumstancesintheauditedarea.
In terms of content, two diferent scenarios are conceivable for a follow-up
audit:
• heimplementationreportformstheworkingbasisforallfollow-upauditac-
tivitiesthatresultfromindingsofthebasicaudit.Itthusreplacestheworkpro-
gramofthebasicaudit.Dependingontheparticularrequirements,ieldwork
may have to be performed and working papers created. he follow-up audit
shouldalsohaveanopeningandaclosingmeeting.
• Ifnewaspectsandissuesareaddedtothefollow-upaudit,theAuditRoadmap
shouldbeappliedbyanalogytothesenewelements.hismeansthataseparate
workprogrammustbecompiledforthenewaspects,whicharethendealtwith
aspartofanewbasicauditconductedatthesametimeasthefollow-upaudit.
hiskindofadd-onshould,however,remainanexception.Inthecaseofaudits
thatrequireextensivetraveling,theremaybeeconomicreasonsforaddingto
thefollow-upauditnewtopicsthatwerenotpreviouslypartofthebasicaudit.
Even if elementsofbasicaudit and follow-upaudit arecombined, theymustbe
presented in separate reports,becausea cleardistinctionbetweenaspectsof the
follow-upauditandthosefromtheadditionalbasicaudit,i.e.,betweenoldandnew
elements,hastobemade.
Iftheauditorsindoutduringthefollow-upIthattheimplementationofrec-
ommendationsandactionsisnothavingthedesiredsuccessandiftheratingofthe
basicauditwasredtheescalationprocesswillproceedandaterastatuscheckII,
theauditorswillscheduleafollow-upIIaccordingtotheGIASescalationprocess
timeschedule(seeSectionD,Chapter6).hefollow-upIIdealsexclusivelywith
theitemsstilloutstanding.
hefollow-upIIisonlyconductedifnecessaryandisthereforeoptional.Ifthe
traiclightstatusisred(seeSectionB,Chapter6.3.2)atthefollow-upI,afollow-up
II ismandatory.heresultof the follow-upII isinalandshouldbereportedas
such.Iftheresultisunsatisfactory,theBoardshouldreprimandtheauditedunit.If
internalAudit’sstatusinternalAudit’sstatus
impededFollow-UpAuditimpededFollow-UpAudit
Follow-UpAuditscenariosFollow-UpAuditscenarios
ReportingonacombinationofBasicAuditandFollow-Up
ReportingonacombinationofBasicAuditandFollow-Up
Follow-UpiiFollow-Upii
UnsatisfactoryFollow-UpUnsatisfactoryFollow-Up
B|6|6.2The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Follow-Up Phase
Follow-Up Phase in Detail
278
eventhefollow-upIIleavesissuesunresolved,theauditorsmustdecideonthebasis
ofthecaseinquestionhowtoproceedfurther(seeSectionD,Chapter6onescala-
tion).
Completionoftheentirefollow-upphasemarkstheendoftheauditcycle.In-
ternalAuditisresponsibleforconductingfollow-upaudits,andnormallytheteam
thatconducted thebasicauditwillalsoperformthe follow-up. Insomecases, it
may,however,makesensetouseadiferentauditteamtotheonethatconducted
thebasicaudit.likewise,itispossibletouseguestauditors(seeSectionD,Chapter
10).hisdecisionshouldinparticularbemadeinlightofindependenceconsider-
ations,becauseadiferentteamofauditorsmeansthatimplementationisnotmon-
itoredbythesameauditorswhomadetheindings.
HintsAnDtiPs ;
• Whenpreparingforafollow-upaudit,auditorsshouldfamiliarizethemselves
withchangesincircumstancesandotherinluencingfactors.
• Auditorsmustagreeanychangestotheoriginalauditrecommendationswith
theauditlead.
6.3 Reporting During the Follow-Up Phase
6.3.1 Updating the Audit Report
KeyPoints •••
• heresultsofthefollow-upphasemustbecarefullydocumented.
• hisappliestoboththestatuscheckIandIIandthefollow-upIandII.
• heappropriatereferencingmustbeincludedinthedocumentation.
• hemanagement summaryand theBoard summaryadditionally contain re-
marksonthequalityoftheimplementationstatus.
heresultsofthestatuscheckandthefollow-upauditmustberecordedcarefullyin
theauditreports,i.e.,theauditreportsmustbeupdated.First,theresultofthesta-
tuscheckisdocumentedonthebasisoftheimplementationreport(seeSectionB,
Chapter 5.2.3). his is done with a copy of the implementation report used as a
templateforthestatuscheckreport.Onlymanagement’sstatusisupdatedinthis
copy.However, themanagementsummary isnotchanged.Audit leadandAudit
Managerareresponsiblefordistributingthestatuscheckreporttotheauditedunit
and operational management, the senior managers concerned, and the relevant
membersoftheBoard.
heactualfollow-upauditreportplaysadiferentrole,asshowninthediagram
below.heauditorsshouldshowaclearlinktothepreviousreportsbycompleting
Responsibilityandindependence
Responsibilityandindependence
Documentingthestatuscheck
Documentingthestatuscheck
DocumentingtheFollow-UpAudit
DocumentingtheFollow-UpAudit
279
aseparatereferencecolumn,where theyenter thereference toindingsmade in
previous reports.At the same time, theauditors shouldupdate the statusof the
indingstransferredfrompreviousreports.heycanalsoincludenewindingsin
thereport,initiallywithoutreference.InthemanagementsummaryandtheBoard
summary,thestatusofindingsisshowninaseparatecolumn.Alsonotethatthe
follow-upstatusisreportedtotheBoardinareporttemplatespeciicallydeveloped
forthispurpose.
Inthecaseofanewbasicaudit,anyunresolvedindingsareenteredinadvancein
thenewbasicauditreport.heauditorsmustpointoutthattheseindingscome
fromanearlierauditcycleandthattherecommendedactionshavenotyetbeen
implemented. Even if, because of extraordinary circumstances, the second basic
auditimmediatelyfollowsthestatuscheckandwithoutirstconductingafollow-up
audit, the transferof theunresolvedindingsmustbeclearlydocumented.Each
indingmustbedocumentedwithoutanygapsuntilsuccessfulremediationofthe
indingcanbedemonstrated.
DocumentinganewBasicAuditDocumentinganewBasicAudit
Fig. 24 Follow-Up Report Template
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Follow-Up Phase
Reporting During the Follow-Up Phase
B|6|6.3
280
HintsAnDtiPs ;
• Auditorsshouldensurethatstatementscontainedinearlierreportsdonotcon-
lictwiththecurrentdocumentation.
• Auditors should always report to the management in charge and the Board
when the status of signiicant indings and implementation actions has been
updated.
6.3.2 Measuring Audit Outcome
KeyPoints •••
• Toguaranteethattheresultsofthefollow-uparereportedaccuratelyandclearly,
anassessmentandratingisproducedforeachinding,andthusforeachreport.
hissupportsimplementationmonitoring.
• ItisaprerequisitethattheB,R,andlclassiicationismaintainedandthefol-
low-upstatusiscarefullyandregularlyupdated.
• heratingofeachindingproducesanoverallresultandanoverallratingfor
eachfollow-upreport.
• heresultsarealsopresentedinatraiclightsystem,indicatingthestatusas
green,yellow,orred.
• heratingoftheresultscanalsobeusedforbenchmarkingandtrendanalysis,
whichprovidesinformationonhowthoseresponsiblehavegoneaboutimple-
mentingInternalAudit’srecommendations.
Toemphasizetheimportanceofthefollow-upphase,it isnecessarytomakethe
outcomeofeachofitssub-phasesmeasurableanddisplayitindiagramsortables.
Iftheimplementationmeasuresareclearlyandtransparentlyratedandvisualized
inaformatthatiseasytofollow,itiseasierforInternalAuditandtheauditeesto
analyzetheresultsofthefollow-upphase.
Ratingthefollow-upmeans:
• hestatusofthefollow-upmustbeclearlydeined.
• Eachfollow-upreportissubjecttoafullratingprocess(seeSectionD,Chapter
7.2.3).
• Eachindinginthefollow-upreportisthereforerankedaccordingtoanindi-
vidualassessmentandweighting.
• heB,R,andlclassiications(seeSectionB,Chapter5.2.2)areanimportant
basisfordeterminingthefollow-uprating(seeSectionD,Chapter7.2.3).
Inthefollow-up,theeiciencyoftheimplementationprocess ismeasuredwhile
theoverallauditstatementforthebasicauditshowsthenumberandsigniicanceof
auditindingsintermsofcontent.
needforMeasuringsuccess
needforMeasuringsuccess
RatingtheFollow-UpRatingtheFollow-Up
281
he results of the follow-up and the respective follow-up rating support the
monitoringprocessoftheimplementation.hismonitoringfunctionisanintegral
partof the follow-upphase.Reportingprovidesevidenceof the implementation
actions and thus ensures Internal Audit’s own protection, because it ultimately
demonstratesthesuccessoftheauditcycle.Ifafollow-upidentiiescompletelynew
auditindings, theywillbe includedintheassessmentandbenchmarkingof the
follow-upprocess.
Consistent,stringentmonitoringensuresthat:
• thesustainabilityofInternalAudit'srecommendationsisexplainedtothosere-
sponsible,
• follow-upscanbemeasuredandcompared,thusmakingtheoverallsuccessof
theauditcyclemeasurable,andthat
• allthepeopleresponsible,includingmanagementandtheBoard,areinvolvedin
thefollow-upprocess.
InthemanagementsummaryandtheBoardsummarythefollow-upresultisrated
withatraiclightsystemofgreen,yellow,orred(fordetailsoftherating,seeSec-
tionD,Chapter7.2.3).Ifthestatusis“red,”explanatorycommentsmustbeadded.
Auditorsmaintaineachreportcarefullyandupdateitregularlytoensurethatall
itemsareincludedintheoverallfollow-uprating.AuditleadandAuditManager
areresponsibleforenteringtherelevanttraiclightstatusinthereports.
hekey indicators fromthe follow-upphasealso formpartofahigher-level
performancemeasurementprocessforInternalAudit(seeSectionD,Chapter7),
where they constitute one of the key variables (average implementation rating),
thusmakingasigniicantcontributiontodeterminingtheefectivenessoftheinter-
nalauditdepartment.Whenthisratingisbenchmarkedbetweendiferentdepart-
mentsandagainstinternalauditdepartmentsinothercompaniesandanalyzedover
severalyears,itproducestrendinformationonchangesinthequalityofauditim-
plementation.
hetraiclightsystemformonitoringthefollow-upprocessisaprocess-based
quality controlof the implementationprocess.All stagesof the follow-upareof
coursesubjecttothesameformalqualitycriteriaasthoseofthebasicaudit, i.e.,
workprogressischeckedandapprovedonthebasisofeachqualitygate(seeSectionD,
Chapter5).
HintsAnDtiPs ;
• Sometimesitmaybenecessarytoclarifywhethermeasurescanrealisticallybe
implemented,orwhetherthenecessaryprerequisitesareveriiablynotinplace.
• Information on slow implementation or reasons for delays should be docu-
mentedintheworkingpapers.
MonitoringFunctionoftheRatingMonitoringFunctionoftheRating
MonitoringResultMonitoringResult
traic-Lightsystemtraic-Lightsystem
UpdatingandAdaptingtheReportsUpdatingandAdaptingtheReports
Higher-LevelPerformanceMeasurement
Higher-LevelPerformanceMeasurement
QualityGatesQualityGates
B|6|6.3The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Follow-Up Phase
Reporting During the Follow-Up Phase
282
7 SpecialAuditRoadmaps7.1 Objectives of Special Audit Roadmaps
KeyPointS •••
• heAuditRoadmapisaframeworkthatcanbeadaptedtodeinemodiiedpro-
cedures.
• heseincludefurtherdevelopmentofthestandardAuditRoadmapandhigh-
lightingindividualprocessmodels.
• here are many diferent reasons for special Audit Roadmaps: Increasingly
complextopics,useofIT,diferenttargetgroups,blurringofauditcategories,
standardizationofalternativeservices,andmodularbreakdownoftheservices
providedbyInternalAudit.
heongoingdevelopmentoftheAuditRoadmap,whichhastoincorporatethetop-
icspresentedinSectionD,isoneofthemainlong-termobjectivesofInternalAudit
atSAP.hishelpsguaranteecompliancewiththeauditingstandardsandthesecu-
rityofInternalAudit’sownprocessandcontrolchecksunderSOX.Foranumberof
importantaudittopics,thestandardAuditRoadmaponlyprovidesaframeworkof
basicmethodsandtechniques,inspiteofitscomplexity.Elementsofcontentand
otherinluences,suchastheregionalaspectsofanauditortheproceduresthatre-
sultfromtherelevantauditields,makehavingadditionaloradaptedAuditRoad-
mapsseemagoodidea.hereasonsareasfollows:
• he increasing complexity of topics oten calls for speciic question catalogs,
testingprocedures,andworkingpapers.heresultingspecializationmoreover
otenentailsadditionalauditstepsortheinvolvementofexternalexperts,which
inturnrequiremoreconsultationanddocumentation.
• hegrowinguseofITandtheincreasingnetworkingofmoderncommunica-
tionshaveledtomodiiedauditmethodsbeingused.However,forcertainaudit
topics,conidentialityrequirementsallowforcertaintypesofmeetings,suchas
telephoneorvideoconferences,onlyifadditionalnon-disclosuredeclarations
andsecurityarrangementsareinplace.
• herisingnumberofdiferenttargetgroups(e.g., theDisclosureCommittee,
compliancedepartments)ofaninternalauditdepartmentalsomakesitneces-
sarytousenon-typicalauditprocedures.Examplesincludeadditionalprelimi-
narymeetings,internationalconsultation(e.g.,withregardtointernationalse-
curitystandards),andspecialreportingrequirementsthattakeculturalaspects
andinterdisciplinarycontactsintoaccount.
• heincreasingdiferentiationbetweenlocal,regional,andglobalauditsonthe
onehand,combinedwiththeneedtostandardizetheseauditsontheother,re-
quiresinterfacesandconsultationmechanismstobedeinedamongallemploy-
eesinvolved.hediferentauditcategorieswillhaveanincreasinglydiversemix
oftopicsinthefuture,makingitevermorediiculttoassignaspeciicauditto
onecategoryoranother.
ReasonsforSpecialAuditRoadmaps
ReasonsforSpecialAuditRoadmaps
increasingComplexityoftopics
increasingComplexityoftopics
Useofinformationtechnology
Useofinformationtechnology
DiferenttargetGroupsDiferenttargetGroups
BlurringofAuditCategories
BlurringofAuditCategories
283
• hediferentservicesthataninternalauditdepartmentwilloferinthefuture
may require that some procedures are modiied. To this end, special Audit
Roadmaps for pre-investigations, reviews, and audit-related implementation
supportmayconceivablybeused;attheirvariousstagestheywillrequiretheuse
ofspeciicprocedures.Forexample,cataloguingthemeasurestobeperformed
isanimportantaspectofreviews.Specialproceduresalsohavetobedeinedfor
thenon-auditrelatedservicesofInternalAudit.hismayleadtooverlap,aswell
asadditionsandinterfaceswithregardtootherprocessmodels,e.g.,theaudit
processmodel.However,aspartofthisprocess,theaudit-speciiccontentofthe
AuditRoadmapisnotbeingsubsumedintotheprocessmodelsofothercorpo-
rateunits,suchasRiskManagement.hedualismoftheindependenceofthe
auditprocessanditsintegrationintootherprocedure-basedmodelsisamajor
challengeoffutureprocessstructuresinaudit-relatedareas.
• Acertainamountofdevelopment timewill stillbenecessarybefore Internal
Audit’sserviceproilescanbegeneralizedforexternaluse,butinitialsignscan
beidentiiedalready.AnimportantprerequisiteistobreaktheAuditRoadmap
downintomodules.Itwould,forexample,bepossibletoproduceaninternal
andexternalauditservicecatalogofInternalAuditunderwhichservicepack-
agesareprovidedforplanning,execution,andreportingindiferentlegalsys-
tems,sectorsoftheeconomy,andindustries.heAuditRoadmapisthusused
asastructuretoprocessspeciicauditcontentonanindividualandsoundsci-
entiicbasis.hisallowsauditorstoincorporateauditrequirements,procedures,
andresponsibilitiesthatarecommoninthesector,demandedbyindustryas-
sociations,ornecessaryintermsofsecurity.henextstepwouldbetocreate
comprehensiveservicecatalogsspeciictoeachphase,whichwouldalsosup-
portabillingsystemfortheservicesprovided.hiswouldcreatetheprerequi-
sitesforInternalAudittobestructuredandmanagedasalegallyand/orcom-
merciallyseparateentity.
he above reasons for developing special Audit Roadmaps explain that Internal
Auditisturningintoaservicedepartmentandcanthusmeetdiferentobjectives
andservediferenttargetgroups.heyhighlightlong-termdevelopmentperspec-
tives, especially since issues such as compliance, process efectiveness, and safe-
guardingofinternalcontrolsareincreasinglyimportantintheinternationalarena.
HintSAnDtiPS ;
• AuditorsshoulddiscussspeciicrequirementsontheAuditRoadmapwithother
teammembersandtheAuditManager.
• AuditorsshouldanalyzeanyexistingAuditRoadmapsandusethemforideasso
thattheycandeinetheirownindividualAuditRoadmapswhennecessary.
• Tothisend,auditorsshouldmakeanoteofallnoteworthyelementsthatcould
generallybeusedascriteriaforindividualAuditRoadmaps.
RangeofServicesRangeofServices
ModularBreakdownModularBreakdown
DevelopmentPerspectivesDevelopmentPerspectives
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Special Audit Roadmaps
Objectives of Special Audit Roadmaps
B|7|7.1
284
7.2 Audit Roadmap for Fraud Audits
KeyPointS •••
• Inthefraudauditield,aglobalauditdepartmentmustrespondreactivelywith
ad-hocauditsandproactivelywithpreventiveaudits.
• heScopeisbasedonprocessesandprocessweaknessesaswellasfraud-related
andcompliance-relatedmatters.
• ExperiencefromSOXauditsandfraudauditsareincorporatedinInternalAu-
dit’srisk-basedannualauditplanning.
• he preparation and execution of a fraud audit involves comprehensive fact
gathering,whichmustidentifyandassessallaspects.
• hereportsarebasedontheimportanceandimpactofthefraudcaseandthe
needforafollow-up.
heprocedureforfraudauditsdifersfromthatusedforotheraudits,whichmeans
thataspecialAuditRoadmapforfraudshouldbeapplied(fordetailsonhowInter-
nalAudithandlesfraud,seeSectionD,Chapter13).Itscontentisdiferentfromthe
standardAuditRoadmap,becausefraudauditsrequirespecialpreparationandfo-
cusondiferentviewsandworkaspects.Forad-hocfraudaudits,itisnecessaryto
gatherdetailedinformationwithinasshortaperiodoftimeaspossible.heinfor-
mationisusuallysubstantiallyaugmentedbycarryingoutbackgroundresearchto
shedlightonandassessthesituation.herestofthischaptershowsindetailfor
eachphasewhatthestandardAuditRoadmapandtheAuditRoadmapforfraud
auditshaveincommonandwheretheydifer.
Similar to the standard Audit Roadmap, the planning phase comprises the
Scopes, auditplanning, and, if applicable, theaudit request.heCoreScope for
fraudincludestheKeyScopesdeinedforthisauditield(seeSectionD,Chapter13)
whichrelecttheriskareasdeinedforfraud.heyarealsobasedonmattersrele-
vantundercriminalandcompliancelaw.heKeyScopesarethestartingpointfor
case-speciicfraudauditsandforthecreationofindividualworkprograms.hey
also form the basis for process-oriented preventive audits. he contents of the
Scopesbreakdownintointernallycommittedfraud(fraudcommittedbyemploy-
ees)andexternallycommittedfraud(fraudcommittedbythirdparties).
Audittopicsconnectedwithpossiblefraudulentactivitiesareconsideredinthe
annualauditplanningprocess(seeSectionD,Chapter3). In linewiththeAudit
Roadmapforfraud,theauditteamresponsibleinternallycollectsandassessescases
offraudthathaveoccurredinthecourseoftheyear.Sourcesmayincludethere-
sultsofad-hocaudits,weak-pointanalyses,SOXaudits,andstandardaudits.
In addition, speciic preventive audits (primarily process and transaction au-
dits)maybeincludedintheannualauditplan.InternalAuditmayalsoreceivere-
portsofcasesfromvariouscorporateunits,suchasthelegaldepartment,employee
FraudAuditRoadmapFraudAuditRoadmap
ScopeScope
AnnualAuditPlanningAnnualAuditPlanning
AnnualAuditPlanning:PreventiveAudits
AnnualAuditPlanning:PreventiveAudits
285
representatives,orthecompliancedepartment;thesecasesmayalsobeturnedinto
possibleaudittopics.
Ad-hocauditsaretriggeredbyauditrequests(seeSectionB,Chapter2.3).When
therequesthasbeenassessedbytherelevantAuditManageranddiscussedwiththe
CAE,acase-speciicad-hocauditorapreventiveauditmaybescheduledifappro-
priate.Suchauditsareimmediatelyaddedtotheexecutionplanning.
Duringthepreparationphase,InternalAuditmustgatherasmuchinformation
aspossibleaboutthefraudcase.Ifthefraudhasbeenreportedanonymously,this
information must be analyzed with special care. Additional information may be
obtainedbyusinginternalITsystemsorquestioningotheremployees:Wheninves-
tigatingananonymouslyreportedcaseoffraudulenttravelexpenses,forexample,
InternalAuditcangothroughrelevantdataanddocumentsinadvanceandobtain
informationabouttheaccusedemployeebyaskingspeciicquestions.Inthebest
case,theallegationcanberefutedbypresentingthefacts.However,ifthatisnot
possible,theauditorsmusttakefurthersteps,allofwhichhavetobedocumented
inaworkprogram.
heworkprogrammustbe tailoredto thesituation inquestionandmustbe
adaptable to all possible scenarios. Sometimes the main focus is on questioning
employees,butatothertimestheauditorsperformanalysesintheinternalsystems.
heworkprogramshouldnotbelimitedtothefactsthatareknownalready,but
allowtheauditorstotakeanyactionthatgivesthemascomprehensiveanoverview
ofthesituationaspossible.Newfactsmaycausethefocustoshitatanytimedur-
ing theaudit.Auditorsmayonlydrawconclusionsater thecompletionofaudit
activities,oncetheyhaveexhaustedallwaysofobtaininginformation.Hereitmay
happenthatdetailedanalysisofcertaintransactionsrevealsthatnofurtheraction
needstobetaken.
Auditorsshouldfamiliarizethemselveswiththefactsofthematterduringthe
preparationphase.heyshouldcompilequestioncatalogsaspreparationforinter-
views.heinterviewswillvarycasebycaseandshouldthereforebenewlyprepared
foreachaudit,althoughquestioncatalogsfrompreviousauditscanbeusedforguid-
ance.heauditorsalsoshoulddevelopa strategyas tohowandwhen tocontact
certainpeopleandestablishtowhatextenttheycandisclosethecontentoftheaudit,
andwhethersomeinterviewsmustbecoordinatedwithHumanResourcesandthe
legaldepartment.hey shouldalwaysdiscuss these steps inadvance in theaudit
teamandwiththeAuditManagerconcerned.Agoodwaytoprepareisthereforeto
holdaconstructivemeetingtogatherandcoordinateideasintheauditteam.
heobjectiveofauditexecutionistogatherfacts,e.g.,throughinterviews,sys-
tem analysis, collecting background information, etc. Auditors can use internal
and,asfarasaccessible,externalsystemsforthispurpose,eithertocollectdataor
toprocessdataforanalysis.Itisimportanttomakeanaccuraterecordinthework-
ing papers of the data analyzed and the results produced. he following are the
maindiferencesfromanormalaudit:
AuditRequestAuditRequest
CollectinginformationDuringthePreparationPhase
CollectinginformationDuringthePreparationPhase
WorkProgramWorkProgram
otherPreparationsotherPreparations
AuditexecutionAuditexecution
B|7|7.2The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Special Audit Roadmaps
Audit Roadmap for Fraud Audits
286
• Specialdataprotectionrequirementsmustbeobserved.
• Sincethematterissensitive,theauditotenhastobeconductedcovertlyandthe
documentationadaptedaccordingly,includingdocumentsthatmaybeusedin
acourtoflaw.
• he entire audit must be conducted with the awareness that the results may
havetobemadeavailabletoexternalparties,suchasthecourtsorthedistrict
attorney.
• hereareuncertaintiesregardingtheexecution,outcome,andconsequencesof
theaudit,whichmayinluencethebehaviorofindividualauditors.
Detaileddocumentationsupportsthestrengthoftheevidenceprovidedbytheau-
ditresults.Tothisend,theauditorsshouldincludeasmuchindividualdataaspos-
sibleandaccuratelytracethetransactionhistoryinordertoproveanyirregulari-
ties.Inthecaseofpostingasupplierinvoice,forexample,thisincludes:
• receiptofinvoice,
• preliminarypostingofdocument,
• invoiceapproval(date,nameofauthorizingemployee),
• postingofinvoice(accounts,postingtext,postingdate),
• releaseforpayment(date,nameofauthorizingemployee),
• payment(bankaccounts,date),and
• archivingofsupplierinvoice(date,nameofarchivingemployee).
Auditexecutionalsoservestoindoutwhetherfurtherdamagehasbeendoneor
couldbedoneinthefuture.Fraudauditsthereforeincluderecordingtheprocesses
sincemostcasesoffraudarepossibleonlybecausethecontrolsareweakornon-
existent.hecombinationofindividual,normallyperson-related,one-timeaudits
with process audits causes the elements of the traditional audit to mix with the
specialaspectsofthefraudaudit:heobjectiveistomeasuretheextentofthedam-
ageandtobuildandstrengthentheprocessesandcontrols.
Reportsonfraudauditsmaybevaried,dependingonthetypeoffraudauditand
theensuingconsequences.Inthecaseofad-hocaudits,thesituationispresentedin
amemorandum,andtheindingsandrelevantrecommendationsareembeddedin
animplementationreport.hereportformatforpreventiveauditsisthestandard
reportpackage.
hefollow-upprocessisthesameasinthestandardAuditRoadmap.However,
insomecasesoffraudaudits,thefollow-upmustbeconductedearlierorimmedi-
atelyaterthereporthasbeenpresented.hishappensincases,forexample,where
theauditorsmustensurethattheaccountsarecorrectedimmediately.Moreover,if
measuresbythehumanresourcesdepartmentarenecessary,itmaybeimportant
forInternalAudittoindoutwhatmeasureshavebeentaken.hismaybeimpor-
tant for reporting the matter immediately to the Board and for complying with
deadlinesorreportingrequirementssetbylaborlaw.Ifafraudaudithasidentiied
DetailedDocumentationDetailedDocumentation
ProcessesandControlsProcessesandControls
ReportingReporting
Follow-UpFollow-Up
287
animmediatedangertothecompany,emergencymeasuresmayhavetobeintro-
duced,whichinturnmustbetestedimmediatelybyInternalAudit.
HintSAnDtiPS ;
• Auditorsalwayshavetoapproachthesituationtobeinvestigatedfromanim-
partialangle.
• heyshouldincludealleventualitiesintheirinvestigation.
• Itisbettertotestsomethingsuperluouslythantooverlooksomething.
LinKSAnDReFeRenCeS e
• INSTITuTE OF INTERNAl AuDITORS.2001.Practice Advisory 1210.A2-1: Auditor’s
Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection. Altamonte
Springs,Fl:heInstituteofInternalAuditors.
• INSTITuTEOFINTERNAlAuDITORS.2001.Practice Advisory 1210.A2-2: Auditor’s
Responsibilities Relating to Fraud Investigation, Reporting, Resolution, and Communica-
tion.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• MCCONNEll, J., K. DONAlD, AND G. BANKS.1997.heNewFraudAuditStan-
dard.CPA Journal (June1997):22–29.
• NyABuTO,S.,ANDB.MIIA.2007.IntelligentFraudFighting.Internal Auditor(Febru-
ary2007):45–50.
• MOyES,G.,P.lIN,ANDR.lANDRy.2005.RaisetheRedFlag.Internal Auditor(Oc-
tober2005):47–51.
• ZWIRN,E.2005.SoundSkepticism.Internal Auditor(February2005):73–77.
7.3 Audit Roadmap for Management Process Audits
KeyPointS •••
• For management process audits, the standard Audit Roadmap should be
adapted.
• Appropriate procedures and documents should be used to reconcile target
groupspeciic features to themethodsandproceduresof the standardAudit
Roadmap.
• Important modiications and additions include the description of the Key
Scopes,condenseddocumentationofauditobjectivesandprocessformanage-
ment,specialguidelinesforexecution,amodiiedreportingsystem,andaper-
sonalfeedbackdiscussion.
• Inthefuture,internationalpracticesandrequirementswillhaveaparticularly
stronginluenceonauditproceduresintheareaofmanagementprocessaudits.
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Special Audit Roadmaps
Audit Roadmap for Management Process Audits
B|7|7.3
288
Managementprocessaudits(seeSectionA,Chapter6.2.2andSectionC,Chapter
5.4)arebecomingincreasinglyimportant.Amajorreasonforthisisthatthework
ofmanagersisbecomingmoreandmorethefocusofexternalcontrolandduecare
requirements.ForInternalAudit,thisresultsintheneedtoprovideacleardeini-
tionofieldwork in thisauditield. Inaddition tocreatingadedicatedScope, it
helpstohaveinplaceamodiiedversionoftheproceduralauditmodel,theAudit
Roadmap.hismodiicationgainsinimportance,complexity,anddynamicswhen
theauditorslookatmanagement-speciicinterestsatdiferentmanagementlevels.
hefamiliarstructureoftheAuditRoadmapisnotsubstantiallychangedforman-
agementprocessaudits:hephasesremainintact,andmostofthesub-phasesalso
occur.Still,itisadvisabletoadaptorexpandcertainproceduresspeciicallyforthis
auditield.MoredetailedanalysisoftheAuditRoadmapintendedforthispurpose
revealsthefollowingspeciicfeatures:
ReasonsfortheModiiedAuditRoadmap
ReasonsfortheModiiedAuditRoadmap
MainFeaturesMainFeatures
Scopes
Audit
announce-
ment
Work
programFieldwork
Working
papers
Status
check
Follow-up
I + II
Annual
audit
planning
Audit
request
Dra
ft
Draft
Dis
cuss
ion
Discussion
Final
Rep
ort
Final Report
Arc
hivin
g
Archiving
Follow-upReportingExecutionPreparationPlanning
Management
process
audit Scope
Work program
with management
controls
Audit announcement
including management
process audit manual
Management
process audit
interview guidelines
Implementation reportFollow-up
feedback
Fig. 25 Audit Roadmap for Management Process Audits
289
• Whendescribingtheauditsegmentsasdetailedcontent,i.e.,theindividualKey
Scopes,theauditorsshouldpayparticularattentiontotheresponsibilitieslaid
oute.g.inthemanagementengagementmodelwithitsrespectivecomponents
(inance,compliance,operations,humanresources).Hereitmaybeanadvan-
tagetoaskthemanagerconcernedtoconirmtheresponsibilitiesinwritingaf-
tertheauditorshavediscussedthemwiththemanager.
• Incombinationwiththeauditannouncement,themanagersconcernedshould
begivenacondenseddocumentabouttheobjectives,background,andexecu-
tionofmanagementprocessaudits.his impartsknowledgeandsupportsan
openandconstructivebasisoftrust.
• heworkprogramalsofocusesonmanagementcontrols.Hereitisagoodidea
tocreatealinktootherdocumentedcontrolsystems,suchascontrolsimple-
mentedunderSOX,andtorefertothemasappropriate.
• Fortheexecutionoftheaudit,guidelinesandquestioncatalogsshouldbecre-
atedthattakedetailedaccountofthesocialandpersonalcomponentsofthis
typeofaudit.hisistoensurethattherelevantieldworkactivities,suchasin-
terviewswithmanagement,keepwithinaformalframework.
• Whenitcomestoreporting,itisusefultoprovidefurther-reachingreportfor-
mats.Reportsformanagementarenormallystructuredinstages,rangingfrom
general to detailed views. Portfolio analysis, key indicator reports, and trend
calculationsaresuitableforthistypeofpresentationbecausetheycanbeusedto
drilldowntothelevelofindividualindingsandtheunderlyingreasons.Itis
alsopossibletocompilemanagementauditreportsevenwithoutseparaterec-
ommendations foreachindingdependingonthemanagement levelandthe
signiicanceof individualindings.hepointofdeparturemaybetheoverall
auditstatementforthemanagementprocessaudit,sothatitcaneitherbecom-
paredwithotherauditsoracorrelationcanbeestablishedwiththeauditresults
oftheotherorganizationalunitsassignedtothismanager.
• Sometimestheauditeeinamanagementprocessauditmaybedeemedrespon-
sibleforsuggestingthenecessaryrecommendationsandimplementationsteps
fortheindingsandobservationsmadeduringtheaudit.
• Another feature of management process audits is that management can give
feedbackduring the follow-up.Tothisend, InternalAudit shouldschedulea
separatediscussionthatallowsthemanagertocommentpersonallyandincon-
idenceontheauditresultsandgivehisorheropinionontheauditanditsvalue
added.Itgenerallymakessensetoconductthisdialogonlybetweentheman-
agerandtheauditlead.
Dependingonthemanagementprocessauditconcerned,itisuptoInternalAudit
tomakespeciicadditionstotheabovemodiicationsoftheAuditRoadmap.Inthe
caseofinternationalmanagementprocessaudits,itremainstobeseentowhatex-
tentsuchauditscanalsobeconductedforresponsibilitiesthatspanseveralcoun-
tries.hiscouldresultinfurtheradjustments,e.g.,theinclusionofspecialinter-
ResponsibilitiesResponsibilities
informationfortheManagerConcernedinformationfortheManagerConcerned
otherDocumentedControlSystemsotherDocumentedControlSystems
SpecialGuidelinesSpecialGuidelines
Further-ReachingReportFormatsFurther-ReachingReportFormats
RecommendationsRecommendations
FeedbackDuringFollow-UpFeedbackDuringFollow-Up
otherAdjustmentsotherAdjustments
B|7|7.3The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Special Audit Roadmaps
Audit Roadmap for Management Process Audits
290
view techniques. In this context, Internal Audit must take cultural aspects into
accountbecausenotallmanagersmayregarditastheirdutytogiveauditorsfrom
othercountriesorculturalgroupsinformationabouttheirareaofresponsibility.
HintSAnDtiPS ;
• heplanningofamanagementprocessaudit shouldbebasedon the special
AuditRoadmapasfaraspossible.AuditorsshoulddiscusstheRoadmapinad-
vancewiththeauditee.
• AuditorsshouldsuggesttheirownsolutionsfordevelopingthemodiiedAudit
Roadmapfurtheranddiscussthemwiththeauditlead.
• Auditorsshouldalsodocumenttheirexperienceswithmanagementprocessau-
ditsasanadditiontotherelevanttemplates.
LinKSAnDReFeRenCeS e
• TOROK,R.ANDP.CORDON.1997.Operational Proitability: Conducting Management
Audits.Hoboken,NJ:Wiley&Sons.
7.4 Audit Roadmap for IT Audits
KeyPointS •••
• Forcompaniesthatrelyheavilyoninformationtechnology,thedemandsonIT
systems,andITsecurityinparticular,areofcriticalimportancebecausethey
determinewhetherbusinesssuccesscanbesecured.
• he complexity in the area of information technology requires suitable audit
activities.
• Withthehelpofadocumentedsecurityguideline,InternalAuditcanquickly
getanoverviewofthecurrentstatusofITsecurityinthecompany.
Fororganizationsthatrelytoagreatextentoninformation-technology,e.g.compa-
niesthatuseanenterprisesystemlikeSAP,thedemandsonITsystems,andITse-
curityinparticular,areofcriticalimportancebecausebusinesssuccessdependson
them.Inordertomeetbasicbusinessrequirements,suchacompanymust:
• ensuretheintegrityofthedatastoredinitscomputersystems,
• protecttheconidentialityofsensitivedata,
• guaranteethattheinformationsystemsarealwaysavailable,and
• complywiththerelevantlaws,regulations,andstandards.
Internal Audit must evaluate in IT audits whether the existing level of security
meets the company’s business requirements in terms of securing information
DemandsonitSystemsandSecurity
DemandsonitSystemsandSecurity
DeinitionoftheContentoftheAuditobject
DeinitionoftheContentoftheAuditobject
291
againstunauthorizeduse,disclosure,change,andaccidentalormalicious lossor
damage.
COBIT®isusedasthebasisfortheITScope,becauseitcoversalmostallinter-
nationallyrecognizedstandardsandrecommendations.COBIT®isamodelofgen-
erallyapplicableandinternationallyacceptedITprocess-relatedcontrolobjectives.
Itisusedtoguaranteethatinformationtechnologyisreliablyapplied.heframe-
workhasbeendevelopedforthispurposebytheinternationalInformationSystems
AuditandControlAssociation(ISACA).
herearethreecategoriesintowhichtheseveninformationcriteriadeinedby
COBIT®canbeclassiied:
• ITqualitycontrol,whichisdeterminedbyefectivenessandeiciency,
• ITsecuritycontrol,whichisdeterminedbyconidentiality,integrity,andavail-
ability,and
• iduciarycontrolofIT,whichisdeterminedbyreliabilityandcompliancewith
legalrequirements.
like all operating resources, IT resources must be planned, developed, imple-
mented,operated,andmonitored.hefollowingfourdomains,i.e.,
• PlanandOrganize,
• AcquireandImplement,
• DeliverandSupport,and
• MonitorandEvaluate,
provide the basis for the audit topics of the IT and IT security audit ield (see
SectionA,Chapter6.2.5).COBIT®providesdetailedguidanceonprocesseswithin
each of these domains. Each of the processes are linked to the basic business
requirementsfordata:integrity,conidentiality,availabilityandcompliance.
AdequateplanningistheirststepnecessaryintheexecutionofanefectiveIT
audit.InternalAuditshouldperformanoverallriskassessmentandthendevelop
theannualauditplan,whichcontainstheauditobjectivesandtheactionsrequired
tomeettheseobjectives(seeSectionD,Chapter3).heScopesrelevantfortheIT
auditieldmustbedescribedindetail.heyformthebasisforthedesignofITwork
programs.heITareamayalsorequiread-hocaudits,e.g.withregardtourgent
issuesrelatingtoaccessauthorizationanddocumentsecurity.
heprocedurefortestinginternalcontrolsisdeinedduringauditpreparation.
heappropriatecontactperson(s)intheareastobeauditedshouldalsobedeter-
mined,aswellastheauditor’snecessarytechnicalskillsandtheresourcesrequired
tomeettheauditobjective.Forcomplextechnicalaspects,itmaybesensibletouse
experts (e.g.,databasespecialists)asguestauditors forsupport,e.g.,duringdata
analysis.heauditleadisresponsibleforcoordinatingtheemployeesinvolvedin
theauditandmustensurethattheauditobjectivesaremetandtheauditcomplies
withallrelevantstandards.
Inadditiontosystemanalysis,organizationalaspectsarealsoevaluatedduring
ITaudits.Althoughfollowingaspeciicsequenceofproceduresisnotmandatory
BasisoftheitScopeBasisoftheitScope
informationCriteriaunderCoBit®informationCriteriaunderCoBit®
AudittopicsAudittopics
AuditPlanningAuditPlanning
AuditPreparationAuditPreparation
WorkProgramWorkProgram
The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Special Audit Roadmaps
Audit Roadmap for IT Audits
B|7|7.4
292
inITaudits,ITauditorswillnormallybasetheiractionsonastructuredworkpro-
graminordertounderstandtheauditobjectandbeabletoassessandtesttherel-
evantcontrolstructures.hefollowingareexamplesofwhatcanbeincludedina
workprogramforITsecurity:
• hedesign, implementation,andmonitoringofaccesscontrolsshouldbeas-
sessedtoensuretheintegrity,conidentiality,andavailabilityofinformation.
• hesecurityofthenetworkinfrastructureshouldalsobeevaluatedtoguarantee
theintegrity,conidentiality,availability,andauthorizeduseofthenetworkand
thetransmittedinformation.
• Toavoidorminimizelossofinformation,itisimportanttoassessthedesign,
implementation,andmonitoringofthecontrolenvironment.
• Physicalaccesscontrolsshouldalsobeassessedtoensurethatthelevelofpro-
tectionforinformationandinstallationsisadequateformeetingthecompany’s
businesstargets.
Auditexecutionisbasedonaworkprogram.Toobtainaninitialoverview,theau-
ditorsshoulduse informationsourcesrelatingto theexecutionof testsordocu-
mentation,suchaslowcharts,guidelines,standards,andworkingpapersfrompast
audits.Withthehelpofadocumentedsecurityguideline,theauditorsareableto
recordthecurrentstatusofITsecurityinthecompany.
Althoughauditorscandrawconclusions fromany formof suitableevidence,
somedocumentsaremorereliablethanothers.Factorsthatdeterminehowtoas-
sessthereliabilityofauditdocumentsinclude:
• Objectivityoftheevidence:Objectiveevidenceismorecrediblethanevidence
thatrequiressubjectivejudgment.AsystemanalysiscarriedoutbytheITaudi-
torisanexampleforobjectiveevidence.Informationthatisbasedondiscus-
sionswithcertainemployeesrequiressubjectiveinterpretation.
• Personalqualiications:Regardlessofwhethertheinformationordocumentary
evidenceissuppliedbyacompanyemployeeorathirdparty,ITauditorsshould
alwaystakethequaliicationsofthepersonconcernedintoconsideration.his
couldapplyalsotoITauditorsthemselves,sincetestresultsareonlyreliableif
theITauditorshaveproperlyunderstoodthetestorcontrol.
Beforecommunicatingtheauditresultstothemanagersincharge,indingsshould
be discussed with the employees of the audited area. Such a meeting should be
aimedatobtainingtheemployees’agreementwiththeindingsandtheircommit-
menttoimplementtherecommendations.heweaknessesandpotentialareasfor
improvementidentiiedshouldbeappropriatelydocumentedandbackedupwith
systemanalysesinordertoavoidanydisagreement.
hefollow-upforITauditsisnotmateriallydiferentfromthestandardproce-
dure(seeSectionB,Chapter6).Auditingtheimplementationoftherecommenda-
tionsrelatingtoorganizationalprocessessometimesrequiressubstantialieldwork.
heimplementationofsystemrecommendations,ontheotherhand,isrelatively
AuditexecutionandDocumentation
AuditexecutionandDocumentation
ReliabilityofAuditDocuments
ReliabilityofAuditDocuments
CommunicationofAuditFindings
CommunicationofAuditFindings
Follow-UpProcessFollow-UpProcess
293
easytoverifybyanalyzingtherelevantsettings.Especiallyforsecurity-relevantsys-
temsettings,whichrequireimmediaterealizationoftherecommendedmodiica-
tions,thecurrentstatuscanbeestablishedquicklywithasimplesystemanalysis.
HintSAnDtiPS ;
• Systemanalysesaremoreobjectiveandthusmoresuitableforuseasauditevi-
dencethaninformationobtainedthroughinterviews.
• use internationally recognized guidelines for IT audits, such as COBIT®, to
structuretheworkprogram.
LinKSAnDReFeRenCeS e
• INSTITuTEOFINTERNAlAuDITORS.2005.Global Technology Audit Guide 1: Infor-
mation Technology Controls.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• IT GOvERNANCE INSTITuTE. 2007. COBIT 4.1. Rolling Meadows, Il: IT Gover-
nanceInstitute.
• OlIPHANT, A. 2004. Auditing IT Infrastructures. Mission viejo, CA: Pleier
Corporation.
B|7|7.4The SAP®-Audit Roadmap as a Working Basis for Internal Audit
Special Audit Roadmaps
Audit Roadmap for IT Audits
296
1 Introduction
Section C of this handbook provides practical examples of internal audit work at
SAP. Chapter C.2 presents audit basics. Chapters C.3 and C.4 provide selected ex-
amples of inancial and operational audits while Chapter C.5 gives details of com-
bined audit topics. Chapters C.6 through C.9 deal with selected topics speciic to
SAP, and Chapter C.10 describes IT audits.
he audit topics and examples presented in this section are not intended to rep-
resent the complete audit universe. hey are a selection from the large number of
tasks handled by Internal Audit at SAP. he selection is intended to cover tradi-
tional audit topics, while providing an insight into the company-speciic realm of
internal auditing. Further, the chapters provide speciic information regarding the
processes and accounting transactions that the internal auditors would review dur-
ing a typical audit.
All practice-based examples given in the following chapters, including the ig-
ures quoted, are ictitious and are in no way related to real company data, igures, or
information of SAP, its (local) subsidiaries, or other companies that have dealings
with SAP.
SAP is listed on the NYSE, which means that SAP is subject to SEC oversight.
he company therefore has an obligation to prepare consolidated inancial state-
ments in accordance with U.S. Generally Accepted Accounting Principles (US-
GAAP) and SOX requirements. SAP’s local subsidiaries prepare their inancial
statements according to US-GAAP based accounting guidelines. SAP AG and its
local subsidiaries in the various countries recognize and report individual transac-
tions between reporting dates (in the SAP system in periods 1-12 for the months
January through December) uniformly in compliance with US-GAAP. Period 13 is
used for year-end entries. he values carried forward to the new iscal year are based
on the closing US-GAAP balance sheet from period 13. Since January 1, 2007,
the consolidated inancial statements are additionally being prepared according to
IFRS.
In the following chapters, the relevant inancial reporting standards used will
not be explicitly stated, because the focus is on the auditing procedure rather than
on speciic aspects of inancial reporting. In some cases, we give details of the rele-
vant US-GAAP rules in order to enhance understanding of the auditing procedure.
he examples are based on US-GAAP and follow SAP’s accounting guidelines.
GIAS uses the reports in the SAP system in all internal audits. Similar to other
companies, SAP’s auditors sometimes use application-based, SAP-speciic reports
and information, which is stored in the system. his section, however, does not
explicitly deal with the various reports and paths in the SAP system.
Structure and Content of Section C
Structure and Content of Section C
Selected TopicsSelected Topics
Fictitious DataFictitious Data
Financial Reporting at SAP
Financial Reporting at SAP
Relevant Accounting Principles
Relevant Accounting Principles
Reports in the SAP System
Reports in the SAP System
Examples from Audit Practice at SAP
IntroductionC | 1
297
LINKS AND REFERENCES e
• JARNAGIN, B. D. 2007. US Master GAAP Guide. Riverwoods, IL: CCH, Inc.
• NEw YORk STOCk EXCHANGE. 2003. Final NYSE Corporate Governance Rules.
http://www.nyse.com/pdfs/inalcorpgovrules.pdf (accessed May 31, 2007).
• U.S. CONGRESS. 2002. Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. washington DC: Government Printing Oice.
298
2 AuditBasics2.1 Overview of the Audit Process
KeyPoints •••
• Beforethestartofstandardandspecialauditslistedintheannualauditplan,
InternalAuditshouldsendoutauditannouncementstotheauditees.
• heworkprogramiscompiledwithdueconsiderationfortheobjectivesofthe
audit.
• Anopeningmeetingwiththeauditeesisconductedbeforetheieldworkbegins.
Aclosingmeetingisheldaterieldworkiscompletetoreviewtheresultsofthe
auditieldwork.
• heauditreportcontainsinformationontheobjective,extent,andresultsofthe
audit.
• During the follow-upphase, InternalAuditcheckswhether theaudit recom-
mendationshavebeenimplemented.
InternalAudit'sauditworkcanbedividedintoivemainphasesaccordingtothe
AuditRoadmap(fordetails,seeSectionB).hepracticalexamplesofinternalau-
ditsatSAParepresentedinthefollowingchaptersusingthephasesoftheAudit
Roadmap.However,sincetheplanningphaseisaprocessindependentoftheactual
audits,itisdiscussedseparatelyinSectionB,Chapter2andSectionD,Chapter3.
hischapterbrielyexplainsselectedaspectsoftheAuditRoadmapbeforeprovid-
inganoverviewofthegeneralbasisofpracticalauditworkatSAP(seeSectionC,
Chapters2.2through2.4).
Auditeesareprovidedsuicientadvancenoticebeforethestartofanystandard
orspecialauditlistedintheannualauditplan(seeSectionB,Chapters2.2and3.1).
Ad-hocauditsgenerallybecomenecessaryduetosuddeneventsorauditrequests
andmustbeinvestigatedimmediately(seeSectionB,Chapter2.3).herefore,ad-
hocauditsarenotscheduledinadvanceandusuallynoannouncementsaremade
beforetheybegin.
Beforeauditorscanprepareforandconductanaudit,theymustcorrectlyand
fullyunderstandthetopicandobjectiveoftheaudit.Forstandardandspecialau-
ditslistedintheannualplan,theobjectiveisdeinedintheauditannouncement.
Forad-hocaudits,theauditobjectiveisusuallydeinedintheauditrequest.
Before the startofieldwork, InternalAudit sets the timeframe for theaudit,
selectstheauditteamandidentiiestheauditstepsnecessarytoachievetheobjec-
tivesoftheaudit.heseauditstepsaredescribedintheauditworkprogram.
he work program is created within the existing framework (see Section B,
Chapter3.2).Itincludestheauditcontentandthespeciicauditstepsnecessaryto
ensuretheinternalauditteamcanmeettheobjectivesoftheaudit.
Beforebeginningtheaudit,InternalAuditshouldconsultwiththeauditeesto
ensurethattheemployeesresponsiblefortheauditareawillbeavailableforinter-
AuditRoadmapAuditRoadmap
AuditAnnouncementAuditAnnouncement
AuditobjectiveAuditobjective
timeandAuditstepstimeandAuditsteps
WorkProgramWorkProgram
ConsultationwiththeAuditees
ConsultationwiththeAuditees
299
viewsandtherelevantworkingdocumentswillbeprovidedduringtheaudit.Inter-
nalAuditshouldpreparealistofrequiredinformationanddocumentsfortheaudit
andprovidethislisttotheauditeesaheadoftimesothattheymayassemblethe
items.hisfacilitatesthetimelycompletionoftheauditengagement.
henextstepduringauditpreparationistoensurethattheauditorshaveallthe
necessary system authorizations to avoid time-consuming problems, which can
signiicantlyhamperauditexecution.
Insimpliiedterms,ieldworkfollowsthissequence:
• openingmeeting;
• auditexecutiononsite:
■ analysisofthecurrentconditionoftheprocessesandstructurestobeau-
dited,
■ in-depthanalysisofindividualfacts,
■ identiicationanddeinitionofpotentialimprovements,
■ agreementontheauditindingsandrecommendationswiththeemployees
responsible,
• closingmeeting.
At the opening meeting, the internal audit team members introduce themselves
andtheinternalauditdepartmenttotheauditeesandprovideinformationabout
theauditprocess,explainingthemainaspectsoftheauditobjectives,content,and
procedure. he management of the division being audited should be given the
opportunitytocontributetheirownideasandsuggestions.Overall, thismeeting
shouldbeusedtocreateabasisoftrustamongthoseinvolved,especiallytheem-
ployeesconcerned.
Atertheopeningmeeting,thevariousauditstepsaretakenasdescribedinthe
workprogram.Duringieldwork,theauditorscollectandreviewrelevantcompany
policies, standards, guidelines, and similardocuments, including rulesofproce-
dure,organizationcharts,processdocumentation,projectdeinitions,andstrategic
andoperationalplanningpapers.heauditorsshouldcomparetheexistingcondition
oftheauditedunittothesecriteria.heauditorsderivevariousrecommendations
andimprovementsuggestionsfromthisanalysisiftheyhaveidentiiedanyweak-
nessesoropportunitiesforimprovement.
heauditsteps,observations,indings,andrecommendationsaredocumented
intheauditworkingpapers.heworkingpapersalsoincludeanyrelevantdocu-
mentationobtainedthroughoutthecourseoftheaudit.Workingpapersmustbe
accuratelyreferencedandcross-referencedasnecessary,suchthatanauditreviewer
caneasilynavigatethroughthepapersandunderstandthebasisfortheauditind-
ingsandrecommendations(seeSectionB,Chapter4.2.3).
heresultsoftheprocessanalysisandtheproposedimprovementsshouldbe
discussedwithmanagementirst.hentheemployeesresponsibleforimplementing
therecommendationsmustagreetothem.heinternalauditorsmusthavesui-
cient communication skills to convey the recommendationsand theirobjectives
systemAuthorizationsystemAuthorization
FieldworkFieldwork
openingMeetingopeningMeeting
AuditexecutionAuditexecution
WorkingPapersWorkingPapers
ConsultationConsultation
Examples from Audit Practice at SAP
Audit Basics
Overview of the Audit Process
C|2|2.1
300
such that they will be understood and carried out efectively. he audited unit
shouldacceptresponsibilityforandimplementtherecommendations.Finally,the
auditeesmustagreetoaplantoimplementtherecommendations(includingatime
frameforimplementation).
Aclosingmeetingtakesplaceattheendoftheaudit.Atthismeeting,auditors
discusstheirobservations,indings,andrecommendationswiththoseresponsible
intheauditedunit.
heauditreport,whichispreparedatertheaudit,containsinformationonthe
objectivesandextentoftheaudit,theauditresults,theauditors’recommendations
andtheagreedmeasures(seeSectionB,Chapter5).Adratreportissenttoman-
agementoftheauditedunitforcomment.hentheinalversionofthereportis
distributedaccordingtothedistributionlist.heAuditCommitteemayreceivethe
entireauditreportoranexecutivesummaryofimportantindings.
Atertheauditiscompleted,theinternalauditteamshouldperformafollow-up
audit to ensure that agreed improvement measures have been implemented as
planned.hiscanbeachievedwithastatuscheckandwithafollow-upauditonsite
(seeSectionB,Chapter6).
LinKsAndReFeRenCes e
• CASCARInO,R.AnDS.vAnESCH.2005.Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.ADIttEnHOFERAnDJ.HSCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
2.2 Tools Needed for the Audit
KeyPoints •••
• Duringauditpreparation,auditorsassembletherequireddocumentsandwork-
ingtoolstoensuretheauditcanbeperformedeicientlyandefectively.
• Ifapreviousauditofthespeciicareahasbeenperformed,theinternalaudit
teamshouldfamiliarizethemselveswiththeauditworkingpapersandreports
fromthosepreviousaudits.
Auditorsmust,ofcourse,takethenecessaryworkingmaterialsanddocumentsto
theaudit.normallythesewillincludealaptop,notepads,dividers,iles,pens,text
markers, sheetprotectors,andacalculator. Inaddition, theyshould thinkabout
othertoolsthatmaynotbeavailableonsite.Auditorsshouldalsotaketheiritiner-
ary,thetimescheduleformeetings,andotherdocumentscreatedorcollateddur-
ClosingMeetingClosingMeeting
AuditReportAuditReport
Follow-UpFollow-Up
PreparationPreparation
301
ingthepreparationphase(e.g.,workprogram,print-outsofannualinancialstate-
ments,minutesofmeetingswithcolleagues,etc.).Itmayalsobeusefultobringthe
auditannouncementand/orauditrequest.
Inaddition,ifpreviousauditsofthespeciicauditareahavebeenperformedthe
internal audit teammaybring theworkingpapersandaudit reports from those
audits.hesedocuments canprovideguidance for theperformanceof theaudit
activities.Further,theinternalauditteamshouldcomparethecurrentconditionof
theauditareawiththeconditiondocumentedduringpastaudits.hisallowsthe
auditteamtodetermineifprocessesorcontrolsystemshavechanged.
HintsAndtiPs ;
• Auditorsshouldbackup theirworkingdocumentsonacentralileserveror
otherstoragedeviceregularlythroughouttheaudit.
LinKsAndReFeRenCes e
• CASCARInO,R.AnDS.vAnESCH.2005.Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.ADIttEnHOFERAnDJ.HSCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
2.3 Auditor Skills
2.3.1 The Right Tone
KeyPoints •••
• Anauditmaybeadiicultandstressfulsituationfortheauditees.
• Auditorsmustbefair,objective,independent,honest,andreliable.
• heauditorshoulduseacooperativeanddiplomaticapproachandshouldbe
sensitivetotheconcernsoftheauditeestogainacceptance.
Anauditcanbeadiicultanduncertainsituationfortheauditees.noonelikesto
beaudited,andtheauditeesmayperceivetheauditasasignalofmistrust.Although
itissometimeseasieriftheunittobeauditedhasalreadyhadexperiencewithau-
dits,theauditeesmaystillbeconcernedandreluctanttocooperate.
Oneoftheauditors’tasksisthereforetoprovidebalanceinthesesituations.he
auditorsmayfaceprejudicesespeciallyifInternalAuditanditsemployeesarenot
yetknowntotheauditees.Oten,InternalAuditorsareperceivedas“police”–only
lookingtoinderrorsorfraudulentactivities.heauditeesmaynotrealizethatIn-
PriorWorkingPapersandAuditReportsPriorWorkingPapersandAuditReports
AuditsituationAuditsituation
eliminatePrejudiceseliminatePrejudices
Examples from Audit Practice at SAP
Audit Basics
Auditor Skills
C|2|2.3
302
ternalAuditcanalsoaddvaluetotheorganizationbyprovidingrecommendations
toimproveeiciencyandefectivenessofoperationsandreducerisk.Insuchcases,
theauditorsshouldtrytoeliminatetheseprejudicesinordertoconductasuccess-
fulaudit.
Auditorsneedgoodcommunicationskills.heymustcarefullyconsidertheir
wordstoensuretheyconveytheappropriatemessage.heobjectiveofauditwork
isnottoissueordersandinstructionsortrytopersuadetheauditees,buttocon-
vinceandtoidentifycommonground.
Aboveall,anauditormustbefair,objective,independent,honest,andreliable.
Afriendlyandpolite,yetprofessional,demeanorisessentialforgoodcooperation.
Inthisregard,itishelpfultogiveattentiontotheauditeesandtobelexible–e.g.,
byworkingaroundtheirschedules(fordetailsontheGIASCodeofConduct,see
SectionA,Chapters3.2and3.3).
Auditorsmustalwaystrytousetherighttonefortheemployeesofthedivision
beingaudited.Sensitivityisanimportantandusefulattributethatauditorscanuse
togainacceptanceinacooperativeanddiplomaticmanner.
HintsAndtiPs ;
• Auditorsshouldputthemselvesinthepositionoftheauditeesandimaginehow
theywouldfeeliftheirownunitwasbeingaudited.
• Auditors should treat the auditees in the same way as they would like to be
treatedinasimilarsituation.
LinKsAndReFeRenCes e
• CASCARInO,R.AnDS.vAnESCH.2005.Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.ADIttEnHOFERAnDJ.HSCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
2.3.2 Professional Auditor Conduct
KeyPoints •••
• Allauditorsareresponsible for theauditstepsandassociatedworktheyper-
form.
• Everyauditorshouldfeelresponsiblefortheoverallsuccessoftheaudit.
Each auditor has a certain level of responsibility, both for the audit and process
stepsthataretakenandfortheoverallsuccessoftheaudit.Overallsuccessinthis
contextmeans:
CommunicationskillsCommunicationskills
AuditorAttributesAuditorAttributes
sensitivitysensitivity
ResponsibilityoftheAuditorResponsibilityoftheAuditor
303
• heatmospherebetweenauditorsandauditeesiscooperativeandconstructive.
• Allimportantissuesarehandled.
• heauditobjectiveismetandthepurposeoftheauditisfulilled.
• Internal Audit adds value to the audited unit and thus to the company as a
whole.
Withthepurposeandobjectiveoftheauditinmind,auditorsmustrememberthat
theymustadheretoapresettimebudget.Importantly,throughouttheaudit,vari-
ousactivitiesmaybemoretimeconsumingthananticipated.Forexample,itoten
takeslongerthanexpectedtoreceiverequesteddocumentsfromtheauditees.For
thisreason,theauditteammustconcentrateonmaterialandparticularlyrisk-prone
auditobjects.Attheendoftheaudit,theymustbeconvincedthattheyhavecovered
andadequatelyauditedallrelevantaspectsoftheauditedunitandthattheiraudit
hasaddedvaluetotheorganization.hisdeterminationmaybediferentforeach
audit.herefore,theassessmentshouldbemadeusingtheappropriatecriteriafor
the speciicaudit (e.g. improvementof internalprocesses,monetaryadvantages,
reputationalbeneits).
Auditorshaveanobligationtoensurethattheirworkingpapersarecomplete
andconsistent.Allobservationsandresultsmustberecordedintherelevantdocu-
mentation(seeSectionB,Chapter5).heauditworkingpapersshouldincludethe
followingitems:
• purposeoftheauditstep,
• descriptionofthecurrentcondition(as-is)oftheauditarea,
• documentationoftestwork,ifapplicable,
• assessmentoftherelevantcontrolsystemswithregardtotheriskthathastobe
covered,
• conclusion,includingrecommendationsifapplicable,
• theresponsibleauditor’sname,
• thedateoftheauditwork,
• evidenceofreviewbytheauditlead,and
• appropriatereferencingandcross-referencing.
HintsAndtiPs ;
• tosavetime,itisusefultorequestdocumentsfordiferentpartsoftheauditat
thesametime.hisrequiresplanningandcoordinationbytheauditteam.
• Auditorsshoulddevelopprofessionalskepticismandaskallthequestionsthat
havearisenduringthecourseoftheaudit.
LinKsAndReFeRenCes e
• REDInG, K. F., P. J. SOBEL, U. L. AnDERSOn. etal. 2007. Internal Assurance and
Consulting Services.AltamonteSprings,FL:InstituteofInternalAuditors.
FocusonWhatisimportantFocusonWhatisimportant
documentationdocumentation
Examples from Audit Practice at SAP
Audit Basics
Auditor Skills
C|2|2.3
304
• CASCARInO,R.AnDS.vAnESCH.2005. Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.ADIttEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
2.3.3 Team Work
KeyPoints •••
• Auditworkisusuallyteamwork.
• heentireauditteamisresponsiblefortheauditresult.
• Regularcommunicationsandacontinuousexchangeofinformationamongau-
ditorsareimperativeforconductingauditssuccessfully.
Auditsareusuallyperformedbyatleasttwoauditors,oneofwhomactsastheaudit
lead,althoughthechoiceofauditleaddifersfromaudittoaudit.heauditleadhas
operational responsibility for the audit (see Section A, Chapter 4.5), including
facilitationoftheopeningandclosingmeetings.
Usually,ieldworkisteamwork.Dependingonthetopic,theauditstepstobe
performedareassignedtotheInternalAuditemployeesinvolved.Sincethedifer-
entaudittopicsmayimpactoneachother,itiscriticaltoforwardtheinformation
gatheredintheindividualareastoallauditors.
teamworkincludes:
• workingtogether,
• sharingresponsibility,
• helpingandsupportingeachother,
• respectingandacceptingeachother,
• sharingknowledge,
• sharinginformation,and
• coordinatingworkeforts.
Permanent communication and a continuous exchange of information among
auditors are important criteria for conducting audits successfully. he team as a
wholeisresponsiblefortheauditresult.
Cooperationwithinanauditteampresentsachallenge.Mutualrespect,perma-
nentcommunicationandcoordinationareofparticularimportanceinlargerteams
(ofmorethantwoorthreemembers)orinmulticulturalteamsinglobalaudits.
AuditteamAuditteam
splittingFieldworksplittingFieldwork
teamWorkteamWork
CommunicationCommunication
CooperationCooperation
305
HintsAndtiPs ;
• takeintoconsiderationthateachauditorhasspecialskillsandknow-how.
• Forthisreason,animportanttaskwithinanauditteamistobeneitfromeach
otheronthebasisofacceptance,respect,andteamwork.
LinKsAndReFeRenCes e
• CASCARInO,R.AnDS.vAnESCH.2005.Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• REDInG, K. F., P. J. SOBEL, U. L. AnDERSOn. etal. 2007. Internal Assurance and
Consulting Services. AltamonteSprings,FL:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.ADIttEnHOFERAnDJ.HSCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
2.4 Scopes
KeyPoints •••
• Usuallyforeachauditobject,Scopesareavailable(CoreScopesandKeyScopes)
thatrepresentabasiccollectionofallpossibleaudittopicsandprovidedetailed
informationabouteachtopic.
• Scopesareusedasabasisforcompilingtheworkprogramduringauditprepara-
tion.
AtSAP,thepreparationandexecutionofthediferenttypesofaudit,suchasstan-
dard,special,orad-hocaudits(seeSectionA,Chapter6.5)areperformedonthe
basisofcomprehensivestandarddocumentsknownasScopes(seealsoSectionA,
Chapter5.3andSectionB,Chapter2.1).Scopescontaindetailedinformationabout
the audit area, including the processes, procedures, risks, and control systems.
hesedocumentsareimportanttoolsusedtoperformeicientandefectiveaudits.
Ifalocalsubsidiaryistobeaudited,forexample,auditorsmaypreparefortheaudit
andcreatetheworkprogrambyirstreviewingtheexistingCoreScopefromwhich
theycanselectthetopicstobeaudited(seeSectionC,Chapter5.1).heCoreScope
containsabasiccollectionofallpossibleindividualtopicsthatmaybeexaminedas
partofauditingasubsidiary.Ofcourse,anappropriateselectionofobjectstobe
auditedmustbemadeforaspeciicauditengagementonthebasisofthetimeavail-
ablefortheaudit,thesizeofthesubsidiary,andtheriskassessment.heseobjects
arethentransferredfromtheScopetotheworkprogramoftheaudit.
scopesasAuditBasisscopesasAuditBasis
Examples from Audit Practice at SAP
Audit Basics
Scopes
C|2|2.4
306
he following chapters show successively how audits for diferent topics are
structuredandperformedinpractice.heymainlyaddressthosetopicsonwhich
SAP’sInternalAuditprimarilyfocuses.
HintsAndtiPs ;
• Apartfromthetoolsusedduringauditpreparationandexecution,theauditor’s
mostusefulaidsarecommonsense,logicalthinking,experience,andanalytical
know-how.
PracticalApplicationPracticalApplication
307
3 SelectedFinancialAuditTopics3.1 Analytical Procedures
KeyPoinTS •••
• Analyticalproceduresconsistofananalysisofiguresandratiosand/orgroups
ofiguresandratiosandtheirdevelopmentoveradeinedperiod.
• Analyticalproceduresareimportanttoolsforefectivelyperforminganytypeof
audit.
• herearediferentcategoriesofanalyticalprocedures,e.g.,plausibilitychecks,
trendanalysis,andratioanalysis.
• Analyticalprocedurescanbeusedduringauditpreparation,auditexecution,
andreporting.
AsdescribedinSectionB,Chapter4.1.2,analyticalproceduresareanimportanttool
ofauditwork.heproceduresconsistofananalysisofindividualiguresandratios
and/orgroupsofiguresandratios.Analyticalproceduresalsoincludeanalyzingthe
developmentoftheseiguresandratiosoveradeinedperiod.heauditors’taskis
tousetheirjudgmenttoexaminecriticallyanyvariances(orthelackofvariances)
betweeniguresandgroupsofiguresandassesstheresults.Inthisprocess,forecasts
canbegeneratedbasedonexternalmarketandsectorinformationorcompany-in-
ternalinformation(strategy,processes,guidelines,budgets,prior-yearigures,etc.).
Analyticalproceduresareimportantfortheefectiveperformanceofanytypeof
audit,becausetheyhelpfocustheextentoftheauditworktobedone.heycanbe
usedtoobtainacomprehensivepictureoftheorganization’ssituationandtodesign
theworkprogram(seeSectionB,Chapter3.2).
Unlikesubstantive testing,analyticalprocedurescanbeusedtocoverseveral
audit objectives simultaneously, such as completeness, correct assessments, and
accuratestatements.Ifexecutedproperly,analyticalproceduresareasefectiveas
substantivetesting.Moreover,theycancombineseveralaudittopicsanduncover
errorsthatmayotherwisebeoverlooked.
herearediferent typesofanalyticalprocedures: InternalAuditatSAPuses
plausibilitychecks,trendanalysis,andratioanalysismostregularly.
Plausibilitychecks(alsoknownasreasonablenesstests)areusedtocomparei-
nancialaccountingdatawithdatafromotherareastotesttheaccuracyofinancial
accounting.heaimofsuchtestcalculationsistoestablishwhethertheamountof
therecordediguresseemsplausibleandreasonable.hefollowingictitiousexample
providesfurtherclariication.
Assumethattheplausibilityofpersonnelexpensesofalocalsubsidiary(asof
July31,2007)istobeexaminedonthebasisofindependentinternalinformation
suppliedbythehumanresourcesdepartmentandvariousexternalinformation(e.g.,
sectorsalaryandsocialsecuritycontributionlevels).Asaresultoftheseanalytical
BasicsBasics
SigniicanceSigniicance
RelationwithSubstantiveTestingRelationwithSubstantiveTesting
TypesofAnalyticalProceduresTypesofAnalyticalProcedures
PlausibilityChecksPlausibilityChecks
FictitiousexampleofaPlausibilityCheckFictitiousexampleofaPlausibilityCheck
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Analytical Procedures
C|3|3.1
308
procedures,InternalAuditindsthatpersonnelexpenseshaverisendisproportion-
ately. here are two reasons for this increase: First, social security contributions
haverisenfrom24%to27%,andsecond,totalwagesandsalarieshaveincreasedby
7.7%.hisisduetoanincreaseinthenumberofemployeesinthelocalsubsidiary
andacorrespondingincreaseinsalaries.hefollowingdiagramshowstheresults.
Trendanalysisexaminesthedevelopmentofaparticularitem,(e.g.,anaccountor
certaintransactions)overtime,andidentiiestrends.Usingtrendanalysis,Internal
Auditcandeterminethemaindriversofthedevelopment.Trendanalysisisused,
forexample,toestimatesalesrevenueonthebasisofprioryearsorindustrytrends.
Ratioanalysisinvolvesexaminingrelationshipsbetweenkeyvariables,looking
atchangesinratiosinacompanyorregion,orcomparingtwoormorecompanies
orregions.
In the following ictitious example, country A’s six-month sales revenue
(EUR1,900,561) has fallen to less than half of the previous year’s igure
(EUR4,141,667). Against expectations, trade accounts receivable has risen by
EUR502,174anddayssalesoutstanding(DSO)(seeSectionC,Chapter3.2)hasin-
creased from 178 days in the previous year to 241 days as of June 30, 2007. he
generalbaddebtallowance,however,hasdecreasedbyEUR93,768.InternalAudit
investigatesandindsthatthematuritiesinanimportantconsultingprojecthave
been changed manually and invoices from 2006, which were due at that time,
areno longer regardedas“due”on June30,2007.heprojectmanagerprovides
asatisfactoryexplanationofthissituation.Additionalanalyticalprocedures,such
as a plausibility check on the general bad debt allowance, can deliver further
information.heneedfor furtheranalyticalprocedures isestablishedbyauditor
judgment.
TrendAnalysisTrendAnalysis
RatioAnalysisRatioAnalysis
FictitiousexampleFictitiousexample
Personnel expenses
%
July 31, 2006 Increase
€ 4,141,667 7.7
€ 994,000 21.2
355 5.6
€ 14,467
July 31, 2007
€ 4,462,500
€ 1,204,875
375
€ 15,113
absolute
Increase
€ 320,833
€ 210,875
20
€ 646 4.5
Wages and salaries
Social security contribution
Workforce
Personnel expense per head
Information from HR department (independently of accounting system)
reconciled to list of totals and balances as of July 31, 2006 and July 31, 2007
Variance analysis: Social security contributions increased from 24% to 27%.
Fig. 1 Fictitious Example of a Plausibility Check
309
Ananalyticalproceduremayalsocompriseacombinationoftheaboveprocedures
orcoverseveralperiods.Itisimportantthatauditorshaveagoodunderstandingof
therelevantdatarelationshipsbeforeselectingtheanalyticalproceduretobeused.
Analyticalprocedureshelptheauditorsobtainanoverviewandaninitialun-
derstanding of the information contained in the balance sheet and the income
statement.Whathaschangedandinwhichdirection?Howlargeisthediference?
hiskindofauditworksupportsthepreparationfortheauditandisparticularly
usefulwhencompilingarisk-basedworkprogram.Analyticalproceduresarepar-
ticularly important,becauseauditorscanperformthemwhilestill in theiroice
duringauditpreparationandnotyetintheield.hus,oncetheauditorsarriveon
sitetoperformtheaudit,theyalreadyhaveanunderstandingoftheauditedunit
andsomeofthespeciicissuesthatmayariseduringtheaudit.
CombinationsCombinations
PurposeofAnalyticalProceduresPurposeofAnalyticalProcedures
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Analytical Procedures
C|3|3.1
June 30, 2007
Sales revenue
Country A
Country B
Country C
Trade accounts receivable
Country A
Country B
Country C
Country A
DSO
Country B
Country C
Country A
General bad debt allowance
in €
General bad debt allowance
as % of trade accounts
receivable
€
1,900,561
437,129
1,710,505
€
2,544,640
679,978
1,140,337
241
Days
280
120
€
559,821
22 %
€
4,141,667
952,583
3,727,500
€
2,042,466
626,356
1,276,541
178
Days
237
123
€
653,589
32 %
€
4,462,500
1,026,375
4,016,250
€
1,833,904
506,158
1,430,445
148
Days
178
128
€
623,527
34 %
Region Y
Region Z
Days
80
195
Days
76
161
Days
77
143
Reconciled to list of totales and balances
December 31, 2006 December 31, 2005
312,870 154,908 154,908Speci�c bad debt allowance
Fig. 2 Fictitious Example of Ratio Analysis
310
SAPalwaysusesanalyticalproceduresaspartofrisk-basedauditpreparation.
Atthisstage,auditorsdonotyethavecontactwiththepersonsresponsibleforthe
auditedareaoraccesstolocaldocumentsforanalysis.Analyticalproceduresused
during audit preparation identify audit content on which the ieldwork should
focusandwhichmustbeaddedtoormodiiedinthestandardworkprogram.Dur-
ingauditpreparation,theanalysisofthebalancesheetandincomestatementhelps
gainanup-to-dateunderstandingofthebusinessprocessesoftheareatobeaudited.
Inthiscontext,itisimportanttoincludeanalysesperformedbyAccountingand
ManagementAccounting.
Inaddition,analyticalprocedurescanbeusedasanadditionaltoolduringaudit
execution.heycanbeappliedtoproducemeaningfulresults,forexample,when
auditingspeciicareassuchaslicensefees,socialsecurityexpenses,anddeprecia-
tionofnoncurrentassets.heyalsohelpidentifyanduncoverfraud.
hefollowingaspectscontributetoperforminganalyticalproceduresefectively.
Auditorsmust:
• properlyunderstandtheobjectiveoftheanalyticalprocedure,
• recognizetherelationshipsamongthedata,
• analyzethedatatothenecessarylevelofdetail,
• besatisiedthattheunderlyingdataisreliable,and
• usetheirjudgmentwhenassessingtheresults.
he following factorsdeterminehowmeaningful the resultsof analyticalproce-
duresare:
• dataquality,
• precisionofwordingofthematterinvestigated,
• possibilitytoforecastthematterinvestigated,
• datacollection,and
• type of analytical procedure used (e.g., plausibility checks can produce more
accurateresultsthantrendanalysis).
he comprehensive ictitious example below shows how the standard work pro-
gramforlocalsubsidiaryauditscanbesupplementedormodiiedonthebasisof
analyticalprocedures.ItexaminesdatafromCompanyA’sinancialstatementsasof
April30,2007.helatestavailableinancials(inthiscasefromthestatementsasof
April30,2007)arecomparedwiththepreviousannualinancialstatementsandthe
relevantprior-yearperiod(asofApril30,2006).heincomestatementforthepe-
riodendedApril30,2007iscomparedwiththerelevantiguresfortheperiodended
April30,2006.Inaddition,InternalAuditcanalsousethepreviousyear’sincome
statementforthetwelvemonthspriortoDecember31,2006,scaleddowntofour
months,andcomparetheresultwiththeactualiguresasofApril30,2007.Tosim-
plify,thisictitiousexampleonlymentionsmaterialvariancesandfactsidentiied
withanalyticalprocedures.
optionsforUseduringAuditPreparation
optionsforUseduringAuditPreparation
optionsforUseDuringexecution
optionsforUseDuringexecution
MakingAnalyticalProceduresefective
MakingAnalyticalProceduresefective
MeaningfulnessofResults
MeaningfulnessofResults
FictitiousexampleFictitiousexample
311
Property, plant, and equipment: The amount
as of April 30, 2007 (EUR 1,900,000) consists
primarily of “leased vehicles” amounting to
EUR 1,350,000. Vehicle leases are classi�ed as
capital leases.
Trade accounts receivable has fallen by EUR
4,530,000. This is partly the result of an
increase in maintenance receivables by EUR
5,730,000, o�set by a fall in software
receivables by EUR 6,480,000.
The speci�c bad debt allowance on trade
accounts receivable of EUR 100,000 has not
changed from year to year. The speci�c bad
debt allowance relates to Customer 1.
In spite of a decrease in trade accounts
receivable by EUR 130,000, the general bad
debt allowance has increased.
The speci�c allowance for returns, discounts,
and rebates relates to Customer 2.
Notes receivable of EUR 270,000 consist
primarily of receivables from three
customers.
Other taxes receivable consist primarily of tax
deducted on license fee payments made in
prior years amounting to EUR 1,500,000.
Speci�c addition/modi�cation to the work
program: The correct classi�cation and US-
GAAP accounting treatment is to be checked
for �ve selected leases.
This matter is covered by the standard work
program.
Speci�c addition/modi�cation to the work
program: An analysis must be performed to
establish whether the speci�c bad debt
allowance has been correctly measured and
covers the full exposure.
Speci�c addition/modi�cation to the work
program: The trade accounts receivable
included in the general bad debt allowance
should be analyzed. Should items of the
general bad debt allowance be reclassi�ed to
the speci�c bad debt allowance?
Speci�c addition/modi�cation to the work
program: An analysis must be performed to
establish whether this speci�c allowance has
been correctly measured and covers the full
exposure.
Speci�c addition/modi�cation to the work
program: The auditors must establish how
these notes receivable have arisen and test
them for impairment.
Speci�c addition/modi�cation to the work
program: The auditors must establish how
these taxes receivable have arisen and test
them for impairment.
Assets
Result of analytical procedure Consequences for the work program
Fig. 3 Fictitous Example of Possible Results from an Analysis of Assets and its Consequences
for the Work Program
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Analytical Procedures
C|3|3.1
312
HinTSAnDTiPS ;
• Auditorsshouldcriticallyexamineallresultsproducedthroughanalyticalpro-
cedures.
• hemeaningfulnessofanalyticalproceduresincreasesinproportiontothelevel
ofdetailwithwhichtheyareconducted.
The provision for other taxes relates to other
tax risks of EUR 900,000.
The prepayment of other taxes in country B,
which has been deducted from tax liabilities,
includes tax withheld by third parties on
export invoices.
Noncurrent lease obligations of EUR
1,800,000 include lease payments due with
maturities of more than one year.
Speci�c addition/modi�cation to the work
program: The auditors must establish how
these tax risks have arisen and whether the
provision has been correctly measured.
Speci�c addition/modi�cation to the work
program: The auditors must establish how
these tax receivables have arisen and test
them for impairment.
Speci�c addition/modi�cation to the work
program: The correct classi�cation and US-
GAAP accounting treatment is to be checked
for �ve leases.
Liabilities
Result of analytical procedure Consequences for the work program
Fig. 4 Fictitious Example of Possible Results from an Analysis of Liabilities and its Consequences
for the Work Program
Sales revenue has fallen by EUR 1,016,000. This is partly the result of a reduction in product sales revenue by EUR 2,250,000, partially ofset by an increase in consulting sales revenue by EUR 1,300,000. Many consulting projects and software contracts have been concluded with the public sector.
Speciic addition/modiication to the work program: If there are indications of possible diiculties in the public sector of the country under review, the receivables have to be tested for impairment and it must be established whether all revenue recognition requirements have been met.
Income Statement
Result of analytical procedure Consequences for the work program
Fig. 5 Fictitious Example of a Possible Result from an Analysis of the Income Statement and its
Consequences for the Work Program
313
LinKSAnDReFeRenCeS e
• AREnS,A.A.,F.J.ElDERAnDM.S.BEASlEy.2006.Auditing and Assurance Ser-
vices: An Integrated Approach.12thed.UpperSaddleRiver,nJ:PearsonPrenticeHall.
• CASCARInO,R.AnDS.vAnESCH.2005.Internal Auditing: An Integrated Approach.
lansdowne,SA:JutaandCo.
• REDIng, K. F., P. J. SOBEl, U. l. AnDERSOn, etal. 2007. Internal Assurance and
Consulting Services.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• RITTEnBERg,l.E.AnDB.J.SCHWEIgER.2005.Auditing: Concepts for a Changing
Environment.Mason,OH:hompson.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
• SAWyER,l.B.,M.ADITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
3.2 Trade Accounts Receivable Audits
KeyPoinTS •••
• Aprimaryobjectiveofauditingtradeaccountsreceivableistoensurethatthe
timingoftherecognitionofreceivablesisappropriate.
• Asecondauditobjectiveistoensurethatthereceivablesarecorrectlymeasured
andfullydisclosed.
• Althoughbalanceconirmationsdonotguaranteethatthecashwillbereceived,
theydoprovideassuranceoftheexistenceandtheamountofthereceivable.
• Keyactivitiesofatradeaccountsreceivableauditincludeevaluatingthetiming
oftherecognitionofthereceivables,analyzingtheopenitems,theageingstruc-
turelistsandtheDSOlist,examiningbaddebtallowancesonreceivables,and
assessingcurrencytranslation.
Whenauditingtradeaccountsreceivable,thetimingandappropriaterecognition
ofreceivablesiscriticallyimportant.Oneauditobjectiveistoensurethatthere-
ceivables are measured correctly. Receivables must be measured based upon the
amountoftheexpectedcashinlowforthecompany,whichmeansthattheymust
be tested for impairment. he investigation should also include a check as to
whetherthetradeaccountsreceivablearecorrectlyandfullyreportedinthebal-
ancesheet,thatis,whethertheyareclassiiedintocurrentandnoncurrentreceiv-
ables,domesticor foreignreceivables,or localor foreigncurrencydenominated
receivables.hefocusofInternalAudit’sworkincludesbothprocessandsystem
analysis.
AuditobjectsAuditobjects
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Trade Accounts Receivable Audits
C|3|3.2
314
localsubsidiariesareauditedatvarioustimesthroughouttheyear(seeSection
C,Chapter5.1).Duringauditpreparation,theauditorsmustdeinethedatathey
willexamineduringtheaudit.generally,auditorsusetheigures fromthe latest
interiminancialstatementsasabasisfortheaudit.Itisessentialtoalsoconsider
theiguresofthelatestannualinancialstatements,oreventhosefromtheprior
year(fordetailsofanalyticalprocedures,seeSectionC,Chapter3.1).SAP’scorpo-
rateinancialreportingdepartmentproducesinancialstatementanalysesforsig-
niicant local subsidiaries between reporting dates. hese analyses may provide
valuablesupportduringauditpreparation.
Since theauditofa local subsidiary isaimedatensuring that tradeaccounts
receivablearenotimpaired,InternalAuditmayconsiderconductingbalancecon-
irmations,similartothoseperformedduringtheannualinancialstatementaudit
by the external auditors. To this end, Internal Audit should select a sample of
debtorsbeforethestartoftheaudit.Althoughtheconirmationofabalancedoes
not guarantee that the cash will be received, it does provide assurance of the
existenceandtheamountofthereceivable.
Inaddition,SAProutinelyconductscustomercontractconirmations,bywhich
itgathersinformationaboutexistingsotwarecontracts(fordetails,seeSectionC,
Chapter 9). hese conirmations can also be used as evidence of the existence
andtheamountoftradeaccountsreceivableandthecorrecttimingoftheirrecog-
nition.
Internal Audit must ensure that IT system authorizations grant maintenance
rightsforthecustomermasterdatatoarestrictedgroupofpeopleonly.Moreover,
InternalAuditmustenforcesegregationofdutytoensurethattheemployeewho
updatesthecustomermasterdataisnotauthorizedtoissuecreditnotes.Although
thesegregationofdutyismoreimportantwhenauditingliabilities(seeSectionC,
Chapter3.4), theprincipleofsegregationofdutyshouldalsobeexaminedwhen
auditingtradeaccountsreceivable.DependingontheITsystemused,InternalAu-
ditemployeesshouldusetheirauditorjudgmenttodecidewhetheritisnecessary
toperformareconciliationbetweensub-ledgeraccountsandthegeneralledger.In
theintegratedSAPlivesystem,thisreconciliationisperformedcontinuallyinreal
time.
hefollowingisamoredetaileddescriptionofimportantaspectsofconducting
atradeaccountsreceivableaudit:
• timewhenreceivablesarerecognized,
• analysisoftheopenitemslistandageingstructureanalysis,
• analysisofdayssalesoutstanding,
• baddebtallowancesonreceivables,and
• receivablesdenominatedinforeigncurrency/currencytranslation.
herecognitionoftradeaccountsreceivableisrelatedtosalesrevenuerecognition
(fordetails,seeSectionC,Chapter3.5).
AuditPreparationAuditPreparation
BalanceConirmationsBalanceConirmations
CustomerContractConirmationRound
CustomerContractConirmationRound
SystemAuthorizationandSegregationofDuty
SystemAuthorizationandSegregationofDuty
importantAspectsofAuditexecutionimportantAspectsofAuditexecution
TimeWhenReceivablesAreRecognized
TimeWhenReceivablesAreRecognized
315
Togainageneraloverviewofthetradeaccountsreceivable,itisusefultostart
byreviewingthereceivablesinanopenitemslist.hisstepshouldbesupplemented
with an analysis of the ageing structure of the receivables. Based on the results,
InternalAuditcanthenselectindividualreceivablesforfurtherexamination.heopen
itemslistcontainsalloutstandingreceivablespercustomerandprovidesanideaof
thetransactionsthathavebeenrecorded.Intheopenitemslist,itshouldbepossi-
bletosortandanalyzethedatabycriteriasuchasduedate,customername,and
amount.
heopenitemslistallowsanalysisofthefollowingcurrentreceivables(duewithin
<12months):“Tradeaccountsreceivable,owncountry”(bothlocalandnon-local
currenciesfromcustomersinowncountry)and“Tradeaccountsreceivable,other
countries”(bothlocalandnon-localcurrenciesfromcustomersinothercountries).
heageingstructurelistprovidescriticalindicatorsastowhethertradeaccounts
receivablemaybecollectibleornot.Itisstructuredbymaturity,providingaquick
overviewofcustomerswithoverduereceivablesandtherelevantamounts.
heageingstructure list identiiestheoutstandingreceivables foreachcustomer
per business unit, broken down by the number of days overdue. Due dates and
overdue thresholds can be set in the SAP system as required for individual
customers.heageingstructurelistisdividedintobusinessunitsandcanbesaved
asaspreadsheet.
US-gAAPpermitsgeneralbaddebtallowancesonlyifcertaincriteriaaremet.
heyarepermittedifevidencecanbeprovidedfrompastexperienceorthecurrent
economicenvironment.
Receivablesaremeasuredatnetsalesproceeds.Anallowanceisrecognizedfor
all receivables in the amount at risk from non-collectibility. In essence, this is
aspeciicbaddebtallowance,i.e.,eachreceivablemustbeassessedseparately.he
measurementoftheallowanceshouldbebasedonthebestestimate.Allowancesare
ofsetagainstassetsbydeductingthemfromreceivables.
openitemsListopenitemsList
AccountsincludedAccountsincluded
AgeingStructureListAgeingStructureList
ContentandStructureoftheAgeingStructureListContentandStructureoftheAgeingStructureList
GeneralBadDebtAllowancesGeneralBadDebtAllowances
BadDebtAllowancesonReceivablesBadDebtAllowancesonReceivables
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Trade Accounts Receivable Audits
C|3|3.2
Business unit
A
B
C
D
Total
80,000
60,000
8,000
130,000
278,000
78,000
30,000
1,000
30,000
139,000
780
300
10
300
1,390
Total receivables
Fig. 6 Fictitious Ageing Structure List
316
heindividualoutstandingreceivablecanbeexaminedusingtheinformation
gainedduringanalysis.hereceivablestobereviewedareselectedonthebasisof
auditor judgmentor statistical sampling (seeSectionB,Chapter4.1.2).Together
withtheemployeeresponsibleintheinancialunit,InternalAuditmustexamine
criticallywhythereareoverduereceivablesandwhetherallowancesshouldberec-
ognized.Inthecaseofpaymentdiiculties,speciicbaddebtallowancesmustbe
recognized.Further,theauditorsmustestablishwhethercustomersarewithhold-
ingpaymentbecausetheyarenotsatisiedwiththeproductorservice.Todothis,
auditorsshouldcontacttheemployeesresponsibleinthebusinessunitconcerned
andaskabouttheirrelationshipwiththecustomer.Ifpaymentisdelayedbecause
thecustomer isnotsatisied,a speciicbaddebtallowanceshouldnotberecog-
nized,insteadasalesallowance,whichissimilar,shouldbeused.
Atleastattheendofeachquarter,eachlocalsubsidiarymustreviewallspeciic
baddebtallowances.heauditorsshouldaskforthelistofreceivablesforwhich
speciicallowanceshavebeensetupasof the latestannualinancial statements
auditedbytheexternalauditorsandcompareitwiththelocalsubsidiary’scurrent
list.Anyvariances,particularlyreversalsofspeciicbaddebtallowances,shouldbe
discussed with the people responsible in the local subsidiary. Analysis of the
above-mentioned open items list in conjunction with the ageing structure list
mayalsoprovideindicationsastotheneedforadditionalspeciicbaddebtallow-
ances.
hefollowingictitiousexampledemonstrateshowtosetupageneralbaddebt
allowance:
Totalreceivables(gross): EUR1,290,000
less:receivablesrequiringaspeciic
baddebtallowance(gross): EUR (100,000)
Subtotal: EUR1,190,000
lessvalueaddedtax(19%): EUR (190,000)
Receivables(net): EUR1,000,000
generalbaddebtallowance(1%): EUR (10,000)
hereceivablesforwhichaspeciicbaddebtallowancehasbeensetuparethose
receivablesthatweredepreciatedfollowingseparateevaluation.heydonotnec-
essarilyneedtobewrittenoftozero,butthefullamountofthespeciicbaddebt
allowancesisdeductedfromthebasisonwhichthegeneralbaddebtallowanceis
calculated.
Anotherwayofanalyzingtradeaccountsreceivableistoexaminetheturnover
rateofreceivablesmeasuredindays.hisisdoneusingthedayssalesoutstanding
(DSO) list.DSOis thenumberofdays fromthe invoicedate throughreceiptof
payment.
SpeciicBadDebtAllowances
SpeciicBadDebtAllowances
SpeciicBadDebtAllowancesRecognized
byLocalSubsidiaries
SpeciicBadDebtAllowancesRecognized
byLocalSubsidiaries
FictitiousexampleofGeneralBadDebt
Allowance
FictitiousexampleofGeneralBadDebt
Allowance
AnalysisofDaysSalesoutstanding
AnalysisofDaysSalesoutstanding
317
hefollowingictitiousexampledemonstrateshowtocalculateDSO:
Totalreceivables(net): EUR 1,200,000
Totalsalesrevenuefortheperiod: EUR10,000,000
DSOcalculation:
Totalreceivables(net)dividedbysalesrevenueperdayinperiod:
EUR1,200,000=43.8days
EUR10,000,000/365days
he result 43.8 indicates how many days it takes customers on average to settle
outstandingreceivables.
heDSOlistthereforeshowshowlongittakesalocalsubsidiaryonaverageto
collectitsreceivables.Butthisresultaloneisnotverymeaningful.Usefulconclu-
sionscanonlybedrawniftheauditorcomparestheigurewiththatofotherperiods
inthesamelocalsubsidiary,orwithotherlocalsubsidiariesforthesameperiod.
he auditors should, however, only compare local subsidiaries that operate in
a comparable economicenvironment, so that theycanassume similar customer
paymentbehavior. Itwouldnotmakesense tocompare theigure foracountry
with generally poor payment behavior with one where customers normally pay
promptly.
Signiicantly high DSO values for overdue receivables may indicate process
weaknessesinthedebtcollectionprocedures.HighDSOiguresalsoimpactnega-
tivelyontheliquidityofthelocalsubsidiaryinquestion.hereasonsforhighDSO
values,therefore,mustbeinvestigatedandanyprocessweaknesseseliminatedby
thelocalsubsidiary.
Sincethecollectibilityofreceivablesdependsmainlyonthesolvencyofthecus-
tomerinquestionandtheoutcomeofanylitigation,InternalAuditmustconsult
withthelegaldepartmentconcerned,theexternallocalattorney,orthecorporate
FictitiousexampleofHowtoCalculateDSoFictitiousexampleofHowtoCalculateDSo
AnalysisoftheDSoListAnalysisoftheDSoList
ConclusionsfromtheDSoListConclusionsfromtheDSoList
AssessmentofCollectibilityAssessmentofCollectibility
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Trade Accounts Receivable Audits
C|3|3.2
Country
A
B
C
D
E
Total
16,000
500
50
20
0
16,570
Balance
93,000
4,000
500
200
400
98,100
Sales
62.8
45.6
36.5
36.5
0
61.7
DSO
Fig. 7 Fictitious Example of DSO Analysis
318
legaldepartmentandobtain the relevantconirmations fromtheattorneys.his
informationisalsousefulwhenassessingtheneedforanadditionalprovisionfor
litigationcosts(seeSectionC,Chapter3.3).Auditorsmustensurethattheyhave
usedallavailableinformationsourcesinthiscontextandthatthelistsarecomplete.
Allowancesdue tocustomerpaymentdiicultiesmustbedistinguished from
receivablesthatareuncollectibleduetocustomercomplaints.Separatesalesallow-
ancesmustbesetupforreceivablesrelatingtogoodsorserviceswithwhichcus-
tomersarenotsatisiedandwhichtheyarethereforeunwillingtosettleorwilling
tosettleonlypartially.heauditorsshouldtalkwiththeemployeesresponsiblein
theauditedunittogetafeelingforanyprojectswherecustomersmaybedissatis-
ied.
Receivablesinforeigncurrencyaremeasuredatthecurrentexchangerate.he
measurementisperformedattheendofeachmonth.Currencytranslationresults
inforeignexchangegainsorlosses.Auditorsshouldaskforalistoftradeaccounts
receivabledenominatedinforeigncurrencyandtestasampleofaccountstodeter-
mine whether the correct exchange rate has been used for measurement and
whetheranyforeignexchangegainsorlosseshavebeentakentotheincomestate-
mentaccordingtothecompany’saccountingguidelines.
HinTSAnDTiPS ;
• Auditors should not accept any statements without critically reviewing them
irst.
• heinformationobtainedbyanalyzingtheopenitemslistandtheageingstruc-
turelistshouldbeusedtoselectcertainreceivablesfordetailedtesting.
• Auditorsshouldbeawarethatassetsaremoresusceptibletoriskfromoverstate-
mentthanfromunderstatement.
LinKSAnDReFeRenCeS e
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
• SAWyER,l.B.,M.ADITTEnHOFERAnDJ.HSCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
3.3 Accrued Liabilities Audits
KeyPoinTS •••
• Whenauditingaccruedliabilities,oneofthemajorobjectivesistoensurethat
allmaterialriskshavebeencapturedandmeasuredasaccuratelyaspossible.
• Duringtheaudit,itisappropriatetofocusonthemainaccruedliabilities.his
includes, for example, vacation accruals, accruals for outstanding invoices,
UncollectibleReceivablesDueto
CustomerComplaints
UncollectibleReceivablesDueto
CustomerComplaints
ReceivablesDenominatedinForeign
Currency/CurrencyTranslation
ReceivablesDenominatedinForeign
Currency/CurrencyTranslation
319
bonusaccruals,accruals for losscontingencies,otheraccruals(legaldisputes,
legalandconsultingcosts),andtaxaccruals.
• Currently,SAPprimarilyauditsaccrualsaspartoflocalsubsidiaryaudits.
Whenauditingtheaccountingunitsoflocalsubsidiaries,InternalAuditmustal-
ways consider the US-gAAP accounting principles. According to US-gAAP,
accrualsarereportedunderliabilities.heaccrualsaccountunderliabilitiesonthe
balancesheetincludescontingentliabilities,whentheamountand/orbasisofthe
liabilitiesareuncertainbutanoutlowofeconomicresourcesisprobable.herec-
ognitionofaccrualsunderUS-gAAPdependsonwhetherthereisanobligation
towardathirdparty(externalobligation).Moreover,thefollowingcriteriamustbe
metbeforeanaccrualcanberecognizedasofthebalancesheetdate:
• hecauseoftheobligationmustbelegalorinancialinnatureandresultfrom
apastevent.
• heamountoftheobligationmustbedeterminable(i.e.,theamountoflosscan
bereasonablyestimated).
• heuseoftheobligationmustbeprobable(i.e.,lossisprobable).
Each accrual should be measured as the best estimate of most probable use. If
severalvaluesareequallyprobable, the lowestendofthemostprobablerangeis
recognizedunderUS-gAAP.
Amajorobjectivewhenauditingaccruedliabilitiesistoensurethatallmaterial
riskshavebeencapturedandmeasuredasaccuratelyaspossible.Inaddition,the
focusofInternalAudit’sworkotencomprisesprocessandsystemanalysis.Such
processanalysisisusefulforannuallyrecurringaccrualssuchasforbonuses,vaca-
tion,etc.
Itisappropriatetofocusonthesigniicantaccruedliabilitiesduringtheaudit.
Materialitycanbeassessedunderquantitativeandqualitativecriteria.hischapter
dealswithauditsofthefollowingtypesofaccruals:
• vacationaccruals,
• accrualsforoutstandinginvoices,
• bonusaccruals,
• accrualsforlosscontingencies,
• otheraccruals(legaldisputes,legalandconsultingcosts),and
• taxaccruals.
Accrualscanbetreatedasaseparateauditsegmentorexaminedaspartofsubsid-
iaryaudits.InternalAuditatSAPauditsaccruedliabilitiesprimarilywhenauditing
localsubsidiaries.hoseauditsmaybeperformedduringtheiscalyear(seeSec-
tionC,Chapter5.1).Asigniicantaspectofauditpreparationistodeinethedatato
be examined. normally it is expedient to use the igures from the latest interim
inancialstatementsandthecomparableprior-yearinancialstatementsasabasis
fortheaudit.Inaddition,theauditorsshouldalsoconsidertheiguresofthelast
twoannualinancialstatements.
SettingUpAccruedLiabilitiesSettingUpAccruedLiabilities
AuditobjectivesAuditobjectives
MainTypesofAccrualsMainTypesofAccruals
AuditPreparationAuditPreparation
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Accrued Liabilities Audits
C|3|3.3
320
SAP’s corporate inancial reporting department produces inancial statement
analyses for signiicant subsidiaries during the course of the iscal year. hese
analysesmayprovidevaluablesupportduringpreparation.Auditorsshouldanalyze
thelateststatementofchangesinaccrualsandmajormovementsontherelevant
accrualaccountsanddiscussanymaterialorunusualvarianceswiththepersons
responsiblewithinthelocalsubsidiary.Astatementofchangesinaccruals(accruals
register)mustbeavailableatleastonceattheendoftheiscalyear.
Eachlocalsubsidiarymustcalculateitsvacationaccrualsmonthly,takinginto
accountlatestdevelopmentsandchanges,suchasvacationdaystaken,salaryin-
creases,etc.heamountofvacationaccrualdependsprimarilyonthenumberof
employees, the number of vacation days not yet taken (including any balances
broughtforwardfromthepreviousyear),andthesalaryofeachemployee.
When testingvacationaccruals, theauditorsmustconsider the followingas-
pects:
• heymustensurethatallemployeesareincludedinthecalculationofvacation
accruals.Auditorscandothisbyaskingthehumanresourcesdepartmentfora
listofallactiveemployees.hislistisnormallygeneratedintheSAP-internal
humanresourcessystemandcomparedwiththelistofvacationaccruals.gen-
erally,thereshouldnotbeanyvariances,butanydiferencesthatdooccurmust
beanalyzed.
• Auditorsalsomustensurethatallunusedvacationdaysareaccuratelyrelected
inthecalculations.notethatemployeeswhojoinedthecompanyinthecourse
of theyearwillhaveapro-ratedvacationentitlementonly.Whencalculating
theaccrualbetweenreportingdates(e.g.,forinteriminancialstatements),the
auditteamshouldrememberthattheentitlementfortheyeartodateislikewise
apro-ratedigure.heremaybecountry-speciicdiferencesat thispoint. In
somecountriesitisnormaltograntthefullannualvacationentitlementifthe
employeejoinsbeforeJune30ofayear.
• Inadditiontothenumberofunusedvacationdays,employees’salariesinlu-
encethevacationaccrual.heauditteamshouldexamineasampleofemployee
recordstoascertainwhetherthecorrectsalarydataisusedtocalculatetheac-
crual.Foreachemployeerecordincludedinthesample,theauditteamshould
comparethesalarydatafromtheaccrualtothedatafromthehumanresources
systemandtheemploymentcontracts.heteamshouldensurethatanysalary
increaseshavebeenincluded.
hecalculationofvacationaccrualsmustincludeallsalarycomponentstowhich
theemployeehasairmentitlement.heauditorsmustalsoconsiderthesocialse-
curitycontributionspayablebytheemployer.Itisusefultodetermineadailyrate
foreachemployeeandbasethevacationaccrualonthisigure.Sincetheaccrual
expressesinmonetarytermsthevacationentitlementthatemployeeshavereceived
butnotyettaken,itisalsoimportanttocalculatetheexpectednumberofworking
daysperyear.Forexample,theauditteamingermanyuses220daysperyearasa
AnalysesBeforetheStartoftheAudit
AnalysesBeforetheStartoftheAudit
VacationAccrualsVacationAccruals
TestingVacationAccruals
TestingVacationAccruals
CalculationofVacationAccruals
CalculationofVacationAccruals
321
guidancevalue.hisigureof220daysiscalculatedasfollows:365daysperyear-
104 days for weekends = 261 days – 32 days average vacation entitlement =
229days–9publicholidaysonaverage=220days.Individual localsubsidiaries
mayhavediferentiguresbecausetheymayhavediferentvacationentitlements
andpublicholidays.Duringtheaudit,theauditorsshouldestablishwhetherem-
ployeesarelegallyrequiredtotaketheirvacationbyacertaindate,becausecontra-
ventionscouldhavelegalconsequencesfortheemployer.
Ingeneral,theresponsibilitiesofthehumanresourcesdepartmentmustbesepa-
ratefromthoseoftheaccountingdepartment(segregationofduties).Itwouldnot
be appropriate if, for example, the accounting department were to originate and
subsequentlyalsoprocessdatathatisincludedinthecalculationofvacationaccru-
als.
he following is a ictitious example describing how to calculate a vacation
accrual.
Accrualsforoutstandinginvoicesaresimilartoaccrualsforotherobligations.he
primaryobjectiveofsettingupaccruals foroutstanding invoices is toaccurately
recordthosegoodsandservicesthatasupplierhasprovidedforthepreviousperiod
butnotyetinvoiced.
Eachlocalsubsidiarymustbeinapositiontoprovidereliableandaccurateesti-
matesforanyoutstandinginvoices.Torecordtheamountofoutstandinginvoices
for consulting services, local subsidiaries must have a functioning independent
projectcontrolsystem,whichtheycanuseatleastattheendofeachmonthtore-
portandanalyzethelatestprojectstatuses(seeSectionC,Chapter5.2).
Two points are of critical importance for Internal Audit when auditing out-
standinginvoices:
• Testing of the relevant project control process: his examines the extent to
whichalocalsubsidiaryhasimplementedafunctioningandindependentproj-
SegregationofDutiesSegregationofDuties
FictitiousexampleFictitiousexample
AccrualsforoutstandinginvoicesAccrualsforoutstandinginvoices
estimatesMadebyLocalSubsidiariesestimatesMadebyLocalSubsidiaries
TestsRelatingtooutstandinginvoicesTestsRelatingtooutstandinginvoices
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Accrued Liabilities Audits
C|3|3.3
Contractual annual salary: €
€
€
€
Days
Average employer-paid contribution to social security:
Average number of days actually worked per month:
Equals daily rate of: 60.000 € divided by 12 months divided by 18.3 days:
Plus 20% social security:
Total daily rate:
Pro-rated vacation entitlement already earned (incl. amount brought forward):
%
60,000
20
18.3
273
55
328
25
Amount to be accrued: 328 € x 25 days = 8,200 €
Fig. 8 Fictitious Example for Calculating a Vacation Accrual
322
ect control system. A process that allows reliable estimates of the amount of
outstandinginvoicesmustbeinplace.
• Detailedtestingofaccrualamounts:heauditorsshouldaskforalistofunbilled
services(e.g.,thosesuppliedbyasubcontractor)forthereviewperiodthathas
just ended. To calculate the expected invoice total, the number of hours the
consultantshavespentonservicesismultipliedbythehourlyratesagreed.
Depending on the project in question, consultant hours for subcontractors and
otherlocalSAPsubsidiariescanbeenteredintheSAP-internalserviceentrysys-
tem.Ifso,auditorscancalluptherequiredinformationabouthoursentereddi-
rectlyintheITsystem.heexpectedinvoicetotaliscomparedtotheaccrualthat
hasbeensetup.Iftherearematerialdiferences,theyshouldbediscussedwiththe
personresponsible.Accrualsarealsosetupforseparatelybilledtravelexpensesand
non-deductibleinputtax.
Anotheroptionfortestingaccrualsforoutstandinginvoicesforconsultingser-
vices is to compare accruals recognized with the invoices actually received for
aspeciicproject.Ofcourse,theauditteamcandothisonlyforperiodsalreadyended,
however,itallowstheteamtoassessthereliabilityofaccrualestimatesforpastpe-
riods.
Accrualsforoutstandinginvoicesareenteredontherelevantaccrualsaccount.
Assoonastheinvoiceisreceived,theaccrualmustbereversedandaliabilityrec-
ognizedonthevendoraccount.
Inadditiontotheabove-mentionedoutstandinginvoicesforconsultingproj-
ects,accrualsforoutstandinginvoicesalsocoverotherexpenses,suchastelephone
charges,leaseservicecharges,andtravelexpenses.heexactamountsareverydif-
iculttodetermine,soitisbesttosetupaccrualsbasedonusualmonthlycharges.
Each local subsidiary can stagger bonus payments at its own discretion. he
amountofbonuspaymentisbasedontheachievementoftargets,whichinclude
individualemployeetargetsandothercomponents,suchasdepartmental,unit,and
localsubsidiarytargets.Eachemployeeshouldhavehisorherownbonusagree-
ment,whichprovidesdetailsofindividualtargets.heamountoftargetbonuscan
vary fromunit tounit.Oten, thevariablecomponentof targetcompensation is
higher in sales-related departments than in administration departments. Bonus
paymentsarenormallysubjecttosocialsecuritycontributions.
Auditorsshouldrecordtheprocessofsettingupbonusaccrualsandverifyona
samplebasisthattheprocesscontrolsareefective.Suchcontrolscantaketheform
ofdocumentsthatsetoutthebonusagreementsandthetargetsactuallyachieved
andissignedbytheemployeeconcerned,hisorherlinemanager,andanHRoicer.
heobjectiveoftheauditistoestablishthatrealisticbonusesareagreedaccording
toguidelinesandthatbonusachievementisadequatelymonitoredanddocumented
inwritingbythelinemanager.Bonuseshavetobepaidinlinewithtargetachieve-
ment.Totestthebonuses,theauditorsshouldcomparetargetachievementwiththe
actualbonuspaymentsmadefortheyear.Oten,aproportionofthebonusispaid
ComparisonBetweenCalculatedandAccrued
Amount
ComparisonBetweenCalculatedandAccrued
Amount
AlternativeTestingoption
AlternativeTestingoption
entriesentries
otherComponentsofAccrualsfor
outstandinginvoices
otherComponentsofAccrualsfor
outstandinginvoices
BonusAccrualsBonusAccruals
TestingBonusAccrualsTestingBonusAccruals
323
toemployeesasanadvanceinthecourseoftheyear.Ifthatisthecase,theauditors
mustensurethattheadvancepaymentdoesnotexceedthemaximumtheemployee
canachieve.Inthisregard,itwouldbeexpedientforthelinemanagertoanalyzethe
employee’sperformanceduringtheyear.
Ifcompanyperformanceisrelevantforthecalculationofbonuses,theestimate
oftheannualresultatthetimetheaccrualsarecalculatedshouldbecomparedwith
thetargetresultfortheyearonwhichthebonusagreementisbased.
Inaddition,itisusefultomakeanalyticalcomparisonswiththepreviousyear
andpastquarters(seeSectionC,Chapter3.1).Heretheauditteamcaninvestigate,
forexample,whetherbonuspaymentsaredevelopinginlinewithcompanyperfor-
manceandwhetherthebonuspaymentsofeachbusinessunitareplausible.
hefollowingisaictitiousexampleofhowtocalculateabonusaccrualasof
September30.
Todescribetheappropriatetestsofaccrualsforcontingentlosses,customer-spe-
ciicsotwaredevelopmentcontractsareusedinthefollowingasanexample.Atthe
startofadevelopmentproject,theprojectmanagershoulddrawupadetailedplan,
includingacostingofexternalandinternalresourcesatfullyabsorbedcost.Ifthere
aresignsthatthecostsofaixed-priceproject(seeSectionC,Chapter5.2),includ-
inganysubcontractorcosts,willexceedthecontractuallyagreedrevenue,thefull
anticipatedlossfromthisprojectmustimmediatelyberecognizedasanaccrualfor
contingentlosses.
RelevanceofCompanyPerformanceRelevanceofCompanyPerformance
AnalyticalComparisonsAnalyticalComparisons
FictitiousexampleFictitiousexample
AccrualsforContingentLossesAccrualsforContingentLosses
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Accrued Liabilities Audits
C|3|3.3
Speciied target result of the local subsidiary:
Total local subsidiary bonus payable on 100% target achievement:
Forecast year-end result of the local subsidiary as of September 30:(forecast for December 31)
Year-to-date result of the local subsidiary as of September 30:
The accrual as of September 30 (if iscal year is the same as calendar year) is calculated as follows:
€
€
€
€
200,000
20,000
160,000
120,000
I
II
III
Forecast year-end result as of September 30Speciied target result for the year
160,000 €200,000 € = = 80%
Proportion of year-end result earned to September 30Forecast year-end result as of September 30
120,000 €160,000 € = = 75%
Amount to be accrued as of September 30:80% (from I.) x 75% (from II.) x 20,000 € (total bonus payable) = 12,000 €
Fig. 9 Fictitious Example for Calculating a Bonus Accrual
324
Testingaccrualsforcontingentlossesincludesthefollowing:
• hetestsmustverifythatthecostingoftheinternalresourcesincludesalldirect
andindirectcosts.heelementsofthiscostingarebasedonthebudgetedigures
andincludeanysalaryincreases.heauditteamshouldthereforeusetheap-
provedbudgetasthebasis.hebasisfortheiguresshouldbereconciledandthe
calculationschecked,takinganysupplementarycosts,e.g.,travel,intoaccount.
• heprojectcostingshouldalsorelect thetermsandconditionsagreedupon
withanysubcontractors.Toverifythese,theinternalauditteammustanalyze
thecontractscarefully.
• heteammustalsoensurethattherevenueassumptionsarerealisticbyanalyz-
ingthesignedcontractsandreconcilingthedatathecontractscontaintothe
projectcosting.
• Overall,auditorsshouldgetanoverviewofthestatusoftheprojectinorderto
assesswhetherandtowhatextentprojectcostsexceedprojectedrevenue.
Whentestingotheraccruals–e.g.,forlegaldisputesorlegalandconsultingcosts
–auditorsprimarily checkwhether the local subsidiary’s estimatesare complete
andtheamountsrealistic.Toassesslegaldisputes,auditorsmustmeetwithlocal
externalattorneysandthecorporatelegaldepartmentbeforethestartoftheaudit.
heyshouldrequestattorneyconirmationsfromlocalexternalattorneysandalso
obtaintaxconsultantconirmations.Insomecasesitmaybeappropriatetoobtain
opinionsfromexternalexperts.Inaddition,itisusefultoanalyzethecustomerac-
countsforanynewaccrualsneeded(seeSectionC,Chapter3.2).Auditorsshould
ensurethatthelegaldisputesarecorrectlyandfullycapturedinthebalancesheet.
Accruals for legalandconsultingcostsprimarilycompriseaccruals forattor-
neysandexternalaudit fees.Attorney feescanbeclariiedbyrequestinga letter
fromtheattorneysormeetingwithlocalexternalattorneys.heauditfeescanbe
takenfromtheexternalauditors’engagementletterorcontract.hepreviousyear’s
feecanalsobeusedforguidancepurposes.Betweenreportingdates,costsshould
berelectedprorata.
Testingoftaxaccrualsincludestradetaxandcorporateincometax.heaccrual
isrecalculatedattheendofeachquarterandadjustedaccordingly.heparameters
onwhichthecalculationisbased,e.g.operatingproitbeforetax,shouldbechecked.
Todoso,itisusefultoaskforareconciliationtotheinancialstatementsprepared
undertaxlaw.hecountry-speciictotaltaxrateshouldbemultipliedbytheex-
pectedtaxableincomeandcomparedwiththeaccrualactuallyrecognized.Advance
taxpaymentsandtaxlosscarryforwardsmustbedeductedfromtheexpectedtax
expense.Foreachtypeoftax,theauditteamshouldexaminewhethertheadvance
paymentexceedstheexpectedtaxpayable.Ifso,theresultingreceivablemustbe
reportedunderotherassets.Auditorsmustarrangeameetingwith the local tax
consultant, the localexternalauditors,andthecorporate taxdepartmentso that
theygetanideaofanyproblemsfromanindependentthirdparty.
TestingAccrualsforContingentLosses
TestingAccrualsforContingentLosses
otherAccruals–LegalDisputes
otherAccruals–LegalDisputes
otherAccruals–LegalandConsultingCosts
otherAccruals–LegalandConsultingCosts
TaxAccrualsTaxAccruals
325
HinTSAnDTiPS ;
• Whenauditingaccruals,auditorsshould,aboveall,makesure thatallaccru-
alsfullyrelectanticipatedvolumesandvaluesandfollowUS-gAAPrequire-
ments.
• Problemsareotencausednotbytheaccrualsrecordedinthebalancesheet,but
bythosethathavenotbeensetup,althoughtheyshouldhavebeen.
LinKSAnDReFeRenCeS e
• JARnAgIn,B.D.2007.US Master GAAP Guide.Riverwoods,Il:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
• SAWyER,l.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
3.4 Trade Accounts Payable Audits
KeyPoinTS •••
• Testingthattradeaccountspayablearefullycaptured,correctlymeasuredand
properlyreportedonthebalancesheetisasigniicantauditobject.
• Whenauditingtradeaccountspayable,itisveryimportanttotestthesegrega-
tionofdutiesandcorrectperiodallocation.
• Completenessoftradeaccountspayableiscrucial.herefore,balanceconirma-
tionsshouldbeobtained.
• he following aspects should be considered when auditing current trade ac-
counts payable: Time of recognition, reconciliation between sub ledger and
generalledger,liabilitiesdenominatedinforeigncurrency/currencytranslation,
liabilitiestoailiatedcompanies,criticalauthorizationsandcreationofmaster
data,approvalofpurchaseorder requisitions, testingof substantiveaccuracy,
approvalofpaymentproposallists,andefectingofpayments.
hischapterdealswithtradeaccountspayableaudits.Accountspayablearebroken
down into current and non current liabilities. Current liabilities are due within
twelvemonths.hetimingofrecognizingaliabilityisofcriticalimportance.Test-
ingthattradeaccountspayablearefullycapturedandcorrectlymeasuredisasig-
niicantauditobjective.US-gAAPrequiresthatliabilitiesarerecognizedatpresent
value. Current liabilities are always recognized at the invoice amount. Auditors
shouldalsoexaminewhethertheliabilityiscorrectlyreportedinthebalancesheet.
heyalsomustensurethatonlyarestrictedgroupofpeoplehasmaintenancerights
forthevendormasterdataintheITsystem.Whenauditingtradeaccountspayable,
BasicsBasics
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Trade Accounts Payable Audits
C|3|3.4
326
itisthereforeveryimportanttotestsegregationofdutiesoftheresponsibleemploy-
eesinvolved.
Asigniicantaspectofauditpreparationistodeinethedatatobeexamined.
generallyitisexpedienttousetheigures(e.g.,currentliabilities)fromthelatest
monthlyorquarterlyinancialstatementsasabasisfortheauditandcomparethem
withthepreviousyear’sigures.Inaddition,duringauditpreparationtheauditors
shouldalsoconsidertheiguresofthelast(orthelasttwo)annualinancialstate-
ments.SAPalsoconductsauditsof local subsidiaries,which(can) include trade
accountspayableaudits,betweenreportingdates(seeSectionC,Chapter5.1).SAP’s
corporateinancialreportingdepartmentproducesinancialstatementanalysesfor
selectedsubsidiariesbetweenreportingdates.heseanalysesmayprovidevaluable
supportduringpreparation.Inadditiontoinancialdata,thefocusofInternalAu-
dit’sworkcomprisesprocessandsystemanalysis.
Whenauditingalocalsubsidiary,theauditorsshouldconsiderobtainingbal-
anceconirmations,aspracticedduringtheauditoftheannualinancialstatements.
Unlikereceivables,theselectionoftradeaccountspayabletobeconirmedisnot
basedonthehighestindividualbalancesbutonthehighestsalesthatavendorhas
made toSAP in theperiodunderexamination.heselectionofvendors is thus
derivedfromdataintheinancialstatement.Alternatively,InternalAuditcantest
randomlyselectedsamples(seeSectionB,Chapter4.1.2).
heieldworkactivitiesaretakenfromtheworkprogram,whichiscompiled
beforetheaudit.hischapterdealsprimarilywiththefollowingaspectsofauditing
currenttradeaccountspayable:
• pointintimewhenliabilitiesarerecognized,
• reconciliationbetweensub-ledgerandgeneralledger,
• liabilitiesdenominatedinforeigncurrency/currencytranslation,
• liabilitiestoailiatedcompanies,
• criticalauthorizationsandcreationofmasterdata,and
• approval of purchase order requisitions, testing of substantive accuracy, ap-
provalofpaymentproposallists,andefectingofpayments.
Similartoreceivables,tradeaccountspayablearebrokendownbymaturity.Rec-
ognitioninthebalancesheetisrelatedtothecontractpartner’sreceiptofthegoods
orservices.Whiletheinvoiceamountforthegoodsandservicesisnotyetixed,
anaccrual foroutstanding invoices issetup(seeSectionC,Chapter3.3). If the
invoiceamountisknown,aliabilityforsupplierinvoicesnotyetreceivedshould
be recognized. Trade accounts payable are normally reported under current
liabilities.
hetradeaccountspayableinthegeneral ledger(balancesheetaccounts)are
derived from the sub-ledgers. Entries are always made against the vendor itself.
Depending on the IT system used, the auditors should use auditor judgment
to decide whether to perform a reconciliation between sub-ledgers and general
ledger.
AuditPreparationAuditPreparation
BalanceConirmationsBalanceConirmations
SelectedAspectsofTradeAccounts
PayableAudits
SelectedAspectsofTradeAccounts
PayableAudits
TimeWhenLiabilitiesAreRecognized
TimeWhenLiabilitiesAreRecognized
ReconciliationbetweenSub-LedgerandGeneral
Ledger
ReconciliationbetweenSub-LedgerandGeneral
Ledger
327
Inaddition,theauditorsshouldrequestanopenitemslist,whichcomplements
thelistofbalances.Itshowsallunsettledinvoicesenteredforaparticularvendor.
Auditorswillusetheopenitemslist,forexample,totestwhetherallvendorentries
havebeenmadeinthecorrectperiod.It isusefultotakeasampleofvendorsto
checkcorrectperiodallocation.verifywhetherentryanddeliverydateareinthe
sameperiod.Iftheauditorsestablish,forexample,thatthegoodsorserviceswere
provided in thepreviousperiod,but the invoicewasonlyreceived in thesubse-
quentperiod,theymustascertainwhetheranaccrualforoutstandinginvoiceswas
setupandtheliabilitywasrecognizedinthecorrectperiod.Iftheliabilityorac-
crualrelatestoexpenseitems,therelevantefectontheincomestatementmustbe
takenintoaccount.Ifthegoodsorservicesaresuppliedinthepreviousperiod,but
onlyrecognizedinthenextperiod,theincomeforthepreviousperiodwillbeover-
stated.
vendorswithdebitbalancesshouldbeexaminedcriticallyand,ifappropriate,items
shouldbereclassiiedtoreceivablesorotherassets.Reasonsthatvendorsmayhave
debitbalancescouldbeoverpayments,credits,orsimultaneous,reversedpayment
obligations.
Ascanbeseenintheabovetable,theopenitemslistshowsliabilitiesbroken
downbycurrency.liabilitiesinforeigncurrencyaremeasuredatthecurrentex-
changerate.hemeasurementisperformedatthecurrentrateattheendofeach
month.hisresultsinforeignexchangegainsorlosses.Onceauditorshavecreated
anopenitemslistintheITsystem,theymustuseauditorjudgmenttodecideifthey
shouldtestwhetherthecorrectexchangeratehasbeenusedformeasurementand
anyforeignexchangegainsorlosseshavebeentakentotheincomestatementac-
cordingtothecompany’saccountingguidelines.
Whenauditingtradeaccountspayable,theauditormustensurethatliabilitiesto
ailiated companies are examined separately. Although liabilities to ailiated
companiesarealsoreportedundercurrentliabilities,theyarenormallycaptured
openitemsListopenitemsList
VendorswithDebitBalancesVendorswithDebitBalances
LiabilitiesDenominatedinForeignCurrency/CurrencyTranslation
LiabilitiesDenominatedinForeignCurrency/CurrencyTranslation
LiabilitiestoAiliatedCompaniesLiabilitiestoAiliatedCompanies
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Trade Accounts Payable Audits
C|3|3.4
Total for all company codes of accounts analyzed,
in EUR (closing date: Dec. 31, XXXX)
Total liability:
Debit
Credit
150,000
700,000
550,000 –
500,000 –
10,000 –
5,000 –
5,000 –
30,000 –
Per currency:
AUD
CHF
GBP
USD
15,000 –
7,500 –
3,500 –
35,000 –
Fig. 10 Possible Structure of a Fictitious Open Items List, Broken Down by Currency
328
separately.liabilitiesarebrokendownbycreditorgroupsonthefaceofthebalance
sheet,unlessthisisdoneinthenotestothebalancesheet.heauditorsshoulden-
surethatbalancesarereconciledregularly,atleastannuallyattheendoftheiscal
year.
Criticalauthorizationsrelatingtothecreationofmasterdataareaparticularly
sensitiveissue.Sometimes,employeesareauthorizedbothtoupdatevendormaster
dataandtoefectpayments.InsuchcasesInternalAuditmustconsidertheriskof
fraud:Iftheemployeeisauthorizedtocreatevendorsandalsotomakepayments
tovendors,fraudistheoreticallypossible.Auditorsthereforemustensurethatthe
samepersoncannotmaintainvendormasterdatawithbankinginformationand
also make payments. If there is not enough employee capacity to issue separate
authorizations,additionalinternalcontrolmechanismsmustbeinplace(e.g.,dual
control).
InSAP’spurchasingunit,variouscontrolsaremappedinautomatedITprocess
steps.hisincludes,forexample,thatemployeesrequestapprovalsforpurchasing
goodsandservices(purchaseorderrequisitions)throughtheworklow.hesepur-
chaseorderrequisitionsareapprovedbythemanagerresponsibleandreleasedas
purchaseorders(fordetailsonpurchasing,seeSectionC,Chapter4.1).Apurchase
ordernumberiscreatedinSAP’ssystem.Auditorsshouldverifythatanappropriate
approvalguidelineexistsandthatthelimitsandapprovalproceduresarerelected
intheITsystem.
he “testing substantive accuracy” process control is examined in a separate
step.heemployeeresponsibleshouldcheckeachincominginvoiceforfactualcor-
rectnessandreleaseitintotheworklowbeforeitisaddedtothepaymentproposal
list.heauditorshouldtakeasuitablenumberofsamplestoshowthatthechecks
havebeenmadeanddocumented.heauditorshouldalsotestwhethertheinvoices
havebeencorrectlyreleasedandthisisproperlyrelectedinthelivesystem.Audi-
torscanalsoverifythatthetotalinvoiceamountdoesnotexceedtheamountstated
onthepurchaseorders.
Onceinvoiceshavebeenexaminedforfactualcorrectness,apaymentproposal
listiscreated.Controlsshouldbeinplacetoensurethatthislistcontainsonlyin-
voicesthathavebeenfactuallychecked.hislistshould,forexample,bechecked
andreleasedby theheadof theinancedepartmentor theheadof theaccounts
payable department. Auditors must verify that an appropriate process has been
implementedandthecontrolshavebeencarriedout.Again,compliancewiththe
dualcontrolprincipleisabsolutelyessential.
Paymentsarenormallymadebyelectronicbanktransfer.Asmentionedbefore,
onlyaverylimitedgroupofemployeesshouldbeauthorizedtotriggerpayments.
heaudit includesobtainingawrittenbankconirmationof thesigningpowers.
heauditorshouldalsoreconcilethetotalofthepaymentproposallisttothetotal
ofthebankstatement.
CriticalAuthorizationsandCreationofMaster
Data
CriticalAuthorizationsandCreationofMaster
Data
ApprovalofPurchaseorderRequisitions
ApprovalofPurchaseorderRequisitions
TestingSubstantiveAccuracy
TestingSubstantiveAccuracy
ApprovalofPaymentProposalLists
ApprovalofPaymentProposalLists
efectingofPaymentefectingofPayment
329
HinTSAnDTiPS ;
• Whenauditingliabilities,auditorsshouldensurethatallliabilitiesfullyandcor-
rectlyrelectactualvolumesandvalues.
• Auditorsshouldalsomakesurethattheimplementedprocesseshavesuicient
internalcontrols,e.g.,theuseofthedualcontrolprinciple.
LinKSAnDReFeRenCeS e
• JARnAgIn,B.D.2007.US Master GAAP Guide.Riverwoods,Il:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual. newyork,ny:Warren,gorham&lamont.
• SAWyER,l.B.,M.ADITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
3.5 Revenue Audits
KeyPoinTS •••
• herevenuerecognitionregulationsrelevanttoSAPunderUS-gAAParepri-
marilyfoundinSOP97-2andSOP81-1.
• heobjectiveofrevenueauditsistoensurethattherevenuesareclassiiedcor-
rectlyandstatedintheappropriateamountandperiod.
• Duringauditpreparation,InternalAuditshouldobtainageneraloverviewof
thelargestrevenueamountsrecognizedduringtheperiodunderreview.Ofset-
tingaccountanalysisisagoodtooltouseforthispurpose.
• Moreover,revenueauditsshouldincludeanalyticalprocedures.
here are various general, as well as sector-speciic, guidelines for recognizing
revenueunderUS-gAAP.Forthesotwaresector,andthusalsoSAP,veryimportant
rulesarecontainedinStatementofPosition(SOP)97-2(SotwareRevenueRecog-
nition), as amended by SOP 98-9 (Modiication of SOP 97-2, Sotware Revenue
Recognition, With Respect to Certain Transactions). Another set of guidelines
relevantforsotwareaccountingatSAPisAccountingReviewBulletin(ARB)45
(long-TermConstruction-TypeContracts),asinterpretedbySOP81-1(Accounting
forPerformanceofConstruction-TypeandCertainProduction-TypeContracts).
Inadditiontotheaboveregulations,thefollowingstatementsmustbeobservedin
theaccountingsystem:
• Pronouncementsthatspeciicallycommentonandexplaincertainsectionsof
SOP97-2.
• PronouncementscoveringthosetransactionsatSAPthatarenotregulatedby
SOP97-2.Someoftheseare:
RevenueRecognitionunderUS-GAAPRevenueRecognitionunderUS-GAAP
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Revenue Audits
C|3|3.5
330
■ TechnicalPracticeAidsforSOP97-2(TPA)5100.38etseq.
■ EITF00-21:RevenueArrangementswithMultipleDeliverables.
■ EITF01-09:AccountingforConsiderationgivenbyavendortoaCustomer
(IncludingaResellerofthevendor’sProducts).
■ EITF99-19:ReportingRevenuegrossasaPrincipalversusnetasanAgent.
■ SAB104:RevenueRecognition.
• SOP81-1:AccountingforPerformanceofConstruction-TypeandCertainPro-
duction-Type Contracts. SOP 97-2 requires the application of the guidance
providedbySOP81-1toelementstowhichSOP81-1 isapplicable inthecase
ofcontractsthateither(a)requiresigniicantproduction,modiication,orcus-
tomizationofthesotware,or(b)wheretheserviceelementdoesnotmeetthe
criteriaforseparaterecognition.
UnderSOP97-2,revenuecanberecognizedforsotwaresoldwithoutsigniicant
modiicationonlywhenallofthefollowingfourcriteriaaremet:
• Persuasiveevidenceofanarrangementexists.
• Deliveryofthesotwarehasoccurred.
• hefeeisixedordeterminable.
• Collectibilityisprobable.
heobjectiveofarevenueauditistoensurethattherecognizedrevenuehasinfact
beenrealized,iscorrectlyapportioned,andreportedinfull,andthattheappropri-
ateamounthasbeenbookedonthecorrectaccountaccordingtoUS-gAAPand
SAP’saccountingpolicies.Revenuealsomustbeclassiiedcorrectlyandmustnot
beoverstatedorunderstated.Revenueauditsarecloselylinkedtoauditsofthecor-
respondingbusinessunits.AtSAP,revenueismainlygeneratedfromlicensesand
Maintenance(seeSectionC,Chapter5.3),aswellasConsultingandTraining(see
SectionC,Chapter5.2)whicharethereforesubjecttorevenueaudits.
Duringauditpreparation,theauditteamshouldgainageneraloverviewofthe
largestrevenueamountsrecognizedduringtheperiodunderreview.hisisdone
by analyzing the relevant revenue accounts, a task assisted by ofsetting account
analysis in the SAP system. Ofsetting account analysis is a report of all entries
madetoaspeciicaccountinacertainperiod,withinformationontheofsetting
accountsused foreach transaction.On thisbasis, theaudit teamcandetermine
howmuchrevenuehasbeengeneratedwithwhichcustomersintheperiodunder
reviewforeachrevenuearea.hisallowstheauditteamtopre-selecttherevenues
theyintendtoanalyzemorecloselywhenonsite.Ofsettingaccountanalysisalso
shows which other accounts have been used for entries in addition to customer
accounts,e.g.vATaccounts,deferralaccounts,accountsforrevenueadjustments,
etc.Inaddition,italsoprovidesinformationandkeyiguresthatmaybeusefulfor
detailedanalysis,suchasaverages,percentagesandthenumberofentries.Ade-
tailedstudyoftheresultsoftheofsettingaccountanalysisisexcellentpreparation
fortheon-siteworkandwillallowtheauditorstoconductawell-structuredaudit.
RevenueRecognitionCriteria
RevenueRecognitionCriteria
AuditobjectiveAuditobjective
ofsettingAccountAnalysis
ofsettingAccountAnalysis
331
Customers,suchasthosewiththehighestrevenuefortheperiod,areselected
forinclusionintheauditforeachrevenuearea(licenses,Maintenance,Consulting,
Training)onthebasisoftheofsettingaccountanalysisperformedinadvance.Itis
importanttoensurethatthebusinessvolumeofeachrevenueareaissuiciently
coveredbyaudits.Inaddition,entriesofrevenuedeductionsarealsoexamined(see
SectionC,Chapter3.2).Anycreditnotesissuedshouldalsobeanalyzedbecause
thisallowstheauditorstoidentifycircumstancesinwhicharevenueadjustment
shouldhavebeenrecorded.herevenueauditalsolooksatUS-gAAPadjustments
andperiod-enddeferrals.
hespeciicrevenuesthathavebeenselectedareanalyzedindetail,checkingthe
transactions underlying the revenue from each customer. Again, the auditors
shouldselectdataforacountry,aregion,orglobaldataaccordingtoriskprobabil-
ities.herecognizedrevenuebeinganalyzedmayrelatetoaconsultingproject,a
trainingevent,alicenseagreement,ormaintenance.AuditsoftheareasofConsult-
ing,licenses,andMaintenancearedescribedindetailintherelevantchapters(see
SectionC,Chapters5.2and5.3).Inadditiontorevenue,thecustomeraccounten-
triesmustbeexaminedforaccuracy,receiptofpaymentandtheagreedpayment
terms, any bad debt allowances, and revenue deductions. It is also important to
performadditionalanalyticalprocedures(seeSectionC,Chapter3.1)aspartofthe
revenueaudit,focusingonthefollowingaspects:
• changesinreceivables(comparedwiththepreviousyearandchangessincethe
startoftheiscalyear),
• marginanalysis,
• revenue-to-ordersratio,
• analysisofcreditnotesissued,
• analysisofwrite-ofsandbaddebtallowances,
• analysis of revenue distribution by business area (licenses, Consulting, and
Training)andofchangesinrevenueovertime,and
• analysisofthebonus-to-revenueratio.
Arevenueauditrequirescloseconsultationwithotherauditteamswhoareevaluat-
ing individual business areas. In addition to the SAP-speciic areas mentioned
above,thisincludes,forexample,theauditingofaccountsreceivable(seeSectionC,
Chapter3.2),accountspayable(seeSectionC,Chapter3.4),accruals(seeSectionC,
Chapter3.3)and,inthecaseofmanufacturingcompanies,inventories.Itisimpor-
tantthatauditorsexchangeinformationallthetimeandensurethattheinterfaces
betweenindividualauditsegmentsaretakenintoaccount.
Oncetheactualieldworkhasbeencompleted,theregularreportsareproduced
(seeSectionB,Chapter5),followed,ateradueperiod,bythestatuscheckandthe
follow-up audit (see Section B, Chapter 6). Revenue audits run through all the
phasesoftheAuditRoadmap.
FieldworkFieldwork
TestProceduresinDetailTestProceduresinDetail
ConsultationRequirementConsultationRequirement
endoftheAuditendoftheAudit
Examples from Audit Practice at SAP
Selected Financial Audit Topics
Revenue Audits
C|3|3.5
332
LinKSAnDReFeRenCeS e
• ARB45:long-TermConstruction-TypeContracts.
• EITF99-19:ReportingRevenuegrossasaPrincipalversusnetasanAgent.
• EITF00-21:RevenueArrangementswithMultipleDeliverables.
• EITF01-09:AccountingforConsiderationgivenbyavendortoaCustomer(including
aResellerofthevendor’sProducts).
• JARnAgIn,B.D.2007.US Master GAAP Guide.Riverwoods,Il:CCH,Inc.
• SAWyER,l.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:Warren,gorham&lamont.
• SOP81-1:AccountingforPerformanceofConstruction-TypeandCertainProduction-
TypeContracts.
• SOP97-2:SotwareRevenueRecognition.
• SOP 98-9: Modiication of SOP 97-2, Sotware Revenue Recognition, with Respect to
CertainTransactions.
333
4 SelectedOperationalAuditTopics4.1 Purchasing
KeyPOinTS •••
• Purchasingauditscanbeconductedatastrategicoroperationallevel.
• Purchasingauditsshouldincludeafocusonfraudprevention.
• Supplier selection is alsoaprimary focusof apurchasingaudit.Properdoc-
umentation should be in place to allow the supplier selection process to be
tracked.
hepurchasingfunction(i.e.,procurement)contributestosecuringandenhancing
acompany’slong-termpotentialforsuccessbyinluencingcriticalsuccessfactors,
suchascosts,qualityandtime.hus,auditsofthepurchasingprocessareespecially
important.heextent towhich thepurchasingprocessafects thesuccessof the
organizationdependson the targetsandobjectives thatmanagementhas set for
purchasing,andwhetherthedepartmentisembeddedwithinthecompany’ssupply
chain management function, or whether it merely needs to meet the company’s
operationaldemands.
Whenassessingthepurchasingfunction,auditorsshouldbeginwiththeobjec-
tivessetforpurchasing,whichcanbeexaminedfromseveraldiferentperspectives.
Firstofall,theobjectivespursuedbypurchasingcanbecategorizedasformaland
technicalobjectives.heprimaryformalobjectivesofanorganizationincludecost
reductionsandperformanceimprovements.hekeytechnicalobjectiveistoensure
thepartsandsuppliesnecessaryforoperations.Forthelongterm,meetingthese
objectives includes both opportunities and risks for a company, because factors
maychangewithinthecompanyorintheprocurementmarket.
hefollowingstrategicpurchasingobjectivesofacompanycanbeidentiied:
• securingtheprocurementmarketposition,
• qualityassurance,
• supplysecurity,
• safeguardingthestatusoftechnology,and
• safeguardinglexibility.
heseobjectivescanbecondensedintogroupsasfollows:
• cost reduction (reduction of prices, process costs, cost of materials and ser-
vices),
• diferentiation(qualityandserviceimprovements,participationintheexpertise
andimageofthesupplierorserviceprovider),and
• supplysecurity.
AtSAP,thepurchasingfunctionincludesbothoperationalrequirementsandthe
procurementofgoodsandservicesthatmayormaynotbebilledtocustomers.he
procurement of goods and services, which are part of SAP’s operational supply
chain,makeupalargepercentageofSAP’spurchasingvolume.
importanceofPurchasingimportanceofPurchasing
FormalandTechnicalObjectivesFormalandTechnicalObjectives
StrategicObjectivesStrategicObjectives
RoleofPurchasingatSAPRoleofPurchasingatSAP
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Purchasing
C|4|4.1
334
In a live (computerized) system, purchasing tasks can be processed with the
MaterialsManagementcomponentor,intheB2Barea,withanSRM(supplierrela-
tionshipmanagement)system.MaterialsManagement(MM)isafullyintegrated
moduleoftheSAPsystem.
Overthepastfewyears,thepurchasingfunctionhasbecomeincreasinglyim-
portantforcompanyactivitiesbecausethepotentialofthepurchasingfunctionto
addvaluetocompanysuccesshasincreasinglybeenrecognized.Onewaythatthe
purchasingfunctionaddsvalueisbyprocuringgoodsandservicesatminimized
costundertotal-cost-of-ownershipcriteria,whichlookatallcostdriversalongthe
supplychain.
In addition, the purchasing function can assist operating departments when
theyinitiatepurchasesfromthirdparties.hisserviceaddsvaluewithinthecom-
pany,forexample,becauseontheonehand,theexchangeofinformationsupports
thedevelopmentoforchangestoproductsandservices,whileontheotherhand,
accurate market and price knowledge puts the company in a better negotiating
position. By optimizing and securing supplies for the organization as a whole,
purchasingalsogeneratesaddedvalue.Moreover,qualityassuranceinprocurement
isgivenhighpriorityineveryorganization,mainlyforreasonsofproductliability
andtheriskofadverselyafectingsalessuccess.hisfactorisbecomingallthemore
noticeablebecauseoftheincreasingimportanceofprocurementforoperatingsuc-
cess. Speciically, procurement accounts for a high proportion of costs, ranging
from40%to90%ofsalesdependingonthesector.
heauditfocusareasaredeinedduringauditplanning(seeSectionB,Chapter2).
Audit preparation varies according to these speciic focus areas. When auditing
strategicfunctions,theelementsaresubjectedtospotplausibilityandcompleteness
checks.Inthecaseofoperationalauditsofpurchasing,InternalAuditcanexamine
eitherthepurchasingprocessasawhole,orindividualsub-processes.
Beforetheinitiationofthepurchasingaudit,theauditannouncementinforms
thedepartments concernedof the impendingaudit (seeSectionB,Chapter 3.1).
Dependingonthecircumstances,departmentssuchasthepurchasingunitofthe
subsidiaryorthecentralunitoftheparentcompany,Accounting,and/orthede-
partment placing purchase orders could be included in the audit. he audit can
haveitsstartingpointindiferentareasandentaildiferentapproaches,depending
onthecircumstancesoftheauditandtheauditobjective.Forexample,theaudit
couldbeginwith thepurchasingprocess (e.g.,purchaseorder,purchase requisi-
tion)or,onthevendorsidebyanalyzingthevendoraccounts.Itisalsopossibleto
conductanauditfromthelegalperspectivewithafocusoncontractarrangements.
Dependingontheauditobjectiveandauditobject,itmaybeexpedienttoselect
asamplefortestinginadvance.AtSAP,theselectioncanbemadewiththeuseof
severaldatasources,e.g.,theSAP-speciicGlobalContractInformationDatabase.
his database contains various criteria by which contracts and master agree-
mentscanbeselectedforauditing.Criteriaincludethenameofthesupplierandthe
PurchasingSystemPurchasingSystem
ValueAddedThroughProcurementwith
Minimizedexpenditure
ValueAddedThroughProcurementwith
Minimizedexpenditure
OtherFormsofValueAdded
OtherFormsofValueAdded
AuditPreparationAuditPreparation
informationoftheAreatoBeAudited
informationoftheAreatoBeAudited
SampleSelectionSampleSelection
GlobalContractinformationDatabase
GlobalContractinformationDatabase
335
inancialcontractvolume.Dependingontheselectioncriteriaapplied,thesystem
displays the relevant contracts, including all speciic details and the original
contract.InternalAuditcanthenselectandauditindividualpurchaseorderrequi-
sitions,purchaseorders,orinvoicesrelatedtotheselectedcontracts.
InadditiontotheaboveSAP-speciicGlobalContractInformationDatabase,
theMaterialManagementPurchasingAreacreatespurchasingreports,whichgives
auditorsmanyoptionsforselectingpurchaseordersbecausethereportisbasedon
thedataoftheliveSAPsystem,whichcontainsalltransactiondata.heaimisto
obtainanoverviewofallthepurchaseordersrelevantfortheauditsegmentcon-
cerned.heselectionfocusesonthesamecriteriaasinthecaseoftheGlobalCon-
tractInformationDatabase.Ofcourse,thereareothercriteriathatcandetermine
inclusionin,anddeinetheextentof,anaudit,includingdetailsofthedevelopment
ofsupplierrelationsorcostanalyses.
Oncethesamplehasbeendetermined,thedepartmentstobeauditedshouldbe
informedsothatallthenecessaryprocessdocumentationandrecordsareavailable
whentheauditbegins.
ACoreScope(seeSectionB,Chapter2.1)hasbeendeinedasthecollectionof
allpotentialaudittopicsinrelationtoaspeciicauditarea,includingPurchasing.
heremayalsobeotherScopes(e.g.,theCoreScopeforAccountsPayable),that
haveanimpactonthepurchasingfunction.heexactspeciicationsoftheextentof
theauditareincludedintheworkprogram(seeSectionB,Chapter3.2).
Purchasingcanbeauditedeitherseparatelyorasasub-sectionoftheauditof
asubsidiary(seeSectionC,Chapter5.1).Forthisreasonitisimportantthatinternal
auditteamsconsultwithoneanothersothattheycancoordinatetheaudittopics
andtherelevantauditactivities.hespeciicworkprogramisthendeinedonthe
basisofthiscooperation.
Oten, audits are conducted in Purchasing with very speciic work programs
thatarepreventive innature.Forexample,purchaseorderswithacertainorder
volumemaybeexamined,particularlywithregardtoreleaseandreleasestrategies.
Anotherpreventiveauditapproachincludesauditsthatfocusonsupplierselection
andtherelateddocumentation.Supplierselection,which isahighriskareaand
verypronetomisuse,isoneofthemostimportantelementsofapurchasingaudit
(fordetailsonfraudprevention,seeSectionD,Chapter13).
hecombinationoftheend-to-endconceptoftheScopeandtheadaptabilityof
theworkprogramisanidealwayofmeetingalltherequirementsofauditplanning
andexecution.helevelofdetailoftheworkprogramcanalsorelectandsupport
speciicnuancesforeachaudit.
heMaterialManagementPurchasingAreamentionedaboveisusedtoverify
thesampleselectionintheSAPsystemandtoearmarkitforsubsequentauditing.
Various tools and templates are available to auditors for conducting the audit,
includinglivesystemreports(purchaseorderanalyses,G/Laccountanalyses,one-
timeanalyses)and/ortherelevantpurchasingandconductguidelines.
PurchasingReportPurchasingReport
CommunicatingtheSampleCommunicatingtheSample
ScopeandWorkProgramScopeandWorkProgram
needforCoordinationneedforCoordination
PreventiveAuditsPreventiveAudits
WorkProgramWorkProgram
ToolsandTemplatesToolsandTemplates
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Purchasing
C|4|4.1
336
SAP’sglobalpurchasingpolicyprovidestheframeworkwithinwhichthestrate-
gicandoperationalprocessesrelatingtopurchasingaremanaged.Importantele-
mentsof theseguidelines includetheroleofpurchasing in theorganization, the
objectivesofpurchasing,etc.
heCodeofBusinessConductappliesthroughouttheSAPGroupandmustbe
signedbyeachemployee.Contraventionsof theCodemayresult indisciplinary
action.Forpurchasing,therulesonacceptinggitsandoncustomerandsupplier
relationsareofparticularrelevance.Speciically,toensurethatemployeesdonot
favorvendorswhoprovidelavishgits,lowmonetarythresholdslimitthevalueof
gitsorfavors(includingmeals)employees(orthecompanyasawhole)mayaccept
fromvendors.Internalauditsofthepurchasingdepartmentwillexaminecompli-
ancewiththesepolicies.
heauditactivitiesmayalso include the strategicpurchasing functions.Pur-
chasingisofstrategicimportancebecauseofitsresponsibilityforexploitingcost
reductionandperformanceimprovementpotential.Purchasingisresponsiblefor
supportingtheentiresotwaredevelopmentprocess,fromthedevelopmentofnew
productsthroughshippingtheinalproduct.
Cost savings potential is the company’s ability to reduce costs. his can be
achievedwithmake-or-buydecisions,demandpooling,andstrategicsupplierrela-
tions.Moreover,processoptimizationanddemandanalysiscanalsodelivercost
savings.hewayinwhichpurchasingisorganizedalsounlockssavingspotentialin
thepurchasingarea.Forexample,thecostsavingspotentialofotherdivisionsofthe
companycanbeinluencedbycentralizingpurchasing.
Whencompanies takemake-or-buydecisionson thebasisof strategicobjec-
tives, the decision is driven by their focus on core competencies. Before such a
decision is taken, a number of analyses should be performed so that the core
competenciescanbedeterminedconclusively.heseincludedetailedcostanalyses,
competitoranalysis,andcustomerproitability.Inaddition,theentirevaluechain
shouldbeexaminedtoestablishwhetherornotbuyingfromathirdpartyispoten-
tiallymoreproitable.Auditorsprimarilyexaminetheplausibilityoftheseanalyses
andtherelateddocuments.
Becauseoftheirknowledgeandexperience,Purchasing’semployeesnodoubt
formpartofitsinternalpotential.Moreover,thedesignoftheorganizationaland
processstructuresalsorepresentssuccesspotential.Itispossible,aspartoftheprocess
structure,toimprovethequalityofprocessesbyspecialization.Boththeorganiza-
tionalandprocessstructuresofpurchasingshouldbetestedforefectivenessand
eiciency.
FromInternalAudit’spointofview,alltasksandphasesofpurchasingareeli-
gibleaudittopics.hetotalprocurementprocesscanbebrokendownintoseveral
phases,towhichindividualtaskscanbeassigned:preparation,initiation,andaward
ofcontract.
Duringthepreparationphase,demandformaterialsorservicesariseseitherin
theoperatingdepartmentsoraspartofmaterialsplanning.Formaterialsdeinedin
PurchasingGuidelinesofSAP
PurchasingGuidelinesofSAP
CodeofBusinessConduct
CodeofBusinessConduct
AuditsofStrategicFunctionsofPurchasing
Management
AuditsofStrategicFunctionsofPurchasing
Management
CostSavingsPotentialCostSavingsPotential
Make-or-BuyDecisionMake-or-BuyDecision
internalPotentialofPurchasing
internalPotentialofPurchasing
AuditingOperationalFunctionsofPurchasing
Management
AuditingOperationalFunctionsofPurchasing
Management
DeterminingDemandDeterminingDemand
337
thematerialmasterofthesystem,thesystemchecksthereportedinventorylevel
anddeterminesthematerialstobereordered.Purchaserequisitionscaneitherbe
generatedbyauthorizedoperatingdepartmentemployeesorautomaticallybythe
system.
heinitiationphasestartswithdeterminingtheprocurementsource.heSAP
system supports operating departments in determining possible procurement
sources,takingpastpurchaseordersorexistingcontractsintoaccount.hisaccel-
eratesthecreationofrequestsforquotations,whichcanthenbesentdirectlytothe
requiredsupplierselectronically.hequalityofthesuppliermasterdataisanim-
portant element when auditing procurement sources. hey should therefore be
included inanyaudit,at leastbywayofsamples,witha focusonsupplierswith
duplicatesystementriesthatneedtoberemoved.heSAPsystemcansimulatepricing
scenariostofacilitatecomparingthequotationsreceivedandselectingasupplier.
hecontractawardphasebeginswiththeprocessingofthepurchaseorder.he
SAPpurchasingsystemtakestheinformationfromthepurchaserequisitionand
thequotationandgeneratesapurchaseorder.
Tomonitortheorderingprocess,theSAPsystemcheckstheresubmissioninter-
valsandautomaticallyprints remindersat theappropriate times. Itprovides the
currentstatusofallpurchaserequisitions,quotations,andpurchaseorders.
hedispatchandgoodsreceiptdepartmentscanconirmthereceiptofgoodsby
enteringtheordernumberinthesystem.Buyersareabletotolerateover-andun-
der-deliverieswithinlimitsbyspecifyingthepermissibleoverandunderdelivery
tolerancelevels.
hesystemalsosupportsinvoiceveriication:Whenauditorsaccessorderpro-
cessesandgoodsreceiptentries, theyarealerted toanyquantityandpricevari-
ances.
Aspartofanaudit,itshouldbepossibletoretracealltheabovetasksofeach
phaseoftheprocurementprocess.Inrelationtothesizeandworkforcecapacities
oftheSAPsubsidiaries,thesystem-basedpurchasingprocesscanbesetupinthe
systemindiferentways.Forthisreason,theauditorsshouldrecordtheprocesses
andthesystembeforetheaudit.Further,theauditorsshouldexaminetherelevant
documentationforcompletenessandvalidity,andensurethatthesysteminforma-
tionagreeswiththepaperdocuments.
Whenauditingthepurchasingfunction,itisveryimportanttoincluderelease
strategiesintheexamination.Releasestrategiesdeinewhomaygrantapprovalfor
certainprocessesunderwhatcircumstances(dependingonthegoodsandvolume)
andinwhatsequence.Withinthepurchasingprocess,theremaybeanumberof
releasesteps.Fromacontrolperspective,delegatingthereleaseofcertainprocess
stepsshouldberestricted toaminimumandthedualcontrolprinciplemustbe
maintained.heauditfocusesonthefollowing:
• Approvalforrelease:Hasanapprovalforreleasesystembeeninstalledforim-
portantprocesses?Approvalforreleaserequestsarenormallyforwardedtothe
nexthigher-rankinglevel(e.g.,costcentermanager)intheworklow.Itisalso
DeterminingtheProcurementSourceDeterminingtheProcurementSource
OrderProcessingOrderProcessing
OrderMonitoringOrderMonitoring
GoodsReceiptandinventoryManagementGoodsReceiptandinventoryManagement
invoiceVeriicationinvoiceVeriication
TakingtheDocumentationintoAccount
TakingtheDocumentationintoAccount
AuditingReleaseStrategiesandAuthorizations
AuditingReleaseStrategiesandAuthorizations
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Purchasing
C|4|4.1
338
possibletosetupasecondlevelforapprovalintheSAPsystem,e.g.,inancial
controlforreleasingbudgetsforinternalprojects.
• Purchasingasacontrolbody:Inthiscontext,purchasingemployeesexaminethe
purchaserequisitionsoftheoperatingdepartmentsbeforeconvertingtheminto
purchaseorders,checkingdetailssuchassupplier,quantities,speciication,etc.
• Authorizations:Employeeauthorizations,whichgivethemthepowertorelease
orderslinkedtothebudgetvalue,areanimportantcontroltoolinthepurchas-
ingarea.
• Releaseacrossseverallevelsofhierarchy:hedualcontrolsystemcanalsobe
maintainedbyinvolvingseveralhierarchylevels.hismaybesensibleforhigh-
valueordersorforotherspeciicinstancesdeinedbythecompany.
InternalAuditshouldasktheglobalpurchasingdepartmentfordetailsoftherele-
vantauthorizations.Itisalsopossiblethatanauditormaybeauthorizedtoobtain
therelevantsettingsdirectlyfromthesystem.Dependingontheauditfocus,Inter-
nal Audit should examine all the authorizations for purchase requisitions and
purchaseordersofthelocalsubsidiaryaswellasthereleasesettingsfromtheglobal
purchasingdepartment.
Increasingprocesscomplexityhascausedprocurementcontroltochangecon-
siderably in thepast fewyears.hepurecost focusof thepasthasgivenway to
astrongerprocessfocus.Undertheconventionalapproach,costcenterexpenses
werecomparedtobudgetsandchangesinmaterialprices.Moremodernapproaches
strivetoimprovethecoststructureandsupplierperformance,thusgivingpurchas-
ingan increasinglystrategicorientation.hechangeshaveadded to the tasksof
procurementcontrol,whichnowincludethefollowing:
• monitoringandratioanalysis,
• involvementindratingtargetagreements,
• preparationfordecisions,
• buildingofstrategicprocurementprinciples,
• analysisofthestrengthsandweaknessesofprocurementpotential,
• strategiccomparisonofto-beandas-issituations,and
• controlmeasuresincaseofvariancefromtargets.
Everycompanyisexposedtotheriskoffraud(seeSectionD,Chapter13).Fraud
maybecommittedbyemployeesatanylevelandunderalargevarietyofcircum-
stances.Companymanagementmusttakeallcasesoffraudseriously.Fraudfalls
intotwocategories:embezzlementofcompanyassetsandmisstatingthecompany’s
inancialposition.Inpurchasing,thefollowingprocessesareparticularlyexposed
tofraud:
• supplierselection,
• changesofsuppliermasterdata,and
• paymentsandmoneytransfer.
informationonReleaseAuthorizations
informationonReleaseAuthorizations
AuditingProcurementControl
AuditingProcurementControl
RiskofFraudRiskofFraud
339
During supplier selection, it is possible to give preferential treatment to certain
providers,otenbypassingoninternalinformationaboutthedemandortheinvita-
tiontobid.heinternalinformationisusuallycriticaltothebiddingprocess,e.g.,
prices,speciications,andthesupplyandpaymenttermsofcompetitors.hismay
impactthecompanyinanciallybywayoflessfavorabletermsandconditionsbe-
cause such insider action circumvents a truly competitive process. here is also
apossibilityofunauthorized signatures andcontracts.Preventivemeasuresmay
includethefollowing:
• rotationofbuyers’responsibilities,
• requirement for buyers to make a declaration about the supplier’s indepen-
dence,
• codeofconductandpurchasingguidelines,and
• contractnegotiationandcontractawardsincompliancewiththedualcontrol
principle.
hedualcontrolprinciplehelpsminimizefraudulentchangestoormanipulations
ofsuppliermasterdata,althoughInternalAuditshouldstillexaminethisdatafor
anychangesmade.hejustiicationforanychangesmustbeproperlydocumented.
SuchchangescanbetrackedintheSAPsystem.Frequently,automatedcontrolsare
partoftheintegratedSAPsystem.
Misuseofpaymentandmoneytransfersystemsispossibleifcontrolsarenotin
placeordonotfunctionproperly.Variousactionscanbetakentopreventfraud,for
example by implementing a “secure” process, i.e., a process where the necessary
controlsareinplace.Inaddition,employeesshouldbegrantedauthorizationrights
selectively.
In purchasing, supplier tests are an additional preventive measure. Internal
Auditcantestthecreditworthinessofthesupplierbyusinggeneralinformationor
creditbureaus.heauditteamcanalsocheckthesupplier’sreputationinthemarket
onthebasisofpressreportsenteredindatabasesorthroughcompetitorsurveys.It
is also important to check the validity and existence of the supplier in order to
detectthecreationofictitioussuppliers.On-sitesuppliertestsareotenacriterion
duringsupplierselection,becauseasupplier’sreadinesstoallowatestforquality
assurancepurposesisseenasapositivesignwhenselectingtheshortlist.On-site
suppliertestscantaketheformofeitheraprocessauditoranITsystemaudit.Ifthe
focus isonprocesses,auditorscheckqualitycontrol, supplier resources, systems
used,andemployeesofthesupplier.AnITsystemauditinvolvesatestofthesup-
plier’sITsystems.hewayasuppliertestisconductedonsiteistoalargeextent
determinedbytheagreementsconcludedatthetimedealingscommencewiththe
supplierandby the relationshipbetweencustomerandsupplier.Allpersons in-
volvedintheprocessshouldtakepartinplanningandexecutingsuchatestsothat
inputistakenonboardfromdiferentareas,suchasprocurement,qualityassur-
ance,andproduction.
FraudDuringSupplierSelectionFraudDuringSupplierSelection
ManipulationofSupplierMasterDataManipulationofSupplierMasterData
UnauthorizedPaymentsUnauthorizedPayments
SupplierTestsSupplierTests
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Purchasing
C|4|4.1
340
HinTSAnDTiPS ;
• Purchasing’sdocumentation(e.g.ofsupplierselection),shouldneverleaveany
gapsthataresigniicantinriskandimpactandshouldcorrespondtotheinfor-
mationcontainedinthesystem.
• Whenconductingapurchasingaudit,itisessentialtohaveanoverviewofthe
purchasingorganizationanditsprocesses.
LinKSAnDReFeRenCeS e
• JARnAGIn,B.D.2007.US Master GAAP Guide.Riverwoods,IL:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
4.2 Sales Processes
KeyPOinTS •••
• hesalesprocessisanimportantobjectofInternalAudit'swork
• Animportantdistinctionismadebetweenservicecontractsandlicenseagree-
ments.
• Salesprocessescanbetestedforcomplianceusingwalk-throughprocedures.
• BeforeSAPentersintoasalescontractwithanotherparty,thecustomersupport
oicerandthesalesmanagerperformariskassessment.
• heSAPsystemprovidescertain toolsand templates toensure reliableaudit
execution.
• heobjectivesofa salesauditare toensure that salesprocessescomplywith
policiesandproceduresandtoidentifypotentialrisksinthesalesentities.
hesalesprocessisanimportantobjectoftheauditworkperformedbyInternal
Audit at SAP. SAP’s local subsidiaries are separate legal entities that act as sales
companies.Internalagreementsthatgovernthesaleofsotwarebylocalsubsidiar-
iesareinplace.Inaddition,thelocalsubsidiariesofertheircustomersconsulting
andtrainingservices.SAPproductscanalsobemarketedthroughresellersinthe
indirectsaleschannel.Underthistypeofarrangement,theresellersenterintocon-
tractswiththeendcustomer,andthelocalSAPsubsidiaryisthereseller’scontract
partner.
Localsubsidiariesvaryinsize,whichisrelectedinthewaytheyareorganized.
During the audit, Internal Audit must take account of the organization of the
subsidiaries,aswellasoflocalaspectsandguidelines.However,forconsolidated
reportingpurposes,theaccountingtreatmentofalltransactionsmustcomplywith
US-GAAP.hesalesprocessrangesfrominitialcustomercontact,throughbidding
SalesProcessatSAPSalesProcessatSAP
RequirementsontheSalesProcesses
RequirementsontheSalesProcesses
341
andcontractconclusion,toenteringthetransactionandprovidingongoingsup-
porttothecustomer.Salesprocessauditsarecloselyrelatedtootherauditsandare
oten,atleastpartially,conductedalongsidelicenseorconsultingaudits.hismeans
that they are, in part, an integral component of such audits, which in turn may
bringupissuesofrevenuerecognition.Formoreinformationonrevenuerecogni-
tion, refer to thedescriptionof revenueaudits inSectionC,Chapter3.5, license
auditsinSectionC,Chapter5.3,andrevenuerecognitionassuranceinSectionC,
Chapter9.
LikeallauditsatSAP,salesprocessauditsfollowthegeneralprocedureofthe
AuditRoadmap.hebasisisformedbyrecordinganddocumentingtheindividual
processesandcomparingthecurrentconditiontothedesiredcriteria.Todothis,
theauditteamconductsinterviewsandreviewsgenerallyaccessibleorspeciically
requesteddocumentsandprocessdescriptions.Withthisinformation,theauditors
canconductawalk-throughtoverifywhetherthedocumentedprocessisfollowed
inreality.Inawalk-through,theauditorsirstselectadocumenttypefromthede-
scribedprocess,e.g.,licenseagreements.hentheyselectasampleofdocuments
(license agreements) from the total population and follow the complete process
usingthesampledocuments,toensurecomplianceallthewaythroughtransaction
entry,includingthedocumentedinternalcontrols.
Inaddition,itisusefultoexamineindividuallicenseagreements(seeSectionC,
Chapter5.3).Byreviewingoriginaldocuments,theauditteamcantesttheirexis-
tenceaswellasformalities,includinginternalcontrolssuchaslegalsignatures.
Since it is impossible, of course, to test all contracts, especially in larger
subsidiaries, the auditors should select suitable samples (see Section B, Chapter
4.1.2).Inadditiontousingstatisticalsamplingmethods,selectioncriteriasuchas
thecontractvolumeandthetimeofrecognitionareusefulforchoosingajudgmen-
talsample.
Animportantobjectiveinherentineveryinternalauditistotestwhetherthere
isafunctioninginternalcontrolsystem.hisisofparticularimportanceinapro-
cessthatisastightlymanaged,fromalegalpointofview,asthesalesprocess.In
detail,thisinvolvesensuringthatinternalandexternallegalrequirementsaremet
ineachphase.hesalesarea’sinternalcontrolsystemisaboveallaimedatensuring
legalandaccountingcompliance.hisiswhyeachstepofthesalesprocessincludes
speciictypesofcontrolanddocumentation(e.g.SAP'sGlobalContractApproval
Form).
Salesprocessauditsarealwaysincludedintheworkprogramsforlocalsubsid-
iaryaudits(seeSectionC,Chapter5.1).Inaddition,thesalesprocessmayalsobein
focuswhenensuringthatrevenueisrecognizedcorrectly,e.g.inrelationtocompli-
ancewiththelegalframework.hisisparticularlyimportantwhentherearepublic
invitationstobid.Atthesametime,theauditteammustcarefullyconsiderinternal
rules,suchasthecodeofconduct.
hecontractsconcludedwithcustomersareanimportantelementofsalespro-
cessaudits.Asignedcontractdocumentstheresultofnegotiations.SAPhasseveral
typesofcontracts,includingbutnotlimitedtocontractsrelatedpurelytosotware
TestProceduresTestProcedures
TestingofindividualContractsTestingofindividualContracts
SelectionofAuditObjectsSelectionofAuditObjects
internalControlSysteminternalControlSystem
RelationshipwiththeSalesProcessRelationshipwiththeSalesProcess
ContractTypesatSAPContractTypesatSAP
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Sales Processes
C|4|4.2
342
andmaintenance(licenseandmaintenanceagreements)orincludingsotwareim-
plementation and training (service contracts). SAP also concludes development
cooperationagreementsinthecontextofsotwaredevelopment.heseagreements
canbeconcludedasseparatecontractsorunderamasteragreement.
Licenseagreementsincludetheextentoflicenses,thecustomer’spermittedlevel
ofusage,theprice,andthepaymentterms(formoredetails,seeSectionC,Chapter
5.3).
Servicecontractsareusuallyverycomplexandcustomized.heyarebasedon
anumberofdocuments,suchasfeasibilitystudies,casestudies,proofsofconcept,
etc.herearediferentoptionsforthepaymentarrangements,dependingonwhether
the project is billed on a ixed-price basis, on a time and material basis, or on
amaximumpricebasis(seeSectionC,Chapter5.2.1).Inaddition,thistypeofcon-
tractincludesprojectplans,projecttargetagreements,andfunctionlists.heproject
targetagreementssetoutclearlytheprojectmilestonesforacceptancebythecus-
tomer and the payment amounts and dates due to SAP (see Section C, Chapter
5.2.3).
Developmentcooperationagreementsmayrelate toadd-ons tobe integrated
intothesotwareasastandardsolutionortoprojectssetupspeciicallyforindi-
vidualcustomersorpartners.
Apartfromthesalesdepartment,theauditofsalesprocessesinvolvesthecon-
tract department, the relevant inance unit, and Corporate Financial Reporting.
heframeworkandrequirementsforthesalesprocessesarespeciiedanddocu-
mentedbythemanagementofthesalesarea.heworkoftheemployeesresponsible
forimplementingasalesprocessisalsounderscrutinyintheaudit.hefollowing
paragraphsgiveabriefdescriptionofthepositionsinvolvedinatypicalsalespro-
cess.
he(global)customersupportoicer,whoworksunderthesalesmanager,has
overallresponsibilityforcontractnegotiationsandthecontractitself.Itislikelythat
thesalesmanagermayalsoreviewtheworkoftheglobalcustomersupportoicer.
Dependingonthevolumeofthecontracttobeconcludedwiththecustomer,vari-
ousSAP-internalapprovalstepsmustbecompliedwithandriskassessmentsmust
beperformed.hecontractsmustalsobeagreedwiththecontractandlegaldepart-
ments.hesetwodepartmentsareresponsibleforwordingstandardcontracts,but
ifrequiredtheywillalsoprovidesupportforthedesignofindividualcontracts.
Inthecaseofservicecontracts,theheadofconsultingisinvolvedinthecontract
designandlaterprovidesinformationonprojectprogresssothatrevenuecanbe
recognizedappropriately.Insomeinstances,heorshecontrolsthisprocessincon-
junctionwiththecustomer.
Ifsupportandtrainingservicesareofered,theproductsupportandtraining
oicersarealsoinvolvedinthecontractdesign.heyshapetheseoferingsaspart
oftheoverallcontract.
hevirtualcustomerandsales-orientedteamismadeupofexpertswithknowl-
edgeoftheproductitselfandonsector-speciicsolutions.hisisofparticularim-
portanceinglobalcorporategroupswithvariouscontactsfromdiferentregions.
LicenseAgreementsLicenseAgreements
ServiceContractsServiceContracts
DevelopmentCooperationAgreements
DevelopmentCooperationAgreements
OtherDepartmentsConcerned
OtherDepartmentsConcerned
(Global)CustomerSupportOicer
(Global)CustomerSupportOicer
HeadofConsultingHeadofConsulting
ProductSupportandTrainingOicers
ProductSupportandTrainingOicers
CustomerandSalesOrientedTeam
CustomerandSalesOrientedTeam
343
Riskmanagementand thedepartments involved in it alsoplayan important
roleintheoverallsalesprocessbecausetheyensurethattherequirementsofrisk
management guidelines and processes are communicated and implemented and
thatthereportingsystemiscompliant.Riskmanagementisdescribedbelowinthis
chapterasitrelatestothesalesprocesses.
hecontractprocessconsistsofseveralseparatestages,startingwithcontract
developmentandendingwithformalcontractapproval.hecreationofthecon-
tract isbasedon the resultsof a formal assessmentof theproject andcustomer
risks, such as their liquidity and creditworthiness. he risk assessment must be
takenintoaccountduringtheentirecontractprocess.
Whenplanningasalesprocessaudit,italsoisimportantfortheinternalaudit
teamtoreviewpastevents.Salesunitsthathavehadrepeatedproblemsinthepast
should be examined with greater priority. Likewise, current sales-related events
mayinluencetheselectionoftheprocesstobetested,e.g.restructuringinthesales
areaorknowledgeofnon-compliancewithregulatoryrequirements.InternalAudit
alsomustconsideranypartnercompaniesinvolvedinserviceperformance.
hegroupofpersonsafectedbytheauditdependsontheprocessandisthere-
forenotsubjecttoanyspecialrestrictions.he(global)customersupportoicer,
theheadofconsulting,theproductsupportandtrainingoicers,andthevirtual
teamsupportingtherelevantcustomerarealleligiblefortheaudit.
Duringasalesprocessaudit,theinternalauditteamshouldreviewthefollowing
contractsanddocumentsforaccuracyandcompleteness:
• Contract:Adistinctionismadebetweenlicense,service,andmaintenancecon-
tracts.Acontractcanconsistofseveralsections,whichmaybeinterdependent,
thusmutuallydeterminingtheamountandtimingofthelicenserevenuetobe
recognized.
• Bid: Customers request a bid from SAP, either directly or through a general
invitationtobid.
• non-disclosureagreement(nDA):hisisacontractdocumentthatbindstwo
contractingparties toconidentiality, thusensuringthatpatentrequirements,
forexample,aremet.
• Addendums:Addendumsareannexestoacontract.heycancontainadditional
explanationsorsubsequentadditions.
• Acceptancelog:histypeofdocumentissignedbythecustomerindevelop-
ment or consulting projects according to the contract arrangements for each
projectmilestonetoconirmthattheserviceshavebeendulyperformed.
heScopeforsalesprocessauditsdescribesthegeneralcontentandextentofsuch
auditswhiletheworkprogramdetailsthetermsofspeciicaudits.Inaddition,the
Scopesandworkprogramsofrelatedauditsegmentsandareas,e.g.forlocalsubsid-
iaryaudits(seeSectionChapter5.1)orlicenseaudits(seeSectionC,Chapter5.3),
maycontainfurtherrelevantauditspeciications.
Mostofthefunctions,processes,andobjectstobeauditedcanbetakenfrom
theoverallsalesprocessdescription.hisdescriptioncanbeusedtocreatethework
RiskManagementRiskManagement
CreationofContractCreationofContract
SelectionoftheSalesProcessesforTestingSelectionoftheSalesProcessesforTesting
PersonstobeAuditedPersonstobeAudited
ContractandAddendumsContractandAddendums
ScopeandWorkProgramScopeandWorkProgram
AspectsofAuditexecutionAspectsofAuditexecution
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Sales Processes
C|4|4.2
344
program necessary for the audit, in combination with pre-deined and existing
workprograms.heauditcanbeconductedeitherindependentlyorinconnection
withalicenseauditunderalocalsubsidiaryaudit.Inordertodelineatetheaudit
segmentsandcoordinatetheselectionofcontractsamples,itisthereforeimportant
toagreewithcolleaguesifanyauditareasaretobeadded.
Audit-relevantdataandinformationcanbeobtainedinanumberofdiferent
ways.Itis,however,importanttoassessitsrelevancetotheauditobjective.Minutes
ofmeetings,announcements,ortheelectronicarchivesofthedepartmentcontain
informationthatiseasytounderstand,butotenunstructured.hesesourcesmay
alsoprovideinformationaboutthelowofinformationwithinadepartment.Com-
pliance in the sales process is, to a considerable extent, assured with adequate
internalcontrols.Independentlyofthecontractitself,acontractsupplementpro-
videsadditionalguaranteesforallrelevantaspectsofthecontractandinvolvesthose
responsible in the approval and release process. his document is an important
basisforauditsconductedbyInternalAudit.
heachievementofgoalsdeinedaskeyperformance indicators canprovide
informationonprocesscompliance,forexamplethepercentageofrisksinaproject
notpreviouslyidentiiedintheriskproile.
heSAPsystemofersanumberofoptionsforretrievingdiferentreports.Dur-
ing audit planning, each auditor should have, or apply for, the requisite system
authorizationsinordertoaccessallrelevantinformation.
Inadditiontoensuringthatsalesprocessesarecompliant,anotherimportant
objectiveof the salesprocessaudit is to identifypotential risks in thisarea.he
rangeofriskmanagementcoverstheentiresalesprocess.SAP’sperspectiveisthe
primaryfocusoftheaudit,butasfaraspossible,thecustomeraspectshouldalsobe
included,becausecustomerriskmayalsoleadtoriskforSAP.Riskmanagementin
thesalesareaispartofglobalriskmanagementandissubjecttothemethodologies,
terminologies, processes and content requirements deined by SAP’s global risk
managementdepartment.Beforeacustomercanbeinvolvedinanewproject,the
riskassessmentandthepreventiveriskmitigationmeasuresmustbeperformedfor
thisproject.InternalAuditusesthespeciiedriskprocesstotestcompliancewith
andimplementationofriskmanagementrequirementsinthesalesprocessandhow
theyhavebeendocumentedintheformofriskproilesandrisksummaries.
heriskproileisaquestionnairetodeterminesigniicantrisksassociatedwith
atransaction.Itmustbecompiledduringtheinitiationandevaluationphaseand
approvedandsignedbytherelevantlevelofmanagementofSAP.heriskproileis
usedtoidentifypotentialrisksthatimpacttheproitabilityoftheprojectandthe
contractitself,aswellasfunctionalandtechnicalrisks.
Generally,withregard toriskmanagement, twophasesofcustomerrelation-
ships are distinguished in a sales cycle. Risk management during the initiation
phase necessitates risk assessment during the bidding and contract phase. Risks
thatareidentiiableinadvancemustbedocumentedintheriskproile,andthere-
sultsof theriskevaluationmustbe incorporated intocontractdesign.hereare
Obtainingandevaluatinginformation
Obtainingandevaluatinginformation
indicationsofnon-CompliantProcesses
indicationsofnon-CompliantProcesses
ToolsandTemplatesToolsandTemplates
RiskManagementinSalesProcesses
RiskManagementinSalesProcesses
RiskProileRiskProile
RiskManagementDuringtheinitiation
Phase
RiskManagementDuringtheinitiation
Phase
345
technicalandconsultingservicesthatcanbeusedforproactiveriskminimization
duringthesalesprocess,includingcustomerevaluationorprojectsituationassess-
mentonthebasisoffeasibilitystudies.InternalAuditshouldtestthechronological
andformaluseofriskmanagement,i.e.,whethertheriskminimizationprocedures
werecompliedwithbeforethebidwassubmittedandthecontractsigned.Signii-
cantchangestothecontractsituationalwaysrequiretheriskstobereassessed.
Risk management forms an integral part of project management during the
sotwareimplementationphaseandcouldalsocoverthecustomersupportphase.
InternalAudit tests theaccuracyof the riskmanagementdocumentationof this
phasewith regard to formandcontent, suchas the resultsofquality reviewsor
meetingsoftheprojectsteeringcommittee.
Riskassessmentisalsoimportantwithregardtocooperationwithpartnersdur-
ing implementationprojects.Suchprojectsmaygive rise tovariouscooperation
issuesbetweenSAP,itspartners,andcustomers.hisafectsabovealltherolesand
responsibilitiestobedeinedaspartoftheproject.hepeopleinvolvedmustbe
speciiedacrossthevariousprojectobjectives,workpackages,tasks,andtopicsand
assessedintermsofrisk.
HinTSAnDTiPS ;
• heselectionofcontractstobeauditedshouldincludediferentcontracttypes.
• Auditorsshouldcheckeachdocumentforpossibleinconsistencieswithother
documents.
LinKSAnDReFeRenCeS e
• JARnAGIn,B.D.2007.US Master GAAP Guide.Riverwoods,IL:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
RiskManagementduringtheimplementationPhase
RiskManagementduringtheimplementationPhase
RiskManagementforPartnerCooperationRiskManagementforPartnerCooperation
Examples from Audit Practice at SAP
Selected Operational Audit Topics
Sales Processes
C|4|4.2
346
5 CombinedAuditTopics5.1 Subsidiary Audits
KeyPoinTs •••
• Subsidiaryauditsarepreformedusingastandardworkprogram.
• Subsidiary-speciicmattersareaddedtothisstandardworkprogrambasedon
analyticalauditproceduresperformedduringauditpreparationandthemeet-
ingsheldwithcolleaguesfromthevariouscorporatedepartments.
• Signiicantaudittopicsinasubsidiaryauditare:Generaltopics,inancialrepor-
ting,consulting,licenses,humanresources,purchasing,andriskmanagement.
Asexplainedpreviously(seeSectionB,Chapter3.2),aworkprogramiscompiled
foreachauditbasedontherelevantScope.hereisastandardworkprogramfor
subsidiaryaudits,whichcomprisesthebasicaudittopicsandieldworkactivities
thatshouldbecoveredbyasubsidiaryaudit.Mattersspeciictothesubsidiarybe-
ing audited are added to the standard work program. hese speciic matters are
normallybasedontheresultsoftheanalyticalauditproceduresperformedonthe
subsidiary’sinancialstatementsduringauditpreparation(seeSectionC,Chapter
3.1)andoninformationanddocumentationobtainedinmeetingswithcolleagues
fromvariouscorporatedepartments.
hestandardworkprogramforauditingasubsidiarybreaksdownintothefol-
lowingmainareas:
• generaltopics,
• inancialreporting,
• consulting,
• licenses,
• humanresources,
• purchasing,and
• riskmanagement.
In addition, GIAS’ SOX audit team conducts separate audits to analyze SOX-
relevant issuesandcircumstances (seeSectionC,Chapter8;SectionD,Chapter
14).
Whenpreparingforasubsidiaryaudit,auditorsshouldarrangeameetingwith
thelocaltaxconsultantandthelocalexternalauditorstogetanideaofanyissues
andrisksfromanindependentthirdparty.Inaddition,auditpreparationincludes
thefollowingactivities:
• performinganalyticalauditproceduresontheinancialstatementsofthesub-
sidiary,
• examining the consulting and license contracts concluded in the period and
selectasampleineachcase,
standardWorkProgramstandardWorkProgram
structureofthestandardWorkProgram
structureofthestandardWorkProgram
AuditPreparationAuditPreparation
347
• gatheringfurther informationinmeetingswithcolleaguesfromothercorpo-
ratedepartments(e.g.,Accounting,ManagementAccounting,Legal,Taxes,and
Treasury)
• creatingthespeciicworkprogrambyaddingsubsidiary-speciicmatterstothe
standardworkprogram,andusingariskassessmenttodeterminewhichaudit
topicstoselectandwhichieldworkactivitiestoconduct,
• dispatchingalistofrequirementstotheheadofaccountinginthesubsidiary
andcontacthimorher;ifthe(consulting,license,etc.)contractsarenotina
languagetheauditorsunderstandwelltheyshouldobtaintranslations,
• preparingfortheopeningmeeting,
• discussingtheworkprogramwiththeAuditManagerandobtainapproval,and
• assigningtheaudittopicstoauditors.
Duringauditpreparation, theaudit teamshouldperformanalyticalauditproce-
duresontheinancialstatements.heyshouldcomparethecurrentbalancesofthe
balancesheetandincomestatement(asoftheauditdate)withthoseoftheprevious
yearandthoseofthepreviousbalancesheetdate(seeSectionA,Chapter6.2.4and
SectionC,Chapter3.1).
Byanalyzingtheinancialstatementsforchangesinbalances,theauditteamcan
obtain valuable initial information about the subsidiary, e.g. its business perfor-
mance,specialexpenditure,changesinreceivablesandrevenue,etc.heanalysis
mayhighlightareas thatshouldbemorecloselyexaminedwhenconducting the
auditonsite.Duringpreparationsitmayalsobeexpedienttotakeacloserlookat
speciicinancialstatementaccounts,suchasprovisions,receivables,liabilities,and
revenue.ItmayalsobesensibletoreviewthecentralSOXprocessdocumentation
beforetheactualaudit.
Fortheconsultingandlicensestopics,itisalsonecessaryandusefultomake
preparationspriortotheaudit.heauditteamshouldobtainareportfromtheIT
systemwithalltheconsultingcontractsconcludedintheperiodunderreview.he
SAP-speciic consulting information system allows the audit team to generate
reportsonixed-priceprojectsandprojectschargedonatimeandmaterialbasis.
SAPalsoconcludesmaximumpriceprojectswithcustomers,whicharesimilarto
ixed-priceprojectsfromariskpointofview.Forthesamplingprocedureandother
possibleieldwork,seeSectionB,Chapter4.1.2.
heauditteamshouldalsoobtainareportfromtheITsystemwithalltheli-
censeagreementsconcludedintheperiodunderreview.heSAP-speciicContract
InformationSystem(CIS)allowstheauditorstocallupreportsforselectinglicense
agreements.helicenseadministrationdepartmentofthesubsidiaryshouldhave
scannedalllicenseagreementsintothesystem,whichcanbetestedduringaudit
preparation.
Duringauditpreparation,atertheauditannouncementhasbeensentout,itis
agoodideatomakepersonalcontactwithandsendalistofrequirements,detailing
AnalyticalProceduresontheFinancialstatementsAnalyticalProceduresontheFinancialstatements
ChangesinBalancesandindividualAccountsChangesinBalancesandindividualAccounts
ConsultingContractsConsultingContracts
LicenseAgreementsLicenseAgreements
ListofRequirementsListofRequirements
Examples from Audit Practice at SAP
Combined Audit Topics
Subsidiary Audits
C|5|5.1
348
thedocumentstobeprepared,totheheadofaccountingforthesubsidiary.Atthe
sametime,theauditteamshouldarrangeformeetingswiththerelevantcontacts
andoicersfromthediferentareas(managingdirector,headofaccounting,head
oflicenseadministration,headofconsulting).Alistofrequirementsmayinclude
thefollowingitems,forexample:
• organizationchart,
• riskmanagementinformation,
• listofthesubsidiary’sattorneys,
• contactinformationforthesubsidiary’staxconsultants,
• signaturepolicy,
• companyguidelines(companycars,travel,cellphones,etc.),
• purchasingguidelines,
• salesprocessdescriptions(consulting,licenses),
• intra-groupcontracts,
• extractfromthecommercialregister,and
• authorizedbanksignatories.
Beforethestartoftheaudit,theworkprogramisdiscussedwithandapprovedby
theAuditManager.hisapprovalformspartofInternalAudit’squalityassurance
andthusrepresentsaqualitygate,i.e.,aqualityassuranceprocedurewhichmustbe
performedtomovetheaudittothenextphase(seeSectionD,Chapter5.3).
Before the audit, the audit team lead assigns the topics to the diferent team
members,possiblyaterconsultingwiththeAuditManager.heauditisconducted
basedonthespeciicworkprogram,andeachauditorcompletestheaudittopics
assignedtohimorher.
Attheopeningmeeting,theauditteamintroducesitselftothemanagingdirec-
torandtheheadofaccountingofthesubsidiaryanddiscussestheprocedureforthe
audit.hereisatemplatefortheagendaoftheopeningmeeting,whichshouldbe
adaptedtothespeciicauditcontentinquestion.InternalAuditalsousesthisop-
portunitytopointouttheauditsurvey(seeSectionD,Chapter7.2.2),whichthe
peopleresponsibleintheauditedareausetogiveInternalAuditfeedbackaterthe
audit.
Duringauditexecution,auditorslookatgeneralissuessuchasextractsfromthe
commercial register, list of authorized signatories, and corporate guidelines (on
travel,purchasing,signaturepolicy,companycars,etc.).hebasicdataofthesub-
sidiary is recordedirst.his includes checking the existenceandvalidityof the
extractfromthecommercialregister,examiningminutesofshareholderordirec-
tors’meetings,andcheckingintra-groupcontractsandguidelinesforplausibility,
completeness,validityandconformitytogrouprequirements.
Inadditiontothebusinessunits,anauditofasubsidiary’sinancialreporting
alsoincludesreceivables,provisions,liabilities,cash,andbankbalances.Inother
words, signiicantinancialaccountsareexamined.Revenue isusuallyexamined
whentheindividualareas,suchaslicensesandconsulting,areaudited(seeSectionC,
MeetingwiththeAuditManager
MeetingwiththeAuditManager
AssignmentofAuditTopics
AssignmentofAuditTopics
PreparationfortheopeningMeeting
PreparationfortheopeningMeeting
GeneralTopicsGeneralTopics
FinancialReportingFinancialReporting
349
Chapters5.2and5.3).Asampleoflicenseagreementsandconsultingcontractsare
audited,aswellastheUS-GAAPreceivables,provisions,anddeferralsandaccruals
associatedwiththesebusinessunits.
Additionalaccountsmaybeaddedonthebasisoftheinsightsgainedduringthe
analytical audit procedures. he analysis of the inancial statements performed
duringauditpreparationisasigniicantfoundationforauditinginancialreporting
andprovidesadditionalinformationforfurtherieldworkactivities.Forexample,if
theanalyticalproceduresindthatreceivablesaresigniicantlyhigherthaninthe
previousyear,butrevenueisonlyupbyasmallamount,thismaymeanthatcus-
tomersareexceedingtheirpaymenttermsandthattheaccountsreceivableshould
beexaminedforoverdueamounts(DSOanalysis).hesubsidiary’spaymentreceipt
monitoringandreminderprocessesshouldalsobeexaminedinthiscontext.he
auditorscanalsoinvestigatetheextenttowhichmanagementfromlicensing,sales,
and consulting are involved in this process and whether the incentive or target
agreementsofsalesandconsultingemployeesincorporatethetargetthatcustomers
settlereceivablesinatimelymanner.Inasfarastheseissuescanbeassignedtothe
audits of the respective SAP business areas (licenses, consulting, training), the
necessaryieldworkactivitiesshouldbeperformedwhenthesetopicsaredealtwith.
helistofobservationsfromanalyticalproceduresperformedontheinancialstate-
mentscouldbecontinuedatlength(formoredetails,seeSectionC,Chapter3.1).
In addition to the inancial accounts identiied by the analytical procedures,
auditorsshould,basedontheirjudgment,addotheraccountsfortesting,suchas
noncurrentassets,otherassets,otherliabilities,andequity.
Consulting audits comprise aspects such as processes, ixed-price projects,
maximum-priceprojects,consultingservicesprovidedbythirdparties,andcon-
sulting-speciicriskmanagement.heauditorrecordstheprocessesandexamines
theprojectsonasamplebasis,takingintoaccountbothixed-priceandmaximum-
priceprojects.Insomecases,itmayalsomakesensetoincludeprojectschargedon
atimeandmaterialbasis.Itisimportantforprojectauditstoinclude:
• costtracing,
• projectmonitoring,
• examinationofthelowofinformationbetweenConsulting,Accounting,and
ManagementAccounting,
• considerationoftheinvolvementofRiskManagementinprojectinitiationand
processing,
• examinationofthetreatment(orders,processing)ofthird-partyproviders,and
• examinationofthecorrectallocationofcostsandrevenuesandperiod-endac-
cruals.
For intra-group supplies, auditors must ensure that the internal costs are allo-
catedcorrectly.Formoredetailsonauditingconsultingcontracts,seeSectionC,
Chapter5.2.
Licenseauditsinthesubsidiariesfocusonrecordingtheprocessesandtesting
thelicenseagreementsonasamplebasis.Inthisregard,itisparticularlyimportant
insightsfromtheAnalyticalProceduresinsightsfromtheAnalyticalProcedures
AuditorJudgmentAuditorJudgment
ConsultingConsulting
LicensesLicenses
Examples from Audit Practice at SAP
Combined Audit Topics
Subsidiary Audits
C|5|5.1
350
toensure thatpricing iscorrect,maintenance isbilledcorrectly,contractdata is
appropriatelyentered in the system, themaintenancearrangementsareproperly
relected,andtherelevantUS-GAAPrequirementsaremet(formoredetails,see
SectionC,Chapter5.3).
Anauditofthehumanresourcesfunctioninasubsidiaryshouldfocusprimarily
onthebasicarrangementsforthesubsidiary’sincentiveandcompensationsystems
foremployees.Auditorsshouldobtainanoverviewofthemethodsthesubsidiary
uses.Forexample,theincentivesystemforsalesemployeesshouldbelinkedtopay-
mentsreceived fromcustomers.heplausibilityof thecalculations for incentive
paymentprovisionsshouldbetestedonasamplebasisandindividualitemsshould
berecalculated(seeSectionC,Chapter3.3).Inthisregardtheauditorsshouldnote,
forexample,
• onwhichprocessthecorrectincentivecalculationisbased,
• whichinternalcontrolsareimplemented,
• whetherthelowofinformationbetweenHumanResources,Accounting,and
ManagementAccountingisworking,and
• howthedatafromManagementAccounting,Accounting,andHumanResources
islinkedtoeachother.
Asubsidiaryauditalsoincludesthepurchasingfunction.Unlikeexclusivepurchas-
ing audits, audits of purchasing within the bounds of a subsidiary audit cannot
achievethesamelevelofdetailedanalysisbutinsteadmustfocusonthemainpoints
(formoredetails,seeSectionC,Chapter4.1).heauditorsshouldgetanoverview
ofexistingguidelinesandobtainthenecessaryauthorizations,recordtheprocess,
andconductsampletestsondiferentinternalcontrols.Itisalsoimportanttoper-
formageneraltest inthesystemtoestablishwhichemployeesareauthorizedto
editvendormasterdata(forauditsofITsecurityandsystemauthorizations,see
SectionC,Chapter10),theextenttowhichthesameemployeesareauthorizedto
editbankmasterdataandwhatcontrolmechanismsareinplace.
Toexamineriskmanagement, theauditors shouldensure that thecompany’s
globalriskmanagementguidelinesareknown,used,andimplemented.GlobalRisk
Managementisavirtualformoforganizationthatcoverstheentirecompanystruc-
ture. Each region and subsidiary should have implemented the company’s risk
strategyandadaptedittolocalandregionalcircumstancesandguidelines.Auditors
shouldsatisfythemselvesthat:
• thereisa(localand/orregional)riskmanager,
• theriskmanagerdoesnotreportdirectlytotheheadofconsulting,
• theriskmanagerisinvolvedinlocalstrategicbusinessdecisions,
• theriskmanagerisinvolvedinday-to-daybusiness,
• project-speciicriskanalysesareperformed,and
• anyrisks identiiedareenteredandregularlyupdatedintheappropriateSAP
system.
HumanResourcesHumanResources
PurchasingPurchasing
RiskManagementRiskManagement
351
Reporting and follow-up occur ater the on-site subsidiary audit has been com-
pletedanddocumentedintheworkingpapers(fordetails,seeSectionB,Chapters
5and6).
LinKsAndReFeRenCes e
• JARnAGIn,B.D.2007.US Master GAAP Guide.Riverwoods,IL:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
5.2 Consulting Project Audits
5.2.1 Classification of Consulting Projects
KeyPoinTs •••
• Consultingprojectscanbecategorizedasshort-termorlong-termprojects.
• Adistinctionisalsomadebetweenixed-priceprojects,cost-pluscontracts(i.e.,
timeandmaterialcontracts),andmaximum-priceprojects.
ConsultingcontractsatSAPcoveranagreementbetweenthecompanyandthe
customerontheprovisionofconsultingservicesintheareaofsotwareimplemen-
tation. Consulting contracts can be classiied by maturity into short-term and
long-termcontracts,andbycompensationintoixed-priceprojects,cost-pluscon-
tracts,alsoknownas timeandmaterialcontracts,andmaximum-priceprojects
(i.e.,timeandmaterialcontractswithacap).normally,revenueisrecognizedon
thebasisoftheservicesperformed,takingcertaincriteriaintoaccount(seeSec-
tionC,Chapter 5.2.3). Implementationsupport, (e.g., foracomprehensive sot-
waresystem), isnormallya long-termconsultingproject.Long-termconsulting
projectsarepartofthefamilyoflong-termconstructionprojects,similartothose
undertakenintheconstructionsector.hesetypesofconsultingprojectsmaybe-
gininoneiscalyearandbecompletedinthenextiscalyear,orevenintheyear
aterthat.
Fixed-priceprojectsarecontractsunderwhichdeinedconsultingservicesare
performedandforwhichthetotalcompensationiscontractuallyagreedfromthe
startoftheproject.hefollowingaretypicalcharacteristicsofixed-priceprojects:
• heprojectprocessisdividedintoindividualmilestones.
• SAPperformstheindividualservicesaccordingtoadeinedplan,basedonthe
milestones.
• SAP also invoices according to a contractually deined plan, which does not
normallytrackprojectprogress.hisplanusuallyprovidesforanadvancepay-
ReportingandFollow-UpReportingandFollow-Up
ClassiicationofConsultingContractsbyMaturityandCompensation
ClassiicationofConsultingContractsbyMaturityandCompensation
Fixed-PriceProjectsFixed-PriceProjects
Examples from Audit Practice at SAP
Combined Audit Topics
Consulting Project Audits
C|5|5.2
352
mentoncontractsignature,furtherpaymentsasservicecomponentsareper-
formedandaccepted,andainalpaymentatercompletionoftheproject.
• heprovisionofindividualservicesandtheiracceptancebythecustomerare
documentedinacceptancelogs.
• Insomecountries,itiscommonbusinesspracticetowithholdpartofthein-
voiceamount (approx.5%)asaguaranteeduring theproject term,until the
projecthasbeencompleted.
Cost-pluscontracts(alsoknownastimeandmaterialcontracts)arecontractsunder
whichdeinedconsultingservicesareperformed,althoughthetotalcompensation
isnotixedinthecontract,butrelatestocostsincurred.Underthistypeofcontract,
onlyadailyrate isspeciiedforeachconsultantgroup(juniorconsultant,senior
consultant,etc.).Similartoixed-priceprojects,theprovisionofindividualservices
and their acceptance are documented in writing. Depending on the contractual
arrangementandcountry-speciicbusinesspractice, timespenton theproject is
agreedindiferentways,e.g.intheformofasignedlog,bye-mail,orverbally.Internal
Auditshouldverifywhetherthechosenformisrecognizedaslegallybindinginthe
countryconcernedandwhetherithasbeencarriedoutaccordingtocontract.
Maximum-priceprojectsarecontractsbasedontimeandmaterial,butwithan
upperpricelimitagreedinaddition.Similartotimeandmaterialcontracts,acer-
tainconsultingservicemustbeperformed.henumberofpersondaysneededto
completetheprojectislimitedbyspecifyingamaximumprice.hedailyratefor
eachconsultantgroup(juniorconsultant,seniorconsultant,etc.)iscontractually
agreeduponbeforetheinceptionoftheconsultingproject.Similartoixed-price
projectsandtimeandmaterialcontracts,theprovisionofindividualservicesand
theiracceptancearedocumentedinwriting.Recordsofthetimespentareagreed
withthecustomer,accordingtowhatisstipulatedinthecontract.
HinTsAndTiPs ;
• Auditorsmustbeclearaboutthecategorytowhichaconsultingprojectisas-
signed,becausethismayprovideindicationsaboutpossiblerisksandappropri-
ateaccountingtreatment.
• Whenindividualcontractsaretested,anyrelevantmasteragreementsalsomust
beexamined.
LinKsAndReFeRenCes e
• JARnAGIn,B.D.2007.US Master GAAP Guide.Riverwoods,IL:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
TimeandMaterialContracts
TimeandMaterialContracts
Maximum-PriceProjectsMaximum-PriceProjects
353
5.2.2 Audit Preparation and Execution
KeyPoinTs •••
• Beforethestartofanauditofconsultingprojects,auditorsshoulduseanalytical
procedurestogainanoverviewoftheconsultingprojectstobeexamined.
• Whenauditingconsultingprojects,auditorsirstrecordtheprocesses,thende-
terminewhethereachprocessiscarriedoutasdesigned,andinallyassesscon-
sultingprojectsonasamplebasis.
• hestandardworkprogramforconsultingprojectsincludesthefollowingmain
components:Reviewofprocessesandthewaytheyareorganized,integration
oftheriskmanagementsystem,andtheprojectmanager’sroleandcooperation
withconsultingcontrolandtheaccountingdepartment.
• Auditorsalsoexaminetheproitabilityofconsultingprojects.
Analyticalauditprocedures(seeSectionC,Chapter3.1)performedduringauditprep-
arationhelptheauditorgainanunderstandingofthecompany’ssituationandshould
beusedasthebasisforcreatingaspeciicworkprogramforconsultingprojects.Such
analysisnotonlyprovidesageneral insight intothecompany’scurrentsituation, it
alsorevealswhetherthecompanyhasconcludedmostofitsconsultingprojectcon-
tractswiththeprivateorthepublicsector.hisinformationmayimprovetheauditor’s
assessmentofcontractcomplexity.heanalysisalsotellsInternalAuditwhetherthere
areanycustomerswithpaymentdiiculties.heauditteamshouldalsoascertainthe
proportionofixed-priceprojects,maximum-priceprojects,andtimeandmaterial
contractsthecompanyhasconcludedintheperiodunderreview.Moreover,auditors
needageneralideaofprojectproitability(grossreturnonsales,fromnowonreferred
toas“proitability”).Projectsthatarebarelyproitableorloss-makingshouldbein-
cludedinthesampleselected.
Beforethestartofanaudit,InternalAuditshouldsendalistofrequirementsto
theunittobeaudited.hislistcoversthefollowingmainpoints:
• processdescriptionforconsultingprojects,
• documentsregardingprocessandinformationlow,
• calculationoffullyabsorbedcostsfortheperiodtobeanalyzed,
• calculationofconsultantmarketratesorstandarddailyratesfortheperiodtobe
analyzed,
• signaturepolicyforconsultingprojectsandbids(Whomustsignwhat,when,
andwhy?),
• delegationofauthorityarrangementsifthepersonsresponsibleforconsulting
projectsandbidsareunavailable(Whoactsasdelegate?),
• intra-groupconsultingcontracts,
• signiicantcontractswithconsultingsubcontractors,
AuditPreparationAuditPreparation
ListofRequirementsListofRequirements
Examples from Audit Practice at SAP
Combined Audit Topics
Consulting Project Audits
C|5|5.2
354
• listofallconsultingcustomersforwhomaspeciicbaddebtallowancehasbeen
recognized,and
• listofallconsultingcustomerswithpaymentdiiculties.
Inaddition,theauditleadshouldarrangemeetingswiththepersonsresponsiblefor
consultingprojectsandwiththeheadofthelocalinanceunit.Also,InternalAudit
shouldrequestinputfromRiskManagementtoobtainvaluableinformationabout
projectsexposedtorisk.
heauditorsshouldusetheirjudgmenttoselectasampleofconsultingprojects
forreview(onsampling,seeSectionB,Chapter4.1.2).Approximatelyfourweeks
beforethestartoftheaudit,theselectionispresentedtotheheadofthelocali-
nanceunitsothatheorshecanmaketherelevantcontractsavailable(intranslation
ifnecessary)atthestartoftheaudit.heauditorsmayalsoneedtohaveatranslator
onsiteduringmeetings.
Itmaybeuseful to includeprojects thathaverecentlybeencompletedorare
scheduledtobecompletedshortly(withinapproximatelyoneortwomonthsfrom
thetimeoftheaudit),orprojectstheproitabilityofwhichhasfallenshortofexpec-
tations.Inaddition,contractswiththepublicsectorcanbeverycomplexandthere-
foreshouldbeincludedintheauditsampleaswell.Forexample,theymayrequire
compliance with EU competitive bidding regulations or observance of country-
speciiccircumstances.
heKeyScopesrelevanttoauditingconsultingprojectsareselectedfromthe
total of all Scopes (see Section B, Chapter 2.1). he work program is developed
basedontheseScopes(seeSectionB,Chapter3.2).
Whenauditingconsultingprojects,theirststepistorecordtheprocesses.next,
theauditorsshoulddeterminewhethertheinternalcontrolshavebeendesignedto
adequatelymitigateriskandwhethereachprocessisexecutedasdesigned.Finally,
theauditorsshouldexaminetheprojectsincludedinthesample.hislaststepcan
alsobecarriedoutwhenauditingprocessefectiveness.hestandardworkpro-
gramforconsultingprojectsincludesthefollowingmaincomponents(seebelow
fordetails):reviewofprocessesandthewaytheyareorganized,integrationofthe
riskmanagementsystem,andtheprojectmanager’sroleandcooperationwithcon-
sultingcontrolandtheaccountingdepartment.
As formanyotherareas,SAPhasdevelopedaprocess (ASAPRoadmap) for
carryingoutconsultingprojectswhichensuresareliableinternalcontrolsystem.If
theprocessiscarriedoutasintended,informationwilllowreliablytoandfromthe
consultingdepartment.Atthesametime,theintegrationoftheriskmanagement
department,consultingcontrol,thelegaldepartment,andtheaccountingdepart-
ment must be guaranteed and function efectively. Process organization should
preferablyfollowthedualcontrolprincipleandappropriatesegregationofduties
andshouldsupportthedetectionoffraud.Consultingcontrol,whichisanaccount-
ingfunction,alsoperformsanalysesonconsultingprojects,independentlyofInternal
Audit,andisthereforeabletoproducereportsonthebasisofspeciiccriteria.In
addition,theconsultingdepartmentpreparesabriefquantitativesummaryofthe
sampleselectionsampleselection
specialAspectsofsampleselection
specialAspectsofsampleselection
scopeandWorkProgram
scopeandWorkProgram
AuditexecutioninGeneral
AuditexecutioninGeneral
ConsultingProcessanditsorganization
ConsultingProcessanditsorganization
355
mostimportantpointsofeachconsultingcontractforconsultingcontrolandthe
accountingdepartment(e.g.,costplanning,term,dailyrates,freetrainingorfree
consultingservices,aswellasproject-speciictopicssuchasinformationonwhether
theconsultingservicesandknow-howareessentialforimplementingthesotware
productsuccessfully).
Potentialindicationsofpoorprocessdesignandorganizationinclude:
• heprocessdoesnotfunctionasdesigned.
• heinformationlowbetweendepartmentsdoesnotserveitspurpose,isinsuf-
icient,subjecttodelays,orinefective.
• heconsultingdepartmentdoesnotforwardinformationonvariancesfromthe
plannedprojectprocedureandtheplannedprojectcoststoconsultingcontrol
inatimelymanner.
• Consultingcontroldoesnotevaluateeachproject.
• he structure and design of the process organization do not follow the dual
controlprinciple.
• hecontrolandapprovalproceduresdonot takeplaceorarenotperformed
accordingtotheprocessdescription.
Efective process design is not always achieved in practice. Internal Audit must
analyzetheprocessesoftheauditedunitcarefullytoestablishwhetherthereareany
variancesbetweenthecurrentsituationandtheprescribedprocesses.Todoso,the
auditors should familiarize themselves with the process description provided by
e.g. theSOXdocumentation.Furthermore, theycanmeetwiththeriskmanager
andthepersonresponsibleforconsultingprojectstoconirmtheirunderstanding
oftheprocessdescriptionsandclarifyanyotherissuesorquestions.Auditorsalso
needtoassesswhether,intheiropinion,allsigniicantcontrolsareworkingefec-
tively and whether the set up of the organization and functions is adequate.
Findingsandrecommendationsforimprovementaredocumentedintheworking
papers(seeSectionB,Chapter4.2).
heprojectmanagershouldcooperatecloselywiththecompany’sriskmanager,
whoperformsanindependentassessmentofanyrisksassociatedwiththeproject,
includingprobabilitiesandimpacts,beforeaformalbidforconsultingservicesis
senttothecustomer.heriskmanagermonitorsthisassessmentduringthecourse
oftheprojectandupdatestherisksifnecessary.
hefollowingcriteriamayindicatethattheriskmanagerisinefective:
• heriskmanager’spositionintheoverallorganizationdoesnotallowhimor
hertoperformanindependentandefectiveevaluationofprojectrisks.
• heriskmanagerdoesnothavethenecessaryknowledgeofconsultingproject
management,themarket,ortheproducttobeabletoidentifyalltherisksef-
fectively.
• heriskmanagerdoesnot identifyandevaluate theproject risks ina timely
manner.
• heriskmanager’srecommendationsarenotimplementedinthecompany.
PotentialindicationsofdeicienciesPotentialindicationsofdeiciencies
Auditor’sActivitiesAuditor’sActivities
involvementofRiskManagementinvolvementofRiskManagement
PotentialindicationsofdeicienciesPotentialindicationsofdeiciencies
Examples from Audit Practice at SAP
Combined Audit Topics
Consulting Project Audits
C|5|5.2
356
• heriskmanager’sreportsarenotcompletedinduetimeorareonlyoflimited
usefulness.
Inordertotestwhethertheriskmanagementsystemisadequatelyintegratedinto
the consulting project process and the internal controls are working efectively,
auditorsshouldirstobtaincopiesoftherelevantprojectrisksummariesforasample
ofprojects.Inaddition,theyshouldidentifythemostimportantinternalcontrols
andtestonasamplebasiswhetherthecontrolswerecarriedoutandwerefunction-
ingasintended.hisinvolvesassessinginparticularwhethermostoftheriskshave
beenfullyidentiiedinatimelymannerandproperlyevaluatedbeforethestartand
duringthecourseoftheproject.Findingsandrecommendationsforimprovingthe
integrationoftheriskmanagementsystemareincludedintheworkingpapers.
Foreachconsultingproject,theorderprocessingdepartmentcreatesanorderin
theconsultinginformationsystem.heconsultingcontrollercheckswhetherthis
informationhasbeenenteredcorrectlyandinatimelymanner.Controlactivities
andtherelevantpostingrecordsaresupportedbyadequateITtools,(e.g.thecon-
sultinginformationsystemforixed-priceprojectsintheSAP-internallivesystem).
hefunctionofconsultingcontrolistoperformregularchecksonautomaticac-
counting entries and on the quality of the system reports. his department also
ensuresthattheorderprocessingdepartmentcreatesinvoicesintimeandthatin-
voiceandrevenueblockingisinplaceincaseUS-GAAPcriteriahavenotbeenmet.
hecontrollersarealsoresponsibleforcheckingthatallconsultanthourshavebeen
fullyrecorded,irrespectiveofwhethertheycanbebilledtothecustomerornot.For
ixed-priceprojects,consultingcontrolcheckswhether thepercentageofproject
completionhasbeencalculatedcorrectlyandwhetherthedataenteredrelectac-
tualprojectprogress.Ifnecessary,andaterconsultationwiththeprojectmanager,
consultingcontroladjuststheamountsrecognized.
heprojectmanagerensuresthatconsultanthourshavebeenrecordedcorrectly,
brokendownintobillableandnon-billableservices,andthattheyhavebeenallo-
cated to the appropriate project. he project manager forwards information on
variances from the planned project procedure and the planned project costs to
consultingcontrolbynolaterthantheendofthemonth.Consultingcontrol, in
conjunctionwiththeprojectmanager,checks that theconsultanthoursare fully
recordedasoftheendofthemonthandthattheassociatedrevenueandcostsare
properlyrecognized.Consultingcontrolandprojectmanageralsohavetoensure
thatallcosts,e.g.thosethatcanimpactonthepercentageofcompletioninixed-
priceprojects,areallocatedtothecorrectperiod.Contractlossaccrualsaresetup
ifnecessary,i.e.whenprojectcostsexceedorareexpectedtoexceedtheixedprice
fortheproject.
heprojectmanager’soperationalknowledge,(e.g.withregardtoprojectde-
lays,adjustmentstototalprojectcosts,newcustomerrequirements,availabilityof
requiredresources, etc.)playsavery important rolewhen it comes to takingall
Auditor’sApproachAuditor’sApproach
PurposeofConsultingControl
PurposeofConsultingControl
CooperationBetweenProjectManagerand
ConsultingController
CooperationBetweenProjectManagerand
ConsultingController
importanceofConsultingControl
importanceofConsultingControl
357
materialaspectsoftheprojectintoaccountcorrectlyandinatimelymanner.Inthis
regard, the consulting controller’s responsibility includes the correct assessment
andrecordingintheinternalinformationsystemoftheinancialimpactthatthese
aspectsmayhave.hismayresultinadjustmentstoprojectrevenue.Forthisreason
itisessentialthatinformationbetweenprojectmanagerandconsultingcontroller
canlowunhindered.
hefollowingcriteriamayindicatethatconsultingcontrolandtheprojectman-
agerarenotworkingcompliantly:
• heprojectmanagerdoesnotregularlyre-evaluatethetotalcostsofeachproj-
ect.
• he project manager does not forward information on variances from the
plannedprojectprocedureandtheplannedprojectcoststoconsultingcontrol
inatimelymannerordoesnotevaluatesuchinformationcorrectly.
• heinformationlowisnottimelyorefective.
Consultingcontrolandtheaccountingdepartmentarejointlyresponsibleforde-
terminingthedailyratesforeachconsultantgroupatfullyabsorbedcostsandfor
updatingtheminthesystem.heyalsoneedtoensurethattheprojectsaremea-
suredbasedontheinternalaccountingguidelinesandthatthenecessaryaccruals
forrevenuearerecordedincasethattheconsultantratesinvoicedtocustomersdo
notcorrespondtostandardmarketratesforconsulting.
hefollowingcriteriamayindicatethatconsultingcontrolandtheaccounting
departmentarenotworkingcompliantly:
• heconsultingcontroller’sreportsarenotcompletedinduetimeorareonlyof
limitedusefulness.
• hedailyratesatfullyabsorbedcostandthestandarddailyratesarenotreliably
determined.
• heconsultingcontroller’spositionintheorganizationdoesnotallowhimor
hertoperformindependentandefectiveassessmentsofprojectperformance
andrelatedcosts.
Auditorsmustidentifythekeyinternalcontrolsinconnectionwithconsultingcontrol
activitiesandtestasampleofcontractstodeterminewhetherthecontrolsareefec-
tive.Auditorsshouldalsoinvestigatewhetherallexpectedmaterialcontrolproce-
duresrelatingtoconsultingcontrolarefullyandefectivelyaddressed.Findingsand
recommendationsforimprovementaredocumentedintheworkingpapers.
Belowisalistofthemostimportantieldworkactivitiesandrelateddocuments
thatInternalAuditusesinauditingindividualconsultingprojects.Auditorsshould
analyzethecontractinquestion,summarizeitsmainelements,identifyandevalu-
ateallmaterialrisks,andcoordinateorenhance(ifnecessary)theirunderstanding
oftheprojectrisksbytalkingtotheprojectmanagerandtheriskmanager.Further
ieldworkactivitiesdependonthetypeofcontract.
PotentialindicationsofdeicienciesPotentialindicationsofdeiciencies
CooperationbetweenAccountingandConsultingControl
CooperationbetweenAccountingandConsultingControl
PotentialindicationsofdeicienciesPotentialindicationsofdeiciencies
TestingofinternalControlsTestingofinternalControls
importantFieldworkActivitiesimportantFieldworkActivities
Examples from Audit Practice at SAP
Combined Audit Topics
Consulting Project Audits
C|5|5.2
358
Whenexaminingixed-priceprojects,auditorsshouldfocusonthe following
questions,inparticular:
• IsSAPabletodeterminereliablythetotalprojectcostsandthepercentageof
completionoftheproject?
• IsSAPabletomeettheprojectplanintermsofqualityanddeadlines?
• DoesSAPincurcontractpenaltiesifmilestonescannotbemetintime?
• Doesthecustomerhavetheoptiontoquerymilestonesalreadyacceptedfrom
anoverallperspectiveattheendoftheproject?
• DoesSAPhavetheresourcesandtheknow-howtoresolveprojectdiiculties
successfully?
• Doestheprojectrelatetotheimplementationofsotwareproducts,forwhich
acertainregion,forexample,temporarilyhasinsuicientconsultantcapacity?
• AreconsultingservicesforSAPsotwareandtheknow-howessentialforimple-
mentingthissotwareproductsuccessfully(seeSectionC,Chapter5.2.3)?
• Are the roles and responsibilities of both SAP and the customer clearly de-
ined?
• IsSAPrequired toprovideexceptionalguarantees (for longer thanusual, for
exceptionalamounts,ortoanunusualextent)?
• DoesSAPhavetheleadroleinandcontroloftheproject?
• Ifnot,isSAPabletodetermineadequatelythepercentageofcompletionandthe
totalcostsoftheproject?
• Forixed-priceprojectswithcustomerswhere the servicesareprovidedbya
subcontractor,hasaback-to-backixed-priceagreementbeenconcludedwith
thesubcontractor?
• Iftheservicesofaprojectareperformedjointlywithotherconsultingirms,is
thereaseparateagreementthatclearlyassignsthetasksandresponsibilitiesand
deinesliabilityetc.?
• Are thereixed-priceprojectsbetweencompanies in theconsolidatedgroup?
Cantransferpricesexposethecompanytotaxrisks?
• Arethereacceptancelogsapprovedbythecustomer?
• Hasthecustomeralreadypaidthemostrecentinvoices?
Whenauditingtimeandmaterialcontracts,auditorsshouldlookatthefollowing:
• Isthecontractbasedonactualtimeandmaterialcosts,orhasamaximumprice
beenagreed?
• Isthereariskthatthecustomermightnotacceptanyoftheconsultingservices
performed?
• Arethereacceptancelogsapprovedbythecustomer?
• Hasthecustomeralreadypaidthemostrecentinvoices?
Auditorsshouldobtainacopyoftheconsultingproject’scostingsheet,determine
whethertheschedulewascreatedatthestartoftheproject,andcarryoutaplausi-
importantFieldworkActivitiesforFixed-Price
Projects
importantFieldworkActivitiesforFixed-Price
Projects
importantFieldworkActivitiesforTimeand
MaterialContracts
importantFieldworkActivitiesforTimeand
MaterialContracts
ProjectProitabilityProjectProitability
359
bility check. hey should also note whether the project manager has signed the
costingsheettodocumentthatareviewoftheschedulehastakenplaceasaninter-
nal control. next, auditors should compare the planned project proit with the
actualproitgeneratedindiferentperiodsanddetermineanymaterialvariances
thatcouldbeasignofpoorprojectcontrol.hefollowingdiagramisaictitious
exampleofthestructureofaconsultingreport.
Auditorsshouldalsogather informationaboutwhetherandwhyresources from
otherlocalSAPsubsidiariesorexternalsubcontractorshavebeenusedintheproj-
ect.Ifaprojectusesintra-groupservices,theymustbeaccountedforaccordingto
SAPguidelines.
Fixed-priceprojectsareinvoicedaccordingtothemethodagreeduponinthe
contract.Inaixed-priceproject,partialproitrecognitiononthebasisofamounts
alreadyinvoicedisnotsuitablefordeterminingcorrectperiodallocationofrevenue,
becausetheinvoicesrelatetothematurityofpartialpaymentsratherthanoverall
projectprogress(seeSectionC,Chapter5.2.3).Bycontrast,monthlyinvoicesare
normallyproducedformaximum-priceprojectsandtimeandmaterialcontracts.
heservices tobe invoicedonthebasisofpersondaysareagreedwith thecus-
tomer.
UseofexternalResourcesUseofexternalResources
invoicinginvoicing
Examples from Audit Practice at SAP
Combined Audit Topics
Consulting Project Audits
C|5|5.2
Customer 1
Project A
Actual
€
Actual/target
%
Invoiced sales
Accrued sales
Total sales
External (subcontractor) costs
Internal consulting costs
Total costs
Contribution margin
Target
€
1,300.00
1,300.00
520.00
630.00
1,150.00
150.00
11.54
400.00
530.00
930.00
450.00
400.00
850.00
80.00
8.60
30.77
71.54
86.54
63.49
73.91
53.33
Fig. 11 Fictitious Consulting Report
360
HinTsAndTiPs ;
• Analyzethecontracttobeauditedcarefullywithregardtotheconditionsand
obligationsitcontainsandthepossibleprojectrisksitposes.
LinKsAndReFeRenCes e
• JARnAGIn,B.D.2007.US Master GAAP Guide.Riverwoods,IL:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
5.2.3 Special Aspects of Consulting Project Audits
KeyPoinTs •••
• Changes in project data of ixed-price projects may lead to larger or smaller
luctuationsthatimpactthepercentageofcompletion.
• Revenuefromconsultingprojects isrecognizedaccordingtoefectiveproject
progress.
• Under multiple element arrangements, SAP ofers maintenance, consulting,
development,training,andotherservicestogetherwithsotwarelicenses.Ifa
multipleelementarrangementexists,sotwarerevenueisrecognizedaccording
totheresidualmethod.
ComplementingSectionC,Chapters5.2.1and5.2.2,thischapterprovidesdetailsof
specialaspectstheauditteammayencounterwhenauditingdiferenttypesofproj-
ects.First, the focus isonixed-priceprojects and thepercentageof completion
methodthatmustbeconsideredfortheseprojects.
Calculatingthepercentageofcompletionisnotalwaysstraightforwardinprac-
tice.SAPusesthecost-to-costmethodtocalculatethepercentageofcompletionby
comparingactualcoststototalestimatedcosts(budgetedcosts).hismethodcan
beusedeitheratoverallprojectleveloratsub-project/milestonelevel.
hefollowingtableusesaictitiousexampletoshowthediferentresultsobtained
whenlookingataprojectattheoverallprojectlevelascomparedtothesub-project
level(permilestone).
specialAspectsinday-to-dayAuditing
specialAspectsinday-to-dayAuditing
CalculationofthePercentageofCompletion
CalculationofthePercentageofCompletion
FictitiousexampleFictitiousexample
361
hepercentageofcompletionattheoverallprojectlevelof67.96%hasbeencalcu-
latedbycomparingtotalcostsincurredamountingtoEUR4,200andtotalbudgeted
costsofEUR6,180.Iftheprojectisanalyzedatsub-project(milestone)level,the
percentageofcompletioncanbecalculatedforeachsub-project.hemathemati-
callycalculatedpercentageofcompletionmaydiferfromactualprojectprogress.
Forexample,thepercentageofcompletionforsub-project10iscalculatedat89.12%,
althoughtheactualpercentageofcompletionis100%(evidenceprovided,e.g.on
thebasisofsub-projectacceptancebythecustomer).
Intheaboveexample,projectprocessingproblemsnowrequireanadjustment
tothebudgetedcosts(estimatedtotalcosts),fromEUR6,180toEUR9,860asof
March31,2006(seeigurebelow).hisresultsinachangeofthecalculatedpercent-
ageofcompletionto50.61%.
ChangeinthePercentageofCompletion
ChangeinthePercentageofCompletion
Examples from Audit Practice at SAP
Combined Audit Topics
Consulting Project Audits
C|5|5.2
S ub -
project/
mile-
stone
Overall
project
total
Costs
Budget
10
20
30
40
50
60
965
1,035
1,240
910
1,100
930
6,180
Accrued at project level:
(67.96% * € 6,800- € 2,180 = € 2,441)
€ € € €
860
1,080
1,330
930
0
0
4,200
€
Actual
89.12
104.35
107.26
102.20
0.00
0.00
67.96
%
Calcu-
lated
100.00
100.00
100.00
100.00
%
Actual
1,110
1,080
1,400
990
1,230
990
6,800
1,100
1,080
0
0
0
0
2,180
0
0
1,400
990
0
0
2,390
1,100
1,080
1,400
990
0
0
4,570
2,441 4,621
€
Budget Actual
(A)
Accrued
(B)
Total
(A + B)
Percentage of
completion
Sales revenue
2,180
Fig. 12 Fictitious Project A as of December 31,2005
362
Inaddition,anaccrualforfutureprojectlossesshouldbecreated,becausethebud-
getedcosts(EUR9,860)exceedbudgetedrevenue(EUR6,800)byEUR3,060.he
audit team must ensure that the appropriate departments are informed of any
changestoprojectdatainatimelymanner.
herulesoflong-termconstructionprojectsareappliedtoconsultingprojects
asappropriate.Iftheprojectisaixed-priceproject,revenueisrecognizedaccord-
ingtoefectiveprojectprogress,ifthefollowingcriteriaaremet:
• hecompanycanprovidereliableestimatesoftotalrevenue,totalcosts,andthe
percentageofcompletion.
• hecontractclearlyandunambiguouslydeinestheservicestobeperformed.
• Paymenttermsandprojectprocessingmethodhavebeendetermined.
• Paymentfortheservicesperformedisprobable(revenuecanberealized).
• It isprobable that thecompanyperforms the servicesagreedunder thecon-
tract.
otherConsequencesotherConsequences
AccountingTreatmentofConsultingProjects
AccountingTreatmentofConsultingProjects
Sub-
project/
mile-
stone
Overall
project
total
Costs
Budget
10
20
30
40
50
60
860
1,080
1,330
930
4,760
900
9,860
Accrued at project level:
(50.61%* €6,800- €2180 = €1,261)
€ € € €
860
1,080
1,330
930
790
0
4,990
€
Actual
100.00
100.00
100.00
100.00
16.60
0.00
50.61
%
Calcu-
lated
100.00
100.00
100.00
100.00
16.60
%
Actual
1,110
1,080
1,400
990
1,230
990
6,800
1,100
1,080
0
0
0
0
2,180
0
0
1,400
990
204
0
2,594
1,100
1,080
1,400
990
204
0
4,774
1,2612,180 3,441
€
Budget Actual
(A)
Accrued
(B)
Total
(A + B)
Percentage of
completion
Sales revenue
Fig. 13 FictitiousProjectAasofMarch31,2006afteradjustmenttobudgetedcosts
363
hefollowingictitiousexampleshowspossibleaccountingentries.
herelevantaccountingentriesforthisprojectareasfollows:
Account
Unbilled Accounts Receivable (Germany)
Revenue Accrual Fixed-Price Project
Revenue Accrual Fixed-Price Project
Advance Payments
Accounts Receivable
Revenue Fixed-Price Project
Unbilled accounts receivable (Germany)
Revenue Accrual Fixed-Price Project
Revenue Accrual Fixed-Price Project
Advance Payments
Accounts Reveivable
Revenue Fixed-Price Project
1,050
1,100
700
1,200
1,100
1,200
1,100
1,200
1,050
1,100
700
1,200
Income statement
Debit Credit Debit Credit
Balance sheet
(assets/liabilities)Description
Invoice for milestone # 10
Invoice for milestone # 20
Fig. 15 FictitiousFixed-PriceProjectB–AccountingEntries
FictitiousexampleofAccountingentriesFictitiousexampleofAccountingentries
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
ConsultingProjectAudits
C|5|5.2
Milestone
10
20
30
950
1,050
1,000
3,000
900
600
1,200
2,700
1,100
1,200
1,200
3,500
1,100
1,200
1,200
3,500
30
50
90
100
Costs
Budget
€ € € € %
Actual ActualBudget
Sales revenue Percentage of
completion
Fig. 14 FictitiousFixed-PriceProjectB–ProjectData
364
If the above criteria are not met, the costs incurred are expensed. Under this
method,revenueisnotrecognizeduntiltheprojectiscompletedoruntilallcriteria
forrecognizingrevenueaccordingtoefectiveprojectprogressaremet,whichever
occursirst.
Iftheprojectbeingexaminedisnotaixed-priceproject,butatimeandmate-
rialproject,revenueisrecognizedaccordingtoserviceperformanceiftheperfor-
manceoftheserviceisrepresentativeforthestageofcompletion.Itisenteredas
showninthefollowingictitiousexample.
heictitioustimeandmaterialprojectChasthefollowingbasedata:
• Planmonthlyserviceperformance:50consultantdaysatEUR20perday.
• Actualmonthlyserviceperformance:
- Month1:50consultantdaysatEUR20perday
- Month2:30consultantdaysatEUR20perday
- Month3:70consultantdaysatEUR20perday
• Projectterm:12month.
• OptionA:Monthlyinvoicingandrecognitionofrevenue.
• OptionB:Quarterlyinvoicingandmonthlyrecognitionofrevenue.
AccountentriesforTimeandMaterialProjects
AccountentriesforTimeandMaterialProjects
FictitiousexampleFictitiousexample
Account
Unbilled Accounts Receivable (Germany)
Revenue Accrual Fixed-Price Project
Revenue Accrual Fixed-Price Project
Advance Payments
Accounts Receivable
Revenue Fixed-Price Project
Unbilled Accounts Receivable
Revenue Accrual Fixed-Price Project
Advance Payments
Unbilled Accounts Receivable
1,400
1,200
350
3,500
1,200
3,500
1,200
1,400
1,200
350
Income statement
Debit Credit Debit Credit
Balance sheet
(assets/liabilities)Description
Invoice for milestone # 30
Closing
Fig. 15 (continued)
365
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
ConsultingProjectAudits
C|5|5.2
Account
Customer 123
Consulting revenue
Customer 123
Consulting revenue
Customer 123
Consulting
1,000
1,400
600
1,000
600
1,400
Income statement
Debit Credit Debit Credit
Balance sheet
(assets/liabilities)Description
Month 1
Month 3
Month 2
Option A:
Customer is invoiced at the end of the month
Fig. 16 FictitiousTimeandMaterialProjectC,OptionA:AccountingEntriesforTimeandMate-
rialProjects(Monthly)
Account
Option B:
Customer is invoiced quarterly
1,000
Income statement
Debit Credit Debit Credit
Balance sheet
(assets/liabilities)Description
Services not yet invoiced,
time and material projects
Consulting revenue,
time and material projects
1,000
Month 1
600
Services not yet invoiced,
time and material projects
Consulting revenue,
time and material projects
600
Month 2
Fig. 17 FictitiousTimeandMaterialProjectC,OptionB:AccountingEntriesforTimeandMate-
rialProjects(Quarterly)
366
normally,ainalversionoftheconsultingcontractmustbesignedbythecustomer
andSAPbeforeanyconsultingrevenuecanberecognized.Ifthecontracthasnot
beeninalizedandnegotiationswiththecustomerareongoing,noconsultingrev-
enuecanberecognized.Insuchacase,thecostsalreadyincurredareexpensed.If
thecontractisnotsignedwithinaspeciiedperiod(e.g.,threemonths),theaudi-
torsshouldfollowupwithmanagementandreviewtheprocess.
Anotherparticularaspectofconsultingprojectsmayariseforauditorsinrela-
tiontomultipleelementarrangements.Undermultipleelementarrangements,SAP
sellsmaintenance,consulting,development,training,andotherservicestogether
withsotwarelicenses.Ifamultipleelementarrangementexists,sotwarerevenueis
recognizedaccordingtotheresidualmethodatSAP.Underthismethod,revenue
thatwillberealizedinthefutureformaintenance,consulting,orotherservicesstill
tobeprovidedisdeterminedonthebasisofstandardprices,deductedfromthe
totallicensecontractvalue,andrecognizedoncetherelevantservicehasbeenper-
formed. he standard prices are market prices at which SAP ofers goods and
servicesindividually.ForgoodsandservicesthatSAPhastodatenotoferedonan
individualbasis,astandardpricesetbycompanymanagementisused,providingit
isprobablethatthispricewillnotchange.Anyresidualamountisallocatedtosot-
warelicensesandrecognizedassotwarerevenueifalltheotherrequirementsof
SOP97-2havebeenmet.
LinKsAndReFeRenCes e
• JARnAGIn,B.D.2007.US Master GAAP Guide. Riverwoods,IL:CCH,Inc.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing. 5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
RecognitionofCostsandRevenue
RecognitionofCostsandRevenue
MultipleelementArrangements
MultipleelementArrangements
Customer 123
Consulting
3,000
3,000
Account
1,400
Income statement
Debit Credit Debit Credit
Balance sheet
(assets/liabilities)Description
Services not yet invoiced,
time and material projects
Consulting revenue,
time and material projects
1,400
Month 3
Invoice at end of quarter
Fig. 17 (continued)
367
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SOP81-1:AccountingforPerformanceofConstruction-TypeandCertainProduction-
TypeContracts.
5.3 LicenseAudits
KeyPoinTs •••
• Akeyaspectofauditpreparationforlicenseauditsisdeiningtheappropriate
sampleandtestingthesystemdata.
• During audit execution, auditors primarily test contract design and content,
archiving,pricing,productdelivery,approvalprocedures,andtheaccuracyof
accountentries.
• BecauseoftheneedtocomplywithUS-GAAPrequirements,theauditshould
alsoincluderevenuerecognitioncriteriaandanyassociatedissues.
When using sotware developed by SAP, the customer usually pays a one-time
licensefeeandmaintenancefeesduringthelicenseterm.helicensefeeistheprice
paidforusingthesotware,andthemaintenancefeeispaidfortechnicalsupport,
upgradesandenhancements.Duetothevarietyoflocalrequirements,marketcon-
ditions,andspecialcustomerneeds,thereisawiderangeoflicensecontracttypes
andcontents.
hesotwarecanbesoldthroughdirectorindirectchannels,dependingonthe
productandthemarketsituation.Directsalemeansthesotwareissoldthrough
oneofSAP’slocalsubsidiaries.Ifthecustomerbuysthesotwarethroughathird
party(i.e.,areseller),itiscalledanindirectsale.Incaseofindirectsale,thecus-
tomerconcludesthelicenseagreementdirectlywiththereseller.SAPandthereseller
havesignedamasteragreement.Dependingonlocalrequirementsandprocedures,
thecustomerconcludesthemaintenancecontracteitherdirectlywithSAPorwith
thereseller.
Inalicenseagreement,thefollowingitemsareagreeduponwiththecustomer:
• licensedproduct(s),
• licensefee,
• maintenancefee,
• paymentterms,and
• deliveryprocedures.
hefollowingdocumentsmaybeincludedasappendicestothelicenseagreement:
• electroniccostingsheet,
• customer-provided evidence regarding the use of the sotware for statistical
businesspurposes(SolutionAddendumForm(SAF)),and
• generaltermsandconditions.
softwareLicensessoftwareLicenses
salesChannelssalesChannels
ContentofaLicenseAgreementContentofaLicenseAgreement
AnnexestotheLicenseAgreementAnnexestotheLicenseAgreement
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
LicenseAudits
C|5|5.3
368
Licenseagreementscanbeauditedincombinationwithotherauditsegmentsoras
aseparateaudittopic.helicenseaudit ispartofeverystandardauditofa local
subsidiaryand,dependingonthetopic,mayalsobeconductedaspartofaspecial
audit.hemainauditobjectiveoflicenseauditsistoassurecorrectrevenuerecog-
nitionandtoensurethatall internalcontrolsare inplacetomeetSOXandUS-
GAAPrequirements.Inadditiontostandardandspecialaudits,InternalAuditalso
performsunannouncedlicenseauditsandcustomercontractconirmationsinthe
localsubsidiaries(seeSectionC,Chapter9).
heirst stepof thepreparationprocess is toselecta sampleofcontracts for
testing,takingintoconsiderationtheperiodtobeexamined,thesizeofthelocal
subsidiary,andtheavailableauditingtime.
Informationaboutthecontractsconcludedwithintheperiodtobeexamined
shouldbeobtainedfromthesystem.heauditteamshouldexportthedataintoan
Excel spreadsheet in order to edit it according to the chosen sampling method.
Underpurposivesampling(seeSectionB,Chapter4.1.2),theauditorsshouldtake
thefollowingcriteriaintoaccount:
• contractvolume,
• postingdate in theSAPsystemimmediatelyprior to theclosingdate for the
monthorquarter,
• typeofcontract(directorindirectsales),and
• previousauditorexperience.
As an alternative to purposive sampling, auditors can choose from a number of
statisticalrandomsamplingmethods.Value-basedstatisticalsamplingisusedfor
thecustomercontractconirmationprocessaspartofrevenuerecognitionassur-
ance(seeSectionC,Chapter9).
Duringauditpreparation,auditorsshouldgetanoverviewoftheCoreScopefor
licenseagreements,especiallyiftheydonothaveanyexperienceinthisarea.he
CoreScopecoversthekeyfunctionsandprocessesthatcouldenhancetheauditors’
understandingofthiscomplextopic.SeeFig.18foranexcerptfromthe“License
Agreements”CoreScope.
Derived from the Core Scopes for License Agreements and the relevant Key
Scopes,theworkprogramisthebasisfortheieldworkandguidesthewholeaudit-
ingprocessfrompreparationthroughreporting(seeSectionB,Chapter3.2).he
workprogramshouldbeadjustedforeachauditaccordingtotheaudittypeandthe
localcharacteristicsofthesubsidiarytobeaudited.
Duringauditexecution,auditlistsandquestioncatalogsmayfacilitatetheaudi-
tors’tasks(seeSectionB,Chapter4.1.3.1).heextenttowhichsuchtemplateswill
beusedisspeciiedduringauditpreparation.Iftheyarebeingused,theyneedtobe
iledasworkingpapers for therespectiveaudit.hefollowingquestionsmaybe
includedinanauditlistforlicenseagreements:
• Isthecontractavailableinoriginalform?
AuditofLicenseAgreements
AuditofLicenseAgreements
RepresentativesampleofContractsforTestingRepresentativesampleofContractsforTesting
PurposivesamplingPurposivesampling
RandomsamplingRandomsampling
CorescopeforLicenseandMaintenance
Contracts
CorescopeforLicenseandMaintenance
Contracts
WorkProgramWorkProgram
AuditListsandQuestionCatalogs
AuditListsandQuestionCatalogs
369
• Dotheamountspostedinthesystemmatchtheoriginalcontract?
• Doesthecontractpriceconformtothelocalpricelist?
• Dotheusersandfunctionalitieslistedinthesystemmatchthecontract?
• DidSAPandthecustomersignthecontract?
• AretheSAPsignatoriesauthorizedtosignthecontract(comparedtolocalsign-
ingpolicy)?
• Isitclearwhosignedthecontract(namesalsoinblockletters)?
• Whatisthesigningdateofthecontract?
• Isthereproofofsotwaredelivery?
• Wasthesotwaredeliveredbeforerevenuewasrecognized?
• Arethereanyunusualclausesinthecontractthatmayafectrevenuerecogni-
tion?
Toensureeicientieldwork,alldataavailableregardingtheselectedlicenseagree-
mentsshouldbecollectedinthepreparationphase.hemostimportantsourceof
informationonlicenseagreementsatSAPistheContractInformationSystem(CIS)
reportingsystem,whichcontainsallrelevantcontractdata.hisdataismaintained
by the licenseadministrationdepartments in the localsubsidiaries.heauditors
should print out all the information about the sample contracts selected, and
examinepreviouscontractstogainanoverviewofthecustomerhistory.Acopyof
theoriginalcontractforeachpostingshouldalsobescannedintotheSAPsystem.
CheckingdatainthesAPsystemCheckingdatainthesAPsystem
Bidding Delegation of
Authority,
Contract
Approval,
Pricing Policy,
Migration
Strategy,
Global Risk
Management.
Technical Sales,
License
Agreement
Administration,
Accounting,
Consulting
Department,
Training
Department,
Legal Depart-
ment,
Local Manage-
ment,
Executive Board,
Sales,
Development.
Bidding process,
Free-of-charge
services,
US GAAP
processing,
Ramp-up
process,
Future
functionality.
Maintenance fee,
License fee,
Discounts,
Migration credits,
Contract,
Addendums,
Bid,
Master price list,
Local price list,
Product
availability
matrix,
Costing sheet,
Package
specification,
User specifica-
tion.
Key Scope
Content Strategies/
Policies/
Procedures
Functions/
Business
Processes
Processes Objects
Fig. 18 ExcerptfromtheCoreScopeforLicenseAgreements
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
LicenseAudits
C|5|5.3
370
hefollowingisadescriptionofhowanauditoflicenseandmaintenancecon-
tractsisconducted.Itsstructureisbasedontheworkprogramderivedfromthe
Scope.
Auditorsshouldnotethefollowingwithregardtoarchivingimportantdocu-
ments. he original contract, along with other legally relevant documents (e.g.
annexes,addendums,andminutes),shouldbearchivedinaireproof,lockedcabi-
net, and only a limited number of persons should have access to the key. hese
documentsshouldalsobescannedandrelectedinthesystementries.heother
relevantdocuments,suchasdeliverynotes,correspondenceetc.,shouldbereason-
ablyandsystematicallystoredinthecustomerile.
he master price list for sotware is issued by the parent company. he local
subsidiariesadaptthelisttolocalcircumstances.Auditorsshouldchecktheadapta-
tionandensurethatthecontractpricesagreedwiththecustomercorrespondwith
thecurrentlocalpricelist.
Productdeliveryisacriterionforrevenuerecognition.Customershaveaccess
tothesotwaretheyhavepurchasedthroughelectronicorphysicaldelivery.Incase
ofelectronicdelivery,thecustomersreceiveapasswordthatallowsthemtodown-
loadtheproduct.Incaseofphysicaldelivery,theproductissentonaCDorDVD
tothecustomer.hedaterelevantforrevenuerecognitiondependsonthetermsof
thecontractortheGeneralTermsandConditions.Proofofdeliveryisrequiredfor
eachlicenseagreement.
Toguaranteethatsuicientinternalcontrolsareinplace,eachlocalsubsidiary
musthaveasigningpolicyandapprovalprocedures.hesigningpolicyshouldbe
basedonthedualcontrolprincipleandprovideappropriatedelegationofauthority
arrangements. During the audit of the license agreements, compliance with the
signing policy must also be assessed. he current signing policy should be re-
quested,checked,andiledamongtheworkingpapers.
heSAPsystemshouldcontainall informationaboutproductsandpayment
termsasagreedinthecontract.herefore,theauditorsmusttestwhethertheinfor-
mationintheSAPsystemhasbeenenteredcorrectly.Incorrectentriesandpostings
couldleadtoimproperinvoicingandincorrectrevenuerecognition.
According toUS-GAAP, revenue fromsotware salescanonlybe recognized
whenallofthefollowingcriteriaaremet:
• Persuasiveevidenceofanarrangementexists.
• Deliveryofthesotwarehasoccurred.
• hefeeisixedordeterminable.
• Collectibilityisprobable.
Ifoneormorecriteriaarenotmet,revenuemustnotberecognized(seeSectionC,
Chapter3.5).hemaingoaloftheieldworkistoensurethatallcriteriaweremet
atthetimeofrevenuerecognition.Inthefollowing,theabovecriteriaarebriely
discussed.
AuditexecutionAuditexecution
ArchivingArchiving
PricingPricing
electronicorPhysicaldelivery
electronicorPhysicaldelivery
signingPolicysigningPolicy
entriesinthesAPsystem
entriesinthesAPsystem
RevenueRecognitionCriteria
RevenueRecognitionCriteria
371
here is evidence that an arrangement exists with a customer: A contract is
availableandsignedbybothpartiesbeforerevenuerecognition(contractsigning
dateisdecisivecriterion).
SAPmusthavedeliveredthesotwarephysicallyorelectronically,andthesot-
waremustbeinfunctioningorder.Writtenproofofdeliveryisneeded.
Atthetimeofdelivery,thepricemustbeixedordeterminable,andcollectibility
mustbeprobable.Todeterminecollectibility,thepaymenthistoryofthecustomer,
payment terms, cancellationprivileges, acceptanceprovisionetc. shouldbeana-
lyzed.
IfSAPsellsacombinationofdiferentproductsandservicestoitscustomers
underoneormorecontracts,thismayconstituteamultipleelementarrangement,
whichmayhaveanefectonrevenuerecognition.Duringeverylicenseaudit,the
existence of a multiple element arrangement and its impact should therefore be
reviewed(seeSectionC,Chapter5.2.3).
HinTsAndTiPs ;
• Auditorsshouldtrytocollectandanalyzeallpossible informationbeforethe
auditieldworkbegins.
• AuditorsshouldusetheITsystemsavailableandclarifyallunclear issuesdi-
rectlywiththecorporatedepartments.hiswillsavetimeduringieldwork.
LinKsAndReFeRenCes e
• JARnAGIn,B.D.2007.US Master GAAP Guide.Riverwoods,IL:CCH,Inc.
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing. 5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
• SOP81-1:AccountingforPerformanceofConstruction-TypeandCertainProduction-
TypeContracts.
• SOP97-2:SotwareRevenueRecognition.
• SOP98-9:ModiicationofSOP97-2,SotwareRevenueRecognition,WithRespect to
CertainTransactions.
evidenceofArrangementwithCustomer
evidenceofArrangementwithCustomer
deliveryMadedeliveryMade
PriceFixedandCollectibilityProbablePriceFixedandCollectibilityProbable
MultipleelementArrangementsMultipleelementArrangements
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
LicenseAudits
C|5|5.3
372
5.4 ManagementProcessAudits
5.4.1 BasicsofManagementProcessAudits
KeyPoinTs •••
• A management process audit is the evaluation of individual management-
relatedprocessesandtheassociatedmanagementskills.
• Amanagementprocessauditprovidesimportantorganization-relatedinforma-
tionthatcanbeusedasabasisforprocessoptimizationandanassociatedincrease
ineiciency.
• hefocusofmanagementprocessauditsisonprocesses,controls,compliance,
andriskmanagement.
• Managementprocessauditsshouldnotbeusedtoassessthemanager’sperson-
alityorindividualbehavior.
• Suchauditscanbeconductedindependently,orasadditionalauditcomponents
inordertotestmanagement-relevantprocessesindetailwheneverrequired.
ManagementprocessauditsarearelativelynewauditieldforInternalAuditand
are increasingly incorporated intoInternalAudit’sactivitiesatSAP.herequire-
mentsthatSOXplacesonmanagementhaveincreasedtheimportanceofperforming
theseaudits(fordetails,seeSectionC,Chapter8;SectionD,Chapter14).
Amanagementprocessauditevaluatesindividualmanagement-relatedleader-
shipanddecisionprocessesandinternalcontrols,aswellasthemanagementskills
thatarenecessaryduringtheseprocesses.Inadditiontoclassicriskevaluationsand
theresultingsupportinminimizingrisk,thecoretasksinthisauditieldinclude
advisingmanagementaboutuntappedsuccesspotentialinthecompany.
hroughoutSAP,thehumanresourcesdepartmentisresponsibleforassessing
individualperformanceandpersonalmanagement skills aspartofmanagement
evaluation.AuditsconductedbyInternalAuditconsequentlydonotfocusonthe
managerorthemanager’spersonality,butontheapplicationandimplementation
ofthemanagementprocessesandcontrolsrepresentedbythemanager.heseaudits
are referred toas “managementprocessaudits” tomake thedistinctionclear. In
combination with the performance evaluation conducted by Human Resources,
theycanproduceacompletepictureofamanager’ssuccessfactors(seeSectionA,
Chapter6.2.2).
Inpractice,themanagers(i.e.,theauditees)arelikelytoopposemanagement
processaudits.Atleastsomeofthisoppositioncanbeavoidedbyconsistentlyrefer-
ringtoanddesigningtheauditasamanagementprocessaudit.InternalAudituses
themethodsgenerallyapplicableforallauditstofacilitateconstructivecooperation
with the auditee (see Section C, Chapter 5.4.2) and to ensure that objectivity is
maintained.Itismoreoverimportanttodistinguishbetween,
• auditdocumentsthatrelateexclusivelytoprocesses,controls,andrisks,and
newAuditFieldnewAuditField
deinitiondeinition
distinctionfromManagementAppraisal
distinctionfromManagementAppraisal
AcceptanceAcceptance
373
• documentsthatpermitdrawingconclusionsaboutthemanager’spersonalcon-
ductandqualities.
Intheformercase,documentscanbetreatedaccordingtoInternalAudit’sgeneral
reportingprinciples,butdocumentsinthelattercasearesubjecttospecialconi-
dentialityrequirements.
Managementprocessauditshavethefollowingobjectives:
• providingimportantinformationoncompanyorganizationasabasisforstrate-
gicdecisions,
• ensuringcompliancewithlaws,e.g.,SOX,andwithSAP-internalguidelinesand
principles,e.g.,codeofbusinessconduct,
• testingtheefectivenessandproitabilityofmanagementprocesses inday-to-
dayoperations,
• supportingmanagementtoimprovemanagementprocessesbyidentifyingim-
provementpotentialin:
– businessprocessesandtheirimplementation,
– managementskills,
• providingoperationalsupporttostrategicdepartments,suchasHR,orMan-
agementAccounting,ifnecessary,
• supportingcommunicationandinformationlowsinglobalandvirtualteams
bytestingstandardinformationexchangeprocesses,and
• presenting ratio-based analysis for reporting on management process audits
(performanceindicators,balancedscorecardpresentations,etc.)andformak-
ingtheresultscomparable.
herearediferentreasonsforintroducingandimplementingmanagementprocess
audits, depending on those involved and the groups at which they are targeted.
FromInternalAudit’sperspective,auditingmanagementprocesses,includingman-
agement’sinvolvementininternalcontrolprocesses,isbecomingincreasinglyim-
portant.Inaddition,actssuchasSOXortheprovisionsoftheGermanStockCor-
porationAct(seeSectionA,Chapter1.3)havehadadecisiveimpactonthecontrol
andriskmonitoringfunction,thusmakingitnecessarytoincorporatemanagement
processauditsintoInternalAudit’swork.Managementprocessauditsprovidethe
Boardwithamoredetailedoverviewofdepartmentsbyshowinghowleadership
processesarebeingusedtoimplementexistingguidelinesbasedonexternalregula-
tions.Atthesametime,theyalsomaphowtheseleadershipanddecisionprocesses
inluenceandguaranteetheresultsofday-to-daybusinessoperationsintermsof
qualityandquantity.Anotherrelatedaspectisthatthiskindofauditshowswhether
therulesapplicabletobusinessactivitiesexistonlyonpaperorwhethertheyare
actuallyimplementedinpractice.Managementprocessauditsprovidesupportto
managerswith regard toprocessoptimization,because InternalAudithighlights
criticalprocessesintheirareasofresponsibility.Insummary,themotivationofthe
mainpartiesinvolvedinmanagementprocessauditscanbeshownasfollows:
objectivesobjectives
MotivationofThoseinvolvedMotivationofThoseinvolved
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
ManagementProcessAudits
C|5|5.4
374
Fig. 19 MotivationofPartiesInvolvedinManagementProcessAudits
Management process audits focus primarily on compliance and on eiciency
achieved by implementing best practice processes. he result of a management
process audit is the identiication of improvement potential and support of any
restructuringmeasures,ifrequired.heareastobeinvestigatedincludeprocesses,
controls,andriskmanagement.Foramoredetailedassessment,theauditorsmust
considerthatmanagementresultsaredrivenbythefollowingthreecomponents:
• performanceofeachmanager,
• cooperationandperformanceinthemanagementteam,and
• functioningmanagementprocessesintheorganization.
Amanagementprocessauditshouldthereforetesttherobustnessofallthreecom-
ponentsandexaminehowtheyinteractwitheachother.hetransitionsbetween
theauditedfunctionsandprocessesareblurred,whichiswhyInternalAuditand
HRputdiferentemphasisonthemintheircoverage.
ItisalsoimportanttocoordinateactivitieswithRiskManagement,withclose
cooperationbeingakeyrequirement,especiallyatertheaudit.Possiblerisksiden-
tiiedduringamanagementprocessauditmustbereportedtoRiskManagement.
Cooperationshouldalsogotheotherway,thatis,RiskManagementshouldinform
InternalAuditofunitsinthecompanythatareparticularlyexposedtorisk.
SOXauditsareconductedbyadedicatedSOXteam,andagaincloseconnec-
tionsandahighdegreeofoverlapmakeitimportantforbothgroupstoagreeon
FocusofManagementProcessAudits
FocusofManagementProcessAudits
RiskManagementRiskManagement
soXsoX
375
ajointprocedure.SOXregulationsgiverisetospeciicrequirementsforallstrategic
andoperationallevelsofmanagement(managementcontrols,controlsoverman-
agement).Eachmanagerisresponsibleforensuringthatallprocessesandcontrols
applicableinhisorherunitarefullydocumentedandimplemented,includingany
changestotheprocessesorcontrols.Fromthisbasicresponsibilityderivestheob-
ligationtoprovidethecontrolbodies,asdeinedbySOX,withadequateevidence
thattheprocessesexistandthenecessaryinternalcontrolsareworking(fordetails,
seeSectionC,Chapter8;SectionD,Chapter14).InternalAuditcantestgeneral
compliancewithSOX-relatedmanagementresponsibilities,eitheraspartofSOXor
management process audits. At SAP, testing management controls is an integral
partofSOXwork.
he audit is based on the relevant Core Scope for management audits. Since
managementprocessesmakeupthemainobjectoftheaudit,appropriateprocess
descriptionsmustbeinplacewhichcanbeusedtospecifytargetsfortheaudit.If
therelevantdescriptionsarenotavailable,theauditresultsmayincludearecom-
mendationtocreatesuchdescriptions.Itmustbepossibletorelatetorecommen-
dationsthatarebasedonexperienceandgeneralapplication.Forexample,onthe
basis of practical working experience, a suggestion to hold regular coordination
meetingstoimprovecommunicationcouldmakesenseeveniftherewasnohard
andfastruletothatefectinthepast.
Amanagementprocessauditcaneitherbescheduledasaregulareventorcon-
ductedasanad-hocaudittosupportdecisionindingifmanagementquicklyneeds
anobjectivepresentationofthemanagement-relevantprocessesofadepartment.
Amanagementprocessauditcanbeorganizedasaseparateindependentaudit,but
itcanalsobeaddedasacomponenttodepartmentorlocalsubsidiaryaudits(see
SectionC,Chapter5.1).hisrequirescloseconsultationandcoordination in the
relevant audit team and inclusion in the work program. he advantage is that
strategicandoperationalareasof investigationarespeciicallydividedintoman-
agementprocessesandday-to-daybusiness,andthatInternalAudit’sperceptionby
managementwillbeincreased.
HinTsAndTiPs ;
• Inamanagementprocessaudit,auditorsshouldirstgetaclearideaaboutthe
roleofthemanagerresponsible.
• Duringtheaudit,auditorsshouldinteractwiththeresponsiblemanagerscon-
structively.
LinKsAndReFeRenCes e
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing. 5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
AuditobjectivesAuditobjectives
eventTriggeringtheAuditeventTriggeringtheAudit
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
ManagementProcessAudits
C|5|5.4
376
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• U.S.COnGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.WashingtonDC:GovernmentPrintingOice.
5.4.2 AuditPreparationandExecution
KeyPoinTs •••
• he relevant Key Scopes and the resulting work program form the basis for
managementprocessaudits.
• Predeinedquestionnaires,whichcanbecompletedbythemanagerbeingau-
ditedforpreparationpurposes,increasetheeiciencyoftheaudit.
• Afolderwithinformationonthemanagementprocessauditisprovidedtothe
managerbeingauditedattheopeningmeeting.
• In management process audits, Internal Audit cooperates closely with other
units,suchastheHRdepartment,thusagreatdealofcoordinationisrequired.
• Managementprocessauditsaimatprovidingsupportfortheauditedmanager.
Amanagementprocessauditshouldproduceforward-lookingresultsthatsupport
managementonissuessuchasillingafuturevacancyoridentifyingpotentialfor
improvementinanexistingposition.Ingeneral,therearethreelevelsofmanage-
ment:
• managerswhomanageemployees,
• managerswhomanagemanagers,and
• managerswhomanageorganizations.
Although in principle, these diferent management categories are subject to the
samequalityofmanagementanddecisionprocesses,therearequantitativedifer-
enceswithregardtothelevelofdetailandresponsibilityattachedtotheindividual
managementfunctions,e.g.,thesizeoftheareamanaged.However,therearealso
managementfunctionsthatexistexclusivelywithinaspeciicmanagementlevel,e.g.
managingtheoverallinformationstrategyinthemanagementoforganizations.
An importantstep is todeine theextentof the testing foreachof theabove
managementcategories.Usingthelistofauditsegmentsrelevantforthisauditield,
InternalAuditcanmakeaqualitativeandquantitativeselectionforeachmanage-
mentlevel.heCoreScopeformanagementprocessauditsincludesthefollowing
KeyScopes:
• Budget/Proitability,
• CostManagement,
• ApprovalProcedures,
• MethodsandMethodKnowledge,
ManagementCategoriesManagementCategories
BreakdownofCorescope
BreakdownofCorescope
377
• Communication,
• ManagementDevelopment,
• Crisis/EmergencyManagement,
• TargetAchievement,
• PerformanceManagement,
• HumanResourcesProcessManagement,and
• CompensationManagement.
GIAShascompiledastandardworkprogramonthebasisoftheCoreScopefor
managementprocessaudits.hisprogramcanbeadaptedtospeciicrequirements
andformsthebasisofeachauditconducted.hemanagementprocessauditalso
follows internal principles and guidelines as well as external (legal) regulations,
suchasKonTraGorSOX.heauditshouldbereferencedagainstdesiredcriteria
suchasthosedetailedinspeciiccorporateguidelines.hesearesetfortherelevant
operating departments and contain processes relevant to the departments and
management-speciicfunctionsoraspectsimpactingthem.Forexample,theprod-
uctlifecycleortheproductinnovationcyclewouldapplytodevelopmentdepart-
ments,andthecustomerbusinesscyclewouldapplytoSales.Managementprograms
suchas“GlobalManagement&Leadership”or“ManagementExcellence”andthe
“SAPCodeofBusinessConduct”(businessprinciplesforemployees)havegeneral
validity.
Sincemanagementprocess auditsmustbeas eicientaspossible inorder to
makebestuseofmanagers’limitedavailability,InternalAuditatSAPhascreated
predeined question catalogs to complement the work program (see Section B,
Chapter 4.1.3.1). hese catalogs allow auditors to work quickly toward their
objectivesandgivemanagersanopportunitytogetadvanceinformationoncertain
topicsandtostructuretheirresponse.
Inaddition,InternalAudithaspreparedaninformationfolderformanagement
processaudits,whichprovidesanoverviewof InternalAuditandhowtheaudit
processworks.ItincludesInternalAudit’scharterandinformationonpossibleben-
eitstheauditmaydeliver.hisdocumentationisintendedtominimizeanyresis-
tanceandfacilitatetheauditfortheauditteam.Ingeneral,goodauditpreparation
andeicientproceduresduringexecutionwillgoa longwaytowardeliminating
reservationsaboutandresistancetoamanagementprocessaudit.hemanagement
process audit information folder is handed to the manager being audited at the
openingmeeting.
hedocumentsandprocessestobeauditedareotenofastrategicnature,and
auditorsthereforeneedageneralunderstandingofthedataandinformationthey
receive.Forexample,toassessperformanceindicatorsorabalancedscorecardsys-
tem,auditorsmustbeawareoftheframeworkunderwhichsuchsystemshavebeen
deined.Individualobjectivesshoulddovetailintotheoverallcorporateobjectives,
andthetargetsandobjectivesofabalancedscorecardmustfollowadeinedmethod
WorkProgramWorkProgram
PredeinedQuestionCatalogsPredeinedQuestionCatalogs
informationFolderinformationFolder
documentandProcessTestingdocumentandProcessTesting
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
ManagementProcessAudits
C|5|5.4
378
againstwhichtheycanbetested.Furtherinformationmaybefoundintheminutes
ofmeetings,internalmemos,orindepartmentdirectories,whichcanprovidede-
tailsoftheinformationlowinadepartment.
Managementknowledgeandskillsintheapplicationofguidelinesandmeth-
odsare also investigated in theaudit.For example, sotwaredevelopmentmust
baseitsoperationsontheproductinnovationcycleprocessandprovideevidence
thatithasintroducedandimplementedthisprocess.hesalesandconsultingor-
ganizationmustimplementanddocumenttheirtasksonthebasisofthecustomer
businesscycle.InternalAudittestsinrelationtothediferentrequirementswhether
there isevidence that theguidelineshavebeen implemented.At theBoardand
strategic management level, processes such as compliance with internal control
managementorcontingencyplansareaudit-relevant.SOX-relevantprocesses(e.g.
controlsovermanagement)areauditedwiththesupportoftheSOXteam(seeSec-
tionC,Chapter8).
Anotherareatobetestedisthemanager’sknowledgeanduseofgenerallyap-
plicableandSAP-speciicmanagementpractices.hesetypesoftestsareintended
to establish whether information is exchanged regularly with the diferent levels
andwhethertheinformationistailoredtoitsrecipients.Auditorsmustseekoutthis
information,whichisotenqualitative,andmakeanappropriateassessment.Akey
prerequisiteforthemtobeabletodosoisthattheyhavesoundknowledgeofthe
department’sprocesses.
Since it isnotalwayspossible todistinguishclearlybetweenpersonal factors
and the implementation of performance-critical management processes, there is
aneedtocoordinatetheresultsofthemanagementprocessauditwithHumanRe-
sources.Likewise,HumanResources’evaluationofmanagersmayprovideuseful
informationforamanagementprocessaudit.However,InternalAuditinvariably
focuses on the relevant processes, although they may also have an efect on the
manager’sordepartment’sperformance.
hecommunicationandassessmentoftheieldworkresultsshouldpredomi-
nantlybemadewiththeaimofprovidingsupportforthemanager.heseresults,
which are highly conidential, are intended to identify weak points, but also
strengths,inthemanager’sareaofresponsibility.heresultsofmanagementpro-
cessauditswillonlyidentifyseriousweaknessesiftheauditorsindthattheman-
agerhasclearlycircumventedguidelines. If that is thecase, InternalAuditmust
followtherulesandalsoreporttheauditresulttotheBoard.
Generally,feedbackfromamanagementprocessauditshouldalsoberegarded
aspossiblesupportfromanindependentbody,whichteststherelevantprocesses
objectivelyanddrawsconclusionsaboutanyoptimizationpotential.hiseiciency-
enhancingefectshouldbeacknowledgedduringtheclosingmeetingandinthe
reportsthatfollow,butgenerallytheauditorsshouldnotleavethefeedbackuntil
the end of the audit, instead they should keep the manager informed about the
statusofindings.Althoughthiskindofinteractiontakesmoretime,itfacilitates
cooperationbecauseauditorsalsomustrelyonthemanager’swillingnesstoshare
information.
UseofGuidelinesandMethods
UseofGuidelinesandMethods
ManagementProceduresandKnowledge
ManagementProceduresandKnowledge
ManagementPerformance
ManagementPerformance
AuditResultAuditResult
FeedbackFeedback
379
HinTsAndTiPs ;
• Whereverpossible,experiencedauditorsshouldbeselectedtoconductmanage-
mentprocessaudits.
• Ahead of the audit, auditors can also obtain personal information about the
managerssothattheycanpreparethemselvesfortheirdealingswiththem.
LinKsAndReFeRenCes e
• SEARS,B.2002.Internal Auditing Manual.newYork,nY:Warren,Gorham&Lamont.
• SAWYER,L.B.,M.A.DITTEnHOFERAnDJ.H.SCHEInER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
ExamplesfromAuditPracticeatSAP
CombinedAuditTopics
ManagementProcessAudits
C|5|5.4
380
6 BusinessReview
KeyPoints •••
• hebusinessreviewisnotoneofInternalAudit’straditionalaudittasks.
• Projectswithcustomers(consultingordevelopment)orothermattersarising
from SAP’s relations with customers or partners may be examined during a
businessreview.
• hereviewfocusmaydifer,dependingonthecircumstancesandthespeciic
request. Its focus may be one of the following: Pure implementation perfor-
mance,contractualandinancialaspects,orthenatureanddesignofbusiness
relations.
• Abusiness reviewnormally involves several roundsofmeetingsbetween the
customerand the relevantmanagementatSAP,where the current status, in-
terimresults,proposals,andactionsarediscussed.
• Finally,areportiscreatedfortheBoardmemberinchargeandforthecustomer,
explainingthemattersidentiiedandtheactionproposalsdiscussed.
hebusinessreviewisnotoneofthetraditionalaudittasksofInternalAudit(for
thedistinctionbetweenauditandreview,seeSectionA,Chapter6.2.7).AtSAP,
this special, innovative formof reviewhas itsorigins inday-to-dayauditwork.
Projectswithcustomers(consultingordevelopment)orothermattersarisingfrom
SAP’srelationswithcustomersorpartnersmaybetheobjectsofabusinessreview.
Dependingonthecomplexityoftherequest,areviewofthiskindcantakeseveral
weeks.hischapterdealswithconductingbusinessreviewsinpractice(fordetails
onbusinessaudits,seeSectionA,Chapter6.2.7).Aboveall,abusinessreviewex-
aminesanas-is(current)situation.hereviewinvolvesfewerieldworkactivities
thananauditandfocusesmoreonconclusionsordratingsolutionsjointlywith
colleaguesfromotherdepartmentsinordertoachieveanimprovementofthesitu-
ation. In this regard, reviews help prevent escalations, especially since they are
conductedbyInternalAuditandarethusintendedasinterventionbytheBoard
withafocusonde-escalation(formoreonescalation,seeSectionD,Chapter6).
Businessreviewsarenormallyrequestedad-hocandthereforenotincludedin
theannualauditplan(seeSectionB,Chapter2.2).Inthiscase,InternalAuditre-
ceivesarequest,forexample,fromtheCEOtoinvestigatecertainaspectsofday-to-
daybusiness.
Preparationdifers,dependingonthecircumstancesandthespeciicrequest.
Forexample,thereviewofacustomerconsultingprojectforpuresotwareimple-
mentationrequiresdiferentpreparationfromareviewofcontractualorinancial
aspectsofbusinessrelations.Oten,itisnoteasytokeepthesemattersseparate,but
areviewrequestmayresultindiferentemphases.
Irrespectiveofthetypeofrequestandtheresultingemphasisduringthereview,
InternalAuditconsultswithrelevantcolleaguesinthecustomersupport(sales)and
BusinessReviewasaspecialFormofReview
BusinessReviewasaspecialFormofReview
RequestRequest
PreparationPreparation
supportProvidedbyothersAPDepartments
supportProvidedbyothersAPDepartments
Examples from Audit Practice at SAP
Business ReviewC|6
381
consultingdepartments.herelevantcustomersupportoicerinsalesisresponsible
foransweringinquiriesonallcustomermattersandthegeneralbusinessrelation-
ship with the customer. For a consulting project, Internal Audit’s contacts may
includetheheadofconsultingandthelocalprojectmanager,andforadevelopment
projectthecontactwillbetherespectiveprojectmanagerfromthedevelopment
unit.Fromageneralperspective,CorporateRiskManagementisalsoanimportant
contact.
Further informationonthecustomerandtheprojectorsituationconcerned,
suchascustomermasterdata,licenserevenue,consultingrevenue,paymentbehav-
ior,etc.,canberetrievedfromtheSAPsystem.
Ifthereviewfocusesonsotwareimplementation,InternalAuditshouldcon-
siderincorporatingintotheauditteamconsultingcolleagueswhoarefamiliarwith
implementingthespeciicSAPsystemcomponents(e.g.,inanceandpurchasing).
heseconsultantscanprovide InternalAuditwith technical support throughout
thereview.Insuchcases,InternalAuditassumescontrolandcoordinationofthe
technicalprojectreview.Inaddition,InternalAuditinvestigatescontractual,legal,
andinancialaspectsoftheproject.
Forareviewfocusingoncontractualandinancialaspects,InternalAuditirst
examinesthecontractswiththecustomerconcernedforexistingobligationsand
performsadetailedanalysisoftheinancialprojectdatafromtheSAPsystem.
Iftherequestasksforthereviewtofocusoncustomerandbusinessrelations,
theauditorswillalsoneedtogatheravarietyofinformationaheadofthereview,
e.g.,on the sectorof industry, sizeof thecustomer, the relevantcontacts,or the
qualityofthecustomerrelationship.hisinformationcanbeobtainedbyconduct-
inginterviewswiththerelevantcustomersupportoicer,theheadofconsulting,or
theprojectmanager,andbyanalyzingthelegalandinancialdatacontainedinthe
contractdocumentsandtheSAPsystem.
UseofthesAPsystemsUseofthesAPsystems
implementationReviewimplementationReview
ReviewofContractualandFinancialAspectsReviewofContractualandFinancialAspects
ReviewofBusinessRelationshipReviewofBusinessRelationship
382
hefollowingtableshowsotherpartiesthatmaybeinvolvedinabusinessre-
viewandtheirresponsibilities,dependingontherequestandcircumstances:
Fig. 20 Responsibilities of Parties Involved in a Business Review
Onthebasisofthepre-reviewpreparations,auditorsanalyzespeciicmatterson
site.Atthisstage,thefocusisalsooncontactwiththecustomer.Indiscussionswith
thecustomer,InternalAuditinvestigatesandanalyzesthecircumstancesandsitua-
tion on site. his entails various interviews with the project manager and the
customer’sprojectteamandalsowithmembersoftheSAPprojectteam.Diferent
solutionproposalsarepreparedonthebasisoftheinformationobtained.
otherinvolvedPartiesotherinvolvedParties
AspectsandProceduresAspectsandProcedures
Alloca-
tion of
roles &
responsi-
bilities
Board Internal
Audit
Sales/
account
manage-
ment
Active
global
support
Global
Risk
Manage-
ment
Review
program
Legal &
Contract
depart-
ment
Compli-
ance
O�ce
Customer
account
manage-
ment
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
nono
nono
Coordi-
nation
of service
delivery
Partner
manage-
ment
Risk
manage-
ment
Commer-
cial issue
resolution
Technical
issue
resolution
Code of
Business
Conduct
issues
yesyes
yesyes
yesyes
yes
yes
yes
no no
no
no
no
no
no
no
no
no yes
yes
yesyes
yesyes
yesyes
yesyes
yes
Examples from Audit Practice at SAP
Business ReviewC|6
383
Not leastbecauseof thedirect contactwithcustomers, abusiness reviewre-
quiresthatthewholeteamandtheindividualInternalAuditemployeesapproach
thematterwiththenecessarydiplomacyandsensitivity.InternalAudit’staskisto
dratasolutionfromaneutral,objective,andimpartialpointofview,ortosupport
andcontrolthedevelopmentofasolutionbasedontheinsightsgainedfromthe
reviewandtocommunicatetheresultsachieved.hedratedsolutionmustsatisfy
allpartiesinvolved,meetingtheirneedsandensuringthattheprojectobjectiveis
achieved.
Indetail,abusinessreviewconsistsofthefollowingsteps:
• Analysisofthelegalsituation/contractanalysis:
■ helegalsituationandbasisareanalyzedandpotentialrisksandobligations
highlighted.
■ hestatusquooftheprojectisreviewedonthisbasis.
• Analysisoftheinancialsituation/projectanalysisandcosting:
■ projectcosting,
■ comparisonofcurrentconditionanddesiredcriteria,
■ comparisonoftheperformanceagreedandperformancedelivered,and
■ attainmentofmilestonesandappropriateevidence.
• Analysis of the technical project status (if necessary with support from col-
leaguesfromConsultingorotherareas):
■ InternalAuditselectsateamwithknowledgeoftherelevantsotwareappli-
cations.
■ histeamexaminesonsite thecurrent implementationstatus in termsof
projectfulillmentandquality.
• Analysis of the customer-project relationship on the basis of interviews and
discussions with project managers and project team members, as well as the
customer.
AtthemeetingsbetweenInternalAuditandthecustomer,thecurrentsituationis
discussedandthecustomer’sopinionisestablished.hecustomer’ssuggestionsfor
improvement,complaints,requests,andcriticismregardingtheexistingbusiness
relationshiparecollectedandexaminedforpossibleimplementation.heresultsof
thesemeetingsareincludedinthebusinessreviewreportstothemanagersrespon-
sibleatSAP,includingtheBoard.
hereportsonthistypeofreviewusuallydiferfromInternalAudit’sregular
reporting(seeSectionB,Chapter5).Abusinessreviewnormallyinvolvesseveral
roundsofmeetingswiththecustomerandtherelevantmanagementatSAP,where
thecurrent status, interimresults,proposals, andpossible actionsarediscussed.
Finally,areportiscreatedfortheBoardmemberresponsibleandforthecustomer,
explainingthemattersidentiiedandtheactionproposalsdiscussed.Diferentre-
portformatscanbeused,dependingoncircumstances(formoreonthepossible
reportformats,seeSectionB,Chapter5).
RequirementsforinternalAuditemployees
RequirementsforinternalAuditemployees
ReviewstepsinDetailReviewstepsinDetail
informationProvidedbytheCustomerinformationProvidedbytheCustomer
ReportingReporting
384
7 GlobalAudits
KeyPoints •••
• Asthetrendtowardsglobalizationcontinues,InternalAuditmustrespondby
conductingglobalaudits.
• InternalAuditmustbeabletohandleglobaltopicsadequately,however,aspe-
cialprocessmodelforglobalauditsisnotnecessarilyneeded.
• Globalauditsentailgreatercoordinationandcommunicationeforts.
• Inglobalaudits,GIAScanuseitsstrengthswithregardtoglobalpresenceunder
centralizedmanagementwithdecentralizedoperations.
• Globalauditspresentspecialchallengesforeachauditor,whichcanhaveaposi-
tiveefectonhisorherpersonalcareerdevelopment.
SAPisaglobalcompanyinmanyrespects.SAPcurrentlyhascustomersinover120
countriesandoferssotwaresolutionsin31languages.Indeed,thereisworldwide
demandforSAPproductsandservices.Forthisreason,thecompanynowgener-
atesalargeproportionofitsrevenueincountriesoutsideEurope,particularlythe
UnitedStates.Further,theAsianmarketaswellascountrieslikeIndia,Russia,and
Brasilhavegainedconsiderablyinimportance.SAP’sshareholdersarealsointerna-
tional.Mostofthecompany’sindividualshareholdersarebasedintheUnitedStates.
Inaddition,SAP’sglobalorientationisrelectedintheinternationalcompositionof
its workforce. Approximately 40% of SAP’s employees are currently based in
Germany.heremaining60%aredistributedamongSAPsubsidiariesinover50
countries.
SomeofSAP’slocalsubsidiariesactfairlyindependently.Oten,itissensibleto
maintainlocalindependenceandcultureaspartoftheoverallcompanyorganiza-
tionsothatbusinessactivitiescanbetailoredtothemarketandcustomers.However,
the parent company must always be in a position to enforce necessary changes
globallyinordertoimplementglobalvalues,standards,andstrategicdecisionsin
allpartsofthecompany.hismeansthatglobalcompaniesmustbalancetheten-
sionbetweengloballyfocusedcorporatemanagementandstrategyandthespeciic
localrequirementsandcultures.
Internal Audit helps ensure that global companies can implement globally
mandatedstandardsintheirvariouslocations,withoutforsakinglocalneedsand
requirements.Inaddition,localstandardsandregulationsmayalsoafectaglobal
companyasawhole.Forexample,intheU.S.itiswidelyaccepted(andcurrently
protectedunderSOX806)thatemployeescanreportillegalorunethicalactivities
occurringwithintheirorganizationtotheappropriateauthorities.Asorganizations
becomeglobal,regionalpracticesandcustoms,suchaswhistleblowing,arebeing
widelyrecognizedthroughouttheorganization.
Inaddition,globalizationentailstheneedtoadaptquicklytochangeonaworld-
widescale.Itrefersnotonlytothepurelygeographicalspreadofacompanywith
globaloperations,whichrequirebusinessactivitiestobeconductedinallpartsof
sAPasaGlobalCompany
sAPasaGlobalCompany
tensionbetweenLocalandGlobalAspects
tensionbetweenLocalandGlobalAspects
supportforenforcingGlobalstandards
supportforenforcingGlobalstandards
supportfortheimplementationof
ManagementandControlFunctions
supportfortheimplementationof
ManagementandControlFunctions
Examples from Audit Practice at SAP
Global AuditsC|7
385
theworld,butalsotothegrowingtrendtowardoutsourcingandthevirtualization
ofbusinessrelationships.hisincludesnewbusinessandcompanymodels,which
poseanumberofdiferentdemandsontheorganization.Itisbecomingincreas-
inglydiiculttotellwhereacompanystartsandwhereitends.Duetoitsposition
inthecompany,InternalAuditcansupportexecutivemanagementinperforming
thenecessarymanagementandcontrolfunctions.
Ifacompanyhasaglobalorientation,InternalAuditalsomusthaveaglobal
structure.hisrequiresnotonlythatthedepartmenthaveaglobalpresence,but
alsothattheauditmethodcanadequatelycoverglobaltopics.However,thisdoes
notmeanthatthereshouldbeaspecialauditmodelfordealingwithglobaltopics.
Likeotheraudits,globalauditsincludeallthephasesoftheAuditRoadmap(fora
detaileddescription,seeSectionB).heyfollowthesametypology,i.e.,theycanbe
conductedasstandard,special,orad-hocaudits,andtheycanrunthroughtheen-
tireauditcycle,frombasicauditthroughstatuscheckandfollow-up.Nevertheless,
forglobalauditstobesuccessful,theyneedtohavespecialattributes,whichwillbe
discussedinmoredetailinthischapter.
Globalauditsrelatetoglobaltopics,issues,andprocesses.Whileinsomecases,
therelevantresponsibilitiesareclearlydeined,inmostglobalauditstheyarenot.
Undernormalcircumstances, InternalAudit is rarelyasked to investigateglobal
topics that have clearly assigned responsibilities and therefore high-quality pro-
cesses.Instead,itsservicesareusuallyrequiredforauditsofprocesseswhoseglobal
orientationcauseslocalandcentralcompetencestooverlap(e.g.,auditsoftherisk
managementfunction).
Atypicalscenarioofaglobalauditlooksataglobalbusinessunit,whichhasthe
solemandateforaglobalprocessbutinpracticemustrelyoninformalcooperation
withanumberofotherbusinessunits.Itisimportantthattheresponsibilityisgen-
uinelyglobal,i.e.,thesebusinessunitshavedirectreportinglinestotheirglobally
distributedemployees.heseemployeesthereforedonotreporttotheirlocalbusi-
nessunits,buttoaglobalmanagementunit.hisisthecase,forexample,wherethe
headoftheregionalpurchasingorganizationisdirectlyresponsibleforhisorher
region,butatthesametimereportsdirectlytotheheadofGlobalPurchasing.Many
centralbusinessunits,typicallytheadministrativeunitsoftheparentcompany,do
notmeet this criterion.Although suchunitsotencontrol centralprocessesand
have torelyonglobalcooperation, theyoperatewithoutassumingdirectopera-
tionalresponsibility.Day-to-daymanagementisthereforetheresponsibilityofthe
localunits.
Wheninvestigatingglobalaudittopics,InternalAuditshoulduselocalexpertise
whilemanagingtheauditscentrally.Forglobalaudits,theauditleadshouldbeap-
pointedfromtheregionthathasglobalresponsibilityfortheprocesstobeaudited.
Globalauditteamsconsistofmembersfromdiferentregionsandotenworkonan
auditprojectmainlyonavirtualbasisundercentralmanagement(seeSectionA,
Chapter4.4).Inthisway,InternalAuditoperatestrulyglobally,combiningitscen-
tralauditmodelundercentral supervisionwithregionalexpertise so that it can
investigateglobaltopicsproperly.
embeddingGlobalAuditsininternalAudit’sorganization
embeddingGlobalAuditsininternalAudit’sorganization
specialAttributesofGlobalAuditsspecialAttributesofGlobalAudits
GlobalAuditsintheCaseofWorldwideResponsibilities
GlobalAuditsintheCaseofWorldwideResponsibilities
GlobalApproachofinternalAuditGlobalApproachofinternalAudit
386
hisglobalapproachnotonlyhelpstheimmediateauditprocess,butInternal
Auditalsobeneitsasadepartment.GlobalauditteamshelpInternalAuditemploy-
eesbondandexchangepractice-basedexperienceofauditmethodsandprocedures.
Inaddition,globalauditspresentdemandingchallenges,whichprovidetheaudi-
torstheopportunitytogainspeciicexperience.hesuccessfulcompletionofaglobal
audit is thereforean important step inanauditor’spersonalcareerdevelopment
(seeSectionA,Chapter4.6).
Sinceglobalauditsareofgreatimportanceinternallyandexternally,theCAE
shouldbedirectlyinvolvedinconductingtheaudit,e.g.,byappointingtheaudit
leadpersonallyandaskingforregularauditprogressreports.
GlobalauditsfollowthegeneralprocessmodeloftheAuditRoadmap.However,
theabovespecialaspectsandthecomplexityofsuchauditsentailthateachphase
meetspecialrequirements,asexplainedbelow.
Globalauditsareconductedbyglobalauditteams.hismeansthattheregional
andglobalstaingplansmustbecloselycoordinated(seeSectionD,Chapter3.4).
Intheirstinstance,thismeansthatallteammembersmustrecognizethattheaudit
istrulyglobalandthereforemustbedesignatedandtreatedassuch.Globalaudits
aretime-consuming,notleastbecausetheytypicallyrelatetomorecomplexissues
thanlocalorregionalaudits.Moreover,theyrequiregreatercommunicationand
coordinationeforts(e.g.,acentralizedreconciledissue-logging),suchthatInternal
Auditshouldallowmoretimefortheplanningphaseofsuchaudits.Sincetheaudit
leadwillthereforeberequiredtoperformadditionalcommunicationandcoordi-
nationtasks,thisshouldbetakenintoconsiderationwhencompilingtheregional
executionplan.
Audit preparation (see Section B, Chapter 3) mainly includes the audit an-
nouncementandthecompilationofaworkprogram.Forglobalaudits,deiningthe
extentoftheengagementisofparticularimportance.Globaltopicstendtobemore
difuseandlessstraightforwardandnormallyafectseveralbusinessunitsandre-
sponsibilities.Itisthereforeessentialthatallauditorsinvolvedhaveathoroughand
completeunderstandingofthematter.hisisnecessaryfordeiningthefocusareas
for the audit. Audit leads must therefore be given an opportunity to familiarize
themselveswiththetopicbeforedistributingtheauditannouncement,whichin-
cludesaninitiallistoffocusareasfortheaudit.
Ifpossible,themembersoftheglobalauditteamshouldhaveanopportunityto
meetinpersonatapreparatoryconference.hismeetingcanbeusedtoadddetail
toaudittopicdeinitionsandtoine-tunetheworkprogramaspartofagenuinely
collaborativeprocess.heinvestigationofglobalissuesinparticularrequiresthe
useofdiferentexperiences,views,andskills.Inthiscontext,itisimportanttoen-
surethatauditorsareawareofallrelevantglobalguidelines.Butthemeetingshould
alsodealwithpracticalaspects,suchasspeciicstaingplans, theassignmentof
auditsegments,andthedeinitionandmandatingofmilestones.Otherpracticali-
ties include thecoordinationof itineraries, theauthorizationof ITaccess forall
auditorsinvolved,thecreationofasharedarchivingstructure,andagreementon
AdvantagesoftheGlobalApproach
AdvantagesoftheGlobalApproach
involvementoftheCAeinvolvementoftheCAe
specialAspectsWhenConductingGlobal
Audits
specialAspectsWhenConductingGlobal
Audits
AuditPlanningAuditPlanning
AuditPreparationAuditPreparation
CooperationoftheGlobalAuditteam
CooperationoftheGlobalAuditteam
Examples from Audit Practice at SAP
Global AuditsC|7
387
virtual cooperation (e.g., telephone and video conferencing). At the end of the
meeting, all audit team members must understand the contribution they must
makeinordertoturntheglobalauditintoasuccess.
hemembersoftheauditteamarenotaloneinneedingclear-cutagreementon
procedure.hisisalsoimportantfortheglobalunitsbeingaudited,whichiswhy
theauditleadshouldengagethemindialogatanearlystage.Informationaboutthe
organizationoftheauditmustbecommunicatedinastructuredandtimelyman-
ner. Cooperation between Internal Audit and the auditees is mostly of a virtual
nature,sothatclearlystructuredandunambiguouslyformulateddocuments,e.g.,
presentations,areanadvantagewhenexchanginginformation.
Whenconductingtheaudit(seeSectionB,Chapter4),auditleadshavetomake
surethattheworkprogramisstrictlyfollowed.heywillonlyhavelimitedoppor-
tunity for personal meetings to obtain certainty about the audit progress. It is
thereforeallthemoreimportantthateachauditorcomplieswiththeagreeddocu-
mentation requirements and immediately reports any delays or problems. he
membersoftheglobalauditteammaybebasedindiferenttimezones,whichmay
delaytheauditlead’sresponse.Notalltheteammemberswillbeabletocommunicate
intheirnativelanguage,sothatmisunderstandingsmayarisethatmustbecleared
up.Becauseoftheincreasedcommunicationandcoordinationrequirements,global
auditsneedagreatmeasureofdiligenceintheirexecutiontomakethemsuccess-
ful.
Withregardtoreporting,auditleadsmustmakesurethattheauditindingsare
consistentlyanduniformlydocumentedandmotivated(seeSectionB,Chapter5).
Inglobalauditsitisotendiiculttoindtherightaddresseesfortheindingsand
toidentifythepeopleresponsibleforresolvingthem.Auditleadsmustensurethat
theyaddressrecommendationstothosewhoaredirectlyresponsible.Itisalsotheir
dutytoconducttheclosingmeetingandpreparetheinalreport.hisalsoincludes
ensuringinternallyonaglobalbasisthattheauditdocumentsarecentrallyarchived
inastandardizedway.
hespecialaspectspresentedabovealsoapplytostatuschecksandfollow-ups
(seeSectionB,Chapter6)inconnectionwithglobaltopics.Inaddition,theaudi-
tors must remember that a global audit will require meeting with or contacting
anumberofpeopleresponsibleinvariouslocationstoobtaininformationabout
theimplementationoftheauditrecommendationsmade.
HintsAndtiPs ;
• Communicationisveryimportantinglobalaudits,i.e.,thereshouldbeanactive
exchangeofinformation.
• Eachauditorshouldpracticeusingvirtualworkingmethodsatanearlystage,
e.g.preparingforandconductingtelephoneconferences,netmeetings,etc.
• Membersofaglobalauditteammustbeverylexiblewithregardtotime,be-
causetheauditmayspanseveraltimezones.
CommunicationwiththeAuditeesCommunicationwiththeAuditees
AuditexecutionAuditexecution
ReportingReporting
Follow-UpPhaseFollow-UpPhase
388
LinKsAndReFeRenCes e
• CASCARINO,R.ANDS.vANESCH.2005.Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• REDING, K. F., P. J. SOBEL, U. L. ANDERSON, etal. 2007. Internal Assurance and
Consulting Services. AltamonteSprings,FL:heInstituteofInternalAuditors.
• SAWyER,L.B.,M.A.DITTENHOFERANDJ.H.SCHEINER.2003.Sawyer’s Internal
Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.Newyork,Ny:Warren,Gorham&Lamont.
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.WashingtonDC:GovernmentPrintingOice.
Examples from Audit Practice at SAP
SOX AuditsC | 8
389
8 SOX Audits
Key POintS •••
• herearethreetypesofSOXaudits:auditsoftheimplementationofSOXineach
ofthecompany’sunits,auditsofthequalityofSOXworkundertakenlocally,
andauditsofvariousSOX-relatedprocessgroups,processes,andcontrolsys-
tems.
• Preparation for a SOX audit for process groups is of crucial importance and
shouldincludethefollowingsteps:reviewoftheavailabledocumentationre-
gardingtheprocessestobeaudited,reviewoftheresultsofdesignassessments
andtestingprocedures,anddiscussionofissueswiththelocalSOXchampion
andthecentralSOXteam.
• heexecutionoftheSOXauditforprocessgroupsincludesreviewsofdesign
assessmenttests,controlefectivenesstests,andoftheexistinglowcharts.
• Auditorsmustensurethatthepopulationandanysampleshaveoriginatedin
thecurrentiscalyear.Samplestakenfromthepreviousyearcannotprovethat
thecontrolsareefectiveatthetimeoftheaudit.
• Auditorsmustdocumentthesamplingmethodsothattheauditcanbereper-
formed.
SOXauditsfocusonsection404oftheSarbanes-OxleyAct(ManagementAssess-
ment of Internal Controls). his section requires that management provide an
assessmentoftheefectivenessofinternalcontrolsaspartoftheannualinancial
reportingprocess.WithregardtosectionSOX404,therearethreepossibletypesof
auditthatInternalAuditmayperform(fordetails,seeSectionD,Chapter14):
• auditsoftheimplementationofSOX404inthecompany’sentities(localSOX
projectaudits),
• auditsofthequalityofSOX404measuresimplementedintheentities(focusing
oncompliancewiththeformalcriteriaandqualityassurancestandardsofthe
SOXprocess),and
• auditsofvariousSOX-relevantprocessgroups,processes,andcontrols in the
entities.
hischapterdealswiththethirdtypeofaudit:theauditofvariousSOX-relevant
processgroups.hisauditprecedestheexternalauditofthecompany’sinancial
statements. It should be conducted to ensure that all critical areas of individual
processgroupshavebeenidentiiedatthelocallevelandhavebeenproperlydocu-
mentedandassessed.hefollowingassumesthatacompanyhasaninternalcon-
trol frameworkbasedon theCOSOFramework (seeSectionA,Chapter 1.3and
SectionD,Chapter14.1.2).
heScopeofaSOXauditforprocessgroupsisclearlydeined.heauditrelates
onlytotheprocessgroupsidentiiedintheannual investigationasrelevantwith
regardtoSOX404.Speciically,theauditfocusesonthoseprocesseswhichafect
introductionintroduction
Procedures necessary for Audit PreparationProcedures necessary for Audit Preparation
390
theinancialreportingoftheorganization.heauditexaminestherequireddocu-
mentation,theassociatedcontrolobjectivesandrisksaswellastherelatedinancial
statement accounts related to those process groups. To prepare properly for the
audit,theauditteamshouldcompletethefollowingsteps:
• ContactthelocalSOXchampiontoobtainastatusupdateoftheprocessgroups
beingauditedand toensure that theprocessdocumentation isup-to-date. If
acentraltoolisusedforthispurpose(e.g.,atSAP,theinternalcontrolmanage-
menttool;seeSectionB,Chapter4.1.3.3),thedocumentationdoesnothaveto
bereviewedonsite,butcanbeaccessedinthesystempriortothestartofthe
audit.Ifthisisnotthecase,thelocalSOXchampionshouldprovidetheauditor
withelectroniccopiesofanyprocessgroupdocumentation.
• Reviewandunderstandtheprocessdocumentation,thepossiblerisks,andthe
inancialstatementaccountsfortheprocessgroupstobeaudited.
• Reviewthetestingresultsfordesignassessmentandcontrolefectivenessdocu-
mentedbythelocalSOXchampionfortheprocessgroupstobeaudited.his
mayonlybepossibleonsiteifnocentralizedtoolisinuse.
• Contactthecompany’scentralSOXteamtodiscussanyconcernsorissuesthey
mayhavewiththelocalentitybeingaudited.
• Preparetheprocessgrouptemplatesrequiredtocompletetheaudit.
• Preparetheopeningmeetingpresentation.
• Dividetheresponsibilitiesforthevarioustasksrequiredduringtheauditexecu-
tionphaseamongtheauditteammembers.
• ReviewpastInternalAuditreportsrelatingtothesamegroupofauditees.
Oncetheprocessgroupshavebeenselected,theauditorshouldreviewprocessand
controldescriptions tobecome familiarwith the localprocesses.he focushere
shouldbeonobtainingabasicunderstandingofwhatstepsaretakenaspartofthe
process and where the internal controls are located. A detailed analysis of the
processdocumentationwillbeperformedduringauditexecution(moredetailsbe-
low).
heauditorshouldalsocompleteapreliminaryreviewoftherisksassociated
withtheprocessgroupstobeaudited.Suchareviewisaimedatestablishingwhat
risksexistandhowsigniicanttheyare.hisgivestheauditoraninitialimpression
astowhethertheseriskshavebeenadequatelyaddressedwithintheprocess.
Areviewoftheinancialstatementaccountswillallowtheauditortodetermine
whichaccountsaresigniicantfortheprocessgroupstobeaudited.Anaccountis
signiicantifthereisaprobabilitythatitcontainsmisstatementsthatindividually,
orwhenaggregatedwithothers,couldhaveamaterialefectontheinancialstate-
ments.
heprocessandcontroldesignassessmentsandcontrolefectiveness testing
proceduresandresultsmustbedocumentedby the localmanagers responsible.
Priortoarrival,theauditorshouldanalyzetheproceduresandresultsdocumented
examination of the Process Documentation
examination of the Process Documentation
Preliminary Risk ReviewPreliminary Risk Review
Financial Statement Review
Financial Statement Review
Review of the Results Documented Locally
Review of the Results Documented Locally
Examples from Audit Practice at SAP
SOX AuditsC | 8
391
toensureconformitywithqualityassurancestandardssetbythecompany.Asec-
ondreasontoperformthisreviewbeforetheauditexecutionphaseistoobtainan
idea,inadvance,ofhowdetailedorhowplausibletheworkperformedlocallyis
and where there may be potential weaknesses that need extra focus during the
audit.
Oncethepreparatoryreviewiscompleted,theauditorshouldcompletethepro-
cess group templates. GIAS has prepared special spreadsheet templates for each
processgroup fordocumenting the following:designassessment, risks,inancial
statementaccounts,testingprocedures,testingissues,andtheassociatedindings.
Individualprocessandcontrolstepsshouldbecopiedtothetemplate,preliminary
questionsshouldbe formulatedconcerningtheprocessdescriptions,andtesting
proceduresshouldbedocumentedforthecontrolstobetested.
Aterpreparation,theauditexecutionphasebegins.Here,theauditorreviews
theproceduresalreadycarriedoutbytheSOXchampion.hismayincludethefol-
lowingsteps:
• detaileddeskreview,
• controlwalkthrough,
• reviewoftheindividualcontroldesigns,
• reviewoftheoverallprocessdesign,
• revieworre-performanceoftheinternalcontrolefectivenesstesting,and
• reviewofanyrelevantlowcharts.
Detailsofeachprocedurearegivenbelow.
Inordertoguaranteecontrolefectiveness,internalcontrolsmustbedesigned
adequately.headequacyoftheinternalcontroldesignmustbeassessedbothin-
ternallybythelocalorganizationaswellasbyitsexternalauditors.hedesignas-
sessmentshoulddeterminewhethertheinternalcontrolsareoperatingasintended.
Additionally,thedesignassessmentshouldtestwhetherthenecessarycontrolsare
inplace toprovidereasonableassuranceofaccurateaccountentries.Whenper-
formingthedesignassessment,theauditorshouldfollowtheproceduredescribed
below.
Adeskreviewisperformedirst.Itservestoobtainageneraloverviewofthe
process–whataretherisks,whataretheinternalcontrolobjectives,wherehavethe
signiicantcontrolsbeenintegrated,etc.hefollowingstepsshouldbetakenwhen
completingthedeskreview:
• Checkifcontroldescriptionisclear,comprehensive,andcomplete.
• Checkforpreventiveanddetectivecontrols.
• Checkformanualandautomatedcontrols.
• Checkforsigniicantcontrols.Ifsuchcontrolsseemtoexist,askwhetherthey
arereallysigniicantorwhethertheprocessgroupunderreviewdoesnothave
anysigniicantcontrols(signiicantcontrolsmustbedesignedinsuchawaythat
theycanpreventordetecterrorsorfraudthatcouldleadtomaterialmisstate-
mentsintheinancialstatements).
Process Group templatesProcess Group templates
test Procedurestest Procedures
Design Assessment Design Assessment
Desk ReviewDesk Review
392
• Checkiftheinternalcontrolsfullycoverallknownrisks.
• Checkifsigniicantandaccounting-relevantassertionsarecoveredbytheinter-
nalcontrols.
• Identifypointsintheprocesswherematerialmisstatementsand/orfraudcould
occur.
• Checkwhetherthecontrolswithinaprocessarepositionedproperly.
• Assesstheexistingdocumentationofthecontrolstoestablishwhetheritisad-
equatetotesttheefectivenessofthesecontrols.
• Developalistofquestionsandinformationnecessaryforconductingawalk-
through.
Nowfollowsadetaileddescriptionoftheirstsixstepsofadeskreview.
heinternalcontroldescriptionsshouldbereviewedtoensurecompliancewith
companyqualityassurancestandards.Controldocumentationshouldenable the
addresseetounderstandthelowofactivitiesrequiredtoinitiate,authorize,record,
andprocesstransactions,aswellascreatethenecessaryreports.Consequently,itis
vital that the control descriptions accurately explain how the activities are per-
formed.hebestwaytoensurecleardescriptionsisiftheyanswerquestionslike
“who?,”“what?,”“how?,”“when?,”“where?,”and“why?.”
Aterreviewingtheprocessandcontroldescriptionsforclarityandconsistency,
theauditorshouldexaminetheattributesofeachidentiiedcontrol.Examplesof
astandardsetofcontrolattributesthatareutilizedtofurtherenhancethecontrol
descriptionsareshownbelow.
he following table summarizes thedeinitionsof thecontrolattributevaluesof
signiicance,controlpurpose,andautomation.
internal Control Description
(Step 1)
internal Control Description
(Step 1)
Control Attributes (Steps 2–4)
Control Attributes (Steps 2–4)
Attributes Values
Signiicance Signiicant control, standard control
Purpose of control Preventive, detective
Automation Automated, semi-automated, manual
Date or event driven Date-driven, event-driven
Frequency (if date-driven) Continuous, daily, weekly, biweekly, monthly, quarterly, semi-annually, annually
Event description(if event-driven)
Description of event that triggers the process step or control
Fig. 21 Control Attribute Values
Examples from Audit Practice at SAP
SOX AuditsC | 8
393
Whenreviewingthegeneralattributes,theauditorshouldlookforanappropriate
balanceofcontrolcharacteristics.heauditorshouldbeabletoclearlydistinguish
betweenstandardandsigniicantcontrols.Additionally,agoodprocessdesignwill
containabalancedmixtureofpreventiveanddetectiveaswellasmanualandauto-
matedcontrols.
If an internal control is well described, the auditor should be able to clearly
determine thebusinessrisk that thecontrol isdesigned tomitigate.heprocess
ownersarerequiredtomapthecorrelationbetweenidentiiedinternalcontrolsand
inherentbusinessrisks.heauditor’staskistoverifythattheretrulyisacorrelation
betweenthedescribedcontrolandthebusinessrisktowhichithasbeenmapped.
Afailuretomapalltheriskstointernalcontrolsdoesnotnecessarilyindicatean
inadequatecontrollevel.heremaybelegitimatereasonswhynointernalcontrol
has been assigned to a deined risk. he general business risks identiied by the
companydonotalwaysapplytoalllocations.Oten,riskswithinoneprocessgroup
willbemitigatedbycontrolsinanotherprocessgroup.Inthiscase,anexplanation
shouldbeprovidedwithintheprocessdesignassessmentresults.Additionally,the
localentitymayhave internalcontrols inplace thathavenotbeendocumented.
Aindingshouldonlybemadeintheeventthatarelevantbusinessriskhasbeen
identiiedthatisnotmitigatedbyaninternalcontrol.
Inadditiontomappingthecorrelationbetweenidentiiedinternalcontrolsand
inherentbusinessrisks,theprocessownersmustalsodeterminewhichoftheasser-
tions listedbelowisassuredbythe internalcontrol inrelationtotherisk.Every
internalcontrolshouldcoveroneormoreofthefollowingaims:
• Completeness:All information is capturedduring thecourseof transactions,
processsteps,andactivities.
Audit FocusAudit Focus
Control Review (Step 5)Control Review (Step 5)
Risks Without internal ControlsRisks Without internal Controls
Control Assertion ReviewControl Assertion Review
Attributes
Signiicance Signiicant control If the control fails, a misstate-ment is very probable.
Automation Automated The control is performed auto-matically by a computer or en-forced by the system settings.
Detective Errors are retrospectivelyidentiied and corrected.
Semi-automated Automatic control, but requires manual start or validation.
Manual The control is efected exclusively by persons.
Purpose of control Preventive Errors are prevented.
Standard control Supporting control.
Values De�nitions
Fig. 22 Deinition of Control Attribute Values
394
• Accuracy:hefactualandformalcorrectnessofthedataanddocumentsused
fortheafectedprocessstepisguaranteed.
• Validity:Veriicationthatthedataorobjectsofgiventransactionstrulyexist(by
eitheranauthorizedpersonorthesystemitself).
• Restrictedaccess:Usersonlyhaveaccesstodataandfunctionsthatarerelevant
totheirresponsibilitiesandtheirroles.
Aswiththegeneralcontrolattributes,agoodprocessdescriptionshouldcontainan
appropriatebalanceofcontrolassertions.
Havingmappedtheinternalcontrolstotheirrespectiverisksandcontrolasser-
tions, process owners must then determine the correlation between the internal
controls and the corresponding inancial statement accounts they afect either
directlyorindirectly.hecompanyshouldhaveidentiiedinancialstatementac-
countsthatarerelevanttoeachprocessgrouponaconsolidatedgrouplevel.Once
auditorshaveidentiiedthesigniicantaccountsforthelocalentity,theymustthen
ensurethateachoftheseaccountsismappedtoaninternalcontrol.
heprocessownershouldalsomapeach internalcontrol toacorresponding
inancialstatementassertion.Everycontrolshouldcoveroneormoreofthefollow-
ingassertions:
• Existence or occurrence: Assertions about existence or occurrence address
whetherassetsor liabilitiesoftheentityexistatagivendateandwhetherre-
cordedtransactionshaveoccurredduringagivenperiod.
• Completeness:Assertionsaboutcompletenessaddresswhetheralltransactions
andaccountsthatshouldbepresentedintheinancialstatementsareincluded.
• Valuation or allocation: Assertions about valuation or allocation address
whetherasset,liability,revenue,andexpensecomponentshavebeenincluded
intheinancialstatementsatappropriateamounts.
• Rightsandobligations:Assertionsaboutrightsandobligationsaddresswhether
assetsaretherightsoftheentityandliabilitiesaretheobligationsoftheentityat
agivendate.
• Presentationanddisclosure:Assertionsaboutpresentationanddisclosuread-
dresswhetherparticularcomponentsof theinancial statementsareproperly
classiied,described,anddisclosed.
Oncethedeskreviewhasbeencompleted,theauditorshouldexamineeachcontrol
designindividually.hemostefectivewaytoconductthisreviewistore-perform
thewalkthrough.helocalSOXchampionshouldhavedocumentedtheprocedures
usedduringthewalk-through,andtheauditorwillnowtesttheseprocedures.he
purposeofthewalkthroughistoconirmwiththeprocessownertheoverallaccu-
racyof theprocessdocumentation. It shouldestablishwhether thenumberand
typeofcontrolsinaprocessaresuicienttominimizebusinessriskseiciently.he
followingstepsshouldbeperformed:
• heprocessownershouldexplaintheprocesstotheauditorsothattheresults
ofthedeskreviewcanbeveriied.
Review of Account Mapping
(Step 6)
Review of Account Mapping
(Step 6)
Financial Statement Assertions
Financial Statement Assertions
Walk-through ReviewWalk-through Review
Examples from Audit Practice at SAP
SOX AuditsC | 8
395
• heauditorshouldfocusonthepotentialrisksandformapreliminaryagree-
mentwithprocessownersonwhatthoseare.
• hemainemphasisshouldbeonsigniicantinternalcontrols.Suitableriskmin-
imizationmeasuresshouldbeagreeduponwiththeprocessowner.
• Foreachinternalcontrol,theauditorshouldrandomlyselectoneormoretrans-
actionsfromtheappropriatepopulation.
• heauditorsshouldtracethetransactionsfromthebeginningtotheendofthe
process.heyshouldchecktodeterminewhetherthereareinterfacestoother
processesandtoensurethatnotransaction-relatedinformationistransferred
bymistake.
• heauditorsshouldaskquestionsconcerningtheoperationofanysigniicant
controlsthatareinplacetodetectorpreventmaterialmisstatements(conirma-
tionoftheaccountmapping).
• Itisnecessarytoobtainsupportingdocumentationdemonstratingthatthecon-
trol isworkingasdocumented.heauditor shouldnotewhenever theactual
processdeviatesfromthedocumentedversion.
• Auditors should obtain screenshots for any part of the process that involves
computerinputorothercomputerprocedures.
• heauditorsshouldpreparetheinternalcontroltestingphaseandilethecol-
lectedresultsinbinders.
Onthebasisofthedeskreviewandwalk-throughresults,theauditormustdeter-
minewhetherornotthecontrolmaturityratingassignedbytheSOXchampionis
appropriate.hefollowingtableshowsanexampleofapossiblerating.
Oncethedeskreviewandwalk-throughhavebeencompleted,InternalAuditmust
reviewthecontroldesignassessmentmadebytheSOXchampion.hisrequiresthe
followingsteps:
• Ensurethecontroldescriptionisclear,comprehensive,andcomplete.
internal Controls Maturityinternal Controls Maturity
Review of the Control Design AssessmentReview of the Control Design Assessment
Unreliable Informal Standardized Monitored Optimized
Control activities
are not designed
or in place.
The environment
is unpredictable.
Control activities
are designed
and in place,
but they are not
adequately
documented.
Control activities
are designed,
in place, and
adequately
documented.
Controls are
integrated.
There is real-time
monitoring by
management
and continuous
improvement.
Fig. 23 Internal Controls Maturity Framework
396
• Examinetheinternalcontrolstoensuretheyaresuicienttofullyaddressrisks.
Makenotesofanydeiciencies.
• Examinehowriskshavebeenassignedtotheinancialstatementaccounts.
• Assessthecoverageofinancialstatementassertions.
• Assessthedocumentationofthecontrolstoestablishwhetheritisadequateto
audittheefectivenessofthesecontrols.
• Assesstheabilityofthecontrolownertoperformcontrol(skills,training,etc.).
• Describetheassessmentmade.
Havingcompletedtheirassessmentofeachindividualcontrolwithinaprocess,the
SOXchampionsmustthenprovideanassessmentoftheadequacyoftheoverall
processdesign.heprocessdesignassessmentshouldbeacumulativeevaluationof
eachof thecontrolassessmentswithintheprocess.heresultof thisassessment
maybeasfollows:
• Adequate:Allcontrolswithintheprocessarestandardized,orrisk-minimizing
controlsexist.
• Deicient:Oneormorecontrolswithin theprocess aremissing, informal,or
unreliable.
• Signiicantlydeicient:Signiicantcontrolswithintheprocessaremissingorun-
reliable.
Ifasinglecontrolassessmentdoesnotconformtothestandard,itdoesnotmean
thatthewholeprocessdesignisdeicient.Oten,informalorunreliablestandard
controlsaremitigatedwithoverridingsigniicantcontrols.However,anadequate
ratingshouldnotbegiventoaprocessdesignwhereasigniicantcontrolisunreli-
able.
OncetheauditorshaveanalyzedtheresultsoftheSOXchampion’sprocessde-
signassessment,theyperformtheirownreview.Ingeneral,athoroughassessment
shouldincludethefollowingsteps:
• Assess theadequacyof thedocumentation,verifying that it isclearlywritten
andcontainssuicientdetailtoenableathirdpartytoevaluatethecontrolde-
signandtotesttheoperatingefectiveness.
• Checkifthemixofpreventiveanddetectiveaswellasmanualandautomated
controlsissuicientlybalancedtomitigateprocess-inherentrisks.
• Testthesigniicantinternalcontrols.
• Examinehowriskshavebeenmappedtotheinancialstatementaccounts(in-
cludingtheexplanationofprocessrisksnotaddressed).
• Checkwhethercontrolswithinaprocessarelocatedintherightplace.
• Verifythateachriskofpotentialmaterialmisstatementaswellastherisk-mini-
mizingcontrolsaredocumented.
• Identifycontrols implemented todetectorpreventunauthorizedacquisition,
use,ordispositionofcompanyassets.
Review of the Process Design Assessment
Review of the Process Design Assessment
not all Controls Conform to Standard
not all Controls Conform to Standard
Process Design Assessment Steps
Process Design Assessment Steps
Examples from Audit Practice at SAP
SOX AuditsC | 8
397
heSOXchampionmustdocumenttheprocessandcontroldesignassessmentsin
detail.Inaddition,theauditorshoulddocumentthefollowingintheprocessgroup
templatesbasedontheinternalcontroldesignreview:
• proceduresperformed,
• expectedresults,
• auditevidence,and
• conclusiondrawnfromtheassessment.
If theauditordeterminesthat thedesignratingforaprocessorcontrol iseither
“deicient”or“signiicantlydeicient,”thenanappropriateindingmustbereported.
Findingsaredocumented in theprocessgrouptemplate. Itmaybeuseful touse
standardizedindingscategoriesforanalyticalpurposesonacompanylevel.Inthe
processofreportingindings,theauditormustassignapriority.Again,itmaybe
helpfultohavestandardizedprioritylevels(e.g.,high,medium,andlow)aswellas
aguidelineexplaininginwhatcaseseachpriorityapplies.Itmaynotbenecessary
todocumentadetailedremediationplanforeveryindingthatisnoted.Forexample,
thecompanymaydeterminethatdetailedremediationplansareonlyrequiredfor
issuesthatcannotbecorrectedwithinfourweeks.However,theremaybespeciic
topics(e.g.,indingsrelatingtorevenuerecognitionunderUS-GAAP)thatalways
requireremediationplans.
hecontrolandprocessdesignassessmentisfollowedbytestsoftheefective-
nessoftheinternalcontrolsputinplacetoensurethatthesecontrolsoperateas
planned.Byperformingsuchtests,theauditorcanshowthataninternalcontrol
processmaynotfunctionadequately,evenifitsdesignisadequate.hissituation
usuallyoccurswheninternalcontrolsarenotproperlymonitoredorimplemented.
InternalAuditmustdeterminewhetherthetechniquestheSOXchampionhas
usedtotestinternalcontrolefectivenessarereliable.Inaddition,theymustensure
that the testing techniques are compliant with the standards established by the
company(preferably, inconjunctionwiththeexternalauditor).Lastly,arandom
sampleofsigniicantcontrolsshouldbere-testedtoensurethattheresultsarecon-
sistentwiththoseoftheSOXchampion.
herearefourlevelsofappropriatetestingtechniques:
• interviewswithcompetentpersons,
• observationofprocessesinthecompany,
• testingoftherelevantdocumentation,and
• re-performanceofthecontrol.
helevelofsecurityincreaseswitheachlevel.Areliabletestingprocedureshould
haveabalancedmixofthesetechniques.
Inadditiontopropertestingtechniques,acompanyshouldalsoconsiderusing
mandatorytestingandre-testingparameters.heseparametersmustbeadheredto
inorderfortheexternalauditorstobeabletorelyupontheworkperformedlocally.
he irst set of parameters deals with the number of controls tested per process
group.Inallcases,allsigniicantcontrolsshouldbetested.However,acompany
Documentation During the Design Assessment Phase
Documentation During the Design Assessment Phase
FindingsFindings
need to test the efectiveness of internal Controls
need to test the efectiveness of internal Controls
Review of the tests Performed by the SOX Champion
Review of the tests Performed by the SOX Champion
Reliable testingReliable testing
introduction of Mandatory Parametersintroduction of Mandatory Parameters
398
mayalsodecide,forexample,totest10%to20%ofstandardcontrols,justtohave
additionalassurancewithinaprocessgroup.hesecondsetofparametersdeals
with the number of samples selected per test. In general, the number of testing
samplesincreasesdirectlywiththefrequencywithwhichthecontrolisperformed.
Aictitiousexampleofspeciicparametersforselectingtestingandre-testingsam-
plesizesisillustratedinthechartbelow:
Usually, it isnotpossible todetermine sample sizes for event-drivencontrols in
advance.Whentestingevent-drivencontrolsitisusefultoproceedaccordingtothe
samespeciicationsasinthecaseofdate-drivencontrols.hemoreotentheevent
occurs,thelargerthesamplesizeshouldbe.heultimatevalueisbasedonadate-
drivensamplesize.Itmustthereforebedeterminedhowotentheeventoccurson
average(e.g.quarterly,weekly,daily)andthecorrespondingsamplesizetaken.
Whenreviewingtheefectivenessof testingprocedures,auditorsshouldcon-
siderthetesters’independenceandexperience.Ingeneral,testersshouldalwaysbe
independentoftheprocesseswhichtheyaretesting.hatis,thetestshouldnotbe
Procedure for event-Driven Controls
Procedure for event-Driven Controls
tester independence and experience
tester independence and experience
Control
frequency
Sample size Number
of errors
Findings Re-testing No. of
additional
errors
Findings
Annually 1 1 Yes After
correction
Not
applicable
Not
applicable
Quarterly 2 1 to 2 Yes After
correction
Not
applicable
Not
applicable
Monthly 3 1 to 3 Yes After
correction
Not
applicable
Not
applicable
Daily 20 1 to 2 No 10 additio-
nal, imme-
diately
1 or more Yes
2 to 10 Yes After
correction
Not
applicable
Not
applicable
3 to 20 Yes After
correction
Not
applicable
Not
applicable
Several
times daily
30 1 to 3 No 15 additio-
nal, imme-
diately
1 or more Yes
4 to 30 Yes After
correction
Not
applicable
Not
applicable
Weekly 10 1 No 5 additio-
nal, imme-
diately
1 or more Yes
Fig. 24 Special Parameters for Selecting the Sample Size
Examples from Audit Practice at SAP
SOX AuditsC | 8
399
performedbytheprocessowner.However, thetestershouldbeexperiencedand
familiarenoughwiththeprocesstobeabletoformawell-foundedopinionregard-
ingtheefectivenessofthecontrols.
Beforetestingcanbegin,asetoftestingproceduresshouldbedocumentedlo-
callybyeachowner.hisallows theauditor tounderstandexactlyhowcontrols
weretestedforefectiveness.InternalAuditshouldalsodocumenttheseprocedures
intheprocessgrouptemplate.hefollowingitemsareofparticularnote:
• samplesize,
• sampleselection,
• testingapproachandmixoftestingtechniques,and
• expectedresults(typeofresult,formalandfactualaccuracy).
hefollowingareictitiousexamplesofproceduresfortestinginternalcontrols:
• heauditorsobtainalistofallpurchaseorderrequisitionscreatedin2005.Using
intervalsampling,theydeterminetheintervalforchoosingtherequisitionsat
random.heauditorsnotetherequestor,costcenter,costcentermanager,actual
approverandPRcontent.hey thendocument the results andcopy theirst
pageofeachpurchaseorderrequisitionasauditevidence.heyreferencethe
documentationandileitinthetestingbinder.
• heauditorsobtaincopiesofthequarterlyreportsfortwoquarterswithinthe
currentyear.Togetherwiththeprocessowners,theyreviewthereportstodeter-
minewhatistobecheckedhere.heprocedureisasfollows:
– hedocumentstobeexaminedarecopiedandreferenced,or
– theexceptionsarecopiedandthequarterlyreportsarecapturedelectronically.
heexceptionsandtheelectronicdocumentarereferenced.hedocumenta-
tionisiledinthetestingbinder.
Once the testing procedures have been completed, the results should be docu-
mented.
Examplesofhowtheresultsoftestingtheinternalcontrolscanbedescribedare
asfollows:
• All items in the samplemet therequiredcriteria.Noexceptionswere found.
hisprovidesevidencethatanefectivecontrolexists.Supportingdocuments
havebeencross-referencedandiledinatestingbinder.
• Outof30requisitionsreviewed,tenhadsomeformofexception.Eitherthere
was no formal approval for the order (ive times) or requestor and approver
werethesame(ivetimes).Allexceptionsanddocumentsreviewedwerecopied,
referencedandiled.hiscontrolissigniicantlydeicient.
SOXauditsalsorequirethepreparationofworkingpapersasauditevidence.hey
mustmakethefollowingitemstransparent:
• how the testing was performed (responsible employees interviewed and the
substanceoftheinquiries,includingadditionalcorroborativeresults),
test Documentationtest Documentation
Fictitious examples of internal Control testing Procedures
Fictitious examples of internal Control testing Procedures
Fictitious examples of Documenting test Results
Fictitious examples of Documenting test Results
Content of Working Papers Content of Working Papers
400
• thecontrolresults(anydocumentsexaminedandanidentiicationofthesam-
ples selected for testing, e.g. invoiceno. 1234,no. 2345etc.were selectedand
assessedforaccuracyofsignatureaccordingtotheapprovalmatrix),
• theresultsofthetesting(informationincludesthenumberanddescriptionof
anyexceptions,e.g.,allsamplesselectedhavebeenaccuratelysignedwiththe
exceptionofinvoiceno.2345wheretheapprovalsignatureismissing),
• thenatureofanyre-performanceoftests,and
• recommendationsforimprovement,whereappropriate.
Testingresultsandevidenceintheformofworkingpapersarecollectedintesting
binders.heresultsandevidenceshouldbereferencedsothatalinkcanbemade
tothecontrolsteptested.Inaddition,specifyingthedatethatthedocumentwas
copiedorreceivedandthesourceofthedocumenthelpsensurethatthedocumen-
tationcanalwaysbetracedbacktotheowner.
Finally,at theendofeach testingphase,ameetingshouldbeheldwitheach
processownerand/orprocessgroupownerinordertoconirmalltheresults(in-
cluding any indings and planned remediation). Once an agreement has been
reachedwiththeprocessowneronaindingandthecorrectionof itscause, the
exceptionscanbeinalizedandcorrectedintheprocessgrouptemplate.
Inadditiontoverballydescribingtheirinternalcontrolstructures,theprocess
ownersshouldalsoprepareprocesslowcharts(oneperprocessgroup).Acompany
mayhavedeinedstandardsymbolsandformatsthatshouldbeusedwhenprepar-
ingthesedocuments.heauditormustverifythattheselowchartscomplywiththe
company’squalityassurancestandards.Asanexample,aprocessgrouplowchart
mayconsistofthefollowingthreelevels:
• Level1:Overviewoftheprocessgroup.
• Level2:Breakingprocessgroupsdownintokeyprocesses.
• Level3:Breakingprocessesdownintokeytransactionsanddescribingwork-
lowsandcontrols.
Ingeneral,awellorganizedandproperlypreparedlowchartshould:
• usethestandardsymbolscorrectly,
• beclear,simple,andconcise,
• clearlyidentifythecontrols,includingtheirinputandoutput,
• demonstratethechronologicalsequenceofevents,
• usedescriptivetextconciselyandsparinglyandbeproperlyreferencedtopro-
videfurtherexplanation,and
• clearlyindicatewhoisperformingthecontrols.
Document FilingDocument Filing
Closing MeetingClosing Meeting
Flowchart ReviewFlowchart Review
Flowchart RequirementsFlowchart Requirements
Examples from Audit Practice at SAP
SOX AuditsC | 8
401
HintS AnD tiPS ;
Fordesignassessments:
• Auditors must ensure that the control assertions of completeness, accuracy,
validity, and restricted access are addressed in each process (not only in the
processgroup).
• Ingeneral,eachprocessmusthaveatleastonesigniicantcontrol.
• Ifacontrolcoversanumberofrisks,itisprobablyasigniicantcontrol.
• Forcontrolstepsthatincludesysteminputoroutputorsystematicprocedures,
therelevanttransactioncodesandresultreportsmustbespeciied.
Forcontrolefectivenesstests:
• Whenusingthetestprocedures,auditorsmustmakesurethattheyaretesting
thecontrolactuallydescribed.
LinKS AnD ReFeRenCeS e
• COMMITTEEOFSPONSORINGORGANIzATIONSOFTHETREADWAyCOM-
MISSION(COSO).2003.Enterprise Risk Management Integrated Framework. Newyork,
Ny:AICPA.
• DELOITTE.2005.Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era.www.
deloitte.com/dtt/cda/doc/content/us_ERS_Internal%20Audit%20POV.pdf(accessedMay
31,2007).
• HAUSER,D.,R.HOPkINS,AND H.LEIBUNDGUT.2004.heSarbanes-OxleyAct
andtheRoleofInternalAudit.Der Schweizer Treuhänder(December2004):1057-1065.
• INSTITUTEOFINTERNALAUDITORS.2004.Internal Auditing’s Role in Sections 302
and 404 of the U.S. Sarbanes-Oxley Act of 2002.AltamonteSprings,FL:heInstituteof
InternalAuditors.
• PUBLICCOMPANyACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements.http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBLIC COMPANy ACCOUNTING OVERSIGHT BOARD (PCAOB). Staf Ques-
tions and Answers: Auditing Internal Control over Financial Reporting. http://www.pcaob.
org/standards/staf_questions_and_answers/2005/01-21.pdf(accessedMay31,2007).
• REDDING,k.,P.SOBEL,U.ANDERSON,etal.2007.Internal Assurance and Consult-
ing Services.AltamonteSprings,FL:heInstituteofInternalAuditors.
• RITTENBERG,L.E.ANDB.J.SCHWEIGER.2005.Auditing: Concepts for a Changing
Environment. Mason,OH:hompson.
• SAWyER,L.B.,M.A.DITTENHOFER,ANDJ.H.SCHEINER.2003.Sawyer’s Inter-
nal Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditor.
• SEARS,B.2002.Internal Auditing Manual.Newyork,Ny:Warren,Gorham&Lamont.
• U.S.CONGRESS.2002. Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. WashingtonDC:GovernmentPrintingOice.
402
9 RevenueRecognitionAssurance
KeyPoints •••
• heGIASrevenuerecognitionassuranceprogramsupportsthecompanyinen-
suringcompliancewithrevenuerecognitionrules.
• hisconceptincludes,forexample,customerconirmationsandunannounced
licenseauditsthatareusedinadditiontoregularauditactivities.
• InternalAudit’sgeneralqualityassuranceprogramhasbeenadaptedtothespe-
cialrequirementsofrevenuerecognitionassurancework.
Compliancewith revenuerecognitionrules isan importantaudit topic.For this
reason,SAP’sInternalAudithasdevelopedanadditionalprogram,whichprovides
special work programs for this issue. Under this revenue recognition assurance
program,InternalAuditconductsunannouncedauditsoflicenseagreementsand
obtains contract conirmations from customers. Unannounced license audits
largelyfollowtheprocedureforstandardlicenseaudits(seeSectionC,Chapter5.3).
Customer contract conirmations involve writing to customers, asking them to
conirmthecomponentsandtermsandconditionsofcontracts.heobjectiveof
thesetestsistoensurethatthecontractdocumentationiscompleteandtoexclude
theexistenceofanysupplementaryagreementsthatarenotdocumentedortaken
intoaccount,aswellastoascertaintheamountofrevenuerecognized.
InternalAuditconductsthreecustomercontractconirmationcyclesperyearin
eachregiononaglobalbasis.hesethreecyclescovercontractssignedintheirst
quarter,contractssignedinthesecondandthirdquarters,andcontractssignedin
thefourthquarterrespectively.Eachconirmationcyclespansapproximatelyeight
totenweeks,fromcontractselectionthroughinalreport.Inaddition,theexternal
auditorsalsoobtaincustomercontractconirmationseveryquarter.However,In-
ternalAuditconducts itscustomercontractconirmationcycle independentlyof
theexternalauditors’conirmationprocess.
heentirecustomercontract conirmationcycleconsistsof sixmainprocess
steps:Preparation,distribution, inquiry I, inquiry II,alternativeauditwork,and
reporting.Ifallthecontractsareproperlyconirmedbycustomers,alternativeaudit
workisnotnecessary.Detailsofeachofthemainprocessstepsoftheconirmation
cycleareprovidedbelow.
Toprepareforcustomercontractconirmations,theinternalauditteamselects
thecountriestobeauditedthroughariskassessment.InternalAuditconductsthis
riskassessmentonceayearinNovember/Decemberwiththeinvolvementofother
departmentswithinthecompany.Forexample,CorporateFinancialReportingor
theregionalinancemanagersareaskedtogivetheirriskassessment.Onthebasis
of the feedback received and the risk assessments made, each regional unit of
InternalAuditselectsdiferentcountriesforeachcycle,inrelationtothesizeofthe
ConceptConcept
CustomerContractConirmationsinGeneral
CustomerContractConirmationsinGeneral
theCustomerContractConirmationProcess
theCustomerContractConirmationProcess
PreparationPreparation
Examples from Audit Practice at SAP
Revenue Recognition AssuranceC|9
403
region.Additionally,theresultsofthisriskassessmentarereviewedbeforethestart
ofthenextcustomercontractconirmationcycletoestablishiftheriskevaluation
isstilluptodate.
SinceSAP’sexternalauditorsalsoobtaincontractconirmations, the internal
audit teamhas toensure that a customer isnot contacted twiceabout the same
contract.herefore,aterselectingthecountries, InternalAuditrequestsa listof
contractconirmationssentoutbytheexternalauditors.Oncethisinformationis
available,InternalAuditselectscontractsforreview.Inreturn,InternalAuditthen
passesthecorrespondinginformationtotheexternalauditors.
Contractselectioninvolvesacombinationofindividualselectionaccordingto
auditorjudgmentandrandomselection.First,acompletelistofallcustomercon-
tractsshouldbecompiled.Tofacilitateselection,thislistmustbesortedbycontract
valueindescendingorder.Twogroupsofcontractsarecreatedonthebasisofthe
selectionmodel:GroupAincludesallcontractswhoseaccumulatedvolumemakes
up80%of the totalcontractvolumeonthe list for theselectedperiod.GroupB
containsallothercontracts.
• SelectionfromgroupA:Inclusionofallcontractsaboveacertainthresholdis
mandatory.histhresholdshouldbearoundtwicetheaveragecontractvaluein
groupA.Belowthisthreshold,internalauditorsinitiallyusetheirowndiscre-
tiontoselectfurthercontracts.Additionalcontractsarerandomlyselecteduntil
50%oftheremainingvalueofthecontractsnotalreadyselectedisreachedin
relationtocontractvolume(remainingvalueofcontractsnotalreadyselected
=groupA–contractsabovethethreshold–internalauditorselection–contracts
selectedbytheexternalauditorsnotyetincludedbytheinternalauditors).
• SelectionfromgroupB:hecontractsareselectedrandomlyand/oraccording
tointernalauditorjudgmentforupto20%ofthetotalvolumeofgroupB.
Basedonthisselectionmodel,at least75%of totalcontractvolumeisexamined
(includingthecontractsselectedbytheexternalauditors).
Oncethecontractshavebeenselected,thelocalandregionalmanagersarein-
formed by e-mail, which also serves as audit announcement (see Section B,
Chapter3.1).Soonatertheannouncement,theInternalAuditemployeeresponsible
forassuringrevenuerecognitioncontactsthelocalsubsidiary,requestingthenec-
essarycustomerandcontactinformation,e.g.,customercontactperson,telephone
number,anddateofirstdelivery(includingdeliverydocuments).
Becauseof themanydiferent languages, thecustomercontractconirmation
cycleisnormallysupportedbythelocalexternalauditorsifInternalAuditcannot
cover the relevant language internally.heyprovide InternalAuditwith transla-
tionsofthecustomercontractconirmationrequestsandofthemainpointsofthe
selectedcontracts.
Oncepreparationshavebeencompleted, i.e.,all the informationandtransla-
tionsareavailable,InternalAuditwritesthecontractconirmationletterfordistri-
butiontocustomers.EachcustomergetsanEnglishandalocallanguageversion.
CooperationwiththeexternalAuditorsCooperationwiththeexternalAuditors
ContractselectionContractselection
AnnouncementAnnouncement
LanguageProblemLanguageProblem
DistributionDistribution
404
Processsteps2(distribution)through6(report)aredocumentedinamonitor-
ingworkingpaper,whichreplacestheworkingpapersnormallyused.
hefollowingaudittasksshouldbeperformedanddocumentedduringthecus-
tomercontractconirmationcycle:
• hefollowingstandardauditworkisperformedbeforethecustomercontract
conirmationletterisreturned:
– Systemaccountingentriesarechecked.
– Licensepaymentsarechecked.
– Maintenancepaymentsarechecked.
– Deliveriesarechecked.
– Necessaryaccrualsanddeferralsarechecked.
• Callstocustomers(inquiryI).
• Onreturn,thecustomercontractconirmationletterischeckedforcomplete-
nessandaccuracy(inquiryII).
• Allauditstepsconductedduringalternativeauditwork.
• Allinformationreceivedorauditstepstakenbetweenthealternativeauditwork
andthereport.
Approximatelytwoweeksatertheconirmationlettersaresenttocustomers,all
customerswhohavenotreturnedthecontractconirmationshouldbecontactedby
telephone.Ifpossible,InternalAuditshouldobtainanddocumentverbalconirma-
tionthisway.IfInternalAuditcannotobtainaproperconirmation,thecontract
shouldbeearmarkedforalternativeauditwork.
Allcontractconirmationlettersreceivedfromcustomersmustbeexaminedfor
completenessandaccuracy.Ifthereareexceptions,thefollowingauditstepsshould
betaken:
• Ifpossible,theexceptionsshouldbeclariiedwiththecustomerbytelephone.
• Contactthelocalsubsidiary’saccountingdepartment,contractadministration
department,and/orsalesexecutiveforclariication.
If theexceptionscannotbeclariied, the internalaudit teamshouldearmarkthe
contractforalternativeauditwork.
Approximatelytwoweeksbeforethedatescheduledforalternativeauditwork,
InternalAuditevaluatesthecustomercontractconirmationstatus.heresultis
writtenintoareportanddistributedtothemanagersresponsibleinthelocalsub-
sidiary(atleasttotheheadoftheaccountingunit).Ifoneormorecontractshave
not been conirmed, the sales executive responsible in the local subsidiary can
assisttheinternalauditteamincontactingthecustomer.Allcontractsofaconir-
mationcyclethatarenotconirmedtoInternalAuditbythecustomerasofthe
scheduledstartingdateofthealternativeauditworkmustbeexaminedlocallyin
thesubsidiary.
DocumentationDocumentation
AudittasksduringCustomerContract
Conirmations
AudittasksduringCustomerContract
Conirmations
inquiryiinquiryi
ReturnedConirmationLetters
ReturnedConirmationLetters
inquiryiiinquiryii
Examples from Audit Practice at SAP
Revenue Recognition AssuranceC|9
405
hefollowinginformationisupdatedduringalternativeauditwork:
• Licensepaymentsarechecked.
• Maintenancepaymentsarechecked.
• Creditnotesissuedarechecked.
• heGlobalContractApprovalForms(GCAF)arechecked.
• It ischeckedifsalesconirmationlettershavebeensignedbytheresponsible
salesexecutive.
Inaddition,all furtherrelevant informationreceivedinthemeantimeshouldbe
processedanddocumented.Allavailabledocumentsrelatingtounconirmedcon-
tractsmustbereviewedlocallyinthesubsidiary,particularlytheoriginalcontract,
thedocumentsheldbythelicenseadministrationdepartment,andthecustomer
ilewithanycorrespondence.
heinalreportisthelastprocessstepofthecustomercontractconirmation
cycle.herearethreediferentreportinglevels(local,regional,andglobal).he
localreportsaredistributedtolocalmanagement.heregionalreportsincludean
overviewofallcountriesselectedforauditingintheregionconcerned,andaddi-
tionalinformationfromthelocalreport.hesereportsaresenttoregionalman-
agement.heglobalreportsarepreparedanddistributedbytheglobalcoordinator
fortheGIASrevenuerecognitionassuranceprogram.heglobalreportincludes
aglobaloverviewandtheregionalreports.hereportissenttothemembersofthe
Board and other afected parties, e.g. corporate departments and the external
auditors.
Ifthecustomercontractconirmationsresultinindingsthatrequirefollow-up,
aninternalimplementationreport(GIASonly)iscompiledinadditiontothere-
portontheconirmationcycleforuseasabasisforthefollow-up.
InadditiontoInternalAudit’sgeneralqualityassuranceconcept(fordetails,see
SectionD,Chapter5),aspeciicqualityassuranceprogramhasbeendevelopedand
introducedforthecustomercontractconirmations,intendedtoguaranteethefol-
lowing:
• efectivenessoftheconirmationcycle,
• compliancewithSAP-speciicstandardssetbyInternalAudit,
• compliancewithinternationalstandardsforInternalAudit,and
• continuousprocessimprovement.
AlternativeAuditWorkAlternativeAuditWork
ReportingReporting
CustomerContractConirmationFindingsCustomerContractConirmationFindings
QualityAssuranceDuringCustomerContractConirmations
QualityAssuranceDuringCustomerContractConirmations
406
heaboveigureshowsthequalitygatesthathavebeendeinedforthecustomer
contractconirmationprocess.hemeasuresrelatingtoqualitygatesaredeinedas
follows:
• Review:heauditobjectisinalizedbeforeitisforwardedforinalapproval.
• Approval:hisauthorizesthecompletionofthecurrentauditphase.
Allqualitygatesmustbedocumentedatleastelectronically.
Besides customer contract conirmations, unannounced license audits are the
second component of the revenue recognition assurance program. Unannounced
licenseauditsarenormallyad-hocauditsandlargelyfollowthestandardworkpro-
gramforlicenseaudits(seeSectionC,Chapter5.3).Everyyear,betweenthreeandsix
unannouncedlicenseauditsareconductedineachregion.Dependingonthesizeof
thelocalsubsidiary,theaudittakesthreetoivedaysiftwoauditorsareappointed.
QualityGatesQualityGates
UnannouncedLicenseAudits
UnannouncedLicenseAudits
Fig. 25 Quality Gates during Customer Contract Conirmations
Examples from Audit Practice at SAP
Revenue Recognition AssuranceC|9
407
heexecutionofunannouncedlicenseauditsislargelythesameaslicenseaudits
conductedaspartofabasicaudit,e.g.theselectionofthelocalsubsidiarytobeaudited
issubjecttothesameriskassessmentprocessasforcustomercontractconirmations.
However,therearediferencesduringpreparationandexecution:
• Contractselection:hecontractsareselectedtwodaysbeforethestartofthe
audit.hecontractsareselectedfromaspeciicperiodbeforetheauditdate.Out
ofthese,50%ofthecontractsareselectedonthebasisofcontractvolume(i.e.,
large-volumecontracts).heother50%ofcontractsaredeterminedbyauditor
judgment.
• Announcement:heauditisnotannouncedtothelocalsubsidiary.However,it
isacceptabletoinformtheheadoftheaccountingunitapproximatelyonehour
beforearrival.
• Closingmeeting:heclosingmeetingshouldbeattendedbyatleasttheheadof
theaccountingunit.heheadofthelocalsubsidiaryshouldalsobeinformed.
Dependingonthenatureoftheresults,additionalparticipantsmaybeincluded
intheclosingmeeting.
executionofUnannouncedLicenseAudits
executionofUnannouncedLicenseAudits
Fig. 26 Quality Assurance during Unannounced License Audits
408
• Reporting:hestandardreporttemplateisusedforunannouncedlicenseaudits
toproducethereport.Forindingsthatentailafollow-up,thesamefollow-up
processappliesasforregularauditengagements(seeSectionB,Chapter6).
hequalityassuranceconceptforunannouncedlicenseauditsisbasedonthegen-
eralqualityassuranceguidelinesfortheAuditRoadmap(seeSectionD,Chapter5),
buthasbeenadaptedtotakeaccountofthediferentauditprocess.
heirstqualitygateincludesareviewandapprovalofthecountriesselected
andtheworkprogram.hereviewisoptionalfortheregionalAuditManager,but
theapprovalismandatoryfortheglobalcoordinatorfortheGIASrevenuerecogni-
tionassuranceprogram.If thestandardworkprogramhasbeenchangedby the
auditteam,itmustbeexaminedbytheregionalrevenuerecognitionassuranceof-
icer.Itismandatoryfortheregionalrevenuerecognitionassuranceoicertocheck
theworkingpapersofthesecondqualitygate.hisreviewisoptionalfortheglobal
revenuerecognitionassurancecoordinatorand the regionalAuditManager.Ac-
ceptanceoftheabovetwoqualitygatesshouldbedocumentedonpaper,oratleast
bye-mail.helasttwoqualitygatesinFig.26arebroadlythesameasthoseinthe
generalqualityassuranceprogramofInternalAuditatSAP(formoreonquality
assuranceseeSectionD,Chapter5).
HintsAnDtiPs ;
• Whenmakingaconsciousselectionofcontracts,auditorsshouldtakeintoac-
countcriteriasuchaspostingdateandcontracttype.
LinKsAnDReFeRenCes e
• CASCARINO,R.ANDS.vANESCH.2005.Internal Auditing: An Integrated Approach.
Lansdowne,SA:JutaandCo.
• KIESO,D.E.,J.J.WEyGANDT,ANDT.D.WARFIELD.2004.Intermediate Account-
ing. 11thed.Hoboken,NJ:Wiley.
• REDING, K. F., P. J. SOBEL, U. L. ANDERSON, etal. 2007. Internal Assurance and
Consulting Services. AltamonteSprings,FL:heInstituteofInternalAuditors.
• RITTENBERG,L.E.ANDB.J.SCHWEIGER.2005.Auditing: Concepts for a Changing
Environment.Mason,OH:hompson.
• SAWyER,L.B.,M.A.DITTENHOFER,ANDJ.H.SCHEINER.2003.Sawyer’s Inter-
nal Auditing.5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.Newyork,Ny:Warren,Gorham&Lamont.
QualityAssuranceduringUnannounced
LicenseAudits
QualityAssuranceduringUnannounced
LicenseAudits
QualityGatesQualityGates
409
10 ITAudits10.1 BasicsandSystemConfiguration
KeyPoInTs •••
• Internalandexternalcomplianceandreliabilityrequirementsoninancialre-
portingmustbesupportedbyacompany’sinformationtechnology.
• heextentoftheITauditisinluencedbythedomainsofPlanandOrganize,
AcquireandImplement,DeliverandSupport,andMonitorandEvaluate.
• PossiblerisksforanITsystemincludenon-compliance,inconsistentdata,user
error,uncontrollability,andunreliability.
• Inadditiontosystemtests,theorganizationalanalysisoftheITsystemisakey
componentofITaudits.
SectionA(seeChapter6.2.5)providesinformationaboutthesigniicanceofInter-
nalAuditforcompaniesthatrelyheavilyoninformationtechnology.Especiallyin
globalsotwaregroupssuchasSAP,thereliabilityofinformationtechnologyforthe
supportofbusinessprocessesisakeyprerequisitefortheachievementofcorporate
objectives.Inaddition,thereareexternalrequirementsthatplacecleardemandson
informationtechnologytoensurethatthecompany’sinancialreportingiscompli-
ant.ITauditorsmustobservevariousinternalandexternalrules,includingcountry
speciicrules,relatingtotheproperoperationofITsystems,efectivesystemcon-
trols,andthewayinwhichcomputers,programs,anddataareused.
COBIT®(seealsoSectionA,Chapter6.2.5)identiiesthebasiccriteriaforqual-
ity,security,andcomplianceininformationtechnologyasfollows:
• conidentiality,
• integrity,
• availability,
• reliability,
• efectiveness,
• eiciency,and
• compliancewithlegalrequirements.
COBIT®alsoidentiiesfourdomainsofITgovernance.hesedomainsinluence
theextentofanITauditinensuringthattheoperationoftheITsystemiscompli-
ant.heyare:
• PlanandOrganize,
• AcquireandImplement,
• DeliverandSupport,and
• MonitorandEvaluate.
Eachofthesedomainsrepresentsaseparateauditobject,whichissuccessivelyinte-
gratedintoauditplanningfollowingitsevaluation.WhileCOBIT®providesinitial
ITAuditsatsAPITAuditsatsAP
InformationTechnologyCriteriaInformationTechnologyCriteria
FocusoftheITAuditProcessFocusoftheITAuditProcess
ExamplesfromAuditPracticeatSAP
ITAudits
BasicsandSystemConiguration
C|10|10.1
410
guidancebypresentingkeymeasuresforprocesseswithineachofthedomains,the
utilizationofthesemeasuresandtheidentiicationofadditionalmeasuresdepend
ontheextentoftheauditandthesophisticationofthetechnology.InanITstructure
ascomplexasthatofSAP,responsibilityforthediferentsystemsandapplications
isdistributedamongvariousorganizationaldepartments.Somedepartmentshave
theirownauditteamsforthediferentdomainsinordertoguaranteethatinternal
guidelinesareobservedandexternalrequirementsandcustomerrequestsaremet.
ManyITunitsatSAPareISOcertiiedforthisreason.Althoughthisinformationis
usefulduringauditplanning,ITauditorsstillneedtoformtheirownindependent
opinionastowhetheranITsystemiscompliantandhowthediferentorganiza-
tionalunitsinteract.
hefollowingdescriptionisnotintendedtoprovideadetailedpictureofallthe
elementsofITauditsbutitexplainstheprocedureofasystemaudit,usinganaudit
oftheclassicSAPsystemsasanexample.NewtechnologiessuchastheNetweaver®
platformrequirespecialieldworkactivities,whichwillbeanadditionalfocusofIT
auditsinthefutureandwillthereforehavetobescheduledandpreparedforac-
cordingly.hisispartofanothermajorchallengeforITauditors:torespondwith
adequateauditmeasurestotheeverfasterdevelopmentsintheworldofIT.
heaudit-relevantareasmustbedeinedduringauditpreparationinorderto
establishwhetherthesystemiscompliant.hefollowingITsystemriskshavetobe
takenintoaccount:
• non-compliance,
• inconsistentdata,
• usererror,
• uncontrollability,and
• unreliability.
herequirementsastohowandtowhatextentasystemauditmustorcanbecon-
ductedaredescribedinthegeneralScope(seeSectionB,Chapter2.1).heactual
ieldworkactivitiestobeincludedinthespeciicworkprogramarederivedonthis
basis.heauditguidelinesforSAPsystemsdevelopedbytheAuditWorkingGroup
areamongthedocumentsusedasabasisforcreatingtheworkprogram.hework
programforanSAPsystemaudittakesthefollowingintoaccount:
• systemconiguration,
• transportsystem,
• tableaccessandlogs,
• securityandaccessprotectioninuseradministration,
• interfaces,and
• jobawardprocedureanddocumentation.
AccordingtotheprocedureundertheCOBIT®framework,theaboveitemsareas-
signedtotheDeliverandSupportdomain(seeSectionB,Chapter7.4).
AnSAPsystemauditrequiresthatattentionispaidtoalargenumberofsecurity
andaudit relatedaspects.Forameaningfulaudit, ITauditorsmustat leasthave
FocusonsystemAuditFocusonsystemAudit
AuditPreparationAuditPreparation
scopeandWorkProgram
scopeandWorkProgram
TechnicalAspectsTechnicalAspects
411
abasicunderstandingofthecomplexstructureoftheSAPsystem.hemostimpor-
tanttechnicalaspectsofthesystemfromanauditingpointofviewinclude:
• transactions,
• ABAP(programminglanguageoftheSAPsystem),
• programs,
• tables,
• iles,
• authorizations,
• authorizationproilesandusermasterrecords,
• datamedia,and
• othersafeguards,e.g.,tablecategories,separationofdiferentclients(clientsare
thetop-levelorganizationalunitintheSAPsystem).
SAPprovidestherole-basedSAPAISsystemtosupportauditors.hedescription
oftheprocedureandcontentofanITsystemauditinthischapterareinpartbased
ontheSAPAIS.heSAPAISaccessesreportsandtransactionsthatexist inthe
SAPsystem.Auditorsshouldmakeuseofthisoptiontosupporttheirieldwork,
especiallywithaviewtosavingtime,becausemuchoftheinformationtheyneed
canbegeneratedfromthesystematthepushofabutton.
Apartfromthetechnicalaspectsofthesystemaudit,organizationalanalysisof
theSAPsystemisalsoofcrucialimportance,becauseitdeterminestheefectiveness
oftechnicalmeasuresimplementedtoguaranteeproperdataprocessing.heexis-
tenceofmeaningfuldocumentationhastobecheckedinrelationtotheorganiza-
tionalstatusofthesystem.hesystemsummarymustbesupplementedwithuser
samples(e.g.,regardingthetreatmentofuserauthorizations),systemdocumentation
samples(e.g.,regardingprogramandtabledocumentation),andsystemenviron-
mentsamples(e.g.regardingthegeneralhandlingofthesystemincaseofsystem
terminations).
Auditorsshouldgetanoverviewofoverallresponsibilityforthesystemsandthe
responsibilitiesregarding
• criticaldataandtables,
• authorizations,
• programsandinterfaces,and
• changestotheabove.
heongoingauditwillfurtherenhancetheinsightsgainedfromthisoverview.
Auditorsmustestablishwhatsystemsareinuseandwhichofthemareusedfor
live operations, or for development, testing, acceptance, or training purposes.
Auditorsmust test in the live system(auditsofwhichare themain focusof the
followingdescription)whatclientsareactiveinthisinstallation.
Auditorsshouldbegivendirectsystemaccesswiththeappropriateauthoriza-
tions.Auditorauthorizations shouldbe limited to readaccess toall applications
andbasicfunctionstoensurethatauditorsdonotchangeanydata.Inadditionto
displayingactivedata,auditorsshouldalsobeabletoviewchangedocuments.SAP
sAPAIssAPAIs
systemConigurationsystemConiguration
ResponsibilitiesResponsibilities
systemsinUsesystemsinUse
systemAuthorizationsforAuditorssystemAuthorizationsforAuditors
ExamplesfromAuditPracticeatSAP
ITAudits
BasicsandSystemConiguration
C|10|10.1
412
shipsstandardproileswithread-onlyaccess.ForconductingITaudits,thistypeof
accessissuicient.Ifaccessisgrantedtopersonaldata,theprovisionsofdatapro-
tection legislation (e.g. the Health Insurance Portability and Accountability Act
(HIPAA)andtheGramm-Leach-BlileyActintheU.S.orthedataprotectionactsof
othercountriessuchastheGermanDataProtectionAct)aswellasworksorcollec-
tivebargainingagreementsmustbeobserved.
AlldataintheSAPsystemismanagedonthebasisoftables.Anyinformation
displayedthatdoesnotrequireinteractiveuserentriesisreferredtoasanABAP
report.Herefollowsalistoftransactions,tables,andreportsrequiredforanSAP
systemaudit.
TransactionsnecessaryforanSAPsystemaudit:
• generaltabledisplay,
• ABAPprogramexecution,
• displayofsystemchangeoptions,
• tablemaintenance,
• displayofdumps(systemterminations),
• displayofupdatetaskterminations,
• displayofjobs,and
• displayofbatchinputsessions.
TablesnecessaryforanSAPsystemaudit:
• clients,
• companycodes,
• businessareas,
• plants,
• storagelocations,
• tableofprohibitedpasswords,
• technicaltabledata,
• technicaldescriptionofallsystems,and
• WBOT:Orderheader.
ABAPreportsnecessaryforanSAPsystemaudit:
• tableanalysisincludinghistoryadministration,
• analysisoftablelogdatabase,
• listofchangedocumentsrelatingtoauthorizations,
• listofsuperuserscreated,
• listofalluserswithcriticalauthorizations,
• listofchangedocumentsrelatingtousers,
• listofchangedocumentsrelatingtoproiles,
• listofchangedocumentsrelatingtoauthorizations,
• historyofsystemchangeoptions,and
• deinitionofbasicsystemparameters.
heirststepinasystemauditistorecordandanalyzethestructureimplemented
intheSAPsystemwithineachliveclient.Tomapthestructure,SAPmakesavail-
abletousersthedataandaccessstructurehierarchyin
necessaryTransactions,Tables,andReports
necessaryTransactions,Tables,andReports
BusinessstructureBusinessstructure
413
• client,
• companycode,
• businessarea,
• plant,and
• storagelocation.
HInTsAndTIPs ;
• AuditorsshouldincludetheAISasasupporttoolinieldworkbecauseitcan
helpimprovetheauditprocessandthusauditquality.
• ITauditorsshouldallowsuicienttimebeforetheaudittoensuretheyhavethe
necessaryauthorizationsforsystemaccess.
• Existing recognized IT audit guidelines (e.g., COBIT®) are useful for audit
executionandshouldbeused.
LInKsAndReFeRenCes e
• DSAG AUDIT WOrkING GrOUP. 1997.FI Audit Guide for SAP-R/3.www.sap.com/
germany/company/revis/pdf/plf-i-e-30d.pdf(accessedMay,312007).
• INSTITUTEOFINTErNALAUDITOrS.2005.Global Technology Audit Guide 1: Infor-
mation Technology Controls.AltamonteSprings,FL:heInstituteofInternalAuditors.
• ITGOvErNANCEINSTITUTE.2007.COBIT ® 4.1.rollingMeadows,IL:ITGover-
nanceInstitute.
• PFLEEGEr,C.,ANDS.L.PFLEEGEr.2003.Security in Computing. 3rded. UpperSad-
dleriver,NJ:PrenticeHall.
• U.S.CONGrESS.1999.Gramm-Leach-Bliley Financial Services Modernation Act. Public
Law No. 106-102, 113 Stat. 1338. WashingtonDC:GovernmentPrintingOice.
• U.S.CONGrESS.1996.Health Insurance Portability and Accountability Act of 1996. Pub-
lic Law 104-191.WashingtonDC:GovernmentPrintingOice.
• U.S.CONGrESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.WashingtonDC:GovernmentPrintingOice.
10.2 SAPWorkbenchOrganizerandTransportSystem
KeyPoInTs •••
• heSAPWorkbenchOrganizerandtheTransportSystem(WBOT)areusedto
registerandfullydocumentallchangestosystemobjects.
• heyalsopreventparallelchangestoasystemobject.
• Possible risks associated with making system changes include the validity of
systemobjects, incorrect settings in thecorrections transport system, system
instability,ormanipulation.
ExamplesfromAuditPracticeatSAP
ITAudits
SAPWorkbenchOrganizerandTransportSystem
C|10|10.2
414
heSAPWorkbenchOrganizer(atoolfortheadministrationofcentralanddecen-
tralized development projects) and the Transport System (WBOT) are used to
registeranddocumentallchangesmadetosystemobjects(developmentobjects).
his includes, for example, elements in theDataDictionary (e.g., tables),ABAP
programs,screentemplates,interfacedeinitions,documentationcomponents,and
application-deined transport and customizing objects. hey are also used to
preventparallelchangestothesamesystemobjectbydiferentdevelopersandto
regulate the transfer and release of development objects between diferent SAP
systemsordiferentclientswithinthesameSAPsystem.
WBOT consists of the Workbench Organizer and Transport System compo-
nents.heWorkbenchOrganizerguaranteesthatthereisonlyoneoriginalobject
foreachexistingsystemobjectwithin(networked)SAPsystems.Changesarenor-
mallyonlymadetothisoriginalobjectandtransferredtootherSAPsystemsviathe
TransportSystem.heWorkbenchOrganizerstoresallchangestoDataDictionary
elementsandABAPprograms.Oldversionscanberestoredandcomparedwiththe
latestversion.heWorkbenchOrganizerisactivatedautomaticallyassoonasauser
attemptstochangeanobject.Userscanonlycreateorchangeobjectsiftheyhave
irstcreatedachangerequestintheWorkbenchOrganizerorareusinganexisting
changerequest.Whileataskisbeingentered,theobjectsareblockedforallother
developerstopreventparallelchanges.heblockisonlyremovedoncetherequest
hasbeenreleased.
Onrelease,thetasksaretransferredtotheTransportSystem,whichistoguar-
anteethatsystemobjectsandcustomizingsettingsaretransportedsafelyandwith
a traceable record.heTransportSystem is system-independent, i.e., the system
objectscanbetransportedbetweenalloperatingsystemssupportedbySAPsys-
tems.Anynecessaryconversionsarecarriedoutautomatically.
Changes to tables and programs cause changes to the system functions. One
controlobjectiveisthereforetheimplementationofprocedureswhichensurethat
onlyapprovedchangesbecomeefectiveandoverall functionality ismaintained.
Anothercontrolobjectiveistodocumentallsystemchangeswithoutexceptionand
thusmakethemretraceable.ChangesmustalwaysbemadeusingWBOT,taking
thefollowingintoaccount:
• Adequatemandatoryrulesmustbeinplaceforplacingorders(e.g.,forthecre-
ationofanABAP),carryingoutchanges,aswellasfortesting,acceptance,and
transferintotheliveenvironment.
• Eachchangemustbedescribedinadequatedetailandformallyapprovedbythe
dataowner.Approvalisrequiredforprogramchangesaswellasfordatatrans-
fers.
• Sincesystemobjectsarenormallyvalidthroughoutthesystem,thetestsystem
mustbeseparatefromthelivesystem.
• WBOTusesablockingmechanismtopreventparallelchangestoanobjectby
severaldevelopers.
WorkbenchorganizerandTransportsystemWorkbenchorganizerandTransportsystem
PurposeoftheWorkbenchorganizer
PurposeoftheWorkbenchorganizer
PurposeoftheTransportsystem
PurposeoftheTransportsystem
FunctionChangesFunctionChanges
415
• WhenusingtheWorkbenchOrganizer,changestosystemobjectsarerecorded
inthehistorybythesystem,i.e.,oldversionsofaprogramcanberecovered,for
example.
• he SAP naming conventions (name range for customer objects) must be
observed in order to avoid problems with future release changes or system
corrections.
• Self-deinedsystemobjectsmustbeadequatelydocumented.
• Acceptanceproceduresshouldfollowthedualcontrolprinciple,i.e.,theyshould
normallybecarriedoutbytheuserdepartment,independentlyoftheprogram-
mer.
• Incaseofprogramchanges,itshouldbeestablished,bycomparingtheresult
withthesourcecode,whethermodiicationsareinfactlimitedtotheprogram
sectiontobeupdated.
• heacceptancetestshouldbeperformedinanSAPsystemthatisseparatefrom
the live environment (quality assurance system), using a customizing that is
similartothelivesystemandasuitabledataset.
• heremustbeanorganizationalassurancethatnosubsequentchangesarepos-
sibleoncechanges/newdevelopmentshavebeenaccepted.
• Acceptanceandtransferintothelivesystemmustbedocumentedinwriting.
• herelevantevidence(e.g.,orderandreleaseform)mustbearchivedinaccor-
dancewiththeapplicablelegalorinternalregulations.
he Workbench Organizer and the Transport System are perfectly coordinated
witheachother.Atthestartofdevelopment,achangerequestandoneorseveral
tasksforallemployeesinvolvedarecreated.hentheafectedobjectsarecreatedor
modiied,andthisisregisteredontherequest.Attheendofthedevelopment,the
developers release their task(s), and thus, by releasing them, export the change
requestandallmodiiedobjectsfromthesourcesystem.heobjectisthentrans-
portedtotherelevanttargetsystematoperatingsystemlevel.Itispossibletocom-
bineseveralchangerequestsintoasingletransportrequest.
Forthepurposesofthecorrectionstransportsystem,theSAPsystemconsistsof
oneormoreSAPsystemsinthesameversionandofthesamedatabasesystem.To
distinguishbetweenthesesystems,SAPusesthefollowingterminology:
• (Special)developmentsystem:Separatedevelopmentofcriticalprojectcompo-
nentsinanisolatedenvironment.
• Integrationsystem:Developmentofnon-criticalapplicationsandsystemtests.
• Consolidationsystem(qualityassurance):Backsupdevelopmentlevelsandacts
asadistributorforsubsequentrecipientsystems.
• recipientsystem(livesystem):Automatictransferofsotwarefromconsolida-
tionsystems.heterm“recipientsystem”coversallofthesystemleveltrans-
ferredtothecustomer.
CoordinationofComponentsCoordinationofComponents
sAPsystemssAPsystems
ExamplesfromAuditPracticeatSAP
ITAudits
SAPWorkbenchOrganizerandTransportSystem
C|10|10.2
416
hecurrentstandardistouseonesystemlandscapewiththreeclients.hefollow-
ingdiagramisagraphicalrepresentationofthesystemlandscapewithtransport
routes:
Development
system
Quality
assurance
Live
system
Consolidation
route Supplyroute
Fig. 27 StandardSystemLandscapeIncludingTransportRoutes
Ifdevelopmentworkisperformedonsystemobjects,onesystemwithseveralcli-
entsfordevelopment,testing,andreleaseisnotsuicient,becausesystemobjects
normallyafectallclientsandanymodiicationscanhaveanimmediateimpacton
thelivesystem.Itmaythereforebenecessarytouseseveralsystems.
hegenerationofatransportrequestleadstothecreationofanauxiliaryileat
operatingsystemlevelwiththerelevanttransportcontent,whichthetransportpro-
gramanalyzeswhentheileisimportedintothetargetsystem.IftheSAPsystems
haveasharedtransportdirectory,atestimportisperformedautomaticallywhen
thetransportrequestsareexportedfromthesourcesystemtothetargetsystem.he
authorsofthetransportrequestarenotiiedofthesuccessorfailureoftheexportor
testimport.Transportlogscanbedisplayedbyusingtheinformationsystem.
Maintenancemayexposethesystemstodiferentrisks.Sincesystemobjectsare
generallyvalidthroughoutthesystem,themodiicationofanABAP,forexample,
mayafectallclientsoftheSAPsysteminquestion.Authorizationstomodifysys-
temobjectsinthelivesystemmustthereforebehandledveryrestrictively(e.g.,no
programmingauthorization).
heSAPsystemconsistsofdiferentchangeablecomponents,whichdependon
eachotherintheoverallschemeofthesystem.Duetothiscomplexity,improper
changesmayinsomecasesleadtouncertaintyandinstability,forexample:
• Errorscannotbedetectedimmediately.
• Dataisnotprocessed,processedincompletely,orprocessingisduplicated.
• herequiredavailabilityofsystemfunctionsisnotalwaysguaranteed.
• herearedelaysintheexecutionoffunctions(processlowreliability).
• Itmaynolongerbepossibletoexecutecontrols,whicharethusrenderedinef-
fective.
hismakesthesystemunreliable.Itisclearthatthisbearssigniicantrisks.
Uncontrolledchangescanleadtoprocessingerrors,whichcouldbemisused.If
adequatecontrolmechanismsarenotinplace,thereisapossibilityinprinciplethat
datawillbefurthermanipulated.
systemLandscapesystemLandscape
executionofTransportsexecutionofTransports
Validityofdevelopmentobjects
Validityofdevelopmentobjects
InstabilityInstability
ManipulationManipulation
417
During ieldwork on program maintenance procedures, auditors must irst
reviewtheoveralllistofuser-deinedsystemobjectsandallrelevantcorrections/
repairsperformedonSAPobjects.Inthiscontextitisimportantthataclearde-
scriptionoftheirfunctionisavailable.henthesystemisrecordedand,ifrequired
fortheaudit,thesystemmaintenanceandreleaseprocedureisdocumented.
he above SAP system requirements form the basis for auditing the concept
recorded.Inaddition,ageneraltestisperformedwithregardtotheobjectivesand
risksformulatedabove,payingparticularattentiontoanadequatesegregationof
functionsduringdevelopment,release,andtransport.
Compliancewiththeconceptistestedonthebasisofasampleofdevelopment
requestsandassociatedtestandrelease logs.hesetestsareperformedbothtop
down(i.e.,goingfromchangerequesttosystemobject intheliveenvironment),
andbottomup.
Onthesystem,theauditorsmusttestthesettingsforWBOTandsystemchange
options.Auditorsalsohavetoexaminehowtheappliedmethodfortheorganiza-
tion’schangeprocedureswasdetermined,andhowtheusersauthorizedtocreate
andreleaseatransportrequestaredeterminedinthecaseofcorrectionsandre-
pairs.
Developmentmustneverbecarriedoutinthelivesystem,butmustrunthrough
atransportsystem.Tableanalysisisusedtotestwhetherprogramshavebeencre-
atedinthelivesystem.
Othertestproceduresincludedeterminingtheuserswhocanperformimports
intothelivesystem,establishingwhatrulesareappliedtotheuseofthecorrection
andtransportsystem,checkingastowhethertheserulesarefollowed,andtesting
formanualinterventionintables.
Changestocustomizingsettingsmadeinthetestordevelopmentsystemand
transportedtothelivesystemwithWBOTareonlyloggedinthetestsystem.Ifthe
auditors need to trace any such changes, they should consult the change logs
there.
he SAP system has two distinct areas of system changes: irstly, the ABAP
Workbenchandcustomizingacrossallclients,andsecondly,client-basedcustom-
izing.Changeoptionscanbesetforeitherarea.ModiicationstotheABAPWork-
benchandcustomizingacrossallclientsareregulatedthroughglobalsystemchange
options.
Inthelivesystem,thesettingshouldbe“Globalsetting:Nochangespossible.”In
thetableitcanbespeciiedwhichobjectscanbechanged.hatway,itcanbeen-
suredthatnewobjectsandobjectchangescanonlygetintothelivesystemthrough
thetransportsystem.Inemergencies(e.g.,serioussystemerrors),thissettingcan
bechangedtemporarily.Suchemergenciesmustbehandledbywayofastandard-
ized,documentedprocedure,replicatedinthedevelopmentsystem,andtransported
tothelivesystemthroughthetransportsystem.
RecordingthesystemRecordingthesystem
TestingtheConceptTestingtheConcept
CompliancewiththeConceptCompliancewiththeConcept
FieldworkonthesystemFieldworkonthesystem
nodevelopmentdirectlyintheLivesystem
nodevelopmentdirectlyintheLivesystem
otherTestProceduresotherTestProcedures
ChangestoCustomizingsettingsChangestoCustomizingsettings
systemChangeoptionssystemChangeoptions
TablesettingsTablesettings
ExamplesfromAuditPracticeatSAP
ITAudits
SAPWorkbenchOrganizerandTransportSystem
C|10|10.2
418
HInTsAndTIPs ;
• ITauditorscanusetheAIStotestsystemsettings.
• Beforestartingatestofthesystemsettings,auditorsshouldobtainanoverview
of the system landscape by asking the IT manager responsible for a detailed
technicalsystemdescription.heyshouldmakesurethatthedescriptionrefers
tothesystemscurrentlyused.
LInKsAndReFeRenCes e
• SAPonlinedocumentationofWorkbenchOrganizerandTransportSystem.
10.3 TableAccessandLogs
KeyPoInTs •••
• heobjectiveofthetablechangeprocedureintheSAPsystemistoensurethat
thetablesettingsarecorrectandallchangesaretraceable.
• Allrelevantchangestotablecontentmustbelogged.
• Anauthorizationconceptmustbeinplacewhosefunctionsincluderegulating
whichuserIDsareauthorizedfortablemaintenance.
• Tablemaintenanceauditobjectsincludethetestandreleaseprocedure,there-
sponsibilitiesandtheauthorizationsystemfortablechanges,andthesettingsof
thetableloggingprocedure.
Atableisatwo-dimensionalmatrixthatdescribesarelationshipinthedatabase
system.Itconsistsofaheader,whichdeinestheields(attributes),andavariable
numberofsimilarlystructuredrows,whichcontainthedatavalues(datarecords).
Adatarecordisdividedintoaprimarykeyandafunctionalpart.heprimarykey
uniquelyidentiiesthedatarecordswithinatable.Itcanbecomposedofseveral
attributes.
hefollowingdiferenttypesoftablescanbedistinguished:
• tableswithsystemcontroldata,
• tableswithbasicbusinessdata,
• tableswithcompanystructuredata,and
• tablesforapplicationdata.
Tableswithsystemcontroldataareintendedtoenablecompany-speciicadapta-
tionstostandardsotwarewithoutmodifyingtheprograms.heycontainvariable
parametersfor:
• lowcontrolsystems(e.g.,accountassignment),
• logictests(e.g.,onlycertainvalueentriespermitted),
• calculationroutines(e.g.,calculationofvalueaddedtax),
deinitionofaTabledeinitionofaTable
TypesofTablesTypesofTables
TableswithsystemControldata
TableswithsystemControldata
419
• automaticallygeneratedevents(e.g.,postingofcashdiscountincome),and
• screenmodiications(e.g.,mandatoryentryintoaield).
heobjectiveofthetablechangeprocedureistoensurethatthetablesettingsare
correctandallchangesaretraceable.heterm“changes”inthisinstancerefersto
changestotablecontentintableswithsystemcontroldataofthefollowingdelivery
classes:
• C–customizingtable:userorganizationmaintenanceonly,noSAPimport.
• G–customizingtable:userspermittedtoinsertonly.
• E–systemcontroltable:SAPanduserorganizationhavetheirownkeys.
• S–systemtable:SAPmaintenanceonly,change=modiication.
• W–customer’ssystemtable.
ChangestotablestructuresaremadeunderthecontroloftheWorkbenchOrga-
nizerandtheTransportSystem.
Fromanauditingperspective,tablesmustmeetcertainrequirements.All(rele-
vant)changestotablecontent(datarecords)mustbelogged.Inaddition,changes
tothestructure,i.e.,changesintheDataDictionary(datadirectory)causedbycor-
rectionsorrepairsmustbeupdated.Logsfor“critical”tables,e.g.,thosethatcontrol
thevolumeandvaluelow,suchasaccountassignmentandvaluation,shouldbe
testedonasamplebasis.Itmustbepossibletomaketablechangesreadablewithin
areasonableperiodoftime.helegalretentionperiodforevidenceoftablechanges
should be identiied for each relevant geographic region (e.g. ten years for Ger-
many).
Anauthorizationconceptmustbeinplacewhosefunctionsincluderegulating
which user IDs are authorized for table maintenance. SAP has created a default
portfolioofauthorizationgroupsandassignedtablesandviewstotherelevantau-
thorization groups. he authorization groups are in turn stored in tables. Table
maintenancerequiresthefollowingauthorizations:
• authorization for the authorization group of the table and the “table mainte-
nance”action,and
• globalauthorizationforclient-independenttables.
heglobalauthorizationtestappliestoalltablesofdeliveryclassesC(customiz-
ing),G(customertableswithSAPentries),andE(systemtablesthatthecustomer
can change). his global authorization is always necessary because changes to
aclient-independenttablecanimpactotherclientsenteredinthesystem.
Toreducedependenceontheknowledgeofindividualpersonsandtoincrease
thesecurityofacorrecttablesetting,work/organizationinstructionsshouldexist
forcriticaltables,withinformationlike:
• namingconventions,
• occasionandreasonforatablechange,and
• consequencesofatablechange.
requestforchangestocriticaltablesmustbesubjecttothereleaseprocedureand
performed by using the correction and transport system. It must be possible to
provideevidencethatatablechangehasbeenmade.
TableChangeTableChange
LoggingLogging
AccessProtectionAccessProtection
Work/organizationInstructionsWork/organizationInstructions
ExamplesfromAuditPracticeatSAP
ITAudits
TableAccessandLogs
C|10|10.3
420
hehigh levelof integrationof theSAPsystemcan leadtounintendedside-
efects (e.g., in other modules) when table changes are made. For this reason,
a mandatory procedure should be in place to ensure that information is sent to
anyoneafectedbyachangeto“critical”tables.
he installationofa systemshould follow the implementationguidebecause
thisensuresthatallsystemset-upworkisfullycompleted.Possiblewaysofaccess-
ingthetablefortableentries:
• implementationguide,
• customizingmenus,
• directtablemaintenance,
• correctionandtransportsystem,and
• ABAP.
Changes to table content must be logged. Technically, this requirement must be
implementedbymeansoftwosystemsettings:
• Forrelevanttables,the“tablelogging”ieldmustbeactivatedintheDataDic-
tionary(technicalsetting).
• In the SAP start proile, the “rec/client” parameter must be initialized to the
client(s)tobelogged.
hestartparameterscanbeanalyzedwiththerSPArAMreport.
TablechangescanbeanalyzedwithspecialABAPreports.Importanttablesin
inancialaccountinginclude:
• clients,
• companycodesandcompanycodecontrol,
• documenttypesandtexts,
• chartsofaccounts,
• taxcodes,
• blockingreasonsforautomatedpayments,
• housebanks,
• ixedaccounttable,
• accountassignment,
• paymenttransactions,
• foreigncurrencyvaluationmethods,
• changedreconciliationaccounts,
• specialgeneralledgeraccounts,
• accountgroups,
• tolerancelimitsforinvoiceveriication,
• documentchangerules,
• foreignexchangerates,and
• customertables.
Changes, through corrections or repairs, to table structures entered in the Data
Dictionaryaremadeunderthecontrolofthecorrectionandtransportsystem(if
securingtheInformationFlow
securingtheInformationFlow
TableAccessTableAccess
systemsettingsforLogging
systemsettingsforLogging
AnalysisofTableChanges
AnalysisofTableChanges
ChangestoTablestructures
ChangestoTablestructures
421
activated).hesystemkeepsahistory, so thatmodiicationsof thiskindcanbe
traced.
Since the tables in the SAP system have a central control function, there are
obviousrisksassociatedwithaninadequateprocedureforchangingtablecontent:
• hereisariskofincorrectsettings.
• Changesmadetoatablecanhaveunintendedsideefectselsewhere.
• heintegrityofthedatasetandthefunctionalitymaybeviolated.Authoriza-
tionsdeined in the tablescouldbechanged.here isariskofnon-traceable
systemchanges.
• Changedocumentscouldbedeletedwithoutarchiving.
Otherspecialrisksinclude:
• “rec/client”parameternotinitialized,
• incorrecttableentries,
• importanttablesnotlogged,
• systemsettingsoftheupstreamsystem(feedersystemtothelivesystemfrom
whereobjectsareenteredthroughthetransportsystem),and
• copyfunctionsbetweenclients,whichoverwritetablesettingswithoutupdating
thehistory.
hefollowingtestproceduresarenecessaryfortableaccessandlogging:
• Determinetheprocedureforchangingtables.
• Evaluatetheprocedureonthebasisoftherequirementslistedabove.
• Testcompliancewiththerequirementsonthebasisofsamples.
Othertestsincludeestablishingtheextentofarchiving(beforedeletion)andmoni-
toringthechangefrequencyofimportanttables.
Auditobjectsinclude:
• testandreleaseprocedure,
• responsibilitiesandauthorizationsystemfortablechanges,and
• systemsettings for table logging,especially the technical settings in theData
DictionaryandtheSAPstartproile.
hesettingsinthetablesmustalsobeexamined.hechangedocumentswillshow
whetherchangesweremadetothelevelofrecordingduringtheperiodunderre-
view.
HInTsAndTIPs ;
• Togetaninitialoverviewoftablelogging,testthe“rec/client”parameter.
• In the SAP system, documentation on each table is available in report rSS-
DOCTB.hedocumentationincludesthestructureandtheielddescriptions.
RisksRisks
necessaryTestProceduresnecessaryTestProcedures
AuditobjectsAuditobjects
ExamplesfromAuditPracticeatSAP
ITAudits
TableAccessandLogs
C|10|10.3
422
LInKsAndReFeRenCes e
• AuditGuidelinesforSAPsystems.www.sap.com/germany/company/revis/infomaterial/
index.epx(accessedMay31,2007).
• SAPonlinedocumentation.
10.4 UserAdministration
KeyPoInTs •••
• Anaccessprotection system that canbeused togrant individual authoriza-
tionsensuresthatonlyauthorizedpersonsgetaccesstothesystemandspeciic
data.
• AssessingtheprocedureforassigningauthorizationsmaybeincludedinanIT
audit.
• To improve security, maintenance and activation of authorizations are segre-
gatedinthesystem.
• Passwordsmustconformtothesyntaxprescribedbythesystem.
• herearestandarduserswithpredeinedrightsintheSAPsystems.hehan-
dlingofthesestandardusersisalsoanobjectofanITaudit.
Anaccessprotectionsystemwiththeoptionofgrantingindividualauthorizations
hasfourmainobjectives:
• toprotectconidentialdatafromunauthorizedaccess,
• toprotectdatafromunauthorized(includingaccidental)changesordeletion,
• tocreatesystemtransparencytotheextentthatitispossibletotracewhohad
whichauthorizationsatwhattime,and
• toensurethatapplicationscanbeaudited.
hesepreventivecontrolmeasuresintheinternalcontrolsystemareintendedto
prevent breach of the legal prohibition on amendment of entries and guarantee
traceabilityinordertomakesurethatnounauthorized,incompleteandincorrect
datagetsintothesystem,orthatdataisassignedtothewrongperiodortransaction
inthesystem.
Accessprotectionmustensurethatonlyauthorizedpersonsgainaccesstothe
systemandspeciicdata.Itmustbepossibletohidethenecessarykeys(passwords)
duringentry.hesystemshouldensurethat:
• onlypasswordsofaspeciiedminimumlengthareaccepted,
• itisimpossibletousecharactersequencesthatareeasytoguess,
• passwordscanbecreatedandchangedonlybytheuser,
• mandatorypasswordchangesaretriggeredatdeinableintervals,and
• passwordsarekeptsecretfromanyoneexcepttheuser.
AccessProtectionsystem
AccessProtectionsystem
RequirementsonanAccessProtection
system
RequirementsonanAccessProtection
system
423
heauthorizationconceptmustmakeitpossibletorestricttherightsofusersto
those activities and accesses in the system that they absolutely need within the
boundsoftheirpositionandresponsibilityinthecompany(minimalauthorization
policy).hismeansthatitshouldbepossibletoimplementthemostdetailedde-
greewithregardto:
• thetypeofdataaccess(read,create,edit,delete),
• programs,
• dataandiles,and
• functions(menus,menulines),
whileusinganycombinationoftheselevelsasfaraspossible.
SincethecomplianceoftheSAPauthorizationconceptisinluencedtoasig-
niicant degree by the procedure for assigning authorizations, the assignment
procedureisalsoincludedinanITaudit.hisprocedureshouldbedocumentedin
organizationalterms,wellstructured,andtraceable.Compliancewiththeprocedure
shouldbemonitored.Finally,itmustbeensuredthatusermasterrecords,authori-
zations,andproilesarenewlycreated,edited,ordeletedinthequalityassurance
(test)systemandthentransferredtotheliveenvironmentthroughthecorrection
andtransportsystem.
Bygrantingauthorizations,itcanbedeinedwhichbusinessobjectsthecompa-
ny’semployeesmayeditandwhateditingfunctionsarepermittedinthisregard.
heauthorizationconceptallowsgrantingandcontrollinguseraccesstotheSAP
systemaccuratelyandlexibly.Inlinewiththisconcept,ausercanbegivendifer-
entauthorizationsfordiferentcompanycodes,forexampleeditaccessincompany
code01andreadonlyaccessincompanycode02.heauthorizationconceptalso
includessecuritymeasures,whichrestrictunauthorizedlogonorunwarrantedin-
terferencewithusermasterrecords,proiles,andauthorizations.
headministrationofusermasterrecordsandauthorizationsintheSAPsystem
isorganizedasfollows.Usermasterrecordsandauthorizationcomponentsarede-
pendentonclients,whichmeansthatseparateusermasterrecordsandauthoriza-
tioncomponentsmustbemaintainedforeachclientintheSAPsystem.heprotec-
tion of objects (e.g., data, tables, etc.) is described by authorizations or global
authorizationsassignedtotheobjectstobeprotected,similartolocksittedtodoors.
hey contain values for ields deined in an associated authorization object. he
usersaregivenauthorizationproiles,similartokeys,and/orglobalauthorization
proiles,similartobunchesofkeys,whichareenteredintheirusermasterrecords.
hecheckastowhetherauser’sauthorizationproilematchesanauthorization,i.e.,
whetherakeyitsalock,isperformedeitherindialogmodeduringruntimeorifthe
keyword“AUTHOrITYCHECk”appearsinanABAP,forexample.
Maintenanceandactivationofproilesandauthorizationsaresegregatedinthe
systemtoimprovesecurity.Onlytheactiveversionofaproileorauthorizationis
efectiveinthesystem.Aperson’smaintenanceauthorizationcanberestrictedto
certainusers,proiles,andobjects.
MinimalAuthorizationPolicyMinimalAuthorizationPolicy
AssignmentProceduresforAuthorizationsAssignmentProceduresforAuthorizations
AuthorizationConceptinthesAPsystemAuthorizationConceptinthesAPsystem
AdministrationofUserMasterRecordsandAuthorizationsinthesAPsystem
AdministrationofUserMasterRecordsandAuthorizationsinthesAPsystem
segregationofMaintenanceandActivation
segregationofMaintenanceandActivation
ExamplesfromAuditPracticeatSAP
ITAudits
UserAdministration
C|10|10.4
424
Securitychecksmusttakethefollowinglevelsintoaccount:
• PClevel,
• networklevel,
• operatingsystemlevel,and
• databaselevel.
heremainderoftheauditisconductedontheSAPapplicationlevel.
hehighlexibilityoftheSAPauthorizationanduseradministrationconcept
canleadtosecurityrisksifusedimproperly.Itispossibletoinluenceworkpro-
cessesand/oraccountentrytasks.Forexample,therecordingofchangedocuments
(masterdata,documents,controltables)couldbefullyorpartiallysuppressed,or
theauthoritycheckinprogramscouldberemoved.
SAPshipslargevolumesofwhatareknownasstandardproilestailoredtodi-
verseoperational functions.Duetothecomplexityof theauthorizationconcept,
manyusersimplementtheseproilesunchanged,whichmayexposethemtocer-
tainrisks:
• hestandardproilesdonotsuicientlycoveroperationalrequirements.
• Ifthestandardproilesareadaptedtooperationalrequirements,thismaygive
risetonewrisks(e.g.,byexpandingtheauthorizationsgranted).
• IftheSAPnamesoftheproilesareretained,eventhoughtheproileshavebeen
changed (e.g., by granting additional authorizations), the ability to audit the
proilesmaybeatrisk.
heaboveexampleshowsthatthesecurity,andultimatelythecompliance,ofthe
entiresystemdirectlydependsontheauthorizationsassigned.heassignmentof
authorizationsthereforerequiresparticularattention.Beforeauditingtheprocess-
ing results, the auditors irst must test the user authorizations to ensure that
processingresultsarebasedonauthorizedroutinesandentries.
hefollowingorganizationalandsystembasedieldworkactivitiesaresignii-
cantwithregardtouseradministration:
• Obtain information about the organization of user authorization assignment
(application and approval procedure, segregation of duties) and internal in-
structionsputinplaceforthispurpose.
• Clarifywhethertherearewritteninstructionsonissuingandchanginguserau-
thorizations.
• verifythatorganizationalmeasuresareinplacetoensurethat,whenemploy-
eesleavethecompany,theiruserauthorizationsarecancelledandtestwhether
thesemeasuresareutilized.
• Test whether new user authorizations or changes and deletions must be ap-
provedbyanemployeeincharge.
• Examinewhethercontrolproceduresareappliedbytheuserdepartmentsre-
sponsible when a new user master record is created or when a user's access
rightsarechanged.
Upstreamsecuritysystems
Upstreamsecuritysystems
PossiblesecurityRisksPossiblesecurityRisks
RisksofstandardProiles
RisksofstandardProiles
ImportanceofAssigningAuthorizations
ImportanceofAssigningAuthorizations
FieldworkActivitiesRegardingUserAdministration
FieldworkActivitiesRegardingUserAdministration
425
• Testwhetheruseraccessrightsarechangedbyasystemprocedure:
– whentheusers’responsibilitiesinthecompanychangeandtheirusermas-
terrecordshavetobechangedasaresult(riskofmultipleaccessrights if
responsibilitiesinthecompanychangefrequently),
– whenemployeesleavethecompany.
• Testonasamplebasiswhethertheauthorizationproilesofemployeesmatch
theirjobtasks.
• Testonasamplebasiswhethertheauthorizationsactuallygrantedmatchthe
authorizationsapproved.
• Testwhetherproilesandauthorizationsarechangedbyacompulsoryproce-
durewhenanauthorizationobjectischanged.Anauthorizationobjectconsists
ofuptotenauthorizationields,whicharecheckedduringanANDoperation,
testingwhetherauserispermittedtoperformaspeciicaction.
• Test whether changes within the user authorization concept are documented
andthecorrespondingdocumentsareretainedforatleastaslongasthelegal
retentionperiod.
hereare standarduserswithpredeinedrights in theSAPsystem(superusers).
heinitialpasswordsforthesetypesofusersaregenerallyknownandshouldbe
changedatereachinstallationandatereachclientcopy.
Fieldworkactivitiesrequiredinthisregardinclude:
• Testwhethernewlogonisnecessaryatertheuserhasbeeninactiveforawhile
(systemparametersorexternalsecuritysotware).
• EnsurethatallauthorizationsofthegeneralSAPuserhavebeencanceledand
transferredtoasecretemergencyuser.
• EnsurethatthestandardpasswordoftheDDIC(datadictionary)user,whichis
normallynecessaryforinstallationandmaintenancework,hasbeenchangedin
theactiveclients.
• EnsurethatthecomprehensiveauthorizationsinDDICaremadeavailableonly
temporarily.
• CriticallyexaminetheauthorizationsofITemployees,whoshouldbegranted
editaccesstodataonlyinexceptionalcircumstances.
A special user with comprehensive system authorizations should be deined for
emergencies.Anyactivitybythisusermustbeloggedinatraceableway,observing
thedualcontrolprinciple.
Ariskofmanipulationexistswhenunauthorizedaccessismadetothoseuser
masterrecords theownersofwhichhavenever loggedonto thesystemandfor
whichnopasswordchangehasbeenenforcedyet.Insuchcases, it ispossibleto
manipulatedataunderafalsename.Inthiscontext,theauditorsshouldexamine
whetherasettinghasbeenspeciiedinthesystemthatrequiresthestandardpass-
wordtobechangedwithinacertainnumberofdaysandblockstheuserifithasnot
beenchanged(alsopossibleforanyotherpassword).
AnalysisofsuperusersAnalysisofsuperusers
otherFieldworkActivitiesotherFieldworkActivities
specialUsersspecialUsers
ManipulationRiskManipulationRisk
ExamplesfromAuditPracticeatSAP
ITAudits
UserAdministration
C|10|10.4
426
HInTsAndTIPs ;
• Fromanauditingperspective,ITauditorsshouldpayparticularattentiontothe
existenceofacentraluseradministration.Aboveall,theyshouldtesttheorga-
nizationalandsystem-basedinternalcontrols.
• heuseofspecialauditingsotwareprovidedbyothervendorsfortheSAPsys-
temmaybeefectivewhenauditingcomplexauthorizationcombinations.
LInKsAndReFeRenCes e
• AuditGuidelinesforSAPsystems.www.sap.com/germany/company/revis/infomaterial/
index.epx(accessedMay31,2007).
• INSTITUTEOFINTErNALAUDITOrS.2005.Global Technology Audit Guide 1: Infor-
mation Technology Controls.AltamonteSprings,FL:heInstituteofInternalAuditors.
• IT GOvErNANCE INSTITUTE. 2007. COBIT 4.1. rolling Meadows, IL: IT Gover-
nanceInstitute.
• PFLEEGEr,C.,ANDS.L.PFLEEGEr.2003.Security in Computing.3rded.UpperSad-
dleriver,NJ:PrenticeHall.
• SAPonlinedocumentation.
10.5 Batch-InputInterfacesandBackgroundProcessing
KeyPoInTs •••
• Batch input isnormallyused to importdata fromexternal systems intoSAP
systems,ortotransferdatabetweenSAPsystems.
• he objectives of the job-order process are to protect company and personal
data,tomaintaintheintegrityofdataandfunctions,andtoprotectresources.
BatchinputisnormallyusedtoimportdatafromexternalsystemsintoSAPsys-
tems,ortotransferdatabetweenSAPsystems.hesourcesystemusesatransfer
interfaceforthedatatransfer,whichisprovidedbyanSAPapplicationinthetarget
system. he interface program of the application then generates a batch-input
session.
Abatch-inputsessionconsistsofseveraltransactioncalls,towhichaprogram
hasaddeduserdata.Normally, thesystemexecutes thetransactions inasession
withoutanyfurtheruserintervention.hisallowstoimportalargevolumeofdata
into theSAPsystemwithinaveryshortperiodof time.Asessionsimulates the
onlineentryoftransactioncodesanddata,generallyusingthesameproceduresas
indialogmode.hedataenteredinthescreenieldsthroughasessionaresubject
tothesameconsistencychecksasdataenteredindialogmode.Batch-inputpro-
cessing is called with certain transactions. Batch-input sessions are usually not
Batch-InputinsAPsystems
Batch-InputinsAPsystems
Batch-InputsessionBatch-Inputsession
427
startedinteractively.Atregularintervalsabackgroundjobstartssessionsthathave
notyetrun.Sessionsarenormallyprocessedinteractivelyonlyfortestingandcor-
rectionpurposes.
helegalframework,whichrequiresdatatoberecorded,stored,andprocessed
fully,accurately,andinatimelyandstructuredmannerandwhichstipulatesthat
thedatamustnotbefalsiiedincaseofchanges,alsocallsforcontrolsinthebatch-
inputprocess.heprerequisites for thecreationof efectivecontrols include the
organization of worklows, the segregation of incompatible functions, as well as
controlmeasuresandbodies.
henatureandextentoftheITorganizationanditsworklowshaveasigniicant
impact on the efectiveness of the internal control system. Such a system must
achieveacompulsorysequenceofprocesses,andanydeviationfromthissequence
shouldproduceanerrorthatmustbenoticedbyacontrolunit.Anefectiveinter-
nal control system involves the segregation of duties, which should distinguish
betweenplanning,executing,andmonitoringfunctions.
Generally, batch-input sessions are subject to the usual user authorization
checksperformedbythesystem.Whenasessionisprocessedonline,theauthoriza-
tionsoftheprocessinguserapply.
herearethreeprocessingtypestochoosefrom:
• Invisibleprocessing:Underthisprocessingtype,asessionisprocessedimmedi-
ately.
• visibleprocessing:Incorrecttransactionscanbecorrectedinteractivelyandany
transactionsnotyetexecutedcanbeprocessedsuccessively.
• Displayerrorsonly:hisprocessingtypeissimilartothe“visibleprocessing”type,
exceptthaterror-freetransactionsnotyetexecuteddonotruninteractively.
AsessioncontainsanerrorifitcausesatypeE(error)ortypeT(termination)er-
rormessage.Othermessagesareignoredandhavenoimpactontheprocessingof
asession.
Foreachbatch-inputsession,thereisalogthatcanbedisplayedinthesystem.
Itcontainsallerrormessagesrelatingtosessiontransactions.helogalsoshows
batch-input error messages relating to problems with the processing of transac-
tions, includingtherelevanttransactioncodeandthescreenonwhichtheerror
occurred.Inaddition,thelogcontainsoverallsessionprocessingstatistics.Alogfor
abatch-inputsessionwillexistonlyoncethissessionhasbeenprocessedaccording
tooneoftheabovethreetypes.Whenasessionisprocessed,theerror-freetransac-
tionsareentered,andmarkedasprocessedinthesession.Transactionswitherrors
arenotentered,andmarkedasincorrect.Ifasessioncontainsincorrecttransactions,
it can be processed more than once, with each repeat only reprocessing those
transactionsmarkedasincorrect.Foreachprocessingrun,theSAPsystemgenerates
asessionlog,whichoverwritestheexistinglog.helogcontainsonlythosemessages
that occurred during the last processing. Apart from error messages, posting
messagesarealso logged.hereisat leastonemessageforeachtransactionpro-
cessed.
RequirementsontheBatch-InputProcessRequirementsontheBatch-InputProcess
InternalControlsystemInternalControlsystem
AuthorizationsAuthorizations
ProcessingTypesProcessingTypes
LogsLogs
ExamplesfromAuditPracticeatSAP
ITAudits
Batch-InputInterfacesandBackgroundProcessing
C|10|10.5
428
InthecaseoffeedersystemsthatareindependentofSAP,thereisariskthat
plausibilitychecksareusedthatdiferfromtheSAPtables.hiscanafectmaster
andtransactiondata.Ifsessionnamesarenotplausibilitychecked,itispossiblethat
authorizedpersons start, correct,ordelete (dependingon theauthorizationsas-
signed)theprocessingofbatch-inputsessionsofotherdepartments.
heanalysisofthereadoutofthebatch-inputsessionsprovidesanoverviewof
allsessionsstoredinthesystem.heentriesinthe“incorrect”registerareofinter-
esttoauditors.
Auditorsshouldaskthefollowingquestionsonthebasisofthecontrolrequire-
ments:
• Isthereanoverviewofallbatch-inputinterfaceswithSAPsotware,specifying
detailssuchasissuingapplicationarea,datacontent,ilename,period,session
name,processingjob,relevanttables,reconciliationgroup,andresponsibility?
• Whichusersareallowedtocreate,start,correct,ordeletesessions?
• Isthereanoverviewofwhichsessionnamesarereservedforwhichdepartment
(transactionSM35)?
• Whocoordinatesthepostingdataoftheprocessedsessions?
• Whochecksthatthedatafromfeedersystemsisimportedfully,correctly,and
inatimelymanner?
• Areinternalcontrolsinplacebetweenfeedersystemsandongoingprocessing?
Jobsaresequencesofprogramsthatregularlyrunoneatertheotherinthesystem.
hejob-orderprocesshasthefollowingmainobjectives:
• toprotectcompanyandpersonaldata,
• toensuretheintegrityofdataandfunctions,and
• toprotectresources.
heobjectivesofthejobdocumentationare:
• toensuresmoothprocessing,
• toachieveindependencefromthedetailedknowledgeofspeciicpersons,and
• toensure that the IT-technicalprocessingcanbecheckedbyanexpert third
partywithinareasonableperiodoftime.
Joblogsarenecessarytoprovideevidenceofcompliantprocessing,i.e.,compliance
withthejob-orderprocessinparticular.
he job-order process must always contain clearly deined processes and re-
sponsibilitiesforassigningorders,execution,postprocessing,andoutputdistribu-
tion.Sinceauserdepartmentcangenerateandstartalargenumberofjobsinthe
SAP system, the relevant process documentation in the respective department’s
applicationmanualisnormallysuicient.
WhenjobsaregeneratedbyanSAPsystem,thedocumentationisautomatically
generatedatthesametime.Whenuserscreatetheirownjobs(nativejobgenera-
tion, e.g., sessions), they must also create the necessary documentation. he
RisksRisks
AnalysisofthedisplayAnalysisofthedisplay
AuditobjectsAuditobjects
Job-orderProcessJob-orderProcess
JobdocumentationandLogs
JobdocumentationandLogs
RequirementsontheJob-orderProcess
RequirementsontheJob-orderProcess
RequirementsontheJobdocumentation
RequirementsontheJobdocumentation
429
retentionperiodforjobdocumentationdependsontheapplicablelegalretention
periodsforeachrelevantgeographicregion.
Joblogshavetoprovideevidenceastowhenwhichjobwasprocessedwithwhat
parameters.hejoblogsgeneratedinthesystemmustbespeciallyprotected,and
insensitiveareastheremustbeseparatereportingonthebasisofthesystemlogs.
Ingeneral,aspeciicjob(e.g.,dunningrun)isautomaticallygeneratedbythe
systemonthebasisofajob-speciicusercommand.Accesstoajobgenerationcom-
mandcanbeprotectedaspartofthegeneralauthorizationconcept.Ajobcancon-
sistofseveralsteps.herearetwodiferenttypesofjobs:One-timejobs,whichare
tobeexecutedimmediatelyoraccordingtoaschedule,andperiodicjobs.Ajobis
startedbythesystemwhenadeinedeventhasoccurred(e.g.,apointintimeorthe
endofanotherjob).hisallowsbuildingjobnetworks.Ajobisinexactlyoneofthe
followingstates:scheduled,released,ready,active,completed,orterminated.
hefollowinglogsareavailableassystemlogsinanSAPsystem:
• joblogs,
• systemlogs,
• databaselogs,
• operatingsystemlogs,and
• workloadlogs.
hefollowingrisksmustbeconsidered:
• unauthorized(read)accesstocompanyandpersonaldata,
• unauthorized,uncontrolled,undetectedchangestodataandprograms,
• highloadonresourcesasaresultofinappropriateprogramconiguration,
• usererror,especiallyinexceptionalcircumstances(errorhandling),and
• dependenceontheknowledgeofindividuals.
Duringtheaudit, thecurrentstatusof theproceduresmustberecorded.Tothis
end,theauditorsmustrecordanddocument(totheextentnecessaryfortheaudit)
thedesiredrequirementsforjob-orderprocesses,jobdocumentation,andthecre-
ation and handling of system logs. When auditing the procedural concepts, the
desired requirements recorded earlier are to be examined on the basis of the
requirementsandrisksdiscussedinthischapter.Compliancewiththedesiredre-
quirements is testedbyreviewingthedocumentsandanalyzingthe logilesand
logs.
HInTsAndTIPs ;
• Whenauditingbatch-inputsessions,auditorsshouldalsochecktheexistenceof
processinstructions.
• Totestwhoispermittedtodeletebatch-inputsessions,auditorsshouldcheck
therelevantauthorizations.
systemLogssystemLogs
JobsinthesAPsystemJobsinthesAPsystem
systemLogsinthesAPsystemsystemLogsinthesAPsystem
RisksRisks
FieldworkActivitiesFieldworkActivities
ExamplesfromAuditPracticeatSAP
ITAudits
Batch-InputInterfacesandBackgroundProcessing
C|10|10.5
LInKsAndReFeRenCes e
• AuditGuidelinesforSAPsystems.www.sap.com/germany/company/revis/infomaterial/
index.epx(accessedMay31,2007).
• SAPonlinedocumentation.
432
1 DocumentationinInternalAudit1.1 Basics of Documentation
1.1.1 Objectives, Requirements, Sources, and Responsibilities
KeyPoInts •••
• Documentationisakeyelementofeachaudit.
• Importantobjectivesofdocumentationincludeprovidingevidencethattheau-
ditworkiscompliant,ensuringreadinesstogiveinformation,andpresenting
theaudithistoryacrossauditcycles.
• hisresultsinanumberofdiferenttasks,includingensuringthecompleteness
oftheinformation,thetraceabilityoftheindingsandrecommendations,and
providingasafeguardingfunction.
• heauditleadhastoassessandtakeadequateaccountofthediferentsourcesof
informationandhowbalancedtheyare.
heconceptofauditingisinseparablefromdocumentationthatisfocusedandac-
curate.Documentationisoneofmanyprocessesaccompanyingauditwork,andits
mainobjectiveistolayoutinwritingallactivitiesandfactsrelatingtoanaudit.It
isonekeytothesuccessofeveryaudit.Clearandcomprehensivedocumentationis
particularlyimportantforauditcompliance.Documentationmakesauditworkit-
selfauditable.
DocumentationinInternalAudithasthreemainobjectives:
• Itsirstobjectiveistoprovidedetaileddescriptionsofalltheoperationalaudit
processesandprocesssteps,asoutlinedintheAuditRoadmap(seeSectionB).
ItdocumentsthatthestructureofInternalAuditiscompliantinrelationtopro-
cessesandtheirassociatedinternalcontrols.Forthisreason,allrelevantprocess
steps,internalcontrols,and(ifappropriate)theirlinkswithinancialreporting
mustberecorded,takingSOXrequirementsintoaccount.hedocumentation
guidelinesmustbeappliedconsistentlytoallauditstoprovideauditevidenceto
provethattheauditprincipleshavebeencompliedwithandtherequirements
ofSOXhavebeenmet(seeSectionC,Chapter8;SectionD,Chapter14).
• StandardizedauditevidenceisnecessarytoensurethatInternalAudit isable
tocorroboratetheinformationitprovidestoallinternalandexternalpartiesat
anytime.Toguaranteethatconclusionsandrecommendationscanbesubstan-
tiated,InternalAuditdocumentationmustbecomplete,truthful,readilyavail-
able,traceable,andasdetailedasnecessary.SinceInternalAudithasdiferent
information levels and therefore diferent levels of detail, the documentation
mustbeconsistentbetweeenthesediferentlevels.
• Anotherimportantobjectiveistoprovideanaudithistory.Giventhedynamic
changesinbusinesslife,themonitoringofauditresultsonthebasisofdocu-
mentsisanimportanttaskforInternalAudit.Itisultimatelytheonlywayto
ImportanceofDocumentation
ImportanceofDocumentation
Documentationobjectives
Documentationobjectives
433
provide evidence of compliant audit cycles. References to earlier results, the
identiicationoftrends,long-termcomparisons,andtheidentiicationofpriori-
tiesandcoursesofactionforthefuturecanalsobe importantsub-objectives
underthisheading.
hesecentralobjectivesleadtodiferentdocumentationrequirements:
• Noinformationshouldbelostduringanaudit.Itisthereforenecessarytocreate
documentationguidelinesontheinformationtobeincludedandonhowthis
informationshouldberecorded.Suchguidelinesshouldbestructuredbyinfor-
mationtypeanddocumentationtype.heyshouldoferguidanceforpreparing
uniformandcomprehensibledocumentationthroughoutInternalAudit.
• A safeguarding function may also be important for Internal Audit in certain
circumstances (e.g., in fraudaudits). If required,keydocuments (e.g., e-mail
correspondence,workingpapers,dratreports)shouldbemadesubjecttothe
attorney-clientprivilegebysigningalegallybindingdeclaration.
• Documentsthemselvesmaybeauditobjectsandbesubjectedtospeciicield-
workactivities.
• Anothermajoritemisthetraceabilityofindingsandrecommendations.hedoc-
umentationshouldensureatalltimesthateachauditindingissupportedbyreli-
ableauditevidenceandfreefromassumptions,contradictions,orspeculation.
• Audit documentation is also used to exchange information. Consequently, it
shouldbereadilyavailabletoallpartiesconcerned.
• Anotherdocumentationrequirementresults fromthe increasing internation-
alization of business processes. Multilingual documentation of facts helps to
preventmisunderstandings.Accuratetranslationsareparticularlyimportantin
relationtolegalmatters.
hequestionofdocumentationsources is importantwithregard to therequire-
mentsofthedocumentation.Documentsmay:
• resultfromInternalAudit’sownieldwork,
• arisefromcertainadvanceoutputsuchaspre-investigations,
• beconsultedfromauditsconductedearlier,
• beprovidedbytheauditees,
• bemadeavailablebyotherunitsofthecompany,or
• comefromexternalinformationsources.
An important task in each audit is to apply the materiality principle to make a
correct,meaningfulselectionfromthelargenumberofavailablesourcesofdocu-
mentation.For thisreason, theauditorsshouldallowsuicient timeforcreating
andreviewingthedocumentation.heauditleadisultimatelyresponsibleforthe
adequacy of the documentation. However, each auditor should make sure at all
timesthatthedocumentationiscompliant.
DocumentationtasksDocumentationtasks
DocumentationsourcesDocumentationsources
ResponsibilityforDocumentationResponsibilityforDocumentation
Special Topics and Supplementary Discussion
Documentation in Internal Audit
Basics of Documentation
D|1|1.1
434
HIntsAnDtIPs ;
• Duringanaudit,auditorsshoulddocumentallobservations intheirworking
papersandevaluatetheirmaterialityatalaterstage.
• Auditorshave tocheckalldocumentation forcompleteness,consistency,and
comprehensibility. hey should ensure this through plausibility checks ques-
tioningeachindingtoensurethatitcanbesupportedindetailanddoesnot
contradictotherresults.
1.1.2 Legal Requirements
KeyPoInts •••
• he IIA has issued guidance and recommendations for document retention
policies.
• LawsandregulationsmayinluencethedocumentationrequirementsforInter-
nalAudit.heymayincludedataprotectionprovisions,archivingregulations,
anddocumentretentionrequirements.
hereisnospeciiclegalguidanceintheU.S.forInternalAuditregardingdocu-
mentation retention beyond the necessity to have documentation as part of a
functioninginancialaccountingandreportingsystemasrequiredbytheForeign
CorruptPracticesActandSOX.heIIAhas issuedguidanceondocumentation
retention,butitonlyrequiresthataninternalauditdepartmenthaveadocument
retentionpolicythatisconsistentwiththeorganization’srequirements.heguidance
doesnotspecifyminimumretentionrequirements.However,theIIArecommends
thataminimumofiveyearsofdatabeavailableforpeerreviews.
Acomprehensivedocumentationpolicycanincludetheintroductionofdocu-
mentmanagement,electronicarchiving,anddataprocessingsystemsandshould
giveconsiderationtodatasecuritymanagementtopreventthedisclosureofconi-
dential employee or customer information. In this context, data protection laws
suchastheU.S.DataProtectionActof1998orEUdataprotectionregulationsmust
beconsidered.
Internalauditorsshouldconsultwithlegalcounseltodeterminespeciicdocu-
mentretentionrequirementsintheirjurisdictionandtoestablishafeasibletimefor
whichdocumentsshouldberetained.
HIntsAnDtIPs ;
• Auditorsshouldfamiliarizethemselveswithpertinentdocumentationrequire-
ments.
DirectLegalRequirements
DirectLegalRequirements
ComprehensiveDocumentationPolicy
ComprehensiveDocumentationPolicy
DataProtectionRequirements
DataProtectionRequirements
435
• In the case of documents containing personal information, Internal Audit
shouldcheckthatconidentialityisprotected,involvingthelegalorthehuman
resourcesdepartmentifnecessary.
• InternalAudit’sdocumentationconceptshouldbediscussedwiththecompany’s
dataprotectionoicer.
LInKsAnDRefeRenCes e
• FILIPEk, R.2006.GuidancePromotesSoundRecordsManagement.Internal Auditor
(August2006):16–17.
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2100-2: Information
Security.AltamonteSprings,FL:heInstituteofInternalAuditors.
• INSTITUTE OF INTERNAL AUDITORS.2001.Practice Advisory 2100-5: Legal Con-
siderations in Evaluating Regulatory Compliance Programs.AltamonteSprings,FL:he
InstituteofInternalAuditors.
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2330.A1-1: Control of
Engagement Records.AltamonteSprings,FL:heInstituteofInternalAuditors.
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2330.A2-1: Retention
of Records.AltamonteSprings,FL:heInstituteofInternalAuditors.
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2330-1: Recording In-
formation.AltamonteSprings,FL:heInstituteofInternalAuditors.
• LANGE,J.2005.CurseofPriorWorkpapers.Internal Auditor(August2005):26–27.
1.1.3 Important Documentation Criteria
KeyPoInts •••
• he documentation of an internal audit department should be organized in
abasicstructure.
• hedocumentationsystemshouldbebasedontheAuditRoadmapandanum-
berofadditionalcriteria.
• Documentation medium, document iling, retention periods, document ar-
chiving,andresponsibilitiesandauthorizationsmustbeconsidered.
• InternalAudit shoulddeineconsistent rules for the treatmentofdocuments
accordingtoeachdocumentationtype.hisensuresthatuniquedocumentse-
lectionispossible.
Inordertodeinethecharacteristicsofefective,forward-lookingdocumentation,
themaintasksforeachdocumentationtypemustbedetermined.hetaskscanbe
phase-speciicorspanseveralphasesalongtheAuditRoadmap.hefollowingcri-
teriamustbetakenintoaccountforcomprehensiveandgeneral,butalsolexible
andspeciicdocumentation:
DocumentationCriteriaDocumentationCriteria
Special Topics and Supplementary Discussion
Documentation in Internal Audit
Basics of Documentation
D|1|1.1
436
• hedocumentationmediumistheirstcriteriontoconsider.Nowadays,almost
all documents in IT-based systems are stored on hard disks, shared network
drives,internet-basedsystems,orexternalstoragemedia.hisappliestoboth
documentsInternalAudititselfhasproducedaswellasvarioussourcedocu-
ments,whichareincreasinglygeneratedinelectronicformorareavailableas
scanneddocumentsorelectronicfaxes.Electronicallyavailableinformationcan
besupportedbyplausibilitychecks(e.g.,keywordindexes,referencesystems,
andsearchalgorithms),processedandcondensedautomatically,andincluded
incomparisonsandanalyses.However,theauditorsshouldkeephardcopiesof
atleasttheauditreports.Doingsoprovidesadditionalsecurity,butalsodeines
originalversions,signedcopiesofwhicharelabeledassuchandstoredasdocu-
mentaryevidence.hedocumentsstoredelectronicallycanbewrite-protected
inordertopreventsubsequentmodiications.
• heilingofdocumentsisbasedonhowtheinternalauditdepartmentisorga-
nized. If it consists of one local unit, documents can be iled uniformly and
centrally ina single location.With increasingdecentralizationof thedepart-
ment,datastorageandilinghavetobearrangedindividuallyforeachdocu-
ment type(seeSectionD,Chapter 1.2).Onthebasisofclassifyingattributes,
such as auditor, audit year, or audit method, individual searches can be per-
formedthusallowingmanykindsofanalyses.hisissupportedbydocument-
speciicfolderdirectories,inwhichtheauditorcanconductsearchesandmake
selectionsbydocumentationtype,bycontentwithinatype,oracrossdiferent
types.
• Document archiving is aimed at permanently storing information either as
printedcopiesoronspecialdatamediasuchasonlinearchives,externalstorage
media(e.gCD,DVD)andoperationalITsystems.hedocumentsmustbeiled
individuallyaccordingtohowcurrentandsigniicanttheyare.hefactthatthe
informationneedstobeavailableanduptodatemeansthatstorageandresource
usagehavetobeorganizedeiciently,i.e.,boththetimelinessofaccessingthe
informationandstorageeiciencyhavetobeoptimized.Sincemanycompanies
useserverswithintegrateddatabases,thedatawillotenbestoredcentrallyon
anonline-capablemedium.Allinformationshouldbestoredwithwriteprotec-
tion.
• Twoaspectsaresigniicantwithregardtoretentionperiods:externalrequire-
mentsresultingfromlawsandexternalguidelines,ifapplicable(seeSectionD,
Chapter1.1.2),andperiods imposedinternallytoensureasensibleauditpro-
cess.
• Responsibilitiesandauthorizationsprimarilypertaintothecreation,checking,
andreleaseofdocuments,aswellastheiradministrationingeneral.Authoriza-
tionsaredeinedandgrantedthroughaclearassignmentsystem.Speciically,
thefollowingmustbedeined:
■ Whoisgivenreadaccesstoiles?
■ Whocancreate,edit,anddeletedocuments?
DocumentationMediumDocumentationMedium
DocumentfilingDocumentfiling
DocumentArchivingDocumentArchiving
RetentionPeriodsRetentionPeriods
ResponsibilitiesandAuthorizations
ResponsibilitiesandAuthorizations
437
■ Whoisresponsiblefororganizingtheiling,archiving,anddistribution?
■ Whograntsaccessauthorizations?
Whendesigningadocumentationconcept,equalconsiderationmustbegivento
eachoftheabovecriteria.Noneofthecriteriamustbeletout,becauseotherwise
InternalAuditwillnotbeabletoprovideacomprehensiveguaranteethatitsdocu-
mentmanagementisreliableandcomplete.
HIntsAnDtIPs ;
• Auditorsshouldarchivetheauditdocumentsatthetimetheyoiciallyconclude
theaudit.
• Auditorsshouldcreateakeywordindexofallthetopicstheyhavecoveredand
assignthedocumentstotherelevantkeywords.
1.2 Documentation Along the Audit Roadmap
KeyPoInts •••
• Inadditiontothedocumentationcriteriaandthefocusontheprocessstructure
of the Audit Roadmap, the documentation concept is inluenced by Internal
Audit’sorganizationalstructure.
• hecriteriaofthedocumentationconceptshouldbeappliedtoeachdocument
typeandeveryauditcyclealongtheAuditRoadmap.
• Althoughgeneral rulesareadvisable, theneed for separate retentionperiods
andstoragemediamustbeconsidered.
GIAS’documentationconceptmanifestsitselfintheimplementationofthedocu-
mentationcriteriadescribedinSectionD,Chapter1.1.3.hesecriteriaapplytoeach
document typeandeveryaudit cyclealong theAuditRoadmap(seeSectionB).
Closerexaminationofthedocumentsrevealsthefollowing:
• heScopeisacentraldocument,whichisnormallycreatedbythepersonre-
sponsibleforthetopic.hisdocumentshouldbestoredelectronicallytomake
itavailableandaccessibletoallInternalAuditemployees.Itshouldbearchived
onlineforiveyears.AllInternalAuditemployeesshouldhavereadaccesstothe
Scopes.ChangesmayonlybemadebythepersonresponsiblefortheScopeater
consultationwithmanagement,i.e.theAuditManagerinchargeand(especially
inthecaseofnewScopes)theCAE.Forsomeaudits–especiallyad-hocaudits–
forwhichnoScopeexists,responsibilityforthecreationofaScopelieswiththe
auditleadandtheAuditManager,bothofwhomreviewtheScopeaspartofthe
qualityassuranceprogram(fordetailsonqualityassurancefortheindividual
documents,seeSectionD,Chapter5.3).
takingAllCriteriaintoAccounttakingAllCriteriaintoAccount
DocumentationConceptAlongtheAuditRoadmap
DocumentationConceptAlongtheAuditRoadmap
scopescope
Special Topics and Supplementary Discussion
Documentation in Internal Audit
Documentation Along the Audit Roadmap
D|1|1.2
438
• AnauditrequestcanbesenttoInternalAuditelectronicallyasane-mailattach-
mentorashardcopybyinternalmail.Anyhardcopiesreceivedshouldirstbe
scanned.herelevantauditteamilestheauditrequestandtheotherauditdoc-
uments,whichtogethercomprisetheaudit-relateddocumentation,foraperiod
of three years in a decentralized location. In addition, Internal Audit should
keeptherequestonanexternalstoragemedium,e.g.,aCD,foraperiodofseven
years.AllInternalAuditemployeesshouldgetreadaccess,butauthorizationto
edittherequestdocumentshouldnotbegranted.
• heauditannouncement isconvertedintoanon-editablestorageformatand
thene-mailedtotheauditees.hedocumentisiledelectronicallyinadecen-
tralizedlocationforthreeyears.hedocumentshouldnotbechangedoredited
thereater,andonlytheauthorizedpersons,i.e.,auditlead,auditteam,andAu-
dit Manager, are given read access. In addition, the audit announcement is
storedonaCDforsevenyears.
• heworkprogramiscreatedandstoredelectronically.hedocument isiled
electronically in a decentralized location for three years and centrally in the
onlinearchiveforiveyears.Documentationshouldbeaccessiblebyauditand
bytopic.Moreover,itmakessensetostorethedocumentsexternallyonaCDfor
sevenyears.AllInternalAuditemployeesshouldgetreadaccess,butauthoriza-
tiontochangeandedittheworkprogramisreservedfortheauditteam.
• Duringauditexecution,theauditorsproducetheworkingpapersinadditionto
thesourcedocuments.hesourcedocumentsareavailableelectronicallyoras
hardcopies.heauditorsshouldscananyhardcopydocuments.Sourcedocu-
mentsandworkingpapersshouldbeiledinadecentralizedlocationforthree
years and externally on a CD for seven years. All Internal Audit employees
shouldgetreadaccess,butonlytheauditteammaychangeandeditthedocu-
ments.Inadditiontothevariousworkingpapers,theauditsummaryandthe
workdonesheetsshouldbestoredelectronically.hesedocumentsshouldbe
retainedinadecentralizedlocationforthreeyears,inanonlinearchiveforive
years,andonCDforsevenyears.
• Allreportingdocumentsarenormallycreatedelectronically,buttheinalreport
shouldalwaysbeavailableelectronically(e.g.asapdf-ile)andashardcopy.he
printedversionmustbekeptfortwoyears.Reportsshouldbeiledinbotha
decentralandacentrallocation.Inaddition,theyshouldbeiledaccordingto
auditobjectinacentrallocationassignedtotherelevantaudittopic.herecom-
mendedretentionperiodsarethreeyearsinadecentralizedlocation,iveyears
intheonlinearchive,andsevenyearsonanexternalstoragemedium(e.g.,CD).
heauditorsshouldmakesurethatanychangesarerelectedconsistentlyacross
allstoragelocations.Onlytheauditteamcaneditthereports.AllotherInternal
Auditemployeeswillhavereadaccess.
• Onceanaudithasbeencompleted,theauditeesareaskedbywayofanaudit
surveytogivetheirassessmentofInternalAudit'swork(fordetails,seeSection
AuditRequestAuditRequest
AuditAnnouncementAuditAnnouncement
WorkProgramWorkProgram
WorkingPapersWorkingPapers
ReportingReporting
AuditsurveyAuditsurvey
439
D,Chapter7.2.2).hequestionnaires,whichtheauditleade-mailstothosecon-
cerned, are returned electronically. Ater receipt by Internal Audit, the audit
leadcanaddcommentsand thensaves thedocumentso that it iswritepro-
tected.hedocumentisiledbyInternalAuditmanagementinadecentralized
locationforthreeyears,intheonlinearchiveforiveyears,andonCDforseven
years.Allinternalauditorsaregivenreadaccess,butnochangesareallowed.
• hefollow-updocumentationistreatedinthesamewayasthedocumentation
forthebasicaudit.
IfthemonitoringmandateissuedtoInternalAuditnecessitatesfurtherauditsinthe
sameunitbeyondthefollow-up,thewholeauditprocessrepeatsitself,andthusalso
thedocumentationprocess.Attheendofthedocumentationprocesses,aterthe
retentionperiodshaveelapsed,thedocumentsmustbedeleted.hefollowingdia-
gramshowshowthedescribedprocessstepsrelatetoeachother.
Inadditiontothedocumentationcriteriaandthefocusontheprocessstructureof
theAuditRoadmap,thedocumentationconceptisinluencedbyInternalAudit’s
organizationalstructure.hestructureprovidestheframework,whichensuresthat
adequate documentation control is maintained over time. Especially if Internal
Audithasan internationalorganization,acleardocumentationstrategymustbe
pursued, with deviations between legal systems as harmonized as possible. he
objectiveistoachieveadocumentationconceptthattakesequalaccountofeach
documentationtype,ofthegeneralcriteria,thephasesoftheAuditRoadmap,the
structuralattributesofauditandauditobject,andtheorganizationalstructure.
follow-Upfollow-Up
DocumentationAccordingtoAuditCycleDocumentationAccordingtoAuditCycle
signiicanceoftheorganizationalstructuresigniicanceoftheorganizationalstructure
Complete
documentation
Complete
documentation
Scope
Work program
Work done sheets
Audit summaries
(Follow-up) reports
Audit survey
Online archive CD
Final reports
Printed versionDecentralized system
2 years7 years5 years3 years
Fig.1 Documentation within GIAS
Special Topics and Supplementary Discussion
Documentation in Internal Audit
Documentation Along the Audit Roadmap
D|1|1.2
440
HIntsAnDtIPs ;
• A documentation concept can only provide a general framework. Individual
adjustmentsmustbepossibletoaccomodatespeciicaudits.
• For the duration of an audit, auditors should make personal copies of every
importantdocumentandstoretheminaconidentialdirectory.
• Auditorsshouldtesttheavailabilityofdataandreportsforongoingaswellas
completedaudits.
• hearchivingofdocumentsshouldbelogged.
• Ifauditorsnoticethatauditdocumentsaremissing,theymustimmediatelyno-
tifytheAuditManagerincharge.
LInKsAnDRefeRenCes e
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2100-2: Information
Security.AltamonteSprings,FL:heInstituteofInternalAuditors.
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2330-1: Recording In-
formation.AltamonteSprings,FL:heInstituteofInternalAuditors.
• INSTITUTEOFINTERNALAUDITORS.2001.Practice Advisory 2330.A2-1: Retention
of Records.AltamonteSprings,FL:heInstituteofInternalAuditors.
441
2 Cooperation2.1 Communication and Information Flow
KeyPoints •••
• Communicationand informationexchangeare importantcomponentsof the
workofaninternalauditdepartment.
• heconidentialityofinformationmustbeobservedatalltimes.
• hecorrecttoneandstyleofcommunicationareasimportantastherighttim-
ing.
• InternalAudithastoconductitselfprofessionallyandobjectivelyinverbaland
writtencommunication.
Animportantpartoftheworkofaninternalauditdepartmentinacorporategroup
istoobtainandprocessinternalandexternal information.Relevantinformation
may, for example, be obtained from the internet, professional publications, or
throughcommunicationwithcooperationpartners.ForInternalAudittobeefec-
tive,itisessentialtobeopentoinformationfrommanydiferentchannelswithin
thecompanyandindiferentformats.
here are various criteria for communication and information lows, which
havetobemettoachieveefectivecooperation.Forexample,theconidentialityof
theinformationtransferred–irrespectiveoflowdirection–mustbeguaranteed.
AuditorsmustobserveInternalAudit’sspecialrulesforthedistributionofinforma-
tionandthecorporateguidelinesonthetreatmentofconidentialinformation,i.e.,
theymustmarkallauditreportsas“conidential”whensendingthemout.Inaddi-
tion, the applicable data protection regulations and legal requirements must be
compliedwith.
Itisimportantthatacompanymaintainsamutualexchangeofinformationin-
ternally.SAP’sInternalAudithasmappedthenecessaryrelationshipsinamatrix
(describedbelow),whichhasbeendiscussedwiththerespectivedepartments.he
tasks of audit management include constantly updating and implementing the
matrix.hematrixhastobeadaptedtotheindividualregionsandalsohastobe
coordinated with the other departments or individuals, such as the responsible
Boardmembers.Region-speciicmatriceshavetobediscussedwiththeCAEbefore
theyareimplemented.hisdiscussionrepresentsaqualitycheck,ratherthancon-
troloverregionalinformationlows.
Ofcourse,therearealsoinformationlowswithintheInternalAuditteamsand
across regions between team members and the Internal Audit management in
charge. his information low is very important especially with regard to audit-
relatedissues.Inaddition,contactatapersonallevelalsoservestostrengthenthe
teamspirit.Goodteamspiritisparticularlyvaluablewhenaglobalauditteamisput
togetherandtheauditorshavetogetusedtoeachother’sworkingstyleinashort
periodoftime.Annualdepartmentalmeetings,whichbringtogetherallInternal
Auditemployeesinoneplace,alsohaveapositiveefectonteamspirit.
GeneralGeneral
ConidentialityoftheinformationConidentialityoftheinformation
informationFlowMatrixinformationFlowMatrix
CommunicationwithintheteamCommunicationwithintheteam
Special Topics and Supplementary Discussion
Cooperation
Communication and Information Flow
D|2|2.1
442
It is important to use the right tone and an appropriate style when exchanging
information. A diferent tone should be used when communicating within the
companythanwhendealingwithexternalpartnersorothercompanies.Buteven
internally, auditors must ensure that all other parties perceive Internal Audit as
professionalandobjective.hetypeofinformationexchange–verbalorwritten–
isimportantinthisregard.Forelectronicandpaper-basedwrittencommunication
aswellasfordirectcontact,therearespecialconventionsthatshouldbeobserved.
Wheninformationis,forexample,passedoninwriting,particularattentionshould
bepaidtoform,clarity,andcompletenessofcontent.Inthisregard,itistherespon-
sibilityofauditmanagementtospecifythecorrecttoneandstyleofcommunication
forthedepartment.
Anotherimportantaspectofcommunicationistiming.First,thereisaperiodic
exchangeofinformation,whichhastobearrangedwithotherdepartments.And
RighttoneandstyleRighttoneandstyle
timingtiming
Sender
Reci- pient
Managerial
Accoun-
ting
Legal
External
auditors
Tax
Manage-
ment
Accoun-
ting
LegalGlobal Risk
Manag-
ement
Global Risk
Manag-
ement
External
auditorsTax
Internal
Audit
Accoun-
ting
Internal
Audit
Accoun-
ting
Fig. 2 Information Flow Matrix
443
second,thereareoccasionalexchangesofinformationastheneedarises.Insuch
cases,timingisimportantsothatinformationisnotcommunicatedtooearlyortoo
late.
Forverbal communication (face-to-face,via telephone,videoconference,net
meetingetc.),itisusuallyagoodideatocreateaninternalilenotetohaveawritten
recordofthediscussion.herearestandardtemplates,suchasinterviewormeeting
logs, in theworkingpapers for thispurpose (seeSectionB,Chapter4.2). In the
day-to-daylowofinformation,thedecisionofwhetherthecreationofailenoteis
appropriateornotdependsonthesubstanceandimportanceofadiscussion.As
withotherworkingpapers,thepurposeoftheilenoteistohavearecordofthe
conversationavailableonrequest.Especially if therearequeriesfromthepeople
involvedintheauditorinrelationtootherieldworkactivitiesandreportprepara-
tion, it isuseful tomaketheAuditManagerorCAEawareof theilenoteor to
forwardacopy.Ifthereisadisputeaboutwhatwassaidatameeting,thewrittenile
noteprotectsthosewhotookpartinthediscussion.
Wheninformationisexchangedinwriting,theauditorhastodecideonanap-
propriateformatforeachcase(e.g.,minutesormemorandum).Inaddition,itmust
bespeciiedwhethersubsequentchangesaretobeallowed,andifso,whoisautho-
rizedtomakethem.
HintsanDtiPs ;
• Whencommunicatingwithothers,auditorsmustalwaysrememberthat they
representthecompany’sinternalauditdepartment.
• Sometimesitmaybeusefultoaskcolleaguestoreadane-mailbeforesendingit
out.
• Auditorsshouldobservetheinformationlowmatrix.
LinKsanDReFeRenCes e
• ClIkEMAn, P. 1999. Improving Information Quality. Internal Auditor (June 1999):
32–33.
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2050-1: Coordination.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutE OF IntERnAl AudItORS. 2001. Practice Advisory 2310-1: Identifying
Information.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2410-1: Communica-
tion Criteria.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• kOlEtAR, J.2006.IntelligenceGatheringandtheFutureofInternalAudit.he CPA
Journal(April2006):16–17.
• ORSInI, B. 2000. Improving Internal Communications. Internal Auditor (december
2000):28–33.
CreationofaFilenoteCreationofaFilenote
FormatFormat
Special Topics and Supplementary Discussion
Cooperation
Communication and Information Flow
D|2|2.1
444
2.2 Global Risk Management
2.2.1 Integration Overview
KeyPoints •••
• RiskManagementandInternalAuditarecloselyrelatedfunctions.
• he close relations between the two units are evident from various perspec-
tives.
• despitetheircloseness,theyshouldbeseparateorganizationalunits.
Riskmanagementisoneofinternalauditing’smostcloselyrelatedpartnerdisciplines,
and the two areas are signiicant interrelated instruments of corporate manage-
ment.Historically,theriskmanagementfunctionandtheinternalauditfunction
havedevelopedwithdiferentobjectivesinmind.Inthepast,theriskmanagement
functionwasotenalmostfullyincludedintheinternalauditfunction,buttoday
thetwofunctionsareusuallyseparated.hismeansthatintermsoffunctionand
organizationalintegration,RiskManagementisaseparateunitfromInternalAu-
dit,eventhoughthetwoareasarecloselyinterrelated.diferentrelationshiplevels
areshownbelow.
Quiteclearly,itisanobjectiveforInternalAudittoidentifyandaddresspotential
risksineveryaudit.hisminimumrequirementofarisk-basedprocedurecanbe
RiskManagementandinternalauditRiskManagementandinternalaudit
Risk-BasedProcedureRisk-BasedProcedure
Fig. 3 Network of Relations between Internal Audit and Risk Management
445
implementedstepbystepinallthephasesoftheAuditRoadmap,untilarisk-based
auditapproachisultimatelyachieved(seeSectionA,Chapter6.3).Whenthisap-
proachisalignedwiththeAuditRoadmap,ariskrelationcanbederivedforeach
auditstepintermsofquality,andsometimesquantity,i.e.,eachriskcanbelocal-
ized and analyzed. he aim is to use audit indings to identify relevant business
risks,todealwiththemaccordingtopredeterminedruleswithintheauditprocess,
andtomakeinformationaboutthemavailabletoRiskManagement.
Inaddition,RiskManagementrepresentsaseparateauditobject,because,like
anyotherorganizationalunitofthecompany,thisareahasitsownguidelinesand
principles.Certainstructuralandprocess-relatedapproachestoworkingarebased
on theseguidelinesandprinciplesandarenaturally included in InternalAudit’s
workfocus,alongwithcommunicationandinformationlows.
Efectiveriskmanagementmusthaveanindependentprocessmodel,i.e.,asep-
arateRoadmap.Inthecontextofmutualintegration,InternalAuditcancontribute
togeneratingandupdatingsuchaRoadmap.hereispossibleoverlapbetweenthe
stepsoftheriskmanagementprocessmodelandtheAuditRoadmap.heaimof
thecooperationfromRiskManagement’spointofviewistoobtainalltheinforma-
tionrequiredforefectiveriskcontrol.InternalAuditcanbeausefulpartnerinthis
regardbyprovidingallaudit-relatedriskinformation.
Essentially,RiskManagementisintendedtohelptheareaswithpotentialrisks
inidentifyingandcontrollingthemonthebasisofastandardizedmethodandquality
assurancesystemprovidedbyaneutralcorporatefunction.Iftheintegrationap-
proachesshownabovearecombined,thenitbecomesclearthatRiskManagement
andInternalAuditarecloselyrelatedunitsandshouldcooperateclosely.heprocesses
ofeachdepartmentshouldthereforebehighlyintegrated.However,thesometimes
diferentnatureofthework,diferentperspectives,andtheneedforindependence
fromeachothernecessitatetheexistenceoftwoseparateorganizationalunits.
HintsanDtiPs ;
• EveryauditorshouldtrytokeepintouchwithRiskManagement.
• Wheneverappropriate,riskmanagersshouldbe involved inanaudit. Inpar-
ticular,ariskmanagershouldbeinvitedtotheclosingmeetings.
LinKsanDReFeRenCes e
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2050-1: Coordination.
AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2110-1: Assessing the
Adequacy of Risk Management Processes.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2110-2: Internal Au-
ditor’s Role in the Business Continuity Process. Altamonte Springs, Fl: he Institute of
InternalAuditors.
RiskManagementasaseparateauditobjectRiskManagementasaseparateauditobject
separateRiskManagementProcessModel
separateRiskManagementProcessModel
integrationversusindependenceintegrationversusindependence
Special Topics and Supplementary Discussion
Cooperation
Global Risk Management
D|2|2.2
446
2.2.2 Risk Management Along the Audit Roadmap
KeyPoints •••
• heimplementationoftherisk-basedauditapproachasaframeworkconceptis
anintegralprocesscomponentoftheAuditRoadmap.
• EveryphaseoftheAuditRoadmapisconductedunderriskaspects.
• hecooperationbetweenInternalAuditandRiskManagementmustbecoordi-
natedindetail.
heimplementationoftherisk-basedauditapproachasaframeworkconcept(see
SectionA,Chapter6.3)isanintegralprocesscomponentoftheAuditRoadmap.
Risk-basedauditplanningassignspre-deinedkeyScopestoeachaudittopic.he
mainriskcategoryisoneoftheitemsindicatedinthekeyScope.hisgeneralas-
sessmentofriskisspeciiedfortheassociateditemoftheworkprogrambynoting
therisksubcategory.hesubsequentauditwill revealwhetherornot theserisk
assumptionsareconirmed.Oncetheaudithasbeencompleted,eachindingrelat-
ingtoanitemintheworkprogramwillbeconnectedtotheidentiiedriskinthe
auditreport.hisinformationwillbepassedontoRiskManagementforfurther
evaluation,assessment,andmonitoring.
he audit topics identiied during audit planning include information about
risk-proneareasrelatedtothetopics(e.g.,organization,inance,etc.),determined
onthebasisofthecommonriskcatalogoftheriskmanagementsystem.hiscata-
logformsthebasicstructureofallknownrisks.duringtheannualplanningphase
(seeSectionB,Chapter2.2andSectiond,Chapter3),InternalAuditassessesall
relevantaudittopicsfromariskperspective.RiskManagementisalsoinvolvedin
thisriskassessmentprocedure.Similararrangementsapplytoad-hocaudits,where
anindividualriskassessmentismadeatthetimeanauditrequestisacceptedor
submitted.
duringieldwork, themainfocus isontestingwhether internalcontrolsare
activeandefectiveinavoidingorlimitingrisk.Iftheyarenot,newinternalcon-
trolswillhavetobedeined.heauditobjectonwhichtheindingisbasedwillhave
tobequestioned,andtherisklaggedasanexisting,thoughpotentiallyavoidable,
risk.Aspartofthesetestingactivities,diferentriskcategoriesareanalyzedforin-
terrelationsamongeachotherandfortheiractual,independentexistence.Oten,
morethanoneriskisassignedtoainding.
Foreachinding,theinformationrelatingtotherelevantrisksisaddedtothe
workingpapers,especiallytotheworkdonesheets.Accordingly,everyindinghas
torelatetoat leastonerisk.Atthesametime, it ispossibletomakeappropriate
recommendations,whichmayrelateexclusivelytothetreatmentoftheriskorin
additionincludeotherfactsmentionedintheinding,suchasnon-compliancewith
internalguidelines.
overviewoverview
auditPlanningauditPlanning
auditexecutionauditexecution
WorkingPapersWorkingPapers
447
he indings which are pre-structured in the working papers, including risk
identiication,areultimatelyincludedintheauditreport,andtheinalrecommen-
dations are prepared. By following this procedure, a report will be created that
providesdetailsontherisksactuallyassignedtoainding,includingtherelevant
recommendations.
Onthebasisoftheauditresults,RiskManagementwill,ifappropriate,create
therelevantactivitiesanditemsintheriskmanagementsystem.RiskManagement
assessestheriskstransferredintotheriskmanagementsystem,analyzesthemwith
a focuson lossprobability andpotential impact.RiskManagementclariiesand
monitorsallfurtherinformation,especiallythestepstakentominimizerisk.
Follow-ups may give rise to additional Internal Audit and Risk Management
activities,suchastestingandrisk-basedevaluationofnewlyimplementedinternal
controls.heseactivitiesmustbecoordinatedwithoperationalmanagement.he
objectiveofallactivitiesistoachieveadequateriskcontrol.Sinceoverlapbetween
theactivitiesoftheindividualareasisprobable,itisnecessarytocoordinatetasks.
HintsanDtiPs ;
• Ifpossible,theidentiicationofrisksduringieldworkshouldalwaysbecoordi-
natedwithariskmanager.
• Inpreparationforanaudit,itmaybeusefulfortheauditortoreviewriskman-
agementreportsonspeciicrisks.
2.2.3 Risk Management Audits
KeyPoints •••
• heriskmanagementauditbreaksdownintothecentralorganizationandthe
decentralizedfunctionsoftheriskmanagementorganization.
• Certain focusareasmustbe taken intoaccountwhenauditingRiskManage-
ment.
RiskmanagementauditsareaseparateaudittaskforInternalAudit.Suchaudits
alsopassthroughallthephasesandsub-phasesoftheAuditRoadmap.
SAP’scentralriskmanagementdepartmentissupplementedbyadecentralized
organizationwithlocalandregionalriskmanagers,andtheactualdecisionmakers
andprocessownersintheriskmanagementprocess.ItthusseemssensibleforIn-
ternalAudit tostructureriskmanagementauditsalong these levels,butwithout
neglectingtheintegrationoftheseareasandthecommunicationbetweenthem.
hefocusareasofariskmanagementauditareasfollows:
• organizational structure, responsibilities, and Risk Management’s integration
intotheoverallcorporategovernancecomplex,
auditReportauditReport
efectonRiskManagementefectonRiskManagement
Follow-UpFollow-Up
RiskManagementauditandauditRoadmapRiskManagementauditandauditRoadmap
PossibleauditstructurePossibleauditstructure
auditFocusareasauditFocusareas
Special Topics and Supplementary Discussion
Cooperation
Global Risk Management
D|2|2.2
448
• formallowofinformation,communication,andreportingpaths,especiallyto
theBoard,
• basicstructureoftheriskmanagementprocess,consistingofidentiication,as-
sessment,control,monitoring,andreporting,
• functionalityandcomplianceoftheItsolutionthecompanyusesforriskman-
agement,
• processes,information,andcommunicationlowsbetweenthecentraldepart-
mentandthedecentralizedunits,aswellasamongtheseparatedecentralized
units,
• decentralizedstructureoftheriskmanagersincharge,
• objectives,tasks,andcooperationoftheriskmanagersvis-à-visthedecentral-
izedunitsresponsibleandamongeachother,and
• RiskManagement’scooperationwithotherfunctionstoensurecompliancein
thecompany,e.g.,InternalAuditandcompliancemanagement.
Inaddition,individualriskswillbeauditedbyanalyzingtheentirepopulationor
a sensibly chosen sample. Evidence of the eiciency and correctness of the risk
managementprocesshas tobeprovidedon thebasisof theserisks.Compliance
withtherequirementsofSOXisalsotested.Areviewofthedirectassignmentof
speciicinternalcontrolstoindividualriskscompletestheaudit.
Breakingtheauditdownintocentralizedanddecentralizedaspectshelpsdif-
ferentiateauditindingsintermsofresponsibility.Oten,individualresponsibilities
areinterrelatedwitheachother.hiskindofresponsibilitynetworkisaddressedby
astructuredaudit,makingiteasiertodetectandeliminateanyunclearresponsi-
bilities.
Ariskmanagementauditmaydetectadditionalrisksthatwerenotknownpre-
viously. Internal Audit treats and documents such risks according to the Audit
Roadmap.
HintsanDtiPs ;
• heworkprogramforariskmanagementauditshouldbediscussedwitharisk
manager.
• hespecialrelationshipbetweenInternalAuditandRiskManagement,espe-
ciallywithregardtotheirindependence,hastobetakenintoconsideration.
LinKsanDReFeRenCes e
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2010-1: Planning.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2110-1: Assessing the
Adequacy of Risk Management Processes.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
networkofResponsibilities
networkofResponsibilities
DetectionofadditionalRisks
DetectionofadditionalRisks
449
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2110-2: Internal Au-
ditor’s Role in the Business Continuity Process. Altamonte Springs, Fl: he Institute of
InternalAuditors.
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2140-4: Internal Au-
diting’s Role in Organizatons without a Risk Management Process.AltamonteSprings,Fl:
heInstituteofInternalAuditors.
2.2.4 Internal Audit as Part of the Risk Management Process
KeyPoints •••
• AparticularchallengeforInternalAuditandRiskManagementistoharmonize
theirtwoprocessmodels.
• hisensuresthatbothpartiescanguaranteethenecessarymutualintegration
whilemaintainingtheirrespectiveself-image.
Asmentionedearlier,awelldevelopedriskmanagementfunctionshouldhaveits
ownprocessmodel,i.e.aRoadmap.Indiferentphases,thismodelrepresentsthe
platformforappropriatecooperationbetweenthetwocomplianceunits,RiskMan-
agementandInternalAudit.Ingeneral,theriskmanagementprocessconsistsof
iveoperationalphases:riskplanning,riskidentiication,riskanalysis,riskcontrol,
andriskmonitoring.
heseiveoperationalphasesprovide the riskmanagement functionwithan
actionframeworkthatfacilitatescloseinteractionbetweenInternalAuditandRisk
Management.hefactthateachdepartmentmirrorssomeoftheother’sactivities
results inoverlap,which requires coordination.despite specialperspectives and
adiferentfocus,itpaystoidentifyasmanycommonalitiesaspossibleandtocon-
siderthemindailyoperations.
Onceriskshavebeenidentiied,theyhavetobediscussedwiththerelevantrisk
manager ina timelymanner. Incriticalcases,anautomatic informationmecha-
nismshouldbetriggered.herisksareanalyzedandassessedbytheprocessowner
withsupport fromRiskManagement.hisassessment includes inparticular the
developmentofanappropriateriskcontrolstrategy,whichhastobediscussedwith
operationalmanagement.Itispossibleanddesirabletoestablishsubstantiallinksto
therecommendationsmadebyInternalAudit.
Risk control is closely linked to the follow-up (see Section B, Chapter 6)
conductedbyInternalAudit,becauseinadditiontoariskreviewbyRiskManage-
ment,thiscontrolphasesimultaneouslyrequirestheresultsfromInternalAudit’s
follow-uptobecoordinatedandupdated.Inaddition,allrelevantfactshavetobe
communicated toRiskManagement tobeentered in the riskmanagement tool.
MaintainingthistoolistheresponsibilityofRiskManagement.
ProcessModelforRiskManagementProcessModelforRiskManagement
CooperationofinternalauditandRiskManagement
CooperationofinternalauditandRiskManagement
CoordinationwiththeRiskManagerCoordinationwiththeRiskManager
LinktotheFollow-UpLinktotheFollow-Up
Special Topics and Supplementary Discussion
Cooperation
Global Risk Management
D|2|2.2
450
Allriskmanagementactivitiesshouldalwaysbeconductedinclosecoordina-
tionwiththepeopleresponsibleintheoperatingunit.Generally,operationalman-
agementisresponsibleforriskcontrol.InternalAudittakesonacontrolfunction
bycheckingtheimplementationofrecommendationsandthustheminimizationof
risks.hecollaborationofallpartiesisanimportantelementofasuccessfuland
standardizedriskmanagementprocess.
AcriticalfactoristhatInternalAuditandRiskManagementunderstandthat
theycanefectivelyfunctionascompliancetoolsonlyiftheyacttogether.hisre-
quiresjointefortsandasensibledegreeoffranknesswitheachother,inspiteofthe
stringentneedforconidentiality.hisplacesparticulardemandsonthemanagers
in Risk Management and Internal Audit to create the necessary prerequisites to
guaranteethelowofinformation.
HintsanDtiPs ;
• If possible, auditors should take part in risk strategy meetings between Risk
Managementandemployeeswithoperatingresponsibility.
• AuditorsshouldhavereadaccesstoRiskManagement’sriskdatabasefortheir
currentaudit.hestatusofthedatahastobemonitoredcontinuallytogether
withRiskManagement.
• Especially before a follow-up, auditors should obtain information from Risk
Managementaboutitsassessmentoftheauditobjectsthattheauditorswantto
workon.
LinKsanDReFeRenCes e
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2010-1: Planning.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2110-1: Assessing the
Adequacy of Risk Management Processes.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• InStItutEOFIntERnAlAudItORS.2003.Practice Advisory 2110-2: Internal Au-
ditor’s Role in the Business Continuity Process. Altamonte Springs, Fl: he Institute of
InternalAuditors.
2.3 Global Quality Management
KeyPoints •••
• Companiesmustbeabletorelyonthequalityoftheirproductsandservices,
becauserisksanddefectscanhaveaseriousimpactontheirsuccess.
• Arisk-focusedinternalauditfunctionthereforemustensurethatproductqual-
ityismonitored.
JointResponsibilityJointResponsibility
sharedobjectivesharedobjective
451
• Whenassessingtheoperationalqualitymanagementsystem,itisusefultocol-
laboratewithcompany-internaltestingbodies,becausetheynormallyhavethe
requiredexpertise.
• Inthiscontext,SOXhasledtoincreaseddemandsonacompany’sinternalcon-
trolsystem.
Every company has to ensure that its customers are satisied with the quality of
goodsandservicesitdelivers.Aconsistentlyhighlevelofqualitycannotbeachieved
bymerelyengagingininalchecksontheproductssuppliedtocustomersandmak-
ingcorrectionsasnecessary.Rather,acomprehensivequalitymanagement,which
includes requirements for the internal processes (process standards) and for the
functionalityoftheproducts(productstandards)isnecessary.ultimately,thiscus-
tomers-focused view of quality should be an integral part of the management
philosophyofeverycompany.Ifcustomersatisfactionplaysacentralrole,itstands
toreasonthatqualitymanagementwillbegivensimilarpriority.Mostemployeesof
thecompanyhavetobeinvolvedinqualitymanagement,anapproachreferredtoas
totalqualitymanagement.
Qualitymanagementhas twoconsequences forInternalAudit.First, Internal
Audit itself has to be focused on quality and design its own internal processes
accordingly.Andsecond,qualitydefectsonproductsorservicescanleadtoconsid-
erableinanciallosses,whichmayevenimpactthecompany’sgoingconcern.Such
lossesmustbeavoided.Any internalauditdepartment thatclaims toworkwith
ariskfocuscannotafordnottoassessqualitymanagement.
heperformanceoutputinthecompanyshouldmeetbothinternallyspeciied
qualitytargets,andexternalqualitystandards.hemostcommonlyusedexternal
standards are the ISO 9000 series. In addition, every company should adapt its
qualitymanagementsystemtoitsspeciicneedsanddeineitsowninternalquality
targetsindependentlyofexternalstandards.
Whenimplementingaqualitymanagementsystem,sotwarecompaniessuchas
SAPhavetoallowforthefactthattheirproductsareintangibleandqualitymea-
surementthereforeposesparticularchallenges.Furthermore,thefocusofthistype
ofcompanyisnotontraditionalproductionandsupplyprocesses,butontherele-
vantsotwareproductdevelopmentprocesses.heseincludeinparticular:
• Projectmanagement(Areprojecttargetsbeingachieved?).
• Requirementsmanagement(Whatperformanceisexpectedoftheproduct?).
• Conigurationmanagement(Whichversionisbeingshipped?Howdoesitit
intothecompany’sexistingproductportfolio?Howcantheproductbemain-
tainedandupdatedifnecessary?).
SAP’smaindevelopmentprocessesandcertainsupportprocessesareregularlycer-
tiiedaccordingtotheISOstandardbyexternalcertiicationbodies.Inaddition,
SAPusesSixSigmamethods(SAPSigma)andhasimplementedacomprehensive
internalqualitymanagementsystemtoensurethatsotwarequalityisofaconsis-
tentlyhighstandard.
introductionintroduction
needtoassessQualityManagementneedtoassessQualityManagement
internalandexternalQualitystandardsinternalandexternalQualitystandards
specialissuesatsaPspecialissuesatsaP
Special Topics and Supplementary Discussion
Cooperation
Global Quality Management
D|2|2.3
452
Generally,qualitymanagementproceduresshouldbedocumentedinwriting,
(e.g.,inaqualitymanagementmanual).hedocumentationshouldproperlystruc-
turetheprocesses,deinesigniicantqualityvariables,andassigntherelevantre-
sponsibilitiesclearly.Whenassigningresponsibilities,acarefuldistinctionshould
bemadebetween“qualitymanagement”and“qualityassurance,”becauseeachterm
coversdiferent tasks.Qualitymanagement refers toall coordinatedactivities to
manageandcontrolanorganizationwithregardtoquality,butqualityassurance
representsoperationalmeasuresaimedatmeetingthequalityrequirements.Given
theenormousimportanceofhigh-qualityproductsandservicesforcompanysuc-
cess,InternalAuditshouldalsoinvolveitselfwithqualityassurance.
hefollowingproceduresarefeasibleforqualitymanagementaudits,depend-
ingonthedesignofthequalitymanagementsysteminacompany:
• When the entire quality management is audited, Internal Audit examines all
elementsofthequalitymanagementprocess.hisincludesthecompany’sbasic
qualitypolicyandconcept,theprocesses,responsibilities,etc.Auditorsdonot
alwayshavethenecessaryknowledgetodothis,becauseinsotwarecompanies,
this requires expertise in sotware architectures, development landscapes, as
wellascodingandconigurationdetails.Withoutthisknowledge,itisdiicult
forauditorstoassesscompliancewithprocessandproductstandards.Forthis
reason,theauditorsshouldcooperatewithqualityexpertsandtesters(seeSec-
tiond,Chapter10).
• toauditqualitymanagement,InternalAuditcanalsocollaboratewithtechnical
testingbodies fromwithinthecompany, ifavailable.hesebodies,knownas
qualitycontrol,shouldhavetherequiredindependence(ideallysuchadepart-
mentwillreportdirectlytoexecutivemanagement)sothatanyqualitydefects
canbeidentiied.hecooperationcanbebeneicialforbothparties,becauseit
perfectlycomplementsInternalAudit’sworkfromamoretechnicalangle.Since
bothpartiesshareanauditor’sviewandwayofthinking,acoordinatedproce-
dureshouldbeeasytoachieve.
• AnotheroptionforInternalAuditistocooperatewithqualityoicersonindi-
vidualprojects.Qualityassuranceinprojectsisnotprimarilyataskofhigher-
levelqualitycontrolbutitispartoftheresponsibilityofeachemployee.Many
smallerprojectgroupsordepartmentsareunlikelytohaveindependenttesting
bodies.Instead,theroleofqualityoicerisassignedtospeciicemployeeswho
havethenecessarytechnicalandprocessknowledgeandsocialskillsforthisjob.
Cooperation between Internal Audit and these quality oicers is important
whenspeciicmajorprojectsareinvestigated.WhenInternalAuditisrequested
togetinvolved,projectsareoten:
■ particularlypronetorisk,or
■ problemshavealreadybeenreported.
Inbothcases,thequalityoicersareamongInternalAudit’smaincontacts.
DocumentationoftheQuality
Managementsystem
DocumentationoftheQuality
Managementsystem
internalauditandQualityManagement
internalauditandQualityManagement
independentauditofQualityManagement
asaWhole
independentauditofQualityManagement
asaWhole
Cooperationwithinternaltechnical
testingBodies
Cooperationwithinternaltechnical
testingBodies
CooperationwithQualityoicers
inProjectGroups
CooperationwithQualityoicers
inProjectGroups
453
Initsieldwork,InternalAuditcanprimarilyrelyondocumentedinformation.
Particularly, the followingquality-relateddocumentsshouldbeavailableandas-
sessed:
• aqualitymanual,whichdocumentsinwritingtheentirequalitymanagement
systemaspracticedbythecompany,
• individualqualityplans,whichdocumentthequalitymanagementsystemfor
aspeciicproductorproject,
• requirementspeciications(orqualitycriteria),whichsetouttherequirements
tobemet,
• processandworkinstructions,whichdescribeindetailtheprocessestobeap-
plied,
• practice-basedguidelines,which includerecommendedimplementationsand
best-practicesolutionsforclariication,and
• notestoprovideevidenceofthequality-relatedstepstakenorthequalityresults
achieved.
SOXalsohasanimpactonthequalitymanagementsystemofacompany(seeSec-
tiond,Chapter14).underSOX302,themanagementofthecompanymustensure
thatinformationofrelevancetoinvestorsismadeknownfullyandcorrectly.his
requirement goes beyond the pure inancial reporting criteria of SOX 404. he
question is not so much whether the information is of a inancial nature, but
whetherornot it ismaterial to stakeholders.Stakeholders thereforemustbe in-
formedofmaterialdefectsinacompany’squalitymanagementsystem.Inaddition,
underSOX302executivemanagementispersonallyresponsibleforcertifyingthe
efectivenessofinternalcontrols.Companyoicersmustconirmdirectlythatthey
arealsoresponsiblefortheinternalcontrolsinqualitymanagementandthatthe
controlsareefective.
HintsanDtiPs ;
• Auditorsshouldfamiliarizethemselveswiththecompany-internaldocumenta-
tionofthequalitymanagementprocess.
LinKsanDReFeRenCes e
• InStItutE OF IntERnAl AudItORS. 2004. Practice Advisory 1300-1: Quality
Assurance and Improvement Program.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
• InStItutEOFIntERnAlAudItORS.2004.Practice Advisory 1320-1: Reporting on
the Quality Program.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• IntERnAtIOnAl ORGAnIzAtIOn FOR StAndARdIzAtIOn.2005.ISO 9000:
Quality Management System.http://www.iso.org/iso/en/(accessedMay31,2007).
Quality-RelatedauditDocumentsQuality-RelatedauditDocuments
impactofsoXimpactofsoX
Special Topics and Supplementary Discussion
Cooperation
Global Quality Management
D|2|2.3
454
2.4 Corporate Security Function
KeyPoints •••
• CommunicationbetweenInternalAuditandCorporateSecuritytakesplaceac-
cordingtoapredeterminedinformationlowforfraudpreventionandinvesti-
gation.
• Informationcanbeexchangedbetweenthetwopartiesatdepartmentalmeet-
ingsandworkshops.
• Information can also be transferred in the form of minutes of departmental
eventsandmonthlyupdatesaboutmattersrelevanttocorporatesecurity.
Inmanycases,CorporateSecurityandInternalAuditcooperateonfraudpreven-
tionandspeciicfraudinvestigations.Inaddition,theycommunicateaccordingto
criteriadeined in the informationlowmatrix(seeSectiond,Chapter2.1).he
cooperationbetweenInternalAuditandCorporateSecuritymayleadtoimproved
workingpractices forbothdepartments,because itallows information tobeex-
changedandimprovementsforfutureprocedurestobeproposedandevaluated.
SAP’sinternalauditdepartmenthasaccesstothetoolsforreportingsecurity-
relevant incidentsandfraud,whicharedevelopedandmaintainedbyCorporate
Security.hiscreatesapermanentexchangeofinformationbetweenthetwode-
partments.InternalAudit’steaminchargeoffraudinvestigationandpreventionis
indirectcontactwithCorporateSecurityemployees.Bothgroupscooperateclosely
duringongoinginvestigationsespeciallyregardingItsecurityandinfrastructural
security (e.g., facilities). Inaddition, InternalAuditprovides information,which
has a direct impact on the work performed by those responsible for corporate
securityandleadstoimprovedsecurityinthecompany.Ifrequired,theincidents
reportedinthereportingtoolarediscussedandnecessaryactionsaretaken.his
mayleadtoanad-hocauditbeingconductedorinformationbeingreferredtothe
complianceteam,forinstance.
topassinformationfromInternalAudittoCorporateSecurity,employeesfrom
CorporateSecuritycanbeinvitedtodepartmentalmeetingsoreventsheldbyIn-
ternalAudit,forexampletheglobaldepartmentworkshop,whichtakesplaceonce
ayearatSAP.Attheseevents,participantscandiscussparticularissuesofcoopera-
tion,suchasfraudallegations,protectionofthecompany,internaldataprotection,
etc..Informationcanbetransferredinonedirectionorexchangedbetweenparties.
hisfurtherbuildstheexpertiseoftheemployeesinbothdepartments.IfCorpo-
rateSecurity is involved inauditsconductedbyInternalAudit,allaudit-speciic
processesmustofcoursebediscussed,andtheinvestigationofCorporateSecurity
mustalsobecoordinatedwiththatofInternalAudit.Meetingshavetobearranged
toagreethedetailsofthejointprocedureandforpreparationandpost-auditac-
tivities.
InformationcanalsolowfromCorporateSecuritytoInternalAudit.Corporate
SecuritycaninviteInternalAuditemployeestoitsdepartmentaleventsandwork-
Relationsbetweeninternalaudit
andCorporatesecurity
Relationsbetweeninternalaudit
andCorporatesecurity
CommunicationbetweeninternalauditandCorporatesecurity
CommunicationbetweeninternalauditandCorporatesecurity
informationFlowfrominternalaudit
toCorporatesecurity
informationFlowfrominternalaudit
toCorporatesecurity
informationFlowfromCorporatesecurity
tointernalaudit
informationFlowfromCorporatesecurity
tointernalaudit
455
shops, where aspects relevant to corporate security are discussed. As previously
mentioned,theseeventscanbeusedeithertoprovideortoexchangeinformation.
Apartfromthesejointmeetings,CorporateSecuritycanalsoforwardtoInternal
Auditamonthlystatussummaryofsecurityincidentsthathaveoccurredandhave
beenprocessed,eitherinformallybye-mailorformallyatmeetingsoftheheadsof
thesedepartments.Atpersonalmeetings,theindividualcircumstancescanbedis-
cussed in detail. In this case it is important to forward such information to the
employeesofInternalAudit.Inaddition,CorporateSecuritycanforwardtoInter-
nalAuditminutesofsecuritycommitteemeetings,whichSAPholdsregularly.If
necessary,InternalAuditwillaskforclariicationofcertainmatters.
HintsanDtiPs ;
• Auditorsmustalwaysbeawarethattheinformationtransferredisconidential.
2.5 Management and Supervisory Bodies
KeyPoints •••
• InternalAudithastorelyonclosecooperationwiththecompany’smanagement
andsupervisorybodiessothatitcanperformitsauditservicesindependently
andobjectivelywithinthecompany.
• diferentcorporatelawsindiferentcountriesshapethewayinwhichInternal
Auditcooperateswithcorporatemanagementandsupervisorybodies.
• InGermany,theExecutiveBoardwiththemanagingdirectorsisnormallyre-
sponsibleforInternalAuditandisthereforethemainpointofcontactforall
audit-relatedneeds.
Becauseofitsprominentorganizationalpositionanditsimportancewithregardto
monitoring and control processes, Internal Audit has to cooperate closely with
othercontrolbodiesinthecompany.Germanstockcorporationshaveatwo-tier
boardsystemwithanExecutiveBoard,comprisedofthemanagingdirectors,and
aSupervisoryBoard,comprisedofshareholderrepresentativesandemployeerep-
resentatives. While the Executive Board manages the company, the Supervisory
Board oversees the Executive Board and nominates its members. Internal Audit
cooperates with both bodies. In countries with a monistic management system
(boardsystem),e.g.,theunitedStates,managementandsupervisionareperformed
byasinglebodyoracombinationofexecutive(inside)directorsandnon-executive
(outside)directors.Inthiscase,cooperationtakesplacewiththeBoardofdirec-
tors,seniormanagementandtheAuditCommittee.
SinceinGermany,InternalAuditreportsdirectlytotheExecutiveBoard,the
BoardisalmostalwaysthemainpointofcontactforInternalAudit’soperational
needs.hisincludesprimarilytakingnoteoftheannualauditplan,thediscussion
Country-speciicCooperationPartnersCountry-speciicCooperationPartners
RelationsBetweeninternalauditandexecutiveBoard
RelationsBetweeninternalauditandexecutiveBoard
Special Topics and Supplementary Discussion
Cooperation
Management and Supervisory Bodies
D|2|2.5
456
of additional audit requests and of Board summaries, and the provision of the
resourcesthatInternalAuditneeds.CooperationbetweenInternalAuditandEx-
ecutiveBoardmeansthatInternalAudithastoestablishitselfasatoolofexecutive
management. It is important that InternalAudit takesaproactiveapproach,be-
cause this is the only way in which it serves as a forward-looking management
instrument.Examplesofcooperationoncorporatemanagementtasksincludepar-
ticipationintheriskmanagementsystemoraudit-relatedkPIsystems,fromwhich
forward-lookingstatementscanbederived.Forexample,anaccumulationofaudit
indingsortheirparticularnaturehelpsoperationalmanagementfocusitswork.
InternalAuditmustbeabletorespondlexiblytorequestsoutsidetheannualaudit
plan,suchaspre-investigations,ad-hocaudits,requestsforcomment,andsupport
projects.
SinceSAPAGisaGermancorporation,GIASis,however,alsoresponsiblefor
providinginformationtotheSupervisoryBoard.hemaindutiesoftheSupervi-
soryBoardincludethemonitoringofexecutivemanagement,alsowithregardto
riskhandling.heSupervisoryBoardalsohastocheckwhetherexecutivemanage-
menthasimplementedanadequateinternalcontrolsystemforthispurpose,and
whetheritusesthesystemasintendedandmonitorsitsefectivenessandeiciency.
Executivemanagement’sauditapproachandtheresultsitproducesareimportant
indicatorsfortheSupervisoryBoard’smonitoringtasks.IftheSupervisoryBoard
hasestablishedanAuditCommittee,thisbodyismainlyresponsibleformonitor-
ing the company's inancial reporting and the related internal controls and for
budgetingandmonitoringtheexternalauditors.AtSAP,theAuditCommitteeasks
forregularreportsontheworkofInternalAudit(seeSectionB,Chapter5.4.1).
here is a diferent form of organization in the united States. All companies
listedonthenYSEarerequiredtohaveaninternalauditfunction.hismeansthat
SAPhasthedutytoestablishsuchafunction.However,thesetaskscanalsobeas-
signedtothirdparties.herearenoadditionalrulesonhowInternalAudithasto
beintegratedinthecompanyorganization.herecognizedbestpracticeistoseg-
regatethereportinglinesintoadministrativeandfunctionalbranches.hismeans
that theCAEcommonlyreports to theexecutivedirectorsaboutday-to-dayad-
ministrativeneedsandtotheAuditCommitteeaboutfunctionalissues.
Generally, thecooperationbetweenInternalAuditandtheBoardisarranged
diferently in diferent companies. For example, companies can specify that the
AuditCommitteeasksforregularreportsontheworkofInternalAudit,although
thismaysometimesleadtoconlictbetweenexecutivemanagementandInternal
Auditinitsdutyasamonitoringbody.
HintsanDtiPs ;
• Internal Audit should communicate regularly with the Board and the Audit
Committee.
• Forthebeneitofstakeholders,auditorsshouldincludeintheirworkinforma-
tionthatthecompanyhaspublishedexternally.
DutiesofthesupervisoryBoard
DutiesofthesupervisoryBoard
FormoforganizationintheUnitedstates
FormoforganizationintheUnitedstates
CooperationwiththeBoard
CooperationwiththeBoard
457
LinKsanDReFeRenCes e
• BARRIER, M. 2002. Relating to the Audit Committee. Internal Auditor (April 2002):
29–30.
• InStItutE OF IntERnAl AudItORS. 2001. Practice Advisory 2060-1: Report-
ing to Board and Senior Management.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
• InStItutEOFIntERnAlAudItORS.2002.Practice Advisory 2060-2: Relationship
with the Audit Committee.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2004.Practice Advisory 1320-1: Reporting on
the Quality Program.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutE OF IntERnAl AudItORS.2001.Practice Advisory 2500-1: Monitoring
Progress.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2600-1: Management’s
Acceptance of Risks.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• lEItHHEAd, B. 2000. In touch with the top. Internal Auditor (december 2000):
67–69.
2.6 External Auditors
KeyPoints •••
• here isacertainamountofoverlapbetweenthetasksofInternalAuditand
thoseofexternalauditors.
• However,therearealsodiferences.Forexample,externalauditorsprimarilyfo-
cusonpastevents,butinternalauditorsalsofocusonforward-lookingtopics.
• Bothpartieshaveaninterestinafunctioninginternalcontrolsystemandare
thereforenaturalcooperationpartners.
• Apartfromregularcoordinationmeetings,additionalarrangementsbetweenIn-
ternalAuditandtheexternalauditorsencouragegoodandtrustingcooperation.
Internal and external auditors should cooperate to ensure proper coverage and
minimizeduplicationofefort.hetasksofInternalAuditandtheexternalauditors
overlapwheneverInternalAuditdealswithauditsoftheinancialandaccounting
systemandauditsoftheinternalcontrolandmonitoringsystemonwhichthei-
nancialandaccountingsystemisbased.
However,asidefromcommonalities, therearesigniicantdiferencesbetween
thetwofunctions.heexternalauditorsprimarilyconductreviewsasofaspeciic
closingdateandthereforetendtofocusonthepastwhendeterminingieldwork
activities.InternalAudit,ontheotherhand,alsoperformsforward-lookingwork,
alwayswiththeaimofimprovingbusinessprocessesinthecompanyasawhole.
InternalAuditatSAPisprimarilyinstitutedbyexecutivemanagementandre-
mainsanintegralpartofthecompany,eventhoughithasagreatextentofinternal
introductionintroduction
LookingBackversusLookingForwardLookingBackversusLookingForward
independenceindependence
Special Topics and Supplementary Discussion
Cooperation
External Auditors
D|2|2.6
458
independence.herefore,InternalAuditcannotachievethesameformofindepen-
denceasexternalauditorsappointedbytheSupervisoryBoard.
Anotherdiferenceistheregulatoryframeworkthatrepresentsthebasisforthe
workof theexternalauditorsand InternalAudit. Incontrast to the increasingly
stringentregulationsonexternalcompanymonitoring,e.g.,asaresultofSOXand
theestablishmentofanoversightboardforexternalauditorsintheunitedStates
(PCAOB),thereisaconsiderableamountoffreedomfortheorganizationaldesign
ofaninternalauditfunction.AlthoughthePCAOBclearlystatesthattheabsence
ofaninternalauditfunctioncanberegardedasasigniicantdeiciencyintheinter-
nalcontrolsystem,andlegalrequirementsalsostipulatetheexistenceofaninternal
audit function, theactualdesignisundeined.hismeansthattheremustbean
internalauditfunctioninacompany,butunliketheexternalauditfunction,ithas
greaterfreedomintermsofdesign.
GiventhesimilaritiesbetweentheieldworkofInternalAuditandthatofthe
externalauditors,itseemssensibletoavoidduplication,forexamplebyusingthe
auditresultsproducedbyInternalAuditfortheauditoftheinancialstatements
andviceversa.Itisimportanttoensure,however,thattheexternalauditorsulti-
matelyhavesoleresponsibilityforthestatutoryauditoftheinancialstatements.
heycannotsharethisresponsibilitywithInternalAuditandmaynotincludecur-
rentInternalAuditemployeesintheirauditteam.heindingsofInternalAudit
cannotreplacetheexternalauditors’ownieldworkactivities.hisappliesinpar-
ticulartothosetransactionsconsideredmaterialfortheannualinancialstatements
andtothoserequiringagreaterdegreeofsubjectiveassessment(e.g.,themeasure-
mentofaccruedliabilities).However,thisdoesnotmeanthattheexternalauditors
should ignoretheresultsofInternalAudit’swork.heyshouldrather takethem
intoaccountintheirownwork,providingInternalAudit’stechnicalqualiication
and(internal)independenceareassured.
InternalAuditisoneofthecoreelementsofacompany’sinternalmonitoring
system,theefectivenessofwhichinturndeterminestheextentofieldworktobe
performedbytheexternalauditors.Aspartof theirauditplanning, theexternal
auditorshavetotestcarefullytowhatextenttheycanrelyontheexistinginternal
control system when determining their ieldwork activities. If external auditors
concludethatthesystemfunctionsadequately,theycan,withintheframeworkof
SOX,concentratetheirieldworkforexampleonmaterialtransactions.Butifthey
concludethattheinternalcontrolsystemistooweak,theyalsohavetofocuson
routinetransactionsintheirieldwork.
ItisimportantforexternalauditorstohaveaccesstoInternalAudit’sreports,
becausetheyprovideagoodinsightintotheauditfocusareasandproceduresas
wellastheresultsachieved.Ifbasedonalonger-termperiod,theyalsoshowthe
degreeofcommitmentwithwhichtherecommendationsresultingfromtheaudit
indingshaveactuallybeenimplementedinthecompany.
Conversely,InternalAuditshould,asfaraspermissible,beinformedofallsig-
niicantinsightsestablishedbytheexternalauditors.hisinformationmayinlu-
encetheaudittopicsaswellastherisk-basedauditplanning.EventhoughInternal
RegulatoryCoverRegulatoryCover
Cooperationfromtheexternal
auditors‘Perspective
Cooperationfromtheexternal
auditors‘Perspective
internalControlsysteminternalControlsystem
accesstointernalaudit’sReports
accesstointernalaudit’sReports
Cooperationfrominternalaudit’s
Perspective
Cooperationfrominternalaudit’s
Perspective
459
Audit employees cannot be integrated into the team of external auditors, they
shouldbeabletogetaccesstotheexternalauditors’work.lookingforagoodco-
operation with the external auditors with regular meetings and discussions may
helpimproveexternalandinternalauditors’eiciencyandefectiveness.
Also in view of increasing company complexity, both Internal Audit and the
external auditors are currently facing particular challenges with regard to their
rolesas(joint)guarantorsofanefectivecorporategovernancesystem.Itisthere-
foreobviousthatthetwopartiesshouldcoordinatetheirworktotheextentpermis-
sible. SAP’s internal audit department strives to make arrangements beyond the
regularcoordinationmeetingswiththeexternalauditors inordertoguaranteea
smoothexchangeofinformation.
LinKsanDReFeRenCes e
• AICPA.1991.SAS No. 65: he Auditor’s Consideration of the Internal Audit Function in an
Audit of Financial Statements.newYork,nY:AICPA.
• BROdY,R.G.,S.GOlEn,.AndP.M.J.RECkERS.1998.AnEmpiricalInvestigationof
theInterfaceBetweenInternalandExternalAuditors.Accounting and Business Research
(Summer1998):160–171.
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2050-2: Acquisition of
External Audit Services.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2440-2: Communica-
tion Outside the Organization.AltamonteSprings,Fl:heInstituteofInternalAuditors.
ProcedureatsaPProcedureatsaP
Special Topics and Supplementary Discussion
Cooperation
External Auditors
D|2|2.6
Information
Supplier
Addressee Internal Audit External Auditors
Internal Audit
External Auditors
Fig. 4 Information Flow Between Internal Audit and External Auditors
460
2.7 External Institutions and Other Interested Parties
KeyPoints •••
• here are numerous external partners who can support Internal Audit with
technicalcollaboration,professionaladvice,andprovideanexternalperspec-
tive.
• Anactiveexchangewith thesecooperationpartnerskeeps InternalAudit in-
formedofthelatestdevelopments.
• hespecialaspectsassociatedwithInternalAudit'swork(e.g.,auditoracceptance
andskills,treatmentofsensitiveissuesandconidentialdata)imposelimitson
theextentofthesetypesofcooperation.
Internal Audit should seek cooperation with parties that could support it in
providingitsservices.However,sincethedepartmenthastocompeteforinternal
companyresources,InternalAuditmustdemonstrateanddocumentthebeneitsof
theseservices,togetnecessaryfundsapproved.Anumberofinstitutionsandser-
viceprovidersareeligibleasexternalcooperationpartners.
hefollowingentitiesareamongthesigniicantexternalcooperationpartners
forInternalAudit.Possibleaspectsofcooperationareexplainedaterward:
• company-externalprovidersofauditservices,
• professionalassociations,
• educationandscience,and
• networkswithotherinternalauditdepartments.
InternalAudit’scooperationwithexternalprovidersofauditservicescantakemany
diferent forms, ranging from equal exchanges of knowledge and experiences to
outsourcingorco-sourcingofinternalauditservices.
CertainprovisionsgoverningInternalAudit,suchaslistingrequirementsofthe
nYSE,merelystipulatethatacompanymusthaveaninternalauditfunction.Itis
thereforepermissible,andinsmallercompaniesevenexpedient,tooutsourcethe
internalauditfunctiontoathirdparty.Beforeanoutsourcingdecisionismade,the
beneitsandcostsofsuchadecisionmustbeanalyzedcarefully.However,apure
cost-beneit analysis might not be suicient as acceptance and skills issues and
alackoffamiliaritywithcorporateculture,etc.arefactorsthatcanderailanout-
sourcingattempt.
Ahybridmodelmaybeagoodcompromise,underwhichInternalAuditwould
in principle remain within the company, buying in external capacity at times of
peakdemandorwhenspecialexpertiseisneeded.InternalAudittakesonamoni-
toringandcoordinatingroleinsuchcases,whileresourcesareaddedasneeded.
heseadditionalresourcescanbeexternalguestauditorsornon-auditemployees
fromelsewhereinthecompany(seeSectiond,Chapter10).
introductionintroduction
signiicantCooperationPartners
signiicantCooperationPartners
CooperationwithauditserviceProviders
CooperationwithauditserviceProviders
outsourcingoptionoutsourcingoption
HybridModelHybridModel
461
SAPhasoptedforthehybridmodel.InternalAuditatSAPregardscertainaudit
segments,suchasrevenueauditsinsalesandconsultingbusiness(seeSectionC,
Chapter3.5),asitscorecompetency.hesetypesofauditsarealwaysconductedby
GIASemployees.For speciicother topics, especially if special technicalor legal
expertiseisrequired,itissensibletoinvolveexperts.hisenhancesInternalAudit’s
acceptance among the auditees. GIAS has accordingly put suitable measures in
placetoimplementthiscooperationindailyauditingpractice.Forexample,special
non-disclosureagreementsareconcludedtoensurethatsensitivedataishandled
correctly.Inaddition,inancialcontrolfortheauditobjectgivestheauditleadthe
necessaryoverviewofthecostsanaudithasaccumulated.
normally,InternalAuditshouldhavesuicientconidenceinitsabilitiestoseek
comparisonwithotherauditdepartments.Comparisonisagoodwayofdrawing
attentiontoitsownstrengths.BenchmarkingalsoidentiiesInternalAudit’spoten-
tialforimprovement.hebenchmarkingprocesshastobeuniformandobjective.
External consulting irms ofering such comparisons are typically best suited to
achievethis.
Cooperation with professional associations such as the IIA has a number of
beneitsforInternalAudit.First,theynormallyofertheirmembersabroadrange
oftrainingoptions.IntheunitedStates,theAICPAalsooferssupporttoInternal
Auditemployees.Cooperationwiththeseinstitutionsisuseful,forexampletode-
riveguidancefrombestpractices.heIIAevenoferstheinternationallyrecognized
qualiicationof“CertiiedInternalAuditor.”Inaddition,theassociationspresenta
forum for discussing practical issues of audit work with professional colleagues.
heAICPA,forexample,maintainsitsownprogramforauditorsinindustrywith
diferentaudit-relatedfocustopics.
Cooperation with education and science, such as university departments fo-
cusedonauditing,isaimedatkeepingInternalAudit’smethod-basedapproaches
abreast of the latest developments. An external perspective should help auditors
avoidgettingprofessionallyblinkeredandmakethemreceptiveofinnovation.At
thesametime,itenablesInternalAudittoexplainitsimportanceandtoshareits
knowledgewithawideraudience,e.g. throughpublicationsororganizedevents.
heexchangeofknowledgewitheducation institutions is alsoaimedatofering
newtalenttheopportunitytosupplementtheiracademiceducationwithpractical
experience.SAPofersstudentstheopportunitytocooperateonspeciicauditproj-
ects forperiodsbetween three to sixmonths. Inaddition,SAPregularlyawards
audit-relatedthesistopicstoundergraduateandgraduatestudents.
Aratherinformalexchangeamonginternalauditdepartmentsofdiferentcom-
paniesatprofessionalassociationlevelshouldbeintensiiedbyestablishinganet-
work.Especiallyforissuesthatconcernaspeciicgroupofcompanies,forexample
globalsotwarecompanieslistedonstockexchangesintwocountries,suchasSAP,
itwouldbeusefultofocusonthistypeofcooperation.Practicaltopics,suchasor-
ganizational structures, shouldbegivenpriority insuchnetworks. Inanycasea
ProcedureatsaPProcedureatsaP
BenchmarkingBenchmarking
CooperationwithProfessionalassociations
CooperationwithProfessionalassociations
CooperationwitheducationandscienceCooperationwitheducationandscience
networkingnetworking
Special Topics and Supplementary Discussion
Cooperation
External Institutions and Other Interested Parties
D|2|2.7
462
competitive situation between diferent internal audit departments should be
avoided.
HintsanDtiPs ;
• Professional associations are a good starting point when looking for suitable
cooperationpartners.
• Ifpossible,InternalAuditshouldmakeuseofexistingpartnerprogramswithin
thecompany.
LinKsanDReFeRenCes e
• InStItutEOFIntERnAlAudItORS.2001.Practice Advisory 2050-2: Acquisition of
External Audit Services.AltamonteSprings,Fl:heInstituteofInternalAuditors.
463
3 AnnualRisk-BasedAuditPlanning3.1 Inventory of Possible Audit Topics
3.1.1 Identification of Possible Audit Topics
KeyPoints •••
• Alargevarietyofsourcesmayhelpidentifypossiblyauditabletopics.
• InternalsourcesincludeInternalAudititselfandothercorporatedepartments
aswellastheKeyScopesdeinedbyInternalAudit.
• Amongtheexternalsourcesforauditabletopicsaretheexternalauditors,and
otherinternalauditdepartments.
AtGIAS,theannualrisk-basedauditplanningphaseisdividedintothefollowing
subphases:creationofriskproilesforallpossiblyrelevantaudittopics,compila-
tion of the audit inventory, and creation of the annual audit plan. However, the
foundation of the actual planning phase is an ongoing, more or less formalized
processofidentifyingpossibleaudittopics.Generatingaudittopicsismostproliic
whenfocusedonwhataretheoreticallypossibleandatthesametimepractically
feasibletopics,i.e.topicandcontentmustbeplausibleandhavearelevantpractical
application.Alargevarietyofsourcesmaybetappedforidentifyingpossibletopics,
e.g., Internal Audit itself, corporate functions, all members of management, and
employeesfromdiferentpartsofthecompany.
Audittopicscanalsobederivedfromtheauditsegmentsdeinedonthebasisof
KeyScopes.heKeyScopesprovideastructuredcollectionoftopicsandhelpto
takeintoconsiderationoperationalneedssuchascorebusinessprocesses.Atthe
sametime,KeyScopesestablishadirectlinkbetweenauditcontentandthephysi-
calaudit.Possibleaudittopicsmayalsoarisefromad-hocrequests.
Besides Internal Audit itself, other compliance-based departments may be
apossiblesourceoftopics.InternalAudit’sdiscussionofindividualcaseswith,or
generalissuesrelatingto,theriskmanagementdepartment,thelegaldepartment,
thehumanresourcesdepartment,orthecompliancedepartmentmayalsoleadto
auditabletopics.
Externalsourcescanalsosupplyadditionaldatasuchasinformationprovided
bytheexternalauditors,changesinlawsornewlegislation,orinformationderived
fromexchangingideaswithinternalauditorsfromothercompanies.Inaddition,
customers,partners,andvendorsmayalsoprovideinitialimpulsesforgenerating
audittopics.It is important,however, to investigatesuchtopicsfromaninternal
perspectivesincenotallinformationfromexternalsourcesmayberelevanttothe
organization.
he identiied possible audit topics are analyzed, structured, and assigned to
recognizableentities.Inthiscontext,theterm“entity”comprisesalldiferentorga-
nizationalunits(e.g.,subsidiaries,departments)aswellasalltypesofprojects,ini-
tiativesetc.withclearstructureswithregardtoresponsibilitiesandaccountability.
theoreticallyPossibleandPracticallyFeasibleAudittopics
theoreticallyPossibleandPracticallyFeasibleAudittopics
KeyscopesKeyscopes
AudittopicsofotherDepartmentsAudittopicsofotherDepartments
externalsourcesexternalsources
AnnualAuditPlanningProcessAnnualAuditPlanningProcess
Special Topics and Supplementary Discussion
Annual Risk-Based Audit Planning
Inventory of Possible Audit Topics
D|3|3.1
464
Inthecourseoftheannualauditplanning,ariskproileiscreatedforeachentity,
andtheriskassessedentitiesareaddedtotheGIASauditinventory(seeSectionD,
Chapter3.1.2).heauditinventoryinturnisthebasisforthecompilationofthe
annualauditplan(seeSectionD,Chapter3.2)andthesubsequentexecutionplan-
ning(seeSectionD,Chapter3.3).
HintsAnDtiPs ;
• Auditorsareencouragedtosubmittheirownaudittopicsuggestions.
3.1.2 Risk Assessment and Audit Inventory
KeyPoints •••
• heriskassessmentofallauditableentitiesmarksthestartoftheannualaudit
planning.
• Foreachauditableentityariskproileiscreatedtakinginconsiderationallrel-
evantSOXprocessgroupsandriskindicators.
• Onthebasisoftheriskproile,anoverallriskratingisproducedforeachentity
anditsrelevantSOXprocessgroups.
• heresultoftheriskassessmentisanauditinventorywhichcontainsallaudit-
ableentitiesandtheirrespectiveriskratings.
• heriskassessmentsofallentitiesshouldbereviewedatleastonceduringthe
yearattheendofthesecondquarter.
Every annual audit planning cycle starts with a risk assessment for all auditable
entities identiied. he term “entity” comprises all diferent organizational units
withspeciicresponsiblepersons,e.g.subsidiaries,departments,aswellasalltypes
ofprojects,initiatives,andotherunits.hebasisoftheriskratingmethodologyis
theGIASriskproilewhichiscreatedforeachauditableentity.hemainobjective
forcreatingriskproilesistheidentiicationofallsigniicantriskindicatorsforeach
entityandtheirallocationtotheentity’sSOXprocessgroups.Eachriskproileis
structuredasamatrixwiththeverticaldimensioncontainingallcurrentlydocu-
mentedSOXprocessgroupsperentityandthehorizontaldimensiondenotingthe
relevantriskindicators.
heriskindicatorsaregroupedintomainriskcategoriessuchasstrategicrisks,
inancialrisks,compliancerisks,operationalrisks,etc.asdeinedbytheglobalrisk
managementdepartment.hefocusissetprimarilyontheoverallriskindicators
facingSAP.Eachriskindicatorshoulddescribeapotentialriskexposureandmust
beidentiiableandmeasurable.Commonindicatorsincludetheproitandlosssitu-
ation,salesperformanceandforecasts,aswellaschangemanagementmeasures.
RiskProileRiskProile
RiskindicatorsRiskindicators
465
Statusdescriptionsorattributesmustbedeinedforeachindicator,denotingclearly
whetherornottheseindicatorsapply.Itistherebypossibletospecifyaccuratelythe
conditionsunderwhichtheindicatorsdoordonotimpacttheorganization.For
eachprocessgroupofanentity,eachrelevantriskindicatorisclassiiedaseither
lowimpact(1),mediumimpact(2)orsigniicantimpact(3)indicatingtheexistence
ofaspeciicrisk.hisapproachallowsGIAStoclearlydeterminetheimpactofeach
oftheavailableiteenindicators.
heGIASriskproilesalso includetheSOXprocessgroupsrelevant foreach
auditableentity.Allsigniicantriskindicatorsareclassiiedasdescribedaboveand
allocatedtotheirrespectiveSOXprocessgroups.
Onthisbasis,acalculationisperformedthatdeterminesanoverallriskrating
(i.e.low,medium,high,orextremelyhigh)onboththeprocessgroupandtheentity
level.Intheeventthatanauditor’spersonaljudgementdifersfromthespeciicrisk
ratingdeterminedbythecalculation,therisklevelcanbeadjustedifanappropriate
explanationforthechangeisgiven.heobjectiveoftheriskassessmentistode-
velopapreliminaryunderstandingofthepotentialriskexposuresfacingeachentity
baseduponindividualriskindicatorsand,ifnecessary,onauditors’judgement.he
indicator-basedapproachtoannualauditplanningalsoallowsGIAStosupportits
ratingsforeachauditableentityindetail.
AllentitiesevaluatedthroughtheGIASriskratingmethodologyareincludedin
theGIASaudit inventorytogetherwiththeirrespectiveriskrating.Toobtainan
independentriskassessment,GIASprovidesthetotalinventorycomprisingallre-
gional,global, IT,SOX,andrevenuerecognitionassurance(RRA)entities to the
globalriskmanagementdepartment.GlobalRiskManagementthenperformsits
ownriskassessmentbasedonthegeneralratingmethodologylow,medium,high
andextremelyhighconsideringthemainindicatorssuchasinancialrisks,strategic
risksetc..GlobalRiskManagement’sratingisreturnedtoGIAS,aweightedaverage
oftheresults(25%GlobalRiskManagementto75%GIAS)iscompiled,andthere-
spectiveglobal,regional,IT,SOX,andrevenuerecognitionassurance(RRA)inven-
toriesareinalized.
hecompilationoftheannualauditplanshouldbestartedwithapreliminary
comparisonofthetotalauditableentitiesandtheavailableheadcount.Takingthe
GIAStimesheetasreference(and,inthefuture,theGIASperformancemeasure-
mentresults),theaverageauditingtimesforallentitieswithariskratingof“ex-
tremelyhigh”,“high”andofsomerated“medium”areaddedupandcomparedatan
aggregatelevelwithGIAS’availablepersonnelcapacity.heintentionistotestthe
feasibilityoftheauditsand,ifnecessary,prioritizetheauditsaccordingtotheirrisk
assessment(iterativeplanningprocess).heoutcomeofthisprocessisarisk-based
rankingofauditableentities,whichisregardedasthebasisforcompilingthean-
nualauditplan.
Oneofthemostimportantaspectsoftherisk-basedauditplanningapproachis
theongoingreviewoftheriskassessmentsduringtheiscalyear.hisreviewshould
soXProcessGroupssoXProcessGroups
overallRiskRatingoverallRiskRating
AuditinventoryAuditinventory
iterativePlanningiterativePlanning
RiskAssessmentReviewRiskAssessmentReview
Special Topics and Supplementary Discussion
Annual Risk-Based Audit Planning
Inventory of Possible Audit Topics
D|3|3.1
466
includetheentireauditinventoryinordertoobtainacompletepictureofthecur-
rentriskexposureofallauditableentities.Ideallythere-assessmentshouldbeper-
formedonaquarterlybasis.However,sincethismightnotbepossibleduetotime
constraints,ahalfyearre-evaluationismandatory.here-assessmentisperformed
asfollows:
• hereviewshouldcommencebeforetheendofthesecondquarter.
• Aspreviouslymentioned,theentirecontentoftheinventoryshouldbesubject
toreview.
• Allre-assessmentsofrisksshouldbeperformedonlyonthe levelofriskrat-
ing(eitherlow,medium,highorextremelyhigh)andshouldnotbeperformed
basedonriskindicators.
• Incaseofachangeinrisk-level,thebackgroundandthereasonfortheadjust-
mentmustbedocumented.hereisnoneedtoadjustthecorrespondingrisk
proiles.
• BasedupontherevisedGIASauditinventory,theannualauditplanandthus
alsotheauditperformancerecordisadjustedaccordingly.
Besidesbeingupdatedonthebasisofthehalf-yearre-assessment,theannualaudit
planisalsoinluencedbythecontinuousreconciliationoftheriskexposuresfrom
ad-hocrequestswiththosefrompreviouslyscheduledaudits.Fromariskperspec-
tive,determiningthepriorityofad-hocrequestsversuspreviouslyscheduledaudits
isoneofthebiggestchallengesfacingauditmanagement.
LinKsAnDReFeRences e
• BEASlEy,M,R.ClunE,AnDD.HERMAnSOn.2005.ERM–AStatusReport.In-
ternal Auditor(February2005):67–72.
• GRAMlInG,A.AnDP.MyERS.2006.InternalAuditing’sRoleinERM.Internal Audi-
tor(April2006):52–58.
• InSTITuTEOFInTERnAlAuDITORS.2001.Practice Advisory 2010-1: Planning.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTE OF InTERnAl AuDITORS. 2001. Practice Advisory 2010-2: Linking
the Audit Plan to Risk and Exposures.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
• InSTITuTE OF InTERnAl AuDITORS. 2003. Practice Advisory 2110-1: Assess-
ing the Adequacy of Risk Management.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
• MCnAMEE,D.2004.RiskRelections.Internal Auditor(October2004):75–79.
• ROTH,J.2006.AnEnterpriseRiskCatalyst.Internal Auditor(February2006):81–87.
• SOBEl,P.2006.BuildingonSection404.Internal Auditor(April2006):38–44.
• WüSTEMAnn,J.2004.EvaluationandResponsetoRiskinInternationalAccounting
and Audit Systems: Framework and German Experiences. he Journal of Corporation
Law (2004):449–466.
Ad-hocRequestsAd-hocRequests
467
3.2 Annual Audit Plan
KeyPoints •••
• he annual audit plan is determined by two factors: by including the irmly
planned audit engagements and by adding new audit engagements resulting
fromtheriskassessment.
• Includingixedauditslimitstheavailableauditcapacityfortheyearandthus
reducesthevolumeofadditionalengagementsthatcanbeincludedasaresult
oftheriskassessment.
• Certainthresholdsshouldbeobservedinthisregardtoavoidneglectingoneof
theschedulingoptions.
• Aterschedulingtheixedaudits,theannualauditplanisilledwithrisk-based
auditengagementstransferredfromtheauditinventory.
• Anoverallplanisthencompiledandcoordinated,checkingitespeciallyagainst
availablenetcapacities.
heannualauditplan(seeSectionB,Chapter2.2)isderivedfromtheauditinven-
tory based on the priorities identiied by the risk assessment (see Section D,
Chapter3.1.2).Generallyequalconsiderationshouldbegiventoixedengagements
whicharealreadyscheduledandnewlyaddedengagementsresultingfromtherisk
assessment.Anauditperformancerecordisusedtocaptureasummaryviewofall
plannedaudits.Itisthebasisforauditmonitoringandcontrol.
heannualauditplanconsistsofthreediferentsections:
• PartA:heprojectedannualauditplanbasedonthecurrentpersonnelcapacity
ofthedepartment.
• PartB:Allentitieswithhighriskexposurethatarenotincludedintheannual
planduetopersonnelrestrictions.
• PartC:Strategiestocompensatemissingheadcountincludingacalculationof
additionalheadcountneeded.
PartAshouldcontainallsigniicantaudittopicsthatcoverrisksfromacorporate
governanceandcomplianceperspective.herefore,partAoftheannualauditplan
iscreatedaccordingtothefollowingprocedure.
heirmlyplannedaudits,whichareincludedintheannualauditplanasixed,
canbecategorizedinseveraldiferenttypes:
• First,specialaudits(seeSectionA,Chapter6.5)musthaveairmplaceinthe
annualauditplan.Inthecontextofrevenuerecognitionassurance(seeSection
C,Chapter9),customercontractconirmationsandunannouncedlicenseau-
dits are included in theannual auditplanasixedaudits. Inaddition,global
auditsandSOXauditsareirmlyscheduledengagements.
• Around30%to40%oftheavailablenetauditcapacityinayearisreservedfor
ad-hocauditsonthebasisofauditrequests(seeSectionB,Chapter2.3).his
percentageshouldbereviewed(andadjustedifnecessary)annually,takinghis-
toricalrequirementsintoaccount.
RiskAssessmentandAuditinventoryRiskAssessmentandAuditinventory
structureoftheAnnualAuditPlanstructureoftheAnnualAuditPlan
FixedAuditsFixedAudits
specialAuditsspecialAudits
Ad-hocAuditsAd-hocAudits
Special Topics and Supplementary Discussion
Annual Risk-Based Audit Planning
Annual Audit Plan
D|3|3.2
468
• next,thefollow-upaudits(seeSectionB,Chapter6)thatfallintotheplanning
periodmustbescheduledasixedaudits.heauditorsmustobservethedead-
lineswithinthefollow-upcycle.Follow-upauditsareduewithinspeciiedperiods
followingthebasicaudit.Inaddition,secondfollow-upauditsarescheduledas
ixedauditsifthestatusoftheirstfollow-upisredoraccordingtoauditorjudg-
mentwhenitisyellow(seeSectionB,Chapter6.2.2;SectionD,Chapter7.2.3).
• Anotherimportantitemisauditspostponedorcarriedoverfromtheprevious
year.Ariskassessmentshouldbemadetodeterminewhetherthereisstillaneed
toconducttheseaudits.Ifthereisstillavalidreasontoconducttheaudits,these
topicsareincludedinthecurrentauditplan,incombinationwithothertopicsif
appropriate.
Inadditiontotheirmlyplannedaudits,theannualauditplanshouldalsoinclude
newlyscheduledhighest-prioritytopicsidentiiedintheriskassessment(seeSec-
tionD,Chapter3.1.2).Takingintoaccounttheixedauditsalreadyenteredaswell
astheplannedcapacityforad-hocaudits,thenetbudgetedaudittimefornewrisk-
basedtopicscanbecalculatedaccordingtothefollowingformula:
heannualauditplanincludestimeallocationsaspertimesheetforeachauditen-
gagement.hismeans that foreachbasicaudit, statuscheck,and follow-up, the
currentlyapplicabletimefactorisused.heplannercanavoidoverschedulingby
comparing thealreadyscheduled time to theavailable timeduring theplanning
process.Assoonasthemaximumavailabletimeisreached,thephaseofrisk-based
inclusionofauditengagementsintheannualauditplaniscompleted.
heplannermustbeabletodemonstratethattheplanhasbeencompiledwith
anemphasisonoptimizationandthattheselectionofengagementsisnotaresult
ofarbitrarydecisions.hisisofparticularimportanceforInternalAudit’scredibil-
ity,becauseitevidencesobjectivityandindependence.
heaboveplanningprocessensuresthatpartAoftheannualauditplancontains
allsigniicantauditengagementswithregardtocorporategovernanceandcompli-
ance.PartAisbrokendownaccordingtoGIAS’teamstructure.PartBfollowsthe
Follow-UpsFollow-Ups
AuditsBroughtForwardfromthePreviousyear
AuditsBroughtForwardfromthePreviousyear
newlyscheduledAuditsnewlyscheduledAudits
entryintheAnnualAuditPlan
entryintheAnnualAuditPlan
credibilitycredibility
PartsBandcPartsBandc
Total available net audit time
=
–
– Time reserved for ad-hoc audits
Net capacity for new risk-based topics
Fig. 5 Calculating the net audit capacity for new risk-based topics
469
samestructureshowingallrelevantauditengagementsthatcannotbecovereddue
to restricted personnel capacity. If during the year additional engagements are
neededtocoveravailablecapacity,thetopicsfromsectionBshouldbeconsidered
forinclusion.PartCshouldgiveaclearpictureofwhichauditsarenotcovereddue
tocapacityconstraintsandofthewaypotentialriskscouldbetreated.Alternative
solutions could include reduced audit extent, combined audit engagements, and
additionalheadcountifpossible.
hedratoftheannualauditplanispresentedtotheCEO,theCFO,andthe
headoftheAuditCommitteefortheirconcurrence.Atergatheringtheirinput,
GIASassessestheircommentsindependentlyandinalizestheannualauditplan.
heinalversionoftheGIASannualauditplanmustbeapprovedbytheCAE.he
partiesmentionedbeforereceiveacopyoftheinalauditplanfortheirinforma-
tion. hen the respective GIAS regional teams commence with the execution
planning.
HintsAnDtiPs ;
• Auditorsshouldcheckwhethertheannualauditplancontainstherequiredfol-
low-upauditsandauditscarriedforwardfromthepreviousyearthatrelateto
them.
• Auditorsshouldmakesurethattheircapacityissuicientfortheauditstowhich
theyhavebeenassigned.
LinKsAnDReFeRences e
• InSTITuTEOFInTERnAlAuDITORS.2001.Practice Advisory 2010-1: Planning.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITuTE OF InTERnAl AuDITORS. 2001. Practice Advisory 2010-2: Linking
the Audit Plan to Risk and Exposures.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
• InSTITuTE OF InTERnAl AuDITORS. 2003. Practice Advisory 2110-1: Assess-
ing the Adequacy of Risk Management.AltamonteSprings,Fl:heInstituteofInternal
Auditors.
3.3 Execution Planning
KeyPoints •••
• Duringexecutionplanning,thetopicsoftheannualauditplanareassignedto
possibleauditorsandtimeslots.
• hisprocesstypicallyoccursinstages,becauseanumberofpersonal,technical
andtime-relatedinteractiveefectsmustbetakenintoaccount.
FinalconsolidationFinalconsolidation
Special Topics and Supplementary Discussion
Annual Risk-Based Audit Planning
Execution Planning
D|3|3.3
470
• Once planning has been completed, the results are discussed with the team
members.
• Inaddition,theheadoftheAuditCommitteehastoconcurtotheplan,andthe
CEOisinformed.
Oncetheannualauditplanhasbeenapproved,therespectiveAuditManagersare
responsiblefortheexecutionplanning.Separateplanningstepsmustbetakenfor
eachregionalteamsothatthediferentauditteamscanbedesignated,followingthe
procedureoutlinedbelow.
First,thetimelinesforthosetopicsincludedintheplanasixeditems(seeSec-
tion D, Chapter 3.2.1) should be speciied in detail. Depending on whether the
itemsinquestionarefollow-upsortopicscarriedforwardfromthepreviousyear,
Internal Audit management has to make certain assumptions and set priorities,
relatingforexampletourgencyorperiodclosingdates,etc.Teamcolleaguesare
then tentatively assigned to each topic, taking into account their responsibility,
expertise,interests,etc.
next,thenewrisk-basedaudittopicsarearrangedintoalogicalplanningorder,
indingtherightbalancebetweenriskassessments(seeSectionD,Chapter3.2.2),
thesituationoftheauditees,andavailabilityoftheauditorstobedeployed.hisis
normally an iterative process, because oten repeated coordination is necessary,
using alternative planning scenarios. now the previously rough estimates of the
timerequirementsforeachauditareworkedoutindetail,usingthedatafromthe
timesheets.Simpleestimationsrevealthetotaltimerequiredforeveryiteminthe
annualauditplanandallowtheAuditManagertoreconcilethiswiththeactually
availableworkingdays.
Inadditiontoidentifyingtheauditteammembers,theteamstructureisdeter-
mined, i.e., the positions of audit lead and auditor are assigned. he position of
auditleadshouldbeilledinatimelymannerforeachaudit,becausethisperson
must perform certain activities before the start of the audit. Moreover, external
auditteammembersandguestauditors(seeSectionD,Chapter10)mayhavetobe
addedtotheschedule.
Whendrawinguptheplan,bufertimesshouldalsobeincludedanddistributed
asevenlyaspossible.hesebuferswillallowtheAuditManagertoaccommodate
additionalrequestsforauditstobeconductedduringtheyear,inadditiontothose
alreadyscheduled.hesameappliestomeetingsandworkshops,forexample.he
AuditManagershouldalsoenterplannedvacationandtrainingintheexecution
plansincetheycanhaveaconsiderableimpact.
lastly, thefeasibilityoftheexecutionplanischecked.Allplannedauditand
bufertimesareaddedupandcomparedtothetotalnetworkingtimeaccordingto
thetimesheet.Ifthevarianceis5%orlessineitherdirection,theplancanbere-
gardedasstable.hisoverallfeasibilitycheckisalsoreferredtoasinalplanning
consolidation.
Onthebasisoftheparametersnowavailable,thekeydataforeachauditcanbe
planned,includingthepreciseauditperiod,theauditannouncement,thereporting
operationalPlanningoperationalPlanning
FixedtopicsFixedtopics
newlyscheduledAuditsnewlyscheduledAudits
teamstructureteamstructure
BufertimesBufertimes
overallcheckoverallcheck
startingPointforAuditLeads
startingPointforAuditLeads
471
date,andtheopeningandclosingmeetings.heauditleadsinchargecanstarttheir
auditplanningwellinadvancebasedonthisdata.
Oncetheexecutionplanhasbeencompleted,theregionalteamsshoulddiscuss
theresultsindetail.hisallowsauditorstoidentifyandresolveanyissuesorerrors
atthisearlystage.heteammembersshouldvoicetheirgeneralagreementwiththe
plan.Commentsonteamformationorunclearaudittopicsshouldbediscussed.
hisprocessturnstheplanintoasharedworkingbasis,whichallinvolvedparties
canagreeto.
Finally,attheendofoperationalplanning,theCEOshouldbeinformedofthe
result,andtheheadoftheAuditCommitteeshouldconcurwiththeplan.hiswill
signaltheimplementationoftheannualauditplanandprovideanopportunityto
comment.
HintsAnDtiPs ;
• Auditorsshouldmakeanoteingoodtimeoftherelevantkeydataoftheaudits
forwhichtheyhavebeenscheduled.
• Auditors should seek involvement in the plan for topics that are relevant to
them.
3.4 Interrelation of Global and Regional Planning
KeyPoints •••
• Globalandregionalauditsmustbeplannedinclosecoordinationwiththevari-
ousteamsinvolved.
• Globalauditsshouldbeplannedirst inordertodeterminetheresourcesre-
quiredandtofacilitatethesubsequentplanningofregionalaudits.
• For this reason, global teams are put together and the audits coordinated in
outlinewiththoseresponsibleatanearlystage.
An importantannualplanning issue forglobal internalauditdepartments is the
interrelationbetweenregionalandglobalaudits.Sincetheauditplanisultimately
subjecttocentralresponsibility,regionalplanshavetobecoordinatedamongeach
otherwithconsiderationgiventotheglobalaudits.
Especiallyinlightofglobalaudits,thecontentsandtimelinesoftheauditplans
ofregionalteamsmustbecoordinatedtoavoidmultipleschedulingoftopicsand
double-bookingofauditors.heoptimalsequencefordealingwiththetopicsand
selectingtheteamshastobeexamined.hetimeneededforglobalengagements
mustbeincludedinthetimesheet.
Globalauditsmustbeplannedaheadofregionalaudits,sinceglobalauditteams
arenormallycomposedofmembersofdiferentregional teams.First, theglobal
audit lead has to be nominated, since he or she has the right to inluence the
sharedWorkingBasissharedWorkingBasis
informationtotheceoandconcurrenceoftheAuditcommittee
informationtotheceoandconcurrenceoftheAuditcommittee
needforGlobalcoordinationneedforGlobalcoordination
AvoidanceofDuplicatedPlanningAvoidanceofDuplicatedPlanning
timesequencetimesequence
Special Topics and Supplementary Discussion
Annual Risk-Based Audit Planning
Interrelation of Global and Regional Planning
D|3|3.4
472
compositionoftheglobalauditteamtoasigniicantextent.Especiallytheoverall
executionofglobalauditstakeslongerthanthatofregionalaudits(fordetails,see
SectionC,Chapter7).Forthisreason,itisrecommendedthattheAuditManager
performairstcheckoftheexecutionplanningoncealltheglobalauditsaresched-
uled.Ifthereisinsuicientcapacitytocoverthem,theAuditManagerwillnormally
havetosupplementthemwithexternalresources.Inglobalaudits,externalsupport
maybenecessarytodealwithcomplextopicsaswellasdiferentlegalsystemsand
cultures.
Inaddition,globalauditsshouldbecloselycoordinatedwiththemanagerofthe
unitstobeauditedand–inextraordinarycircumstances–withtheCEO.Oten,
mattersconcerningthecompany’sstrategyandmissioncandeterminethesuccess
of an audit, because due to their nature, global audits are also requested by the
Board.GlobalRiskManagementshouldbeinvolvedsothat,ifnecessary,theycan
providefeedbackabouttheurgencyoftheauditsinquestionandpossibleregional
priorities.
his requires the global planning process to be closely coordinated with the
globalplanningorganizationandtheregionalteams.Anychangesorsubsequent
adjustments have to be communicated to all parties involved, because they may
have far-reachingconsequences.his is theonlywaytomaintainthestabilityof
executionplanningatagloballevel.
HintsAnDtiPs ;
• Ifpossible,theexecutionplanshouldalloweachauditortotakepartinaglobal
auditatleastonceayear.
• Auditorsshouldregularlyexchangetheirglobalauditexperiencewiththeircol-
leagues.
• Auditorsshouldalsouseglobalauditstobuildtheirnetworks.
cooperationwiththeBoardandRisk
Management
cooperationwiththeBoardandRisk
Management
GlobalcoordinationProcess
GlobalcoordinationProcess
473
4 ITEnvironmentofInternalAudit4.1 Structure of a Global IT Environment of Internal Audit
4.1.1 Decentralized Use of IT
KEyPoInTs •••
• Worktemplatesareprovidedonacentralserverfortheoperationallevelofthe
audit,allowingauditorstocopythedocumentstheyneedforfurtherprocess-
ing.
• Standardcommercialsotware,ITtoolsfordataselection,andallSAPapplication
systems,includingtheiraudit-speciiccomponents,areavailableforsupporting
auditwork.
• Fromaformalperspective,ITuseshouldbestandardizedintheformofinter-
net-basedauditsotware.
In order to institutionalize Internal Audit’s methodical approach in a uniform
manner,theutilizationofIThastobeorganizedaccordingly.heprovisionofan
integrated IT solution for Internal Audit can require considerable efort and re-
sources.Itisnolongersuicientmerelytoprovidethemeanstocapture,process,
andtransferdata.ITtechnologyisnowrequiredtodelivermuchmorebesides:IT
ischangingfromalocalapplicationperspectivetoanoverallglobaltechnicalcon-
cept.AlthoughtheindividualITtoolsremainasigniicantcomponentofthetotal
ITlandscape,theyhavetobeintegratedintoahigher-leveloverallstructure.
heoperationalleveloftheAuditRoadmapistheinitialfocusforITsupport.
Althoughauditorsworklocally,theyhavetobeabletodosoinawaythatallowsas
muchcoordinationandnetworkingaspossibleamongeachother.hetemplates
arestoredandmaintainedcentrallyonaserver,basedonthephasesoftheAudit
Roadmap.Auditorscancopythetemplatestheyneedtotheirworkstationsforfur-
therprocessing.heycanusestandardITprogramsoraudit-speciicprograms.In
additiontostandardcommercialsotware,GIASauditorsprimarilyuseITtoolsfor
dataselectionandallSAPapplicationsystems,includingtheiraudit-speciiccom-
ponents(seeSectionB,Chapter4.1.3.3).
heformalaspectsofITuseshouldbestandardized.Alldeinedworktemplates
shouldbebasedonthesameauditsotwaresysteminordertosimplifytheexchange
ofworkresultsandreports.Forthisreason,thetemplateshavetobedeveloped,
maintained,andused inastandardizedmanner.hedecisiononwhichsystems
touseshouldbetakenonthebasisoftheiravailabilityatallcompanylocations,the
degreetowhichtheyareknown,andtheirlexibilityandadaptability.heavailable
functionsshouldinallinstancesincludewordprocessing,spreadsheet,andgraphics
functions.Forlocalstorage,diferentstoragesystems,e.g.databases,canbeused.
Apartfromformalstandardization,thecontent-relatedaspectoftheITapplica-
tion isalsosigniicant for thediferentphasesof theAuditRoadmap.Special IT
tools,e.g.,fordataselection,areavailable,inparticularforauditexecution.How-
IntegratedITsolutionIntegratedITsolution
ITsupportattheoperationalLevelITsupportattheoperationalLevel
FormallystandardizedUseofITFormallystandardizedUseofIT
Content-RelatedAspectsoftheITApplicationContent-RelatedAspectsoftheITApplication
Special Topics and Supplementary Discussion
IT Environment of Internal Audit
Structure of a Global IT Environment of Internal Audit
D|4|4.1
474
ever,theseITtoolsdonotcovertheentireauditprocess,becausetheydonotsup-
portnetworkingbeyondtherelevantdatabasesorinternet-basedapplications.his
restrictstheirdatatransportoptionsandmeansthat,althoughtheyareimportant
forauditwork,theydonotmeettherequirementsofanintegratedITsystemfor
InternalAudit.
heapplicationscurrentlyavailableoferonlylimitedaccessoptionsandoten
provideonlyrudimentarysupport(ifany)forthenecessarycrossfunctions.Phase-
basedqualityassuranceisanexampleofsuchacrossfunction.Worklowsonthe
basisoflocalapplicationsthereforearetobeusedtonetworktheauditorsandAu-
ditManagersinvolved.Itshouldalsobepossibletomonitorthetime,workpro-
gress,and,ifrelevant,thebudgetsandcostsofauditsonanintegratedbasis.here
shouldalsobeanITapplicationthatsupportsacentrallystandardizeddocumenta-
tionconcept.heabovepresentsatangiblestartingbaseforacomprehensiveIT
solutionforInternalAudit.
HInTsAnDTIPs ;
• Beforeeditingadocument,auditorsshouldalwaysmakesurethattheyareusing
thelatesttemplateversion.
• AuditorsshouldcarefullyselecttheITtoolsforauditsupportandsensiblyinte-
gratethemintotheauditprocess.
• Conidentialinformationshouldbestoredinaseparateprotectedarea.
LInKsAnDREFEREnCEs e
• OlIPHAnT, A. 2004. Auditing IT Infrastructures. Mission Viejo, CA: Pleier
Corporation.
4.1.2 Central Filing Structure
KEyPoInTs •••
• Duringtheaudit,thedocumentsarestoredindecentralizedsystems.
• Oncetheaudithasbeencompleted,theyshouldbestoredcentrallyaccordingto
thecriteriaofthegeneraldocumentationconcept.
• Arrangementsmustbemadeforcompliancewithsecurityregulations.Excep-
tionswithregardtoaccessrightsmustbehandledrestrictivelyanddocumented
accordingly.
ItisamatterfordiscussionwhetherInternalAuditshouldhaveadecentralizedor
acentraldocumentilingsystem.Duringtheaudit,thedocumentsforprocessing
arestoredinindividualdecentralizedsystems.Duringthisphase,auditorshaveto
havethelatestversionsoftheirdocumentsreadilyaccessibleatanytime.Inaddi-
RequirementsonaComprehensiveIT
solution
RequirementsonaComprehensiveIT
solution
DecentralizedstorageDecentralizedstorage
475
tion,aback-upcopyshouldbesavedtothecentralauditserveratleasttwiceaweek.
he back-up copies stored by the audit team members give the audit lead the
opportunitytogetanupdateofauditprogressandofthemostimportantresults.
Withthisinmind,itmaybeusefultostorecentrallycertaininformationordoc-
umentsofmoregeneralinterestduringtheaudit.hisallowsallauditorsinvolved
intheaudittokeepthemselvesinformedaboutobservationsandindingsandto
updateandsupplementthisdata(e.g.throughmaintainingacentralissuelogile).
However,thisshouldapplyonlytoinformationofinteresttootherauditorswork-
ingontheaudit.Ingeneral,onlycompletedportionsoftheauditdocumentation
shouldbemadeavailablecentrallytoallauditorsconcerned.Foracertainperiod
atertheaudit,however,auditorsmaystillstorethedatalocally.hismaybeuseful
incaseofqueries,subsequentamendments,etc.Ultimately,auditorshavetotake
thisdecisionbasedontheirownjudgementorinconsultationwiththeauditlead.
Whenstoredcentrally,thedocumentsshouldbestoredinamannerthatallows
them to be retrieved using diferent criteria. Step-by-step access along the audit
databasestoragestructureshould thereforebepossible inallcircumstances:he
auditkeywords(e.g.,auditnumber,audittype,reportnumber,etc.)allowusersto
call the informationat therelevant levelon thecentral server.Byspecifying the
parameters of an audit, e.g., the consecutive number or match code, i.e., with a
parametricsearchkey,thetitle,theauditor,ortheperiod,itispossibletomakethe
relevantdocumentsavailable.Audit-relateddocumentsinthisregardaretheaudit
request, the audit announcements, the work program, and the various reports.
However,thedocumentscanalsobestructuredaccordingtothephasesoftheAudit
Roadmapbyassigningthemtotherelevantphaseandclassifyingthembyanyfur-
thercriteriaatthislevel,e.g.,iscalyear,auditparameters,orauditees.hismaybe
very useful especially in the case of summaries per individual Roadmap phase
(e.g.thepercentageofcompletionofallworkingpapersasofacertaincut-ofdate).
hecentralstorageofauditdocumentsmustbecoordinatedwiththewayother
documentsarestored,e.g.,externalsourcesorsourcetexts.Hererelevantsumma-
rieswillleadfromthereportstothedescriptiveelements,e.g.,theauditsummaries,
andviceversa.Keywords,keyword indices,or referencingmaybeuseful in this
regard.
Acomprehensivesecurityplanmustbeimplementedforthecentralauditdata
server,coveringissuessuchas:
• anti-virusprotection,
• internetsecurity,
• archiving,
• dataprotection,and
• accessauthorization.
InternalAuditandITSecurityshouldagreeonprocedurestoimplementtheabove
issues, which are also important from an IT control perspective. In particular,
unauthorized access to centrally stored data of Internal Audit must not be pos-
sible.Forthisreason,accesspathsandthedocumentsthatcanbeaccessedbyeach
authorizationgroupmustbedeinedprecisely. Inexceptionalcircumstancesand
CentralstorageCentralstorage
CentralstoragestructureCentralstoragestructure
otherDocumentsotherDocuments
securityPlansecurityPlan
Special Topics and Supplementary Discussion
IT Environment of Internal Audit
Structure of a Global IT Environment of Internal Audit
D|4|4.1
476
aterconsultationwith theBoardor theAuditCommittee, itmaybedecided to
makecertainpartsoftheinformationonthecentraldataserveraccessibletoother
parties.hismust,however,remaintheexceptionandanysuchauthorizationmust
bedocumentedaccordingly.
heinalarchivingofthedataandthephysicalremovalofdatathathasbeen
deletedlogically,followstherequirementssetoutinthedocumentationconcept.
hisiswhereappropriateparametersforthedocumentationmedium,theretention
periods(seeSectionD,Chapter1)etc.mustbedeined.
HInTsAnDTIPs ;
• Auditorsshouldtestaccesstothecentrallystoredauditdocumentsinthecre-
ationofwhichtheyhavebeeninvolved.
• heauditorresponsibleshouldinformtheauditleadwhencentraldatastorage
hasbeencompleted.
4.1.3 Decentralized Reporting System
KEyPoInTs •••
• hedecentralizeddistributionofInternalAuditreportsmustmeettheinforma-
tionrequirementsofallpartiesafectedbytheaudits.
• Allpartiesreceivethereportsassoonaspossibleandwiththenecessarylevelof
conidentiality.
• A comprehensive administration system ensures that report distribution fol-
lowsdueprocess.
CentralstorageofthedocumentsofInternalAuditisanimportantprerequisitefor
globally standardizeddatamanagement.hisensures that completeandcoordi-
nateddocumentsareavailableforeveryaudit.Centralstorageandarchivingforms
thebasisforreportdistributionthatisfullyscalable.hediferenttargetgroupsaf-
fectedbyanauditreceivethesereportsonthebasisoftheirresponsibilities,with
aguaranteethattheyreceivethemsoonatertheauditandthattheinformationis
complete.
hedistributionofthereportshastobecentrallyadministeredintheITaudit
system, and it must be guaranteed that the reports reach their recipients in the
speciiedwayandwithintheagreedtime.hisshouldbeensuredbyusingcheck-
listsandcompletenessrecords.Generally,oneortwoInternalAuditrepresentatives
should be nominated for global report distribution, and the audit leads should
forwardtheirreports to themfordistribution.Toensure thatreportsarealways
distributedproperly, theentiredistributionconcept, includingall authorizations
andtargetgroups,shouldbecriticallyanalyzedatleastonceayear.
DataArchivingDataArchiving
CentralstorageasaPrerequisite
CentralstorageasaPrerequisite
DistributionAdministration
DistributionAdministration
477
hereportsmustbemadeavailabletotheirtargetgroupsbasedontheirrolein
theauditprocess.hepartiesdirectlyafectedbytheauditreceivethereportsby
e-mail under conidential cover. hey include the operational managers of the
auditedunitandtheseniormanagersinchargeoftheregionorunit.hereports
aredistributedasreportpackages(seeSectionB,Chapter5).
AtSAP,theBoardreceivestheBoardsummaryandtheassociateddetailedre-
portsthroughanintranet-basedreportingandanalysissystem.Onlineaccessallows
theBoardmemberstogetimmediateanddirectinformationabouttheauditresults
inquestion.Allother reportaddressees receive theiraudit reportsbyencrypted
e-mailorthroughaccesstoanappropriateportal.
AnumberofprerequisitesmustbemetbeforethereportsofInternalAuditare
distributed.Firstly,thereportsmustbecomplete,coverallreporttypes,andcon-
tainall theinformationnecessaryforeachaudit.Assoontheseprerequisitesare
met, InternalAudit’scentralreportadministrationis informed.Aformalquality
checkisperformedatthisstage,andifanydataismissingorincorrect,reportdis-
tributionisstopped.hisafectsallreportsdistributedthroughaninternet-based
informationsystem.heinitialdistributionofthereports, i.e., immediatelyater
completionistheresponsibilityoftheauditleadandtheAuditManager.Again,this
isprecededbyaformalqualitycheck.
HInTsAnDTIPs ;
• On thebasisof spot inquiries,auditors shouldcheckwhether theaddressees
havereceivedthereportsrelevanttothem.
4.1.4 IT Tools for Data Analysis
KEyPoInTs •••
• he use of computer-assisted auditing techniques beneits auditors when
analyzinglargevolumesofdata,wheremanualprocessingwouldentaildispro-
portionateefortanderrorrisk.
• Auditorsshouldthereforeconsiderusingsotware-assistedtoolsinordertoat-
tainauditobjectives.
• Computer-assistedauditingtechniquesincludegeneralauditsotware,sotware
foronlineaudits,andspecialauditsotware.
Auditors must collect relevant and meaningful evidence during audit execution.
heindingsandsummariesmustbesupportedbytherelevantanalysesandinter-
pretationsoftheauditresults.Today’sinformationprocessingsystemshavetomeet
special requirements in this regard,becausemuchof thedocumentaryevidence
existselectronicallyandcanonlybeauditedbyusingtherelevanttechnicaltools.IT
DistributionAccordingtoPurposeDistributionAccordingtoPurpose
DistributiontotheBoardDistributiontotheBoard
PrerequisitesforReportDistributionPrerequisitesforReportDistribution
needforComputer-AssistedAuditingMethods
needforComputer-AssistedAuditingMethods
Special Topics and Supplementary Discussion
IT Environment of Internal Audit
Structure of a Global IT Environment of Internal Audit
D|4|4.1
478
landscapes that consist of diferent hardware and sotware systems and contain
diferentdata structures, formats, and functionsmake it virtually impossible for
auditorstocollateandanalyzedatawithouttheuseofasotwaretool.Moreover,the
sheervolumeoflargestoresofdataexceedsthecapacityofamanualaudit.Com-
puter-assistedauditingtechniquesreducetheefortanderrorriskassociatedwith
manualprocessing.hedataqualityoftheinformationsourceuseddeterminesthe
reliability of the audit indings made in this regard. Computer-assisted auditing
techniquesincludegeneralauditsotware,sotwareforonlineaudits,andspecial
auditsotware.
Auditorsneedtoknowtheexactcapabilitiesoftheauditsotwareinordertouse
it eiciently. General audit sotware simpliies system access to data for analysis
purposesandallowsauditorstoreadinformationdirectlyfromdiferentdatabase
systems,ilesystems,anddataformats.Itcanalsobeusedtofacilitatemathematical
calculations,statisticalanalysis, follow-upchecks,accesscontrol,andcalculation
methods.Generalauditsotwaresupportsthefollowingfunctions:
• Fileaccess:hesotwareallowsuserstoreaddiferentformatsandilestructures.
• Fileorganization:hesotwareallowsusers to index,sort,mix,andcombine
iles.
• Dataselection:hesotwareallowstheuseofgeneraliltersandselectioncrite-
ria,includinghigher-levelcriteria,forexampletodescribetherelationshipwith
externalsources.
• Statisticalfunctionsallowtheuseofsamplingtechniques,stratiication,aswell
asfrequencyandtrendanalysis.
• Arithmeticfunctionsallowuserstocalculateratios.
• Searchfunctionsenablekeywordsearches.
• Automatedprocesseshelpwithdocumentanalysis.
Anotherprimaryapplicationofcomputer-assistedauditingtechniquesisthecapa-
bility to conduct continuous online audits. his method allows auditors to test
systemreliabilityduringnormaloperation.Inthisway,theoperationandfunction-
ingcanbemonitoredcontinuouslyandselectedauditevidencecanbeextracted
fromtheITsystem.
heSAPAISauditsotwareisasystem-supportedITtoolforauditsintheSAP
environment (see Section B, Chapter 4.1.3.3). Its use can help improve the audit
processandauditqualityintheSAPenvironment.SAPAIScanbeusedintheareas
ofinternalandexternalauditing,taxaudits,anddataprotection.Itprovidesalarge
numberofindividualroles,i.e.,deineduserproileswithacleartaskportfolio,and
ofersastructuredcollectionofpresetSAPreportprograms.Itsstructureisbased
onthestandardsandrequirementsofinternalandexternalaudits.Forthisreason,
theanalysesandreports foratypicalieldworkactivity,e.g., inataxorinancial
statementsaudit,arepresentedwithameaningfulstructureandcontent,thuspro-
vidingthedatanecessaryforfurtherieldwork.heuseofSAPAISisexpedientfor
thefollowingieldworkactivities:
GeneralAuditsoftwareGeneralAuditsoftware
softwareforonlineAudits
softwareforonlineAudits
specialAuditsoftwarespecialAuditsoftware
479
• onlinechecksintheareasofprocess-relatedandinancialreporting-relatedau-
dits,and
• exportofdocumentdataandaccountbalances,e.g.,totextiles.
HInTsAnDTIPs ;
• Whencompilingaworkprogram,auditorsshouldascertainthepossibleusesof
ITtools.
• During audit preparation, it is useful to conduct a test run to assess the IT
tools.
4.2 Globally Integrated IT Solutions
4.2.1 Requirements on a Fully Integrated IT Solution
KEyPoInTs •••
• hevariousfunctionsthatafullyintegratedITsolutionforInternalAuditneeds
toprovideresultinanumberoftechnicalandcontent-relatedrequirements.
• Asystemthatmeetstherequirementsshouldincorporatetheinternalcontrol
managementtoolandSAPAIS.
Anumberofcorerequirementscanbederivedfromthefunctionsthatafullyinte-
gratedITsolutionneedstohave.AsalreadydiscussedinSectionD,Chapter4.1.2,
itmustbepossibletomaintaintheworktemplatesanddocumentsaswellasthe
workingpapersanddocumentationdataofallauditscentrallyandinastandard-
izedway.hisisofcriticalimportancetoprovideaclear,uniforminformationbase
onthebasisofstandardizedanduptodatedocumentsforallthoseinvolvedinan
audit.Accordingly,thedocumentshavetoconformtoInternalAudit’sstatutes.
Anothercentralrequirementisthatonlineandolineprocessingispossiblesi-
multaneously.Dependingontheaudit inquestion,audit teamsmayworkeither
centrallyorlocally.Forthisreason,itmustbeguaranteedthatbothtypesofITuse
areavailableandare linkedtoeachotherperfectly.Onlineprocessingshouldbe
usedwhereverpossible.
InternalAudit’sITsystemauthorizationproilemustberole-based.Itisneces-
sary todeineuserproilesclearlyandunambiguously for InternalAuditand its
diferentfunctionsandmanagementlevels.Rolesshouldalsobedeinedforthird
parties (e. g., guest auditors) involved inaudits.Authorizationsor authorization
groupsmustbeassignedtotheseuserproilesforcertainsystemfunctionssothat
uniquerolescanbedeined.
Ahighlevelofintegrationandnetworkingwithotherusersinthecompliance
areaaswellasallotherbusinessapplicationsystemswillconsiderablyenhancethe
datatransferoptions.Intelligentsearchandanalysisfunctionscanbebuiltonthis
CentralDatabaseCentralDatabase
onlineandolineProcessingonlineandolineProcessing
RoleConceptRoleConcept
IntegrationandnetworkingIntegrationandnetworking
Special Topics and Supplementary Discussion
IT Environment of Internal Audit
Globally Integrated IT Solutions
D|4|4.2
480
basis,whichcanusehistoricalanalysisandcurrentresultstoidentifytrendsand
thusgenerateprioritizedauditsuggestionsforthefutureandconsequentlysupport
preventiveaudits.
Anotherimportantaspectisthelexibleanalysistechniquesforanalyzingthe
informationanddatageneratedbyInternalAudit.hisappliesasmuchtothetreat-
ment of indings and recommendations across diferent summarization levels,
rankings,andlinksasitdoestothegenerationofaudit-process-basedratios.
Inaddition,theremayneedtobeacloserlinkbetweenthereportingsystemand
theresultsofratioanalysis.hiscanbeachievedwithabsoluteratios,benchmark-
ingconcepts,orbalancedscorecardsystems(seeSectionD,Chapter7).Detailed
analysismustthenbepossibleonthebasisoftheratioaswellasonthebasisofthe
underlyingindings,reports,andthusaudits.
AuditexperienceandbestpracticesofInternalAuditandoftheauditeescanbe
used tohelp resolve current issuesbycollecting them in separatedatabasesand
makingthemavailablethroughsearchfunctions,e.g.,keywordsearches.Internet-
basednetworkingwithinternalguidelinesandprocessdescriptionsaswellasexter-
nalrules,regulations,andstatutesprovidesabroadinformationbaseforInternal
Audit.
Anintegratedaudittoolthatistailoredtothespeciicrequirementsofaninter-
nalauditdepartmenthastomeetalltheabovecriteria.SAP’sAISapplicationand
the internal control management tool described earlier (see Section B, Chapter
4.1.3.3)shouldbeintegratedatthisjuncture,withdueconsiderationfortheAudit
Roadmap.
HInTsAnDTIPs ;
• InternalAuditemployeesshoulddiscussideasforimprovingITuse.
• Routineevaluationofcompletedauditscancontribute to thecontinuous im-
provementoftheauditprocesses.
4.2.2 Concept for a System Structure of an Integrated IT Solution
KEyPoInTs •••
• IntegratedITsotwareforInternalAuditmustoferasolutionlexibleenough
toallowmultipleauditteamstoexchangedataandcollaboratethroughITsys-
tems.
• Inaddition,lexibilityofcontentandformhastopermitindividualuseofthe
system,sothatsystemcontrolcanbeoptimizedfordiferenttypesofaudits.
• Inthisregard,therequirementsofadeinedauditorrolehavetobecombined
withtheneedsofsystem-optimizedfunctioncontrol(controlprinciples,pre-
deinition,etc.).
FlexibleInformationAnalysis
FlexibleInformationAnalysis
RatioAnalysisRatioAnalysis
InformationDatabasesInformationDatabases
speciicAuditToolspeciicAuditTool
481
hedetailedconceptof theAuditRoadmapdeinesanumberofcontent-related
criteria for a meaningful structure of a comprehensive IT solution for Internal
Audit.However,thisconcepthastobespeciiedingreaterdetail,especiallywith
regard to application-related aspects such as predeined standard content, full
searchfunctions,automaticdatareplication,etc.hefocusofthetechnicalsolution
iswhatisknownasthemasterdatabase.
hemasterdatabasecentrallystoresthelatestapplicableversionsofalldocu-
ments,templates,guidelines,andworkinstructionsalongtheAuditRoadmap.It
forms the basis for the creation of audit-speciic Roadmaps, a process that is
triggeredwhenaplanningitemisreachedintheannualauditplanorwhenanap-
provedad-hocauditrequestissetup.Bothtransactionsgenerateanauditmaster
record in the system, including all important information relevant to the audit,
rangingfromaudittitleandnumber,schedulingandresponsibleauditorsthrough
information about the auditees. On the system side, this master record in turn
triggersthecreationofacopyoftheAuditRoadmaponthetargetserver,intended
fortheauditlead.hisiswherethedocumentsneededfortheauditarestored.he
extentofthedocumentsiledherecanbesetwithsystemparametersinthecustom-
izing.hisensuresthattherelevantdocumentsareconiguredspeciicallyforthe
relevantaudit.
Oncetheauditleadhasaddedfurtheraudit-relatedinformationtothedata,he
orshehastodeineworkpackages,assigningspeciictaskstoparticipatingaudi-
tors,whoreceivethemasindividualworkprogramitemsintotheirlocaldatabases
throughtheworklow.Atthesametime,theyaregivenaccesstoallthenecessary
documentsandtemplates.heauditorscannowedittheauditstepsinthesystem
directlyonline,orolinewithouthavingtoaccesstheserver.
Foreachphaseoftheaudit,userscanconigureindetail,onthebasisoftheir
roledeinitions,auniquecombinationofpossiblefunctions.However,somestan-
dardsettingsaremadeatgroup level, e.g.,peraudit type.hisalso includes the
customizing of interfaces, i.e. what data is transferred in which way to Internal
Audit’ssotwarefromneighboringsystems.Adistinctionshouldbemadeinthis
regardbetweensystemparametersettingsforintegratedsotwareanddatatransfers
fromthird-partyITapplications,becausediferentplausibilitycheckshave tobe
initiatedthere.
Oncetheauditorshavecompletedtheirworkingpapers,theinisheddocuments
arereplicatedontheauditlead’sserver,eitheronebyoneorinasingletransaction.
hisalsoallowstheauditleadtomonitortheprocesscontinually.hisisnotonly
acheckofeachauditstep,butalsoprovidesalltheinformationnecessaryforafull
andreliableauditstatusforeachphaseoftheAuditRoadmapandcontinuouslyfor
theentireaudit.hestructureoftheAuditRoadmapisthereforeveryimportantfor
qualityassurance.Assoonasacertainphaseisreached,completenesschecksare
automaticallyperformedaccordingtotheparameterssetinthesystem.henmes-
sagesandprocessstepsaregeneratedfortheapproval levelsandtheappropriate
loggingandautomaticallyforwardedtotherelevantauditleadsandAuditManag-
ComprehensiveITsolutionComprehensiveITsolution
MasterDatabaseMasterDatabase
AuditPreparationandExecutionAuditPreparationandExecution
DeinitionofRolesDeinitionofRoles
QualityAssuranceQualityAssurance
Special Topics and Supplementary Discussion
IT Environment of Internal Audit
Globally Integrated IT Solutions
D|4|4.2
482
ers.Whenallthefeedbackhasbeenreceived,thesystemautomaticallytriggersthe
startofthenextauditphase.
Anotherimportantaspectisthecontrolofactivitiesthatariseduringtheaudit.
Itmustbepossible,intermsofbothcontentandcapacity,fortheauditleadand
individualauditorsresponsible toscheduleandperformexpandedoralternative
ieldworkactivitiesforaworkpackage.Insuchcases,workpackagesmaybepro-
cessedsimultaneously,andthiswillrequireautomaticITsupport.
Eventhoughthecontentsofthesystemarenetworked,therehastobelexibility
andanappropriatedegreeof independencebetweenthe individualphasesofan
audit. It has to be possible to exchange working papers between work program
items, reassign indings and recommendations that have already been allocated,
andtomaptheresultstoanyreportformatorevenmultipleformats.Achangeon
onelevelwillautomaticallyrelectontheotherlevels,e.g.,intheworkingpapers,
auditreports,etc..hismeans that theassignmentsmustnotbestatic,although
alinkshouldalwaysbecreatedbymeansofreferencing.
hesystemshouldupdateratiosandcostsautomaticallyandbreakthemdown
byrelevantcriteria.Itshouldalsoguaranteethatthelatestinformationisavailable
atanytimetothoseresponsibleforcontrolandmonitoringpurposes.
he entire IT application should have a consistent graphical user interface,
throughwhichallfunctionsareaccessiblewithamouseclick.Onlydatashouldbe
enteredalphanumerically,butevenherereferencestokeywordsandstandardtexts
canbeused.Itshouldalsobepossibletosimulateaudits,whichisusuallyonlypos-
siblewithaminimumofefort,ifthereisaneasy-to-useinterface.
HInTsAnDTIPs ;
• AuditorsshouldmakesuggestionsonhowITauditingtoolscanorshouldbe
integratedintoInternalAudit’sITlandscape.
• Auditorsshouldcheckthecontentsof theAuditRoadmapforways inwhich
theycouldbesupportedbyIT.
4.2.3 Proposed Solutions in Terms
of Corporate Governance and Compliance
KEyPoInTs •••
• heaudituniversecombines ina standardized ITsystemall the foundations
andimplementationmeasuresformeetingcorporategovernancerequirements
ingeneralandcompliancecriteriainparticular.
• Inthisregard,thefollowinglevelscanbeidentiied:GeneralprinciplesofInter-
nalAudit,documentation,knowledgedatabase,andAuditRoadmap.
UnplannedActivitiesUnplannedActivities
FlexibilityFlexibility
UpdatingofRatiosUpdatingofRatios
GraphicUserInterfaceGraphicUserInterface
483
• heselevelscanbecombinedintoanapplicationportal,whichisaninternet-
basedapplicationandalsoallowsaccesstoothersourcesofaudit-relevantdata.
AnITsolutionforInternalAuditnotonlyimplementstheAuditRoadmap,butcan
alsomakeavailablethemethodsusedbyInternalAuditasatooltomeetcompli-
anceandcorporategovernancerequirements.Inaglobalaudituniverse(seeSec-
tionA,Chapter5.5),thisresultsinanITsolutionthattranscendsthepureprocess
perspective.Itincludesthecomponentsdescribedbelow.
hefundamentalsofInternalAuditprovideasolidbasisfortheresultingoverall
concept.hemission,therulescontainedintheGIASCodeofConduct,andthe
generalauditmandateofthedepartmentprovidetheframeworkforallsigniicant
activitiesperformedbyInternalAudittoguaranteecomplianceinparticularand
corporate governance in general. Guidelines for compliance with SOX, COSO,
COBIT® andnumerous laws,actsandregulations shouldbe included.All these
guidelinesshouldbestoredinadatabaseintextformatandalsoaschecktablesin
ordertodocumentthedegreeoftheirfulillment.Inthisregard,therecanalsobe
system-basedlinksbetweenthechecktablesandtheindividualaudittypes,sothat
evidencecansimultaneouslybeprovidedthattherulesdeinedtherehaveactually
beenimplementedinthesystem.heultimateobjectiveisalsotoensurethatInter-
nalAuditiscompliantitself.
hesecondlogicallevelcontainsallthedocuments,guidelines,rules,andin-
structionsthatdeineanddescribehowtheauditprocessperseisbeingimplemented
– including in its support function to ensure the compliance of other corporate
units.TogetherwiththeprinciplesofInternalAudit,thislevelformsthebasisofthe
twoprimarilyoperationallevelsofacomprehensiveaudituniverse.
hedatastoragelevelforallauditprocessresultsincludesperformanceindica-
tors,bestpractices,auditarchives,andstatistics.Italsocontainsdocumentsfrom
externalsourcesthathavearisenduringauditing.Takeninitsentirety,thismaterial
providesa typeofknowledgedatabase:Portalaccesscan turn thisdatabase into
avaluableinformationsourceforeveryemployeeinterestedinInternalAudit.
heactualoperationallevelisprimarilymadeupoftheAuditRoadmapwithall
its documents and templates. his level is controlled according to the rules and
processesdeinedinSectionB.heotherlevelsgetdataandinformation(including
updates)mainlyfromthisworkinglevel.
Allthedatastoredandprocessesmodeledareultimatelycombinedintoaninte-
gratedinteractiveapplicationportal.Allthelevelsdescribedaboveareaddressed
throughthisportal.Inaddition,itispossibletomakethecontentaccessiblethrough
theinternetortocreatealinktootheraudit-internalandexternalsourcessothat
dataandinformationfromtherecanbeintegratedandutilized.
herulesandsystemfunctionsmust,however,besupplementedinthatevery
auditor and manager contributes their experience and know-how in their daily
work to thebestof their ability.Only thecombinationof these factors canulti-
ComplianceandCorporateGovernanceTool
ComplianceandCorporateGovernanceTool
GeneralPrinciplesofInternalAuditGeneralPrinciplesofInternalAudit
DocumentationDocumentation
KnowledgeDatabaseKnowledgeDatabase
AuditRoadmapAuditRoadmap
ApplicationPortalApplicationPortal
CombinationofAllFactorsCombinationofAllFactors
Special Topics and Supplementary Discussion
IT Environment of Internal Audit
Globally Integrated IT Solutions
D|4|4.2
484
matelyguaranteethatInternalAuditmakesanoptimalcontributiontomaintaining
complianceandcorporategovernance.
HInTsAnDTIPs ;
• Auditors should collect as many relevant pieces of external information or
sourcesoninternalauditaspossible.
• AuditorsshouldregularlyreviewInternalAudit’sdocumentstomakesurethey
arecompleteanduptodate.
• Ifpossible,auditorsshouldclearlyshowforall signiicantieldworkactivities
howtheyarelinkedtocomplianceandcorporategovernance.
485
5 QualityAssuranceforInternalAudit5.1 QualityAssuranceinGeneral
KeyPoInts •••
• Qualityassuranceisimportantforeveryinternalauditdepartmentsothatitcan
providethebestpossibleservices.
• OrganizationssuchastheIIAorAICPAhaveintegratedqualityassuranceinto
theirstandardsandrecommendations.
• hebeneitsofaqualityassuranceprogram includeconsistentapplicationof
processes across global, regional, and local audits, standardization and com-
pletenessofdocumentation,andreportingreliability.
• Continuous process improvement (CPI) is also part of the quality assurance
program.ItisoneofthekeyrequirementsforInternalAudittomeetexpecta-
tionssuccessfully.
Howdoesacompanyensurecustomersatisfaction?Howdoesitensurecustomer
loyalty?HowdoesanyservicedepartmentsuchasInternalAuditdeveloptherepu-
tationofa“trustedadvisor”withinthecompany?Whatensuresthatadded-value
servicesaredeliveredtocustomers?heanswerisacomprehensivequalityassur-
ance program. Quality assurance is of such importance for every company that
organizations such as the IIA and AICPA have integrated quality assurance
recommendationsintotheirworkindiferentways,e.g.,asanintegralpartoftheir
standardsorintheformofspecialistinternalworkinggroups.
InternalAuditatSAPhasrespondedtothesechallengesanddevelopedacom-
prehensivequalityassuranceprogram,which isdocumented indetail.hemain
purposeofthisprogramistoprovideclearproceduresandthusensurecompliance
withinInternalAudititself.Aspartofthequalityassuranceprogram,diferentso-
called quality gates have been established for the Audit Roadmap. hese quality
gatesdeineresponsibilitiesandnecessaryactivitiesinconnectionwithfeedback,
reviews,andapprovalforthediferentprocesssteps.heyalsoensurethatInternal
Audit’scustomersalwaysgetthebestpossibleservice.InternalAudit’squalityas-
suranceprogramthereforealsoincludesanumberofdepartment-speciicquality
stepsembeddedintheprocessandorganizationalstructure.
Oneofthemajorbeneitsofhavingaqualityassuranceprogramisconsistency
in the application of the process model across global, regional, and local audits.
A well designed quality assurance program increases the efectiveness of the
supervisory function and enhances the reliability of Internal Audit reporting. It
alsoensures,amongotherthings,standardizationandcompletenessofdocumenta-
tion,completenessofieldworkactivitiesaccordingtotheworkprograms,adequate
linkageofauditrecommendationstoworkingpapers,andconsistencyinitemspre-
sentedintheimplementationreport,managementsummary,andBoardsummary.
objectivesofQualityAssuranceobjectivesofQualityAssurance
ApproachofInternalAuditatsAPApproachofInternalAuditatsAP
BeneitsBeneits
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
QualityAssuranceinGeneral
D|5|5.1
486
Duetoitsconsistentqualityassuranceprogram,InternalAuditatSAPisableto
facenewchallengesarisingfromtheincreasingdemandsbyinternalcustomersand
externalpartners.Duetofactorssuchasglobalizationandcorporatescandals,the
roleof(internalandexternal)auditorshasincreasedconsiderablyinrecentyears
fromprovidersofpureauditservicestointernalconsultants,trustedadvisors,risk
identiicationexperts,fraudpreventionorearlydetectionchampions,SOXexperts,
usersofthelatestinformationtechnology,andmuchmore.Qualityassurancehelps
auditorsmeetthesenewrolesbyimprovingtheirworkthroughcontinuousprocess
improvement (CPI).hequalityassuranceprogramthatGIAShas implemented
includesmethodsforthecontinuousupdatingandimprovementofthestepsinan
iterativeprocessmodel,i.e.,theAuditRoadmap(fordetailsontheAuditRoadmap,
seeSectionB).
HIntsAnDtIPs ;
• hequalityassuranceprocessrequirestheassignmentofanownerorchampion
responsibleforcontinuousmonitoringandupdates.
• hequalityassurancechampionsshouldeducatetheotheremployeesandin-
volvethemintheirworkinordertoachievethedesiredresults.
LInKsAnDRefeRences e
• AICPA.AICPA General Standards. http://gaqc.aicpa.org/Resources/Audits+Performed+
Under+Government+Auditing+Standards/General+Standards(accessedMay31,2007).
• BRInkley,M.2006.HealthCheckfortheAuditBrand.Internal Auditor(June2006):
79–83.
• FABRIzIUS,M.AnDR.SeRAFInI.2004.InitiatingaQualityAssessmentcanhelpan
InternalAuditGroupcomeoutonTop.Internal Auditor(February2004):38–43.
• InSTITUTe OF InTeRnAl AUDITORS. 2004. Practice Advisory 1300-1: Quality
Assurance and Improvement Program.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
• lIeBeSMAn,S.2005.QualityintheMix.Internal Auditor(October2005):73–77.
• MARkS,n.2005.MaintainingControl.Internal Auditor(February2005):36–38.
• WHITePAPeR.2006.Qualityreview.he CPA Journal(March2006):12–20.
5.2 DefinitionofTerms
KeyPoInts •••
• Aqualitygateisaprocedureinwhichacompletedprocessstepisassessedto
establishwhetherithasbeencompletedproperlyandwhethertheauditisready
foradvancementtothenextphase.
newchallengesforInternalAudit
newchallengesforInternalAudit
487
• Inadditiontothequalitygates,theoverallauditprocesshasadditionalinternal
controls,whichmonitortheauditprocesscontinuously.
• Allqualitygatesarealsointernalcontrols,butnotallinternalcontrolsareneces-
sarilyqualitygates.
• hequalityassessmentcanbemadebywayof feedback,review,orapproval,
followingthesequenceofthecontrols.
ToenhancetheunderstandingofthestructureofInternalAudit’squalityassurance
programatSAP,thischapterexplainsthetermsnormallyusedtodescribethequal-
itygatesandqualityassuranceprocedures.
Qualitygatesarekeycomponentsofqualityassurance.Ingeneral,aqualitygate
isaprocedureinwhicharesponsibleteammemberassesseswhetheracompleted
processstephasbeendealtwithproperlyandwhethertheauditcanproceedtothe
nextphase.Inotherwords,togotothenextphaseorsub-phaseoftheAuditRoad-
map,thepreviousphasemusthavesuccessfullypassedthequalitygate.heactual
auditexecution,forexample,canonlystartoncetheworkprogramhasbeencom-
pleted. he quality assessment of each process step is represented by feedback,
review,andinallytheapprovalofthepartyresponsible.
Inadditiontoqualitygates,theoverallauditprocesshasfurtherinternalcon-
trols,whichmonitortheprocesscontinuously.Allqualitygatesareinternalcontrols,
butnotall internal controlsarequalitygates, althoughbothareused toachieve
qualityassurance.Forexample,thefeedback,reviewandapprovalprocessrelated
totheauditworkprogramisbothaninternalcontrolandaqualitygatewhereasan
internalcontrolthatguaranteesthatthequalitygatesarepassedthroughproperly
during the entire auditprocesswouldbe consideredan internal controlbutnot
aqualitygate(seeSectionD,Chapter5.4).
he quality assessment can be made by way of feedback, review, or approval.
Feedbackmeanssuggestionsthatshouldbeconsideredforsubsequentactivities,al-
thoughtheirapplicationisnotmandatory.Forexample,thequalitygateforthean-
nualauditplanincludesreceivingmandatoryfeedbackfromGlobalRiskManage-
mentandtheregionalGIASteammembers.Italsoincludesreceivingoptionalfeed-
back fromtheCeOorothergroups.Whenpreparing theannualauditplan, it is
importanttoobtain,consider,and(ifdeterminednecessarybyInternalAudit)in-
corporatefeedbackfromsuchgroupsintotheannualauditplan.hisprocessisin-
tendedtominimizetheriskofexcludingrelevantaudittopicsfromauditplanning.
Reviewmeansensuringthattheauditobjectiscomplete(includingthefeedback)
prior to submission for inal approval. A review is more binding than feedback,
becauseitdirectlyaddressesthereviewpartner,whohastoperformthesettask.
However, unlike a withheld approval, a negative review result cannot stop the
process from moving forward. For a drat report, for example, Internal Audit
employeeswillonlybeaskedforfeedback,buttheauditeeswillhavetoperforma
reviewofthedrat,i.e.,theiropinionhastobeobtained.hecommentsfromthe
reviewshouldbeincorporatedintothereport.
termsUsedtermsUsed
QualityGatesQualityGates
InternalcontrolsInternalcontrols
feedbackfeedback
ReviewReview
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
DeinitionofTerms
D|5|5.2
488
Approvalauthorizesadvancementtothenextstageoftheoverallworkprocess.
Approvaloftheworkprogram,forexample,leadstothestartofauditexecution.
Ifallthreestepsarenecessary,thenormalsequenceisforfeedbacktobeob-
tainedirst,followedbythereview,andapprovalisgivenlast.SectionD,Chapter
5.3dealswithtestingcompliancewithqualitygatesandtherelevantdocumenta-
tion.
HIntsAnDtIPs ;
• heauditormustrequestfeedbackifitismandatory,becausefailuretoobtain
feedbackposesarisktothecomplianceoftheentireauditprocess.
• Importantdocumentsshouldnotbesubmittedforapprovalwithoutareview.
LInKsAnDRefeRences e
• InSTITUTe OF InTeRnAl AUDITORS.2004.Practice Advisory 1300-1: Quality As-
surance and Improvement Program. Altamonte Springs, Fl: he Institute of Internal
Auditors.
5.3 GIASQualityAssuranceStructure
KeyPoInts •••
• he GIAS quality assurance structure includes quality gates along the Audit
Roadmapanddepartmentalqualitymeasures.
• ForeachphaseoftheAuditRoadmap,theremaybemandatoryoroptionalar-
rangementsregardingfeedback,review,orapprovalbyotherparties.
• GIAS’overallqualityassuranceprogramensuresacontinuousimprovementof
theauditprocess.
hequalityassuranceprogramdevelopedbySAP’sinternalauditdepartmentcom-
prises internal controls, quality gates for the Audit Roadmap, and other quality
assuranceactivities.hequalityassuranceprogramdeinestheminimumstandards
ofqualitychecksthatallGIASprocessesneedtopass.heGIASqualityassurance
programfollowsthestructureshowninFig.6.
InternalAudithasdevelopedbothRoadmap-speciicanddepartmentalquality
measures.heivequalitygatesshowninFig.7areintendedforthephasesofthe
Audit Roadmap. hey are explained below. each quality gate deines the parties
involvedandrequireseitheranoptional(O)oramandatory(M)taskforthefeed-
back,reviewandapprovalofthediferentGIAScriticalprocesses.
ApprovalApproval
sequencesequence
needfortheGIAsQualityAssurance
Program
needfortheGIAsQualityAssurance
Program
AuditRoadmapandQualityGates
AuditRoadmapandQualityGates
489
Dra
ftv
ersi
on
Final
ver
sion
Arc
hivin
g
Finalversion
Dis
cuss
ion
Discussion
Archiving
Draftversion
ScopeStatus
check
Working
papers
Field-
work
Work
program
Audit
announce-
ment
Annual
audit
planning
Audit
request
Follow-up
I+II
4
3
5
2
1
4321
X
X
(X)
X
X
X
Global Regional
applicable)
Follow-upReportingExecutionPreparationPlanning
54321
Fig. 7 AuditRoadmapandQualityGates
Accross/cold reviews
Audit Roadmap
GIAS:
Internal controls
GIAS:
Quality gates
Quality
indicators
GIAS Administration
Quality Assurance
Roadmap-based
qualityassurance
measures
Fig. 6 GIASQualityAssuranceStructure
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
GIASQualityAssuranceStructure
D|5|5.3
490
hequalitygateforauditplanningincludesfeedback,review,andapprovalre-
gardingtheScope,annualauditplanandauditrequest(formoreonplanning,see
Section B, Chapter 2). With regard to Scopes, there are two scenarios: One for
regularlyrecurringaudittopics,forwhichaScopealreadyexists,andonefornon-
recurringornewtopics.hescenariofornewornon-recurringtopicsrelatestothe
minimum requirement of creating a Table of key Scopes, but the scenario for
standardtopicsrelatestoexistingstandardScopesthathavebeenassignedalready,
irrespectiveofaudittype.Fornewornon-recurringtopics,itismandatoryforthe
auditleadtoreviewandfortheAuditManagertoapprovetheScope,butitisop-
tionalfortheCAetoreviewtheScopeandprovidefeedback.Itisalsooptionalfor
theAuditManagerandtheauditteamtoprovidefeedback.Inthestandardtopics
scenario,theScopedoesnotnecessarilyhavetobereviewedbytheauditlead,but
bytheScopeowner.
Scopes Feedback Review Approval
CAE O O
Audit Manager O M
Audit team O
Audit lead (new/non-recur-
ring topics) or Scope owner
(standard topics)
M
Fig. 8 QualityGatesforScopes
hequalitygaterelatedtotheannualauditplan(seeSectionB,Chapter2.2and
SectionD,Chapter3)mentionsthekeyinteractionpartnersinvolvedinthispro-
cess,i.e.,theCeO,GlobalRiskManagement,andvariousotherfunctions,suchas
regionalinanceoicersandcorporatedepartments,ensuringthatallopinionsare
relected in theannualauditplan.hisqualitygatedeines thatwhile theBoard
memberresponsiblehastoconcurwiththeplan,heorshealsohasasanoptionto
providefeedback.Ontheotherhand,GlobalRiskManagementandtheGIASre-
gionalteamsarerequiredtoprovidefeedback.hereviewtasksmustbeperformed
bytheGIASplanningchampion,theGIASregionalteamsandtheCAe.Priorto
the CeO’s concurrence, the CAe must approve the inal proposal of the annual
auditplan.hisqualitygateensuresthatattheendoftheprocess,GIASdevelops
averycomprehensiveauditplan.
scopescope
AnnualAuditPlanAnnualAuditPlan
491
Annual audit plan Feedback Review Approval
CEO O
Global Risk Management M
CAE M M
Regional GIAS teams M M
Planning champion M
O
Fig. 9 QualityGatesfortheAnnualAuditPlan
hequalitygaterelated toaudit requests indicates thatwhenanaudit request is
received,theAuditManagerandtheCAemustreviewtherequest.heemployees
ofInternalAuditcouldalsogetinvolvedbyprovidingfeedback.Oncethisquality
assuranceprocess is completed, theaudit requestmustbepresented toanddis-
cussedwiththeCeO,beforeGIAScanprocessitfurther.
Audit request Feedback Review Approval
CEO
CAE
Audit team O
Audit Manager M
M
M
Fig. 10 QualityGatesfortheAuditRequest
heauditpreparationphaseoftheAuditRoadmapincludestheauditannounce-
ment and preparation of the work program (see Section B, Chapter 3.2). Both
documentsaremandatoryfortheauditprocessandhavetobeavailabletoenterthe
nextphaseoftheAuditRoadmap.Feedbackonandreviewoftheauditannounce-
mentpreparedbytheauditleadareoptionalfortheauditteam.Forregionaland
localaudits,theAuditManagermustapprovetheauditannouncement,butinthe
caseofglobalaudits,theCAeisresponsibleforapprovingtheauditannouncement.
AuditRequestAuditRequest
AuditAnnouncementAuditAnnouncement
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
GIASQualityAssuranceStructure
D|5|5.3
492
Audit announcement Feedback Review Approval
CAE (global audits) M
Audit team O O
Audit Manager
(regional and local audits)
M
Fig. 11 QualityGatesfortheAuditAnnouncement
heapprovalofanauditannouncementmayberefusedforformalorcontent-re-
latedreasons.Formalreasonsincludeincompleteinformation,incorrecttimings,
etc.Contentreasonscouldbeincorrectorambiguousinformationonauditcon-
tent.Ifapprovalisrefused,theauditannouncementisreturnedtotheauditlead,
whocorrectsthedocumentwithinthespeciiedtimeframe.
hequalitygaterelatedtothepreparationoftheworkprogramgivestheCAe
andaGIASemployeenotinvolvedintheaudittheoptionofreviewingthework
program.Oncetheworkprogramhasbeenprepared,theauditleadmustreviewit.
Inaddition,theAuditManagermustapprovetheworkprogram.Creation,review,
andapprovalhavetobedocumentedinadedicatedfolder,theworkprogramfolder.
hisincludesenteringintheilethedateandthenameorinitialsofthepeoplewho
havecreated,reviewed,andapprovedtheworkprogram.Duringtheaudit,ifastep
oftheworkprogramisdeemednotnecessary,anexplanationmustbeprovidedin
the“comments”section,withthenameoftheauditoranddate.
Work program Feedback Review Approval
CAE
Audit Manager M
Peer from GIAS O
Audit lead M
O
Fig. 12 QualityGatesfortheWorkProgram
Refusaltoapprovetheworkprogrammayjeopardizetheentireauditprocess.For
thisreasonitisrecommendedthat,inthecaseofcomprehensiveworkprograms,
thepreparerforwardanycompletedsectionsforapprovalasearlyaspossible.his
maybecomeparticularlyrelevantforad-hocaudits,forexample,wherethework
programhastobecompiledandapprovedimmediately.
RefusaltoApprovetheAuditAnnouncement
RefusaltoApprovetheAuditAnnouncement
WorkProgramWorkProgram
RefusaltoApprovetheWorkProgram
RefusaltoApprovetheWorkProgram
493
heexecutionphaseoftheAuditRoadmapreferstotheieldworkactivitiesand
theirdocumentationintheworkingpapers(seeSectionB,Chapter4.2).Working
papersareevidenceoftheauditor’sworkandsupporttheauditresultsthatgiverise
totherecommendations.Itisadvisablenottoleavequalityassurancetotheend,
buttocarryitoutconcurrently.hismeansthattheaudit leadshouldcheckthe
workingpapersregularlytomakesurethatthey:
• clearlyandadequatelysupportauditresultsandrecommendations,
• havebeenilledcorrectly,
• arecompleteintermsoftypeandextent,
• havebeenwrittenclearlyandcarefully,and
• areproperlycross-referenced.
hequalitygaterelatingtotheworkingpapersindicatesthattheauditleadmust
reviewtheworkingpaperspriortosendingthedratauditreporttotheAuditMan-
ager. he Audit Manager can review the working papers and explicitly approve
them.evidenceof thereviewandapprovalmustbedocumented intheworking
paperswithinitialsornameanddateorbye-mail.
Working papers Feedback Review Approval
Audit Manager O
Audit lead M
Fig. 13 QualityGatesfortheWorkingPapers
Qualityassuranceisparticularlyimportantforreporting,sincetheultimateobjec-
tiveofthereportsistodocumentInternalAudit’sworkcorrectlyintermsofcontent
andform.hereportingphaseoftheAuditRoadmap(seeSectionB,Chapter5)
relates to the distribution of the drat audit report, obtaining feedback from the
auditee, and releasingandarchivingof theinal audit report.Dependingon the
speciiccaseandaudittype,auditreportingwillincludeasaminimumtheBoard
andmanagementsummariesandtheimplementationreport.hedistributionof
theauditsurvey(seeSectionD,Chapter7.2.2)isanotherqualityassurancemeasure.
SincetheauditeesarebestsuitedtoassessInternalAudit’sworkaterauditexecu-
tion,theauditsurveyshouldbesentoutatertheexecutionphase,ideallytogether
withthedratreport.
Itistheresponsibilityoftheauditleadtoensuretheaccuracy,coherence,and
completenessofindingsandrecommendations in thedratversionof theaudit
report.hecheckmustalsoascertainwhethersuicientauditevidencehasbeen
provided.hisiswhythequalitygaterelatedtothereport’sdratversionindicates
AuditexecutionAuditexecution
WorkingPapersWorkingPapers
ReportingReporting
DraftReportDraftReport
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
GIASQualityAssuranceStructure
D|5|5.3
494
thatitismandatoryfortheauditleadtoreviewthedrat.heCAehastheoption
ofapprovingthisdratreportandteammembershavetheoptionofreviewingit.
Allobligations,includingtheauditlead’sreviewandtheAuditManager’smanda-
tory approval, must be completed prior to sending the drat to the auditees for
review.
WhenGIASobtainsfromtheauditeestherevieweddratimplementationre-
port,the“Action/ManagementResponses,”“Responsible,”and“CompletionDate”
columnsmusthavebeencompletedbytheauditees.hisisacriticalstepbecause
discrepancies with GIAS’ indings and recommendations need to be discussed,
clariiedandacceptedduringthereportingprocess.Forthisreason,opencommu-
nicationisveryimportantiftheauditorswanttoachievethebestpossibleresult.In
somecases,itisnecessarytodiscussopenlythereasonforandpurposeofainding.
Sometimes,thisdiscussionmayestablishthataindingisnotaindingatall.Audit
recommendations must be examined to ensure that they can be implemented.
When the report isdiscussed internally, theperson inchargecanalsoworkout
targetsforthefollow-upandaddthemtothereport.Anarbitratingbodyshouldbe
availableforcontroversialissues(forescalationseeSectionD,Chapter6).
Draft Report Feedback Review Approval
CAE
Audit Manager
Audit team
O
Auditees
Audit lead
O
M
M
M
O
Fig. 14 QualityGatesfortheDraftReport
hebasis fortheinalauditreport is thereviewedandapproveddratreport.In
otherwords,theinalauditreportshouldhaveataminimumallauditresults,rec-
ommendationsandmanagement’scommitmentasperthedratreport.heaudit
lead,togetherwiththeAuditManager, isresponsibleforverifyingthecomplete-
ness,accuracyandclarityofthereportcontent.hequalitygaterelatedtotheinal
versionoftheauditreportstressestheimportanceofthereview,inalapprovalfor
release, and approval for distribution processes. All tasks of these processes are
mandatoryfortheidentiiedkeyinteractionpartners.hisisnecessarybecausethe
inalversionoftheauditreportistheinalproductdeliveredtotheauditeesandto
seniormanagement.hisqualitygatealsoindicatesthatthereportingchampions,
i.e.,theauditleadandtheAuditManager,mustreviewtheinalversionoftheaudit
reportforcompliancewithGIASstandardspriortoinaldistributionandarchiving.
hesamequalitygateappliestotheBoardsummary.
AuditeeReviewAuditeeReview
finalAuditReportfinalAuditReport
495
Final report Review Release approval Distribution approval
Audit Manager
MAudit lead MM
MM
Fig. 15 QualityGatesfortheFinalReport
hequalityassuranceprocessisnotonlyusefulforconductingstandardauditsbut
alsoforspecial,andad-hocaudits(seeSectionA,Chapter6.5).Additionalquality
gateshavebeendevelopedtoguaranteeaminimumqualitystandardfortheseser-
vices.AllGIASauditsareultimatelybasedontheAuditRoadmap.hus,quality
assurancefornon-standardauditsisalsodeterminedtoalargeextentbythegen-
eralqualityassuranceproceduresoftheAuditRoadmap.Additionalqualitygates
areincludedintheauditprocessasneeded.heassuranceofrevenuerecognitionis
agoodexample.heconceptdevelopedtothisendincludesunannouncedlicense
auditsandcustomerconirmations.Formoreinformationofqualityassurancedur-
ingrevenuerecognitionauditsseeSectionC,Chapter9.
InadditiontotheRoadmap-speciicqualitymeasuresdetailedabove,Internal
AuditatSAPalsohasdepartmentalqualitymeasures,whichnotonlyprovideield-
worksupportforInternalAuditemployees,butalsoencouragecontinuousprocess
improvement.Tothisend,GIAShasdevelopedextensivedocumentation.Another
reason for establishing departmental quality measures is to ensure that internal
processesfromareassuchashumanresources,communications,ITinfrastructure,
andadministrationaretransparentandclearlydeined.hefollowingareexamples
ofdepartmentalqualitymeasures:
• HumanResources:
■ jobdescriptions,
■ timesheets,
■ training,
■ performancefeedback,and
■ professionaldevelopmentplansandcareerpathatGIAS.
• Communication:
■ GIASintranetpages,
■ GIASreportingsystem,
■ GIASletter/annualreportfortheAuditCommittee,
■ auditrequestform,
■ globalworkshops,and
■ auditsurvey.
• ITInfrastructure:
■ computerequipment,
■ useoftheSAP-internallivesystem,
■ accessauthorization,
needforAdditionalQualityGatesneedforAdditionalQualityGates
DepartmentalQualityMeasuresDepartmentalQualityMeasures
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
GIASQualityAssuranceStructure
D|5|5.3
496
■ audittools,
■ sharedservers,and
■ videoconferencing/telecommunicationequipment.
• Administration:
■ charter,
■ organizationchart,
■ strategy,
■ mission,
■ objectives,
■ GIASPrinciples,
■ planningsystem,
■ benchmarkinginitiative,
■ budgetingprocess,
■ costcenterreporting,and
■ ratiosandindicators.
heultimategoalofdepartmentalqualitymeasuresintheHumanResourcesarea
is to recruit, develop and retain auditors who possess the knowledge and skills
neededtoperformtheirindividualtasks.GIAShascompletestatementsofjobre-
quirements for every position. his departmental quality measure ensures that,
whensearchingforauditprofessionals,theefortisconcentratedonrecruitingper-
sonnelwhomeetspeciicjobdescriptionrequirements.Detailedjobdescriptions
(seeSectionA,Chapter4.5)withaccurateroledeinitionsensurethatGIASaudi-
torsknowexactlywhattheirfunctionsandresponsibilitiesareandthattheycan
executetheirjobssuccessfully.
In-houseandexternaltraining,e.g.,inaccounting,fraudprevention,andtech-
nology,ensuresthatInternalAuditemployeeshavetheappropriateknowledgeand
technicalskillstoperformtheirtasks.
he professional development plan includes speciic development objectives,
tailoredtoeachGIASteammember,suchasobtainingprofessionalcertiications,
involvementinglobalaudits,andspecializinginkeytopicssuchasrevenuerecog-
nition.
Alongwith theprofessionaldevelopmentplan, the timesheet (seeSectionA,
Chapter4.7),andtheprofessionalcareerpath(e.g.,InternalAuditor,SeniorAudi-
tor,GlobalAuditor,AuditManager,CAe;seeSectionA,Chapter4.6)areinplace
toensuretheretentionofallmembersoftheGIASteam.
Departmental quality measures regarding communication are geared toward
achievingthemostefectivewayofexchanginginformationbetweenInternalAudit
andotherinterestedinternalandexternalparties.Asmuchaspossible,GIASpro-
motesdirectcommunication.hisiswhy,whenneeded,GIASusestelephoneand
videoconferencing.Communicationamongteammembersandwithinternalcus-
tomers,Boardmembers,andotherdepartmentsrangesfromtelephonecalls,e-mails,
etc.throughworkshopsandmeetings(informalorformallyrequested).GIASalso
JobDescriptionsJobDescriptions
trainingtraining
ProfessionalDevelopmentPlan
ProfessionalDevelopmentPlan
timesheetsandcareerDevelopment
timesheetsandcareerDevelopment
communicationcommunication
497
hasanintranetsitewhichisacentralrepositoryandcommunicationhubforall
processes,policies,procedures,auditreports,news,andadditionaldepartmental
documentation.hesitealsoprovidescontactinformationandspeciicforms,e.g.,
theauditrequest.
Atercompletinganengagement,GIASusesauditsurveystorequestfromthe
auditeestheirfeedbackregardingthequalityoftheserviceperformedbytheem-
ployeesofInternalAudit.hisfacilitatesGIAS’continuousimprovementprocess
(seeSectionD,Chapter7.2.2).
DepartmentalqualitymeasuresrelatedtoITinfrastructureensurethatemploy-
eeshaveaccesstomodernhardwareandtelecommunicationequipment,suchas
laptops,cellphones,andvideoconferencingtechnology.Inaddition,GIAShases-
tablishedforteammembersspeciicuserauthorizationproilesnotonlytorestrict
theaccessofunauthorizedpersonstosensitivedatabutalsotogainaccesstoinan-
cialandoperationaldataanddataanalysisintheSAP-internallivesystem.
GIAShasdevelopedverycomprehensiveandcompletedocumentationaspart
ofitsdepartmentalqualitymeasuresforadministration.Inthisarea,auditorsind
thecharter,themissionstatementandtheobjectivesandprinciplesthatguideIn-
ternalAudit.herearealsopolicies,proceduresandtemplatesthatstandardizethe
workofInternalAuditthroughouttheSAPGroup.hedepartmentalqualityassur-
ancesystemsalsoinclude:
• theplanningsystem(e.g.,auditinventory,riskassessmentofGIASandmanag-
ersresponsible,riskrating,annualauditplan,implementationplan),
• auditactivities(e.g.,methodstocollectandcaptureevidenceduringtheaudit),
• benchmarking (e.g., an assessment system that facilitates comparison among
auditees),and
• ratiosandindicators(e.g.,numberofrecommendationsmade,numberofrec-
ommendations implemented, and cost savings resulting from implemented
recommendations).
Alltheabovedepartmentalqualitymeasuresarelivedocumentsandprocessesthat
areconstantlybeingreviewedandupdatedbyGIASto improve theservicepro-
videdandtoaccommodatechangingneeds.
HIntsAnDtIPs ;
• Sincequalityassurancemeasurestaketime,thepersoninchargeshouldsched-
uleasuicientbufertoaccommodatethem.
• Inordertoprovidemaximumassurance,auditorsshouldalsomakeuseofthe
optionalstepsofthequalityassuranceprocess.
AuditsurveyAuditsurvey
ItInfrastructureItInfrastructure
AdministrationAdministration
Up-to-DateDocumentationUp-to-DateDocumentation
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
GIASQualityAssuranceStructure
D|5|5.3
498
5.4 ProcessandDocumentation
KeyPoInts •••
• evidenceofcompliancewithqualitygatesmustbegatheredandarchivedinthe
workingpapers.
• Aqualityassurancemonitoringsheetsupportstheworkprocess.
For a successful quality assurance process, it is essential that all quality gates are
passedthroughinfull.GIAShasdevelopedthequalityassurancemonitoringsheet,
adocumentthatconsistsoftwosections.heheadersectiondescribesindetailbasic
data(e.g.,audittitle,number,teammemberresponsible,startandenddates,closing
meetingdate,audit type,auditstatus,Scope).hemonitoringsection listsall the
qualitygatesalongtheAuditRoadmap.herearealsospeciicareaswherereview
andapprovalaretobedocumentedforeachqualitygate,statingbywhomandthe
date.hedocumentalsocomparestheactualtimelinestotheplan.Basedonthese
factors,theauditors,theAuditManageroranexternalreviewercandetermineifthe
auditprocesshaspassedeachqualitygateornot.Ifnot,thereisaieldonthemoni-
toringsheettojustifythereasonfornon-compliancewithaqualitygate.
Althoughthequalityassurancemonitoringsheetsupports theaudit leadand
theAuditManagerinperformingtheirmonitoringtasks,theevidencerequiredfor
eachqualitygatetoconirmfeedback,review,andapprovalstillneedstobepro-
videdintheformofworkingpapers.heseworkingpapersareproofthattheindi-
vidualqualitygateshavebeenpassed.Forexample,ifforanauditannouncement,
approval by the CAe or the Audit Manager has been given by e-mail, and this
e-mailhasbeenarchivedintheworkingpapers(ashardcopyorelectronically),it
providesevidencethatthisprocesshasinfacttakenplace.
HIntsAnDtIPs ;
• InternalAuditshouldhaveelectroniccopiesofasmanydocumentsaspossible,
sincethiswillenableasmootherqualityassuranceprocessonagloballevel.
5.5 QualityAssuranceMonitoring
KeyPoInts •••
• heIIAhasdevelopedtwostandards,oneforinternal(IIAStandard1311)and
one for external (IIA Standard 1312) assessments of quality assurance pro-
grams.
• InternalassessmentsofInternalAuditatSAPcanbeeitherannouncedorunan-
nounced.
QualityAssuranceMonitoringsheet
QualityAssuranceMonitoringsheet
evidencethroughtheWorkingPapers
evidencethroughtheWorkingPapers
499
Asageneralrule,processesinacompanyshouldbemonitoredtodetermineifthe
rulesarebeingcompliedwith,whethertherespectiveprocessesareachievingthe
expectedresults,andwhetheranyadjustmentsarerequired.heIIArecommends
assessingandreportingonInternalAudit’squalityprogram.
AccordingtoIIAStandard1311internalassessmentsshouldcoverinparticular
thefollowingaspects:
• ongoingreviewsoftheperformanceoftheInternalAuditactivityasdetermined
byqualitygates,and
• periodicreviewsperformedthroughself-assessmentorbyotherpersonswithin
theorganization,e.g.,withregardtoSOXrequirements, takingknowledgeof
internalauditingpracticesandtheIIA’sStandardsintoaccount.
InresponsetoIIAstandard1311,InternalAuditatSAPhascreatedthe“coldreview,”
which is an unannounced cross-team quality review of compliance with quality
gatesforarandomlyselectedauditengagement.GIAShasalsocreatedthe“across
review”program,whichalsotestscompliancewithqualitygates,butasopposedto
thecoldreviewtheacrossreviewisannounced.
Both reviews are performed by Internal Audit employees (preferably from
diferentregions).heindependentteammemberfortheacrossreviewisselected
atthebeginningoftheauditandcarriesouttheindependentreviewonacontinuous
basisfromthebeginningtotheendoftheaudit.Inadditiontothequalityassurance
performedbytheAuditManager,theacrossreviewisanotherformofcontrol.
IIAStandard1312recommendsthatexternalassessmentssuchasqualityassur-
ance reviews should be conducted at least once every ive years by a qualiied,
independent reviewer or review team from outside the organization (for more
informationonpeerreviewsseeSectionD,Chapter9).GIAShascommitteditself
tocarryout25%ofitsinternalassessmentworkeachyearoverafouryearperiodto
bepreparedfortheexternalassessmentintheithyear.
LInKsAnDRefeRences e
• DelOITTe.2005.Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era.www.de-
loitte.com/dtt/cda/doc/content/us_eRS_Internal%20Audit%20POV.pdf(accessedMay31,
2007).
• InSTITUTeOFInTeRnAlAUDITORS.2004.Practice Advisory 1310-1: Quality Pro-
gram Assessments.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTe OF InTeRnAl AUDITORS.2004.Practice Advisory 1311-1: Internal As-
sessments.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTeOFInTeRnAlAUDITORS.2004.Practice Advisory 1312-1: External As-
sessments.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• InSTITUTeOFInTeRnAlAUDITORS.2004.Practice Advisory 1312-2: External As-
sessment – Self Assessment with Independent Validation.AltamonteSprings,Fl:heInsti-
tuteofInternalAuditors.
AssessmentoftheQualityProgramAssessmentoftheQualityProgram
IIAstandard1311IIAstandard1311
coldReviewandAcrossReviewcoldReviewandAcrossReview
teamMembersResponsibleteamMembersResponsible
IIAstandard1312IIAstandard1312
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
QualityAssuranceMonitoring
D|5|5.5
500
• JOHnSTOn,W.AnDD.kIRCH.1996.BenchmarkingPeerReviews.Internal Auditor
(December1996):42–47.
• MCCABe,k.2007.ContinuousImprovement.Internal Auditor(February2007):83–87.
5.6 TheGIASQualityAssuranceProgramCompared
totheRequirementsoftheIIA
KeyPoInts •••
• IIAStandard1300relatestoqualityassuranceinanInternalAuditdepartment.
• GIAS’qualityassuranceprogramconformstoIIAStandard1300.
Internal Audit at SAP has developed comprehensive guidance for its quality
assurance program, which supports the entire quality assurance process for the
department.hischaptercomparestheSAP-internalqualitystandardstothere-
quirementssetout inthestandardsof theIIA.heIIAhasestablishedStandard
1300“QualityAssuranceandImprovementProgram”astheminimumguidelines
forqualityassuranceandimprovementprogramsforaninternalauditdepartment.
hisstandardassignsresponsibilityforthedevelopmentandmaintenanceofaquality
assurance and improvement program to the CAe. he quality assurance and
improvementprogramshouldcoverallaspectsofInternalAuditactivityandcon-
tinuously monitor its efectiveness, particularly when it comes to adding value
throughrecommendationsforimprovingtheorganization’soperations.
he tablebelowshowsacomparisonbetween thequalityassuranceprogram
implementedbyGIASandAttributeStandard1300oftheIIA.
GIAS IIA 1300
Coldreviewandacrossreview Internalassessment
Auditsurvey Surveyofauditcustomers
QualitygatesalongtheAuditRoadmap Auditworkingpapers
QualitygatesalongtheAuditRoadmap Auditreport
Departmentalqualitymeasures ReviewbyInternalAudit
Peerreview Externalassessment
Reportingofexternalassessment
Fig. 16 GIAS’QualityAssuranceProgramvis-à-visIIAStandard1300
heabovetableshowsthattheGIASqualityassuranceprogrammeetstherequire-
mentsoftheIIA(forinformationonpeerreviews,seeSectionD,Chapter9).
MinimumQualityAssuranceRequirements
MinimumQualityAssuranceRequirements
comparisonofGIAsandIIAstandards
comparisonofGIAsandIIAstandards
501
HIntsAnDtIPs ;
• heIIAoferstrainingonqualityassurance.
• Auditorscanbroadentheirhorizonandcollectvaluableexperiencebyvolun-
tarilyshowingcommitmenttoqualityassurance.
LInKsAnDRefeRences e
• InSTITUTe OF InTeRnAl AUDITORS. 2004. Practice Advisory 1300-1: Quality
Assurance and Improvement Program.AltamonteSprings,Fl:heInstituteof Internal
Auditors.
SpecialTopicsandSupplementaryDiscussion
QualityAssuranceforInternalAudit
TheGIASQualityAssuranceProgramComparedtotheRequirementsoftheIIA
D|5|5.6
502
6 EscalationProcedure
KEyPoints •••
• Escalationprocessesmayresultfrom(1)aredtraiclightstatusintheoverall
auditstatement,(2)thefactthatrecommendationshavenotbeenimplemented,
or(3)fromadisagreementaboutsomeoftheauditindingsorrecommenda-
tions.
• During escalation, all responsible parties, including the Board, are informed
directly.
• heoverallauditstatementforabasicauditisprimarilyintendedtoassessthe
qualityoftheindings,buttheoverallfollow-upratinglooksmainlyattheef-
fectivenessoftheimplementationprocess.
• If there isanydisagreement, theaudit team, theaudit lead,and/or theAudit
Managershouldattempttode-escalatethesituationorreachaconsensuswith
theauditeewithoutvaryingtheoriginalauditinding.
• However,ifthedisagreementpersists,a“managementdisagreed”classiication
isaddedtotheauditreportandtheBoardsummary.
InternalAuditshouldensurethattheactualexecutionofauditsisdoneinamanner
that is agreeable to everyone involved. To ensure such agreement, audit results
shouldneverbeusedforanythingotherthantheintendedpurpose,asrequiredby
thestandardsandcodesofconductoftheinternationalauditinstitutes.Relations
betweenInternalAuditandauditeesshouldalwaysbebasedonatransparentand
professionalaudit,ratherthanonpossibleconsequencesofanaudit,becausethis
couldhaveanegativeimpactonlong-termcooperationandtrust.
Nevertheless, audit work may sometimes give rise to situations that require
special notiication of all those responsible, including the Board. his form of
reportingexistsoutsidethenormalreportingsystemanddependsontheparticular
situation. It isknownasescalation,because it isused tomake thoseresponsible
awareofproblemsituationsinaclearandunmistakablemanner.heobjectiveisto
identify problem focused solutions quickly and to implement them efectively.
Escalation should not be interpreted as a penalty, but as a way of getting to the
necessarysolutionsquicklyandsecurelyinordertoensureasmoothauditandto
maintaintheinterestsoftheauditeesandtheirorganizations.
During theescalationprocess, theclassiicationofauditindings into locally,
regionally,orBoard-relevanthastobeobservedinallinstances.Ifauditindings
classiied as local are escalated, the auditors must decide whether such indings
shouldbereporteddirectlytotheBoard.heauditorsshouldirstattempttore-
solvethematterwithregionalmanagement,butifagreementcannotbereached,
theauditorsshouldchangetheclassiicationandreportthecasetotheBoard.For
signiicantauditindings,theclassiicationisimmediatelysetto“Board-relevant.”
AuditProcedureAuditProcedure
needforEscalationneedforEscalation
EscalationAccordingtoClassiication
EscalationAccordingtoClassiication
Special Topics and Supplementary Discussion
Escalation ProcedureD|6
503
IfaindingisseriousandBoard-relevant,theauditorscanalsoinformtheBoard
immediatelythroughapriorityBoardissue(seeSectionB,Chapter5.2.5),asking
theBoardtotakeadecisionortointervene.
Escalationshouldalwaystaketheissuetothenexthigherlevelofthehierarchy,
theauditleadescalatingtotheAuditManager,whointurnescalatestotheCAE,
whoultimatelyinformstheBoard.
Ingeneral,InternalAuditdistinguishesbetweenthreediferentscenariosthat
cantriggeranescalationprocess:
• escalationduetoaninadequateoverallauditstatement(redtraiclight;seeSec-
tionD,Chapter7.2.1),
• escalationbecauserecommendationshavenotbeenimplemented(follow-up),
and
• escalationbecausemanagementdoesnotagreewithcertainindings
Ifanauditisescalated,thesub-phasesofthefollow-upphasemustbeexecutedin
ashortertimeframe(seeSectionB,Chapter6.1).
AtGIAS,theescalationprocedureforauditsidentiiestwoescalationstages.he
chartbelowshowswhenescalationstagesIor/andIIareinitiated.heactionsthat
areperformedduringanescalationprocessareexplainedinmoredetailinthefol-
lowing.
EscalationHierarchyEscalationHierarchy
scenariosforanEscalationProcessscenariosforanEscalationProcess
EscalationstagesEscalationstages
Report Type
Status
R
Escalation Stage I Escalation Stage II
Management
Disagreed
Overall Audit
Statement/Scoring
Escalation
Process
Basic
Follow-up I
Follow-up II
X
Na
X
X
Na
X
X
Na
X
Na
X
X
Na
X
X
Na
X
X
X
X
X
X
X1)
X
X
X1)
X
Na
Na
X
Xa)
X2)
X
X
X2)
X
Fig. 17 Escalation Process
504
heGIASescalationprocedureischaracterizedbyanumberofcriteria:
• heCEOmustbeinformed,eitheratapersonalad-hocmeetingwithInternal
Auditand/orwithane-mailsentbytheAuditManagerortheCAE.
• heCEOwillaskthemanagementinchargetoensureanadequatesequenceof
actionsregardingtheunresolveditems.
• IfotherBoardresponsibilitiesorbusinessunitsareafected,theBoardmember
inchargeoftheoperationalareamustbeinvolvedinthediscussionoftheprob-
lem.
• heregionaland/orlocalmanagerproposesanactionlist,includingtimelines,
foreliminatingtheproblems.
• During the follow-up phase, the auditees must provide clear evidence of the
resultsandactionstaken.
• Everyquarter,GIASpreparestheGIASescalationreportanddistributesittothe
Board.
hefollowingappliestotheescalationscenariosrelatedtotheoverallauditstate-
ment:
• heoverallaudit statement isalwaysconsidered inadequate if the ratingwas
“weak”or“substantialweakness”(seeSectionD,Chapter7.2.1).Sucharating
directlyleadstoaredtraiclightstatus.Oncetheoverallauditstatementhas
beenissued,therelevantsectionsofthemanagementandBoardsummariesare
updated.
• hese reports are forwarded directly to the regional and local heads of the
inance unit, regional and local risk management, and the corporate depart-
ments.
• hesepartiesarethendirectlyinvolvedintheindingsidentiiedasR(relevantto
regional/seniormanagement)orB(Boardrelevant)bywayofajointimplemen-
tationprocessandanimmediateexaminationoftheresultsbyInternalAudit.
heoverallauditstatementisaqualitativeevaluationoftheindings.hefollow-up
scoring(seeSectionD,Chapter7.2.3)measurestheimplementationandefective-
nessoftheactionstakeninresponsetoanaudit.Incaseofanynewindingsthe
assessmentoftheimplementationoftherecommendationsandthenewindings
areberatedseparatelyandthencombinedintoainalrating.hismeansthatin
everyauditcycleaqualityhistoryiscreated,i.e.,agradingofsubstantiveandformal
quality,whichprovidesaqualitativeoverviewof theauditeesand theirmanage-
ment.Formeasuringthesubsequentactions,itisthereforeimportanttoindout
whethernoneorfewproblemshavebeenresolvedinresponsetoanaudit,i.e.,if
mostoftherecommendationsarestillopenorinprocess.Escalationmayfollowif
recommendationsarenotimplemented,resultinginthefollowingaction:
• heauditorsmustenter“open”or“inprocess”inthe“GIASstatus”columnof
theimplementationreport(seeSectionB,Chapter5.2.3).
CriteriaforEscalationProcesses
CriteriaforEscalationProcesses
RedoverallAuditstatementtraicLight
RedoverallAuditstatementtraicLight
Follow-UpscoringFollow-Upscoring
Special Topics and Supplementary Discussion
Escalation ProcedureD|6
505
• hestatusinthemanagementandBoardsummariesisupdatedonthebasisof
thedetailsgivenintheimplementationreport.
heresultsofauditactivitiesarecontinuallycommunicatedanddiscussedwiththe
responsiblemanagers.Inexceptionalcases,diferencesofopinionaboutauditind-
ingsmayariseattheclosingmeetingorwhenthedratauditreportisprepared.
Ideally,managementwillvoiceadiferingopinionduringtheauditornolaterthan
theclosingmeeting.heauditleadisresponsiblefortryingtoreconciledifering
opinionsandtoreachaconsensusifpossible.However,ifnoconsensusisreached,
escalationmayensue.
TwobasicoptionscanbepursuedifthediferencesofopinionbetweenInternal
Auditandthemanagementoftheauditedunitcannotberesolved.Management
eitheracceptstheauditindingunderdispute,despitediferingopinion,oritdoes
notacceptit.Ifmanagementdoesacceptit,itcanexplainitsviewinthe“Manage-
mentaction/response”columnofthedratauditreportanddocumentitsdifering
opinion. he audit lead should make it clear that, although management’s com-
mentsarenoted,therelevantrecommendationshavetobeimplemented.hishas
tobedocumentedintheworkingpapers,preferablyalsointhe“Managementac-
tion/response”column.hefollow-upwillspeciicallylookattheimplementation
ofsuchauditindings.Insuchcases,itisnormallypossibletoresolvediferencesby
de-escalation.
Ifinspiteofintensiveexchangesofviewsanddiscussionsofaindingorrecom-
mendation, Internal Audit and the auditees do not agree the audit lead should
initiallytrytoresolvetheissue.Shouldsucharesolutionnotbepossible,theAudit
Managermustbeinformed.Iftheproblempersists,itislaggedbyinserting“man-
agementdisagreed”underInternalAuditstatusintheimplementationreport.his
showsthat InternalAuditandmanagementhavenotreachedagreement. In line
with Internal Audit’s cooperative approach, the auditor should, however, adopt
acautiousandconsiderateattitude,becauseInternalAuditwillbemoresuccessful
ifitcanconvinceratherthanenforce.
heaudit leadmayonlydropainding if itcanbeconvincinglyrefuted.For
example,ifcompellingdocumentsorevidencearesubmittedthatwerenotincluded
intheauditandnowcontradictInternalAudit’sindings,therelevantindingsin
theauditreportwilleitherberewordedoromitted.hismustbedocumentedin
theworkingpapers.
Inadditiontothescenariosalreadymentioned,theremaybeothersituations
thattriggeranescalationprocess:
• Managementacceptstheauditindingbutnottherecommendation.
• hemanagementofanauditedareaagreeswiththeauditindingsandrecom-
mendations,butregionalmanagementdoesnot,orviceversa.
he auditors should try to resolve diferences of opinion before distributing the
inalauditreport.
DiferentopinionsDiferentopinions
AcceptanceoftheAuditFindingAcceptanceoftheAuditFinding
ManagementDisagreedManagementDisagreed
DroppingAuditFindingsDroppingAuditFindings
FurtherReasonsforEscalationFurtherReasonsforEscalation
506
he following diagram shows the escalation process at the time of reporting
withandwithoutconsensusandacceptance.
Inspiteofalltheefortsoutlinedabove,itispossiblethatescalationmaybetheonly
optionlet.hismeansthat,inadditiontotheabovesteps,thefollowingactionwill
havetobetaken:
• hepersonsresponsibleinCorporateFinancialReportingandCorporateRisk
Management (and in other corporate departments if appropriate) assess and
processtheitemsunderdispute.
• InternalAuditassessesthestatusofactionsduringthefollow-upandchanges
thestatusto“done”ifthecauseoftheindinghasbeeneliminated.
• Ifthefollow-upstatusshowsthatthedisagreementpersists,theissuemustagain
beescalatedtotheBoardandtotheAuditCommittee.
• Ater a follow-up, any problems unresolved due to lack of agreement should
againbereportedtotheunitsmentionedabove.
DiagramDiagram
EscalationUnavoidableEscalationUnavoidable
Fig. 18 Diferent Procedures with or without Agreement about Audit Findings and Recommen-
dations
Special Topics and Supplementary Discussion
Escalation ProcedureD|6
507
Somemattersmaybeescalatedirrespectiveoftheauditindingsandrecommen-
dations made, for example, if the auditees have identiied inappropriate auditor
behaviorordefectshavebeenfoundintheauditors’ieldwork.Inthiscase,theau-
diteescanescalatedirectlytotheauditleadand/orAuditManager.Moreover,the
auditteam’sassessmentintheauditsurvey(seeSectionD,Chapter7.2.2)maytrig-
gerescalation.heAuditManagerand/ortheCAEareresponsiblefordetermining
thecausesofescalationandforde-escalatingthematter.
HintsAnDtiPs ;
• Auditorsshouldbeconsiderateoftheapproachtakenbytheauditeesinthesitu-
ationconcerned.
• hecommunicationofcriticalauditindingsrequiresconsiderationandjudg-
menttodecidebetweenimmediateescalationandanattempttoconvinceman-
agement.
• Auditorsshouldalwaysofertheirhelpindealingwithauditindings.
EscalationUnrelatedtoFindingsandRecommendations
EscalationUnrelatedtoFindingsandRecommendations
508
7 PerformanceMeasurementSystem7.1 BasicPrinciplesofanInternalAuditApproach
BasedonKeyPerformanceIndicators
7.1.1 Content,Objectives,andStructure
KeyPointS •••
• PerformanceindicatorsandratiosserveavarietyofdiferentpurposesinInter-
nalAudit.
• heavailabledatamaterialisverycomplexandofersmanydiferentlevelsfor
comparisonandanalysis.
• InternalAuditcandeinecomparisonsintheformofbenchmarkingorabal-
ancedscorecard.
AnexaminationofInternalAuditfromamoderncorporatemanagementperspec-
tive invariably requires consideration of diferent business concepts, e.g. bench-
marking,toestablishwhethertheycanbeusedforInternalAudit.heanalysisof
pastauditsyieldsanalmostlimitlesswealthofinformation,whichcanbeusedfor
targetedandfocusedcontrolandmonitoringwiththehelpofbenchmarkingmeth-
ods. he objective is to capture, process, and report information from the audit
processinsuchawaythatitproducesacondensedyetmeaningfulandcomprehen-
sivesummaryoftheauditservicesperformed.hepurposeis:
• tofacilitatemanagement’snavigationthroughthereportstructures,
• toshowtherankinganddistributionoftheunderlyingdataandderivefromit
comparisons,trends,andforecastsregardingcertainstatistics,
• toallowaqualitativeandquantitativeassessmentofaudits,and
• tosupportexternalcomparison.
Fordataanalysis,ityieldsimportantinsightstoexpressthelargeamountofinfor-
mationintheformofratiosandkeyperformanceindicators(KPI).InternalAudit
canusediferentsources,methods,andsummarycriteriatodeinethesubstanceof
eachindicatorinrelationtothesubjectmatteritdescribes.heindicatorsandra-
tioscanbeproduceddirectlybycountsandmeasurementsbasedonorganizational
andprocessstructures,ortheycanbecalculatedarithmetically.Eachofthemex-
pressesproportionsormutualrelationships,whichpermitconclusionsaboutthe
underlyingsubjectmatter,thusprovidingirstlyanindicationofsizeinrelationto
othervariablesandsecondlyameasureofquality.
heobjectivesofaKPIsysteminInternalAuditincludethefollowinginpar-
ticular:
• Fieldworkgeneratesalotofdiferentinformation,whichismademoreacces-
siblebystructuringitbothinaggregatedandindisaggregatedform.Ratiosand
performanceindicatorsprovideinsightsaboutauditcontent(e.g.,thenumber
ofhigh-riskindingsrelevanttoinancialreporting)aswellasprocess-related
informationProcessinginformationProcessing
introductionofKeyPerformanceindicators
andRatios
introductionofKeyPerformanceindicators
andRatios
objectivesofaKPiSystem
objectivesofaKPiSystem
509
statements(e.g.,numberofrejections/approvalsperauditstepandaudittype
atthequalitygates).Moreover,importantinformationispresentedbyoverall
indicatorssuchastheoverallauditstatementandtheauditsurveyrating(see
SectionD,Chapter7.2.2).Allindicatorsandratioscanbeusedtomonitorand
analyzeauditresults,thusformingthebasisforadditionalauditplanning.
• Indicatorsandratioscanalsobedeterminedasclassiicationattributes,allow-
ingtheauditorsinthecontextofauditindingsorrecommendationstocalculate
variablesforaccounts,customers,suppliers,andevencontracts,eitherperaudit
objectorasaverages.hisallowstheauditortoobtainadditionalinformation
abouterrorcausesandweaknessesintheorganizationoftheauditees.
• Other indicatorscanbeusedtobenchmarkorganizationalunitsagainsteach
other,e.g.,departmentsorlocalsubsidiaries,comparingandrankingthenum-
ber of audits, audit results, follow-up results, etc. his makes organizational
unitscomparableintermsoforganizationalweaknesses.
• Anotherobjectiveofindicatorsinthisregardistocontrolandmeasuretheper-
formanceofInternalAudititself.heseperformanceindicatorscanrelatetothe
department,teams,orindividualauditorsandrateboththeirauditworkand
theresultsachieved.
heseindicators,initiallyasabsoluteigures,provideirstcluesthatpermitstate-
mentsaboutInternalAuditatasummarylevel.Ifreadasindividualvariables,they
canstandalongsideotherresultsoftheaudit.Inasecondstep,theindicatorscanbe
integratedintoabenchmarkingsystem.InternalAuditbenchmarkingisprimarily
aboutorganizingthevariablesinasensiblestructureandgroupingtheminaway
thattheycanbecomparedagainstotherobjectsandperiods(seeSectionD,Chap-
ter7.3).hebalancedscorecardisanadvancedwayofusingandcontrollingkey
performanceindicatorsforbusinessprocesses.Itstructurestheindicatorsonop-
erationallevels,accordingtoperspectivesandcriticalareasofsuccess,suchasthe
inancialandinternalbusinessperspectives(seeSectionD,Chapter7.4).
HintSandtiPS ;
• Allauditors shoulddiscusswaysofusingdiferent ratiosand indicatorswith
theircolleagues.
LinKSandRefeRenceS e
• KAthy,S.AnDR.MCKAy.2002.BalancedScorecard.he CPA Journal (March2002):
20–25.
• LEAnDRI,S.2001.ImprovingFinancialPerformancehroughBenchmarkingandBest
Practices.he CPA Journal (January2001):44–48.
• REDIng,K,C.BARBER,AnDK.DIgIROLAMO.2000.BenchmarkingAgainst.In-
ternal Auditor(August2000):41–46.
creationofaSystematicKPiStructurecreationofaSystematicKPiStructure
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
BasicPrinciplesofanInternalAuditApproachBasedonKeyPerformanceIndicators
d|7|7.1
510
• SChMIDt,C.2005.heDriver’sView.Internal Auditor(June2005):29–32.
• ZIEgEnFuSS, D. 2000. Measuring Performance. Internal Auditor (February 2000):
36–40.
7.1.2 StructureoftheKeyPerformanceIndicators
7.1.2.1 GeneralCriteria
KeyPointS •••
• Inordertodeineandtreatthelargenumberofpossibleratiosandindicatorsin
InternalAuditaccordingtostandardcriteria,allindicatorsmustbedetermined
unambiguouslyandconsistently.
• Adistinctioncanbemadeparticularlybetweencontent-related,organizational,
andformalcriteria.
• Moreover,valueandtimeaspectsaswellastheintendedtargetgroupmustbe
considered.
• Indicatorsandratiosmustbemeasured,recorded,andpresentedconsistently.
KeyperformanceindicatorsandratiosinInternalAuditcanbebasedondiferent
aspects.Ifauditcontentisusedastheguidingprinciple,indicatorscanbedeined
atdiferentlevels,rangingfromindividualindingsandauditobjectstotheentire
auditandtheauditedunit(e.g.,thenumberofinternalcontrolswithinaspeciic
process).Fromanorganizationalpointofview,thefocusismoreontherelation-
shipwiththeauditorganization,i.e.,thesetypesofindicatorscomparetheauditor
auditindingstootherauditteamsortheaverageperformanceoftheentireinternal
auditdepartment(e.g.,averagedurationofanaudit).
Inaddition, indicatorscanalsobedeinedaccordingtodiferentvaluebases,
becausecomparisonsarebasedonbudgetedandactualvalues,aswellasonaver-
agesorexternalvalues,e.g.,statisticsissuedbyauditinstitutesorothercompanies.
Closelyrelatedtothisistheperiodperspective,underwhichallformsofpossible
time horizons, from pure closing date analysis through period analysis between
reportingdatesandyear-to-yearcomparisonscanbeanalyzed.timeintervalscom-
prisingseasonalvariation,forexampleduetobusinesscyclesorrestructuringpro-
cesses,areparticularlyinteresting.Itisimportanttodistinguishaccuratelybetween
periodandcumulativevalues,i.e.,whetherthedatarelatestoonespeciicperiodor
representsaggregatevaluesforseveralindividualperiods.
Furthermore,thereareformalaspectsthatinluencetheselectionofasuitable
indicatorby theauditor toestablishwhich typeof indicator touse, i.e.,whether
absoluteorrelativevariablesarebestsuitedtodescribethesubjectmatter.Onthe
basisofstatisticalconsiderations,indicatorscanbeshownasindividualvalues,dis-
tributions,timeseries,orintheformofcorrelationsortrends.heformdepends
content-Relatedandorganizationalaspects
ofindicators
content-Relatedandorganizationalaspects
ofindicators
Value-Basedandtime-Basedindicators
Value-Basedandtime-Basedindicators
formalaspectsofindicators
formalaspectsofindicators
511
on the addressee’s expectations. A KPI-based summary can present aggregated
comparisonsaswellasabreakdownintounderlyingbaseinformation.
hetargetgroupInternalAuditwantstoaddressisanothercriterionfortailor-
ingthediferent indicators.Forexample, indicators intendedfor theBoard level
havetomeetdiferentrequirementsthanindicatorsforoperationalmanagementor
the auditees. At the Board level, strategic information is more important, i.e., if
a guideline has been breached, the Board will investigate whether the guideline
servesitspurposeandisappropriateforthecompany,whereasoperationalman-
agementwillbeinterestedinthecauseofthecontraventiontobeabletoputadequate
internalcontrolsinplaceforthefuture.Selectingtherightformofpresentationcan
bevitalincommunicatingefectivelyandinensuringthatanyanalysisismetwith
acceptancethroughoutthecompany.
heunitsofmeasurementforstatingtheindicatorsmustbeclearandconsistent.
he way decimal points or large igures are shown (1,000,000, 1,000 thousand,
1million),thetreatmentofroundingandtheresultingdiferences,aswellasunits
ofmeasurementthemselveshavetoconformtointernationalstandardsorprevail-
ing local customs. A written deinition of form and content can considerably
facilitateconsistentapplicationandacommoninterpretationoftheindicators.
Indicatorscanbemeasuredandrecordedindiferentways.Ingeneral,indica-
torsaretheresultofcounting,calculations,orcorrelations.herecordingprocess
cansometimesbeautomatedordeinedasanadditionalfunctionoftheoperational
orplanningprocess.hetimeaspectisimportant,i.e.,whetherrecordingiscon-
tinuousortheigurerelatestoaspeciicdate.InternalAuditalsohastoascertainto
whatextenttherecordedbasedatahastobemadecomparable,i.e.standardizedby
adjustingit(e.g.discounting).hismaybenecessaryforinancialdatawithdifer-
entinterestduedatesormaturities.
Itisimportantforcompaniestohaveconsistentguidelinesforpresentingper-
formanceindicators.herehastobeacompany-widestandardastohow,where,
andwhenspeciicindictorsareused.hisappliestobothindicatorsandratiosat
the operational report level and management summaries. Consistent rules help
avoidmisunderstandingsaboutindicators.
HintSandtiPS ;
• Auditors should think of criteria that are to be mandated for all key perfor-
manceindicatorsoftheinternalauditdepartmentanddiscussthemwiththeir
colleagues.
LinKSandRefeRenceS e
• EttER, A., AnD P. tuRnER. 2006. Collecting Performance Data. Internal Auditor
(October2006):89–93.
KeyPerformanceindicatorsfordiferenttargetGroups
KeyPerformanceindicatorsfordiferenttargetGroups
WaysofStatingtheindicatorsWaysofStatingtheindicators
MeasurementandRecordingofindicatorsMeasurementandRecordingofindicators
consistentGuidelinesforPresentingindicatorsconsistentGuidelinesforPresentingindicators
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
BasicPrinciplesofanInternalAuditApproachBasedonKeyPerformanceIndicators
d|7|7.1
512
• InStItutE OF IntERnAL AuDItORS.2001.Practice Advisory 1311-2: Establishing
Measures (Qualitative Metrics and Qualitative Assessments) to Support Reviews of Internal
Audit Activity Performance.AltamonteSprings,FL:heInstituteofInternalAuditors.
7.1.2.2 SelectedGeneralStandardKeyPerformanceIndicators
KeyPointS •••
• WhendesigningaKPIsystem,InternalAuditmustsetprioritieswithregardto
thetargetgroupsthatwillreceivethisinformation.
• Settingprioritiesisthebasisfordeiningtheindicatorsandtherequiredbase
data.
• Indicatorcontentmustbedeinedaccordingtopurposesothattheindicators
canbeusedappropriately.
• hisensures that theratiosand indicatorscreatemeasurableaddedvalue for
InternalAudit’swork.
WhencreatingaKPIsystemfor InternalAudit, InternalAudithas todecideon
aspeciicsetofindicators.hispre-selectionhastobemadewiththedistinctions
presentedinSectionD,Chapter7.1.2.1.Ifpossible,thepersoninchargeshouldcon-
sidertheinterestsofallinvolvedparties,fromtheCAE,AuditManagers,andaudit
leadstoauditedunits,theirmanagers,andmembersoftheBoardequally.
AKPIsystemisregardedasadecisionandargumentationtoolandittherefore
servesasamanagement instrument.general standard indicatorsandratiosand
speciic,morecomplexvariablesshouldbeconsideredtobeincludedinaKPIsys-
temforInternalAudit.hischapterdeinesgeneralindicatorsandratios;Section
D,Chapter7.2dealswithmorespeciicperformanceindicatorsvariables.
hegeneralbroadstandardindicatorsforaninternalauditdepartmentinclude
thefollowing:
• numberofauditorsperdepartment,auditteam,andaudit,
• numberofauditorsforevery1,000employees,every1millioneurosofrevenue,
andevery1,000eurosofInternalAuditbudget,
• InternalAuditcoststructureratiosineachregion,
• timepercentagestakenupbythephasesoftheAuditRoadmapandthecorrela-
tionsbetweenthem,
• numberofdiferentaudittypescomparedtothetotalnumberofaudits,
• proportionofglobal,regional,andlocalaudits,and
• auditorcapacityutilizationasaproportionofnetavailableworkingtime.
Allindicatorsshouldbeeithermeasuredorcalculatedbasedontheauditprocess.
Indicatorscanbecreatedbybringingotherindicatorsinrelationtoeachotherto
enhancecomparability,valuescanbecombinedinanywayrequired,oradditional
diferentcoordinatescanbeincludedinthecalculation.
SelectionofSpeciicindicators
SelectionofSpeciicindicators
PossibleindicatorsPossibleindicators
GeneralStandardindicators
GeneralStandardindicators
513
hequestionofhowtopresentindicatorsarisesfromtheunderlyingrequire-
ments.Firstofall,indicatorsandratioscanbepresentedonthebasisofasuitable
structure,e.g.,theAuditRoadmap.heycanlikewisebesuppliedasspeciic,detailed
information inadditionto therelevantindingsandrecommendations.Further-
more,itmaybeusefultotailorthepresentationofindicatorstotheparticulartarget
groupbypreparingaspecialKPIsummary.hismeansthat,sinceindicatorsare
derived variables, they should always be presented in relation to the underlying
dataaswellastherelevanttargetgroup,e.g.,acomparisonofthenumbersofSOX-
relatedindingsforeachoftheBoardareas.
InternalAuditmanagementisresponsibleforensuringthattheindicatorsare
completeandcorrect,bothintermsofbasedatareliability,andtheirmeaningful
integrationintheauditprocesses.Determiningindicatorsisonlyoneaspect,com-
municatingthemwithinthecompanyisanotherequallyimportantaspect.taking
both factors intoaccount is theonlyway toachieve theobjectiveof creatingan
understandingfortheindicatorsandthuspreparethewayforfurtherapplications,
suchasbenchmarkingandthebalancedscorecard.
HintSandtiPS ;
• Auditorsshouldarrange,inorderofimportance,theindicatorstheyhaveiden-
tiiedascriticalforanaudit.
• Auditors should analyze the informative value of each indicator and suggest
alternativesifappropriate.
• Ifanauditproducesunusualresults,acomparisonofindicatorsmayshedlight
ontheirregularitiesandthusprovideargumentstoassuretheindings.
7.2 SelectedSpecialKeyPerformanceIndicators
7.2.1 OverallAuditStatement
KeyPointS •••
• heoverallauditstatementmakestheauditresultscomparable.Itcanmakeone
organizationalunitmeasurableagainstanotherinthecompany.
• Itcanalsobeincludedinthecompany-wideriskmodel.
• AnoverviewoftheoverallauditstatementsgivestheBoardaclearunderstand-
ingoftheorganizationalunitsauditedinthecompany.
• heoverallauditstatementisbasedontheclassiicationsoftheauditindings
intheauditreport,towhichendaclassiicationhastobeassignedtoeachaudit
inding.
• Auditobservationsarenotrated.
• Inordertostandardizetheclassiicationprocess,theclassiicationofauditind-
ingsisbasedontheriskcategoriesadoptedfromglobalriskmanagement.
PresentationofGeneralindicatorsPresentationofGeneralindicators
SigniicanceoftheGeneralindicatorsSigniicanceoftheGeneralindicators
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
SelectedSpecialKeyPerformanceIndicators
d|7|7.2
514
• heoverall audit statement is shown inivecategoriesand isvisualizedwith
atraiclightsystem.hequantitativeresultiscalculatedintheirststep,andthe
qualitativeaspectaddedinthesecond.
• Any result in the substantial weakness category has to be escalated immedi-
ately.
heoverallauditstatementprovidesauniversallyconsistentandobjectiveopinion
ontheauditobjectfortheauditeesaswellasforregionalandseniormanagement.
Itformspartoftheauditreport,makingtheauditresultsalongtheAuditRoadmap
measurableandcomparable.heassessmentsareconsistent,becauseallauditteams
havetoapplythesameassessmentstandard.
AnoverviewofoverallauditstatementshelpstheBoardtodevelopaclearun-
derstandingofthequalitativeprocesscomplianceoftheorganizationalunitsaudited
in the company. he overall audit statement helps make an organizational unit
comparableagainstanotherorganizationalunitinthecompany.hisbenchmark
canbeusedtoproducearanking,whichshouldcompriseorganizationalunitswith
similarcontentsandobjectives.heoverallauditstatementcanalsobeusedincon-
nectionwiththecorporateriskmodel,especiallywhenassessingtherisksforthe
diferentaudittopicsduringselectionfortheannualrisk-basedauditplanning.
By establishing the overall audit statement, Internal Audit complies with IIA
Standard2410.A1,accordingtowhichinalcommunicationofengagementresults
should, where appropriate, contain the internal auditor’s overall opinion and/or
conclusions.
heclassiicationmethodisbasedonalogicalcalculationmodel,whichensures
thataconsistentprocedureisfollowed.hisavoidsanindividualassessmentofthe
classiicationsaccordingtoregional teamassessmentsandalsocreatesaglobally
consistentprocedurewithinInternalAudit.heoverallauditstatementisbasedon
theclassiicationsoftheauditindingsintheauditreport,whichareasfollows:
• L=locallyrelevant,
• R=regionallyrelevant,and
• B=Board-relevant.
Aclassiicationmustbeassignedtoeachauditinding.Auditobservationsarealso
classiiedaccordingtothissystem.InternalAuditdistinguishesbetweenauditind-
ingsandobservationsasfollows:
• Auditinding:
■ veriiablefactssupportedbyobjectiveevidence,and
■ provennon-compliancewithinternalorexternalrules.
• Auditobservation:
■ improvementpotentialidentiiedincertainareas,and
■ nofactualproofthatindicatesanauditinding.
Onlyauditindingsareincludedinthecalculationoftheoverallauditstatement.
Globallyconsistentandobjectiveopinion
Globallyconsistentandobjectiveopinion
RankingRanking
compliancewithauditStandards
compliancewithauditStandards
classiicationofauditfindings
classiicationofauditfindings
515
hefollowingdiagramprovidesadescriptionoftheL,R,andBclassiications.
Ofcourse,insomecasesindividualdecisionsonclassifyinganauditindinghaveto
bemade.
Inordertostandardizetheclassiicationprocess,theclassiicationofauditindings
isbasedontheriskcategoriesadoptedfromCorporateRiskManagement.heten
riskcategoriesare:
1. Economy,
2. Market,
3. Strategy,
4. Personnel/employees,
5. Organizationandcontrol,
6. Communicationandinformation,
7. Finance,
8. Products,
9. Projects,and
10. Otheroperationalrisks.
descriptionoftheclassiicationsdescriptionoftheclassiications
RiskassessmentoftheauditfindingsRiskassessmentoftheauditfindings
by the Board
L�Allotherissues
L(=Operational/
local
management)
R(=Regional/
senior
management)
B(=Board/CEO)
ExampleFinding
US-GAAP/
US-GAAP/
Fig. 19 Classiication
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
SelectedSpecialKeyPerformanceIndicators
d|7|7.2
516
heseriskcategoriesarebrokendownintofurtherlevels,whichsimpliiestheas-
signmentofthecontentofauditindings.
Each of the ten risk categories is rated per audit inding on a scale of 1 to 3
points:
• 1–lowimpact,
• 2–mediumimpact,and
• 3–highimpact.
husmaximumof30pointscanbereachedperauditinding.hisproducesthe
followingclassiication:
• L:1to10points,
• R:11to20points,and
• B:21to30points.
hewaytheclassiicationhasbeencalculatedhastobedocumentedinaworking
paper(availableasastandardtemplate)andiledwiththeworkingpapersofthe
audit.
heabovecalculationoftheclassiicationformsthebasisfortheoverallaudit
statement,whichisexpressedinoneofthefollowingivecategories:
• Exceeds standards: Adequate, eicient and efective internal controls are in
place.nooperationaland/oraccountingweaknessesand/orerrorshavebeen
identiied.
• Meetsstandards:Adequate,eicientandefectiveinternalcontrolsareinplace.
Onlyminimalweaknessesand/orerrorshavebeenidentiied.
• needsimprovement:Identiiedweaknessesand/orerrorsmustbeeliminatedin
ordertominimizetheriskofinanciallossandimproveoperationalefective-
nessandeiciency.
• Weak:heweaknessesand/orerrorsidentiiedposeriskstothecompany.here
isariskthatfraudcanbecommittedandremainundetected.Identiiedvariances
fromexistingguidelinescannotbeaccepted.hesituationhastobeescalatedto
managementimmediatelyandremediedquickly.
• Substantialweakness:heweaknessesand/orerrorsidentiiedposesigniicant
riskstothecompany.Fraudcannotberuledout.hecompanyisnotprotected
frominancialloss.hemattermustimmediatelybeescalatedtomanagement
andtheBoardandcorrectiveactionmustbetakenimmediately.
heivecategoriesarevisualizedintheauditreportwithatraiclightsystem.he
irsttwocategoriesleadtoagreentraiclightstatus,theneedsimprovementcat-
egoryisshownasyellow.helasttwocategoriestriggeraredtraiclightstatus.
heoverallauditstatementisdeterminedquantitativelyandqualitatively:
• Quantitativestatement:hecategoriesdescribedaboveareratedaccordingto
thenumberofauditindings.
• Qualitativestatement:Sincearatingonthebasisofthenumberofauditindings
alonewoulddistorttheoverallpicture,aweightingaccordingtotheL,R,andB
classiicationsisperformed.
PointSystemRatingPointSystemRating
documentingthecalculation
documentingthecalculation
detaileddescriptionoftheoverallaudit
Statement
detaileddescriptionoftheoverallaudit
Statement
QuantitativeandQualitativeassessment
QuantitativeandQualitativeassessment
517
Viewedasawhole,thisleadstothefollowingmatrix.
hediagrambelowshowshowtheratingiscalculated,usingictitiousexamples. examplesexamples
Fig. 20 RatingSystem
% of R – BBRLExample
–EmployeedefraudsaroundEUR
1millionfromaccountspayable.15
51–100%354124
Exceeds
Stan-
dards
Meets
Stan-
dards
Subs-
tantial
Weakness
Weak
Needs
improve-
ment
51–80%12143
0–50%442
01
Fig. 21 CalculationExamples
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
SelectedSpecialKeyPerformanceIndicators
d|7|7.2
518
If theworkprogrammustbeexpandedduringtheauditduetonewcircum-
stances outside the area of responsibility of the management being audited, the
auditleadmustensurethatthesecircumstancesarenotincludedintheassessment
oftheoriginalaudit.Forthisreason,thenewcircumstanceshavetobereported
andratedseparately.hisreportcanmakedirectreferencetotheoriginalreportor
getanewreportnumber.
Anyresultinthesubstantialweaknesscategorymustbeescalated(seeSection
D,Chapter6)throughtheAuditManagerand,dependingonthecircumstances,
theCAEdirectlytotheBoard.hetimeaspecttakesonaspecialimportanceinthis
regard.heauditleadisresponsibleforcompletinganddistributingthe(dratand
inalversionsofthe)auditreportasquicklyaspossible.Dependingonthecircum-
stancesunderaudit,theCAEmayhavetosubmitapreliminaryreporttotheBoard
immediately.heriskmanagerinchargeisalsoinformed.Completionofthe“com-
ments/reasons”ieldinthemanagementsummariesismandatory.Adetailedfol-
low-upplanmustbesubmittedtotheAuditManagerandtheCAE.
InisolatedcasesandaterconsultationwiththeAuditManager,theauditlead
canadaptanoverallauditstatement,dependingonthecircumstancesandthedoc-
umentationathand.hismeans,thatthecalculatedresultcanbevariedifthereare
compellingreasonstodoso.hereasonsforthedeviationhavetobedocumented
intheauditreport,andadetailedmotivationfortheadaptationshouldbeiledwith
theworkingpapers.
heoverallauditstatementisreportedinthemanagementsummaryusingthe
traiclightsystem.heresult isalso incorporatedintotheBoardsummary.he
indingsandrecommendationsdescribeinanaggregatedwaytheoverallauditsta-
tus.hedevelopmentofthestatusinthecourseoftheauditcyclewithregardtothe
auditobject isalsoimportant,becauseitgivestheoverallauditstatementitsdy-
namicsforacomprehensive,continuallyupdatedhistory.
heoverallauditstatementalsocanbedeterminedbycalculatingtheinancial
impactofeachinding.hecalculationisbasedontheactualorestimatedinancial
consequencesandisadjustedbytheprobabilityoftheoccurrence.Dependingon
theauditor’sabilitytogiveareliableestimationoftheinancialimpact,twocatego-
riesofindingscanbedeined:quantiiableandnon-quantiiable(i.e.,qualitative)
indings.Incaseofnon-quantiiableindings,anaveragetheoreticalinancialim-
pactiscalculatedbasedonthesizeoftheauditedentity.heoverallauditstatement
(red,yellow,orgreentraiclight)isthesumoftheinancialimpactofeachinding.
hematerialityandthresholdsforthetraiclightsaredeterminedonceayearby
usingtheinancialigures(e.g.yearlyrevenue,assets)ofthediferententities.he
feasibilityofthisnewmodelforcalculatingtheoverallauditstatementiscurrently
being evaluated by gIAS during a six month pilot phase. If the new calculation
modelproofstobefeasibleinpractice,itwilleventuallyreplacetheoldmodel.
increasingtheextentoftheengagement
increasingtheextentoftheengagement
escalationincaseofSubstantialWeakness
escalationincaseofSubstantialWeakness
deviationfromthecalculatedRating
deviationfromthecalculatedRating
ReportingReporting
alternativeModelforcalculatingtheoverall
auditStatement
alternativeModelforcalculatingtheoverall
auditStatement
519
HintSandtiPS ;
• Assoonasauditorsnoticethattheoverallauditstatementwillprobablyproduce
aredtraiclightstatusintheauditreport,theyshouldinformtheAuditMan-
ager.
LinKSandRefeRenceS e
• InStItutEOFIntERnALAuDItORS.2001.Practice Advisory 2410-1: Communica-
tion Criteria.AltamonteSprings,FL:heInstituteofInternalAuditors.
7.2.2 AuditSurvey
KeyPointS •••
• Ater every engagement, Internal Audit sends an audit assessment question-
naire(auditsurvey)totheauditedorsupportedunit.
• herearetwodiferenttemplatesavailable:oneforstandardauditengagements
andoneforad-hocauditengagements.
• heauditsurveyhasthreesections.hemiddlesection,whichisthemainpart,
consistsoftenquestionsabouttheaudit.hequestionnaireforadhocaudits
consistsofninequestions.
• heauditsurveyhelpsdetermineInternalAudit’svalueforthecompanyand
facilitatestheassessmentofitswork.
• Askingforfeedbackincreasesthedepartment'scredibility.
• heauditleadandAuditManagerareresponsibleforobtainingfeedback.
Atereveryengagement,InternalAuditsendsanauditassessmentquestionnaireto
theauditedorsupportedunit.hisdocumentisusedtoratethetechnicalandad-
ministrativeperformanceoftheauditteam.heauditsurveyhelpsInternalAudit
managementunderstandhowtheauditteam’sworkandresultshavebeenreceived.
hisallowsdrawinginferencesabouttheperformanceoftheauditleadandeach
individualauditor.hisfeedbackhelpsInternalAuditmanagerswithperformance
appraisalsandallowsthemtocoordinatetrainingmeasuresforindividualauditors
ifweaknesseshavebeenidentiied.Ifthesurveyhaslaggedanyproblems,Internal
Auditmanagementcanremedythesituationandidentifyimprovementpotential
forfutureaudits.heauditsurveyalsomeasuresthequalityofauditworkandis
thereforesuitableforsettingdepartmentalperformancetargets.
hereareseveralreasonsforintroducinganauditsurvey:First,partofInternal
Audit’smissionistoaddvaluebydevelopingmanagement-focusedsolutions.he
audit survey has been introduced to measure the beneits delivered by Internal
PurposeoftheauditSurveyPurposeoftheauditSurvey
ValueargumentValueargument
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
SelectedSpecialKeyPerformanceIndicators
d|7|7.2
520
Auditandtogivemanagerstheopportunitytoassessauditperformanceinastruc-
turedandstandardizedway.ItprovidesanopportunitytomeasureInternalAudit’s
standingwithinthecompany.Aperformanceindicatorisderivedonthisbasisand
canbeusedforinternalpresentations.Italsohelpsrespondtoquestionaboutthe
valuethatInternalAuditaddsinthecompany.InternalAudit’svaluecannotalways
bemeasuredinfull,becauseitsactivitiesaretoovaried,buttheauditsurveycan
helpgivetheauditeesaneasy-to-usewayofassessingtheauditwork.
IIAPracticeAdvisory1310-1(QualityProgramAssessments)recommendsim-
plementing a method to demonstrate and measure the value and beneit that
InternalAuditgeneratesforthecompany.SAPhasrespondedtothisrecommenda-
tionbyintroducingtheauditsurvey.
heauditsurveyshowsInternalAudit’scommitmenttohavingitsperformance
assessed outside of the department. In principle, Internal Audit has to fulill its
auditmandateirrespectiveoftheauditee’slevelofsatisfactionandproduceobjec-
tive,accurateandmeaningfulauditresults.Itisneverthelessaquestionofcorporate
culture to what extent the auditee’s opinion is being considered. Internal Audit
should be open to constructive criticism as an opportunity to identify potential
improvements.heauditsurveydemonstratesthedepartment’swillingnesstoaccept
andprocessfeedbackandtorespondappropriately.InternalAuditalsodemonstrates
thecompanythatitwelcomesinputandispreparedtoacceptandimplementre-
commendationswithinitsowndepartment.
heauditsurveyconsistsofthreesections.heheadercontainsadministrative
datafortheaudit.hemiddlesectionhasten(ornineforad-hocaudits)questions,
whichareansweredbycheckingoneofthefollowingsixratings:
• stronglyagree,
• agree,
• neitheragreenordisagree,
• disagree,
• stronglydisagree,or
• notapplicable.
In a third section, there is room to add comments on speciic questions or re-
sponses.hebottomsectionisfortheauditteamtoaddanycommentsorremarks
asfreetext.hecompletedauditsurveyissenttotheAuditManagerelectronically
andthenforwardedtotheCAE.
heopeningandclosingmeetingsaregoodoccasionsformakingauditeesaware
oftheauditsurvey.Itisenoughtorefertothesurveybrielyattheopeningmeeting,
buttheauditorsshouldpresentandexplainthequestionnaireattheclosingmeet-
ing.heauditorscan,ofcourse,alsopresentandexplaintheauditsurveyine-mails
ordiscussionsduringthepreparationphase.
hequestionnairesshouldbesentoutatthesametimeasthedratreport,be-
causetheauditedunitwillhavehadrecentexposuretoInternalAudit’swork,and
itsresponseswillrelecttheentireauditexecution.hedistributionofthesurveyis
aqualitygateforInternalAuditandmustbedocumented.InternalAuditofersthe
opportunitytoholdaseparatemeetingwiththeauditedunittodiscussthedrat
compliancewiththeQualityProgram
compliancewiththeQualityProgram
credibilitycredibility
StructureoftheauditSurvey
StructureoftheauditSurvey
alertingtotheauditSurvey
alertingtotheauditSurvey
distributionoftheQuestionnaires
distributionoftheQuestionnaires
521
Fig. 22 AuditSurveyforStandardAuditEngagements
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
SelectedSpecialKeyPerformanceIndicators
d|7|7.2
522
auditreportindetail.hismeetingprovidesanotheropportunitytoasktheaudi-
teestocompletetheauditsurvey,particularlysinceitissometimesdiiculttoget
thecompletedquestionnairebackwithintheAuditRoadmaptimeframe.helatest
time for sending out the questionnaires is when the inal audit report is
distributed.
heauditleaddecideswhetherthequestionnaireissenttoseveralpeopleorjust
oneperson.Sendingthequestionnairetoseveralpeoplemaybenecessaryforre-
gionalandglobalaudits,forexample.heauditleadisalsoresponsibleformaking
auditeesawareoftheauditsurvey,sendingoutthequestionnaires,andaskingfor
thecompletedquestionnairestobereturned.heauditleadisresponsibleformak-
ingtheauditeesawareofthefactthattheauditsurveyisnotanonymous,butthat
the results will be treated conidentially. he audit lead and the Audit Manager
shouldagreewhotheaddresseeofthesurveyshouldbeandsendthequestionnaire
totheappropriateperson(e.g.,thelocalinanceoicerinthecaseofalocalsubsid-
iary).heaudit leadcannormallyaddcommentstotheauditsurvey,e.g., if the
opinionvoicedrequirestheauditleadtostatehisorherpointofvieworifaddi-
tionalfactshavetobepresented.
heauditsurveyhelpstheAuditManagerimproveauditqualitycontinuously.
Atthesametime,itcanalsodocumentgoodperformanceandthusmotivatethe
auditteamandthewholedepartment.topreventtheratingofindividualauditors,
thequestions inthesurveyfocusonauditexecution,notontheperformanceof
individuals.
heresultsoftheauditsurveyscanbecompiledmonthly,butnolessfrequently
thanquarterly.Resultscanbebrokendownbyregionand/orauditlevel.heCAE
consolidates and analyzes the results. hey are rated on a scale of 10 (best) to 1
(worst)andcommunicatedtoInternalAuditmanagement,theCEO,andtheAudit
Committee.
LinKSandRefeRenceS e
• InStItutEOFIntERnALAuDItORS.2004.Practice Advisory 1310-1: Quality Pro-
gram Assessments. AltamonteSprings,FL:heInstituteofInternalAuditors.
7.2.3 Follow-UpRating
KeyPointS •••
• he follow-up assesses the extent to which the measures recommended as a
resultoftheprecedingaudithavebeenimplemented.
• Eachauditindingisratedaccordingtoasetscale.
• newindingsduringafollow-upareratedaswell.
• heoverallfollow-upratingisreportedinthemanagementandBoardsumma-
riesasatraiclightstatus.
ResponsibilityoftheauditLead
ResponsibilityoftheauditLead
informationValueoftheauditSurvey
informationValueoftheauditSurvey
ResultsoftheauditSurvey
ResultsoftheauditSurvey
523
hefollow-upauditassessestheextenttowhichthemeasuresagreedduringthe
precedingaudithavebeenimplemented.Itthusevaluatestheefectivenessofthe
implementationprocessresultinginthefollow-upscoring.hestatusisreported
usingatraic-lightsystem(red,yellow,green).Eachauditindingisratedaccord-
ingtoasetscale.hepointssysteminthediagrambelowformsthebasisforthe
follow-upscoring.
hefollowingexamplesillustratethescoringprocess:
• AindingthatwasclassiiedasBoard-relevantattheprecedingaudit,buthasnot
yetbeenimplementedatthetimeofthefollow-upauditisratedtwelvepoints.
• Aindingthatwasclassiiedasrelevanttoregionalmanagementatthepreced-
ingauditandthatisstillinprocessisratedthreepoints.
• Aindingthatwasclassiiedaslocallyrelevantattheprecedingauditandhas
beenfullyimplementedisratedzeropoints.
heaggregatedscoring,isclassiiedasfollows:
• greenstatus:0to11points.
• yellowstatus:12to23points.
• Redstatus:24ormorepoints.
newindingsmade in thecourseof the follow-upareratedseparatelyusing the
ratingsystemfortheoverallauditstatement(seeSectionD,Chapter7.2.1).Finally,
thefollow-upscoring(fortheimplementation)andthefollow-upnewindingsrat-
ingarecombinedintoanoverallfollow-uprating(seeFig.24).
heoverallfollow-upratingisreportedinthemanagementandBoardsumma-
riesasatraiclightstatus.Ifthestatusisred,abriefexplanationhastobeaddedto
bothdocuments.heBoardsummarycontainsatable,whichshowsapointssum-
maryforeachstatus.Intheauditreport,thepointsareaddedupandautomatically
transferred to themanagementandBoard summaries.heresultsof theoverall
follow-UpScoringfollow-UpScoring
examplefortheimplementationRatingexamplefortheimplementationRating
newfindingsRatingandoverallfollow-upRatingnewfindingsRatingandoverallfollow-upRating
ReportingReporting
Local
Regional
Board
Open In processDone/Reasonably
controlled
Status
Green/
0points
Green/
0points
Green/
0points
Yellow/
1point
Yellow/
3points
Yellow/
3points
Red/
6points
Red/
6points
Red/
12points
Fig. 23 PointsMatrixfortheFollow-UpScoring
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
SelectedSpecialKeyPerformanceIndicators
d|7|7.2
524
follow-up rating depend on the degree of implementation and the quantity and
qualityofthenewindings.Ifafollow-upIauditresultsinaredtraiclightstatus,
asecondfollow-upauditmustbeperformed.Ifthetraiclightstatusisyellow,the
auditleadandAuditManagerdecidewhetherasecondfollow-upisnecessary.Ifa
follow-upIIauditisconducted,theratingisperformedinthesamewayasforthe
follow-upIaudit.Ifthesecondfollow-upproducesanotherredtraiclightstatus,
the conditions for “heightened escalation” are met, which leads to the CEO’s
or Board’s intervention (for more information on escalation see Section D,
Chapter6).
HintSandtiPS ;
• hestatusofeachauditindinghastobekeptuptodatemeticulouslysothatthe
overallfollow-upratingcanbereliablycalculated.
• he overall follow-up rating in the audit report must always agree with that
stated in theBoard summary.Auditors should thereforealign the twodocu-
ments.
LinKSandRefeRenceS e
• InStItutEOFIntERnALAuDItORS.2001.Practice Advisory 2410-1: Communica-
tion Criteria.AltamonteSprings,FL:heInstituteofInternalAuditors.
Overall Follow-up Rating
FU New
Findings
Rating
FU
Scoring
Substantial
Weakness
(red)
Weak
(red)
Needs
Improvement
(yellow)
Meets
Standard
(green)
Exceeds
Standard
(green)
Yellow Red RedGreenGreenGreen
RedYellowYellowYellow RedYellow
Red RedRedRed RedRed
Fig. 24 RatingMatrixfortheOverallFollow-UpRating
525
• InStItutE OF IntERnAL AuDItORS.2001.Practice Advisory 2500-1: Monitoring
Progress.AltamonteSprings,FL:heInstituteofInternalAuditors.
• InStItutEOFIntERnALAuDItORS.2001.Practice Advisory 2500.A1-1: Follow-up
Process.AltamonteSprings,FL:heInstituteofInternalAuditors.
• LAROSA, S. 2005. ERM-based Audit Reports. Internal Auditor (December 2005):
73–75.
• MCCuAIg,B.2006.ABCsofReportingonControls.Internal Auditor(October2006):
35–39.
7.3 BenchmarkingStructure
KeyPointS •••
• Benchmarkingisasystematiccomparisonofkeyperformanceindicatorsand
ratioswithcorrespondingvaluesfromotherperiodsorsources.
• Forbenchmarking,theindicatorsneedtobestructuredwiththetargetgroupin
mind.
• Benchmark comparisons must be standardized and performed, maintained,
andqualityassuredbyabenchmarkingchampion.
• Variancesaretreatedaccordingtodiferentstrategies.
• heresultsarenormallypreparedspeciicallyformanagement.
Abenchmarkingconceptisthestartingpointforenhancingthemeaningfulnessof
simplekeyperformanceindicatorsandratios.hismeansthatindicatorsarecom-
paredtobenchmarksandpresentedinalternativeways,i.e.,inmulticoloreddiagrams
ortables.Foranoverview,alltheindicatorsshouldbegroupedbycontent.Depend-
ingonthetargetgroupdiferentperspectivesmustbeconsidered.hismayresult
in diferent indicator rankings. From Internal Audit’s perspective, the following
structureisrecommended:
• Indicatorsrelatingtotheinternalauditdepartmentanditsorganizationshould
beconsideredirst.
• heyarefollowedbytheratiosandindicatorsthatanalyzeInternalAudit'sser-
viceportfolio,i.e.,thevariousaudit-relatedandnon-audit-relatedservices.
• hen, indicators that measure the content of the audits should be included:
heseareindicatorsthatarerelatedtoasingleauditobject,e.g.,acontract,and
thosethatrelatetotheentireauditedunit,e.g.,alocalsubsidiary.
henextstepistodeinebenchmarksforthevariousindicatorsandratios.Indica-
tors always have an absolute and a relative value, and the benchmark selected
determineshowaccuratetheyare.heappropriatebenchmarkshavetobeselected
speciicallyforeverysituation,rangingfromclosing-datevalues,averages,andper-
centage distributions through intervals and series, which can be compared with
KPisandBenchmarkingKPisandBenchmarking
deinitionofSuitableBenchmarksdeinitionofSuitableBenchmarks
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
BenchmarkingStructure
d|7|7.3
526
eachother.Itisultimatelytheexpectedorrequiredsubstantialmeaningthatdeter-
minestheselection.
hefollowingarethemaincomparisoncategoriesofinterestforInternalAudit:
• benchmarksfromthepreviousyearoraveragesfromseveralprioryears,
• benchmarksfromothercorporateunits,e.g.ManagementAccounting,ifavail-
able,
• benchmarks fromexternal sources (e.g., auditing institutes, industryassocia-
tions,othercompanies),
• benchmarksdeinedintermsofbusinesstargets,especiallyaspartofcost-ben-
eitanalysis,e.g.inrelationtoprojectresults,and
• benchmarksintermsofoutcomesexpectedbymanagement.
Benchmarkingrarelyusesalltheabovevaluesatthesametime.hefocusisrather
onselectedvalues,becausetheefortrequiredforgeneratingthedataisconsider-
able.Inaddition,itisadvisabletotestwhethertheselecteddataiscomparablein
termsofbothformandcontent.InternalAuditshouldnominateabenchmarking
champion,whocentrallyexaminesbenchmarkingqualityandform.Ifnosuchcon-
trolisimplementedonaregularbasis,thenthereisariskthattheindicatorsfollow
divergingrulesandarenolongerconsistent.
heactualcontrolfunctionofbenchmarkingisbasedonidentiiedvariances.
Forexample,ifvariancesoccurincomparisontoexternalvalues,itisnecessaryto
irstanalyzethequalityandoriginof thesebenchmarks. Itshouldalsobetested
whethertheindicatorsareplausibleinrelationtopastdevelopment.Pastdevelop-
mentisthenextrapolatedintothefuture.hismeansthatultimatelydatacompari-
son and trend analysis form part of Internal Audit’s benchmarking analysis. An
explanationforvariancesalsohastoaccountforinterdependencies.
Benchmarkingshouldbepresentedatdiferentmanagement levels, for infor-
mationpurposesandtoeasenavigationthroughtheunderlyingdatamaterial.he
addresseeswillnormallyabsorbthebenchmarkingresultsbetterandfasterifthey
arepresentedgraphically.
HintSandtiPS ;
• Auditorsshouldcommenttheindicatorstheyhavedetermined,e.g.,toindicate
whethertherearepositiveornegativevariances.
LinKSandRefeRenceS e
• ALLAn, M., h. tOnKIn, AnD R. RunDLE. 2002. Benchmarking the Inter-
nal Audit Function Follow-on Report. www.anao.gov.au/WebSite.nsf/Publications/
5527C42C327C50E1CA256C5C001BA5D5(accessedMay31,2007).
• InStItutE OF IntERnAL AuDItORS.2001.Practice Advisory 2500-1: Monitoring
Progress.AltamonteSprings,FL:heInstituteofInternalAuditors.
Possiblecategoriesforcomparison
Possiblecategoriesforcomparison
RegularcontroloftheindicatorsUsed
RegularcontroloftheindicatorsUsed
extentofBenchmarkingininternalaudit
extentofBenchmarkingininternalaudit
PresentationofResultsPresentationofResults
527
7.4 StructureofaBalancedScorecardApproach
KeyPointS •••
• hebalancedscorecard (BSC)approach isaKPI system thatutilizesand in-
corporatesdiferentperspectivesandviewsintegratingthemwithstrategicap-
proaches.
• heBSCstructurecanbeappliedtoInternalAudit,andthepredeinedindica-
torsaresetasstrategicobjectives.
• hesecanbeusedtoderivemeasures,whichinturnleadtoindicatorsandcom-
parisonsofto-beandas-isvalues.
hebalancedscorecardapproachtakesthekeyperformanceindicatorsandratios
discussedearlieronestepfurther.Itmakesthempartofcorporateoperations,ex-
pressedindiferentactionieldsandperspectivescreatinganetwork-likestructure
ofdirectlyandindirectlylinkedindicators,whichhastobeunderstoodandtreated
asawhole.
hefollowingshouldbenoted:
• Abalancedscorecardcanbedeinedbothstrategicallyatthecorporateleveland
operationallyatthedepartmentallevel.
• he balanced scorecard approach integrates inancial and non-inancial per-
formancemeasuresonfourdimensions.hegeneraldimensionsareinancial
performance,processindicators,customersatisfaction,andinnovation.
• heindicatorsarechosentocapturethecompany’smainareasofactivityand
decisionlevels.
• Every indicator is compared against targets, action tracking, as-is measure-
ments,andfeedback.
Internal Audit has special requirements for the design of a balanced scorecard
structure.hestartingpointinchoosingcomponentsofthebalancedscorecardis
aclearmission,fromwhichvisionsandobjectivescanbederived,whichinturnare
thediferentdimensionsthataretobeintegratedinthebalancedscorecard.Internal
Audit’sspeciicdimensionsareinancials,employees,theauditprocess(including
auditobjects),andauditees.Appropriate indicatorsaredeinedfor thesedimen-
sions. hey are speciied, controlled, and monitored in terms of overall target
achievementbythemanagersincharge.
hemetricscanbeleadorlagindicators.AtInternalAudit,aclassicexampleof
aleadindicatorisriskassessment,andatypicallagindicatoristhenumberofac-
tualauditindings.henumberofactualauditindingscaninturnbeusedasinput
foranewriskassessmentandthusbecomealeadindicator.hismakesindicators
importantasbothplanningandanalysistools.Asleadindicators,theycanbeused
inplanning,andaslagindicators,theyservetodocumentdevelopments.hebal-
ancedscorecard tracksdiferent indicatormeaningsand their interdependencies
BalancedScorecardandKeyPerformanceindicators
BalancedScorecardandKeyPerformanceindicators
attributesoftheBalancedScorecardattributesoftheBalancedScorecard
focusoninternalauditfocusoninternalaudit
controlwiththeBalancedScorecardcontrolwiththeBalancedScorecard
SpecialTopicsandSupplementaryDiscussion
PerformanceMeasurementSystem
StructureofaBalancedScorecardApproach
d|7|7.4
528
acrossvariousperspectives.Duetoitscomprehensivenature,especiallytheinclu-
sionofqualityaspects,thebalancedscorecardconceptenablesKPI-basedcontrol
ofInternalAudit.hedepartment’smission,visions,andobjectivesareintegrated
intotheconceptandmappedthroughquality-focusedindicators.Sinceeiciencyis
animportantpointtoconsider,theinancialperspectiveshouldbetiedintoacom-
prehensiveanalysis.
HintSandtiPS ;
• Auditorsshouldfamiliarizethemselveswiththebalancedscorecardconceptus-
ingindicatorstheyhaveselected.
• Auditorsshouldbeawareofthebeneitsofthebalancedscorecardapproachand
thevalueitaddscomparedtobenchmarking.
LinKSandRefeRenceS e
• CALLAghAn,J.,A.SAVAgE,AnDS.MIntZ.2007.AssessingtheControlEnviron-
mentusingaBalancedScorecardApproach.he CPA Journal (March2007):58–63.
• KAPLAn, R., AnD D. nORtOn. 1996. using the Balanced Scorecard as a Strategic
ManagementSystem.Harvard Business Review(74):75–85.
• KAthy,S.,AnDR.MCKAy.2002.BalancedScorecard.he CPA Journal (March2002):
20–25.
Special Topics and Supplementary Discussion
Integrated Cost Management (Cost of Internal Audits)D | 8
529
8 Integrated Cost Management (Cost of Internal Audits)
Key PoInts •••
• ToallowInternalAudittoperformitstasksefectively,theorganizationmust
provideadequateresourcestoguaranteethatthedepartment’scapacityisfully
utilizedanditproducesthebestpossibleresults.
• AtrackingsystemcanbeusedtoallocatecoststoInternalAudit'sactivitiesand
thusmeasureresourceutilization.
• Atimemanagementsystemisanimportanttoolforallocatingthecostoftime
andefortspenttoauditactivities.ByrecordingtimeInternalAuditmanage-
mentcanalsoanalyzehowemployeesusetheirtime.
• Internal Audit’s total costs may include time and efort, direct audit-related
costs,directnon-audit-relatedcosts,andindirectcosts.
• AnefectivecostmonitoringprocessalsosupportsInternalAudit’sbillingpro-
cess.
• hereareseveraldiferentcosttransfermodelsthatcanbeused.Selectionofthe
appropriatemodeldependsontheadministrativeburdencreatedbythebilling
processandthenatureoftheauditactivitiesconductedinthecompany.
• InternalAudit’sperformanceshouldbeassessedfrombothainancialandnon-
inancialperspective.
Whenitcomestocostmanagement,InternalAuditisnodiferentfromothercor-
porate departments. To allow Internal Audit to perform its tasks efectively, the
companymustensureithasappropriateresourcesavailabletoensurethatthede-
partment’scapacityisfullyutilizedanditproducesthebestpossibleresults.It is
alsoimportanttoensurethatthecostsofInternalAudit’sactivitiesdonotexceed
theannualbudget.
AccordingtoguidancefromtheIIA,theCAEshouldcompileandsubmitan
annualbudgettotheBoardofDirectorsandseniormanagementforapprovalatthe
beginningofeachiscalyear.heannualbudgetshouldbecompiledatertheAudit
Committeehasconcurredwiththeannualauditplan,becausethebudgetshould
coverthecostsoftheactivitiesthatInternalAudithasplannedforthenextiscal
year.
henormalbudgetforInternalAuditprimarilyincludesemployee-relatedand
audit-relatedcostelements.Othercoststobeincludedinaninternalauditbudget
include training costs, the cost of audit-related literature and publications, audit
technology,expertadvice,and theengagementof independentspecialists.hese
costsmustbeincludedinthebudgetcalculationsothatInternalAuditcanperform
itstaskseicientlyandefectively.
Forthecompilationofarealisticbudget,itisessentialtodevelopamethodof
recordingallsigniicantaudit-relatedcostsincurredasaresultofthedepartment’s
work.AtSAP,GIAS’budgetisproducedusingtimesheetdata(seeSectionA,Chap-
Cost ManagementCost Management
Compiling an Annual BudgetCompiling an Annual Budget
Cost elements IncludedCost elements Included
Budgeting MethodBudgeting Method
530
ter4.7)andactualprior-yearigures.Usingthismethod,itmustalsobepossibleto
adequatelyallocatethecoststotheactivitiesthatdrivethem.Basedupontheseal-
locations,InternalAudit’sperformancecanbemeasuredintermsofhowresources
(e.g.,auditortimeandcorporatefunds)areusedforthevariousactivities.
BydeterminingInternalAudit’sperformanceandthecostsofitsactivities,In-
ternalAuditmanagementcangainanoverviewofthedepartment’sefectiveness
andeiciency.Itisalsopossibletomakeregularcomparisonsofthebudgetedand
actualcostsofauditactivities forcertainperiodsofaiscalyearandtoestablish
whetheraspeciicaudithasremainedwithinbudget.
Aninternalauditdepartmentcanbetransformedfromacostcenterintoaproit
center,wheretheauditeesandcustomersarebilledfortheauditsconductedbyIn-
ternalAudit(seeSectionA,Chapter2.5.5).However,itcannotbeInternalAudit’s
objectivetogeneraterevenues.InternalAudit’scostsaremanagedprimarilysothat
businesseiciencyandproductivity,aswellasresourceutilizationandbudgetcom-
pliance,canbemeasuredandthuscontributetoincreasingeiciency.
hecostsincurredasaresultofInternalAudit’sactivitiesarerecordedinthe
SAPsystemandthenallocatedtothedeinedcostcenter.hesecostsincludeper-
sonnelcosts,travelexpenses(lightsandaccommodation),andallocationsforthe
useofITequipmentandoices.GIASmustadministratethecostcenterscarefully
sothatInternalAudit’sperformancecanbemeasuredatthegloballevel.hisin-
cludesnotonlyallocatingthecoststoindividualproitcenters,butalsoanalyzing
andmeasuringcostswhileconsideringpossiblecosttransfer.GIASdoesnotcur-
rentlybillcustomersforthecostsitincursinconnectionwithaudits.heremainder
ofthischapterdescribeshowcosttransferscouldwork.
Oneofthemostimportantfactorsincalculatingthecostsofinternalauditsis
thetimeauditorsspendperformingactualauditwork.herefore,formostinternal
audits,timemanagementsystemsareanimportantinformationtooltohelpallo-
cate costs to audit activities. Time management reports provide information to
Internal Audit management about how eiciently and efectively the employees
involvedinanaudituseavailabletime.hesereportscanalsobeusedtosupport
performanceanalysis,whichisimportantforanumberofperformancetargets.he
reportscanbeproducedregularly,orforspeciiceventsorpurposes.
hefollowingdescribesthediferenttypesofcoststhatareincurredinInternal
Audit’sworkandshouldbemeasuredanddocumentedtoproducearealisticsum-
maryoftotalcosts.Aspreviouslymentioned,thecostsforthetimeandefortspent
bytheemployeesinvolvedinanauditareoneofthemostimportantcostelements.
Aninternalauditisaserviceprovidedbytrainedandqualiiedauditors.Byrecord-
ingthetimetheyspendonanaudit,theinternalauditfunctioncananalyzehow
timeisdistributedamongthediferentauditactivitiesandhoweicientlytheyare
carriedout.
henormalprocedurefordeterminingthetimeandefortspentonanauditis
torecordthetimespentintimerecords,whichallauditorscompleteregularly(e.g.,
monthly, fortnightly,orperaudit).Generally,everyauditorcompleteshisorher
Advantages of Performance
and Cost Analysis
Advantages of Performance
and Cost Analysis
Proit CenterProit Center
Cost Centers at GIAsCost Centers at GIAs
time Managementtime Management
time and efort Coststime and efort Costs
time Recordingtime Recording
Special Topics and Supplementary Discussion
Integrated Cost Management (Cost of Internal Audits)D | 8
531
owntimerecord.hedatashows,howeachauditor’sworkingtimehasbeenspent
duringtheperiod.Itisimportanttorecordthetimeactuallyspentoneachaudit
activity.Timemayalsobespentonadministrationortraining.heseperiodsalso
mustberecordedcarefully,sothedepartment’stimerecordisnotdistorted.
Accuratetimerecordinghasthefollowingadvantages:
• Quantitative support for time management at employee level: Accurate time
recordingforallauditactivitiesinthecurrentyearfacilitatesfuturetimesheet
calculationsandthusrealisticpreparationoffuturebudgetsandauditplans.It
alsoallowsauditorstomakesensibleplansforspeciicaudits.
• Controlofauditactivities:heauditleadandAuditManagerresponsiblecan
usedirecttimerecordstocompareactualtobudgetedtimesandthusefectively
analyzewhethertheauditisprogressingaccordingtoscheduleandhowfarthe
audit is from completion. his allows forward-looking planning of employee
engagements.hesecanbebrokendown into thephasesof theAuditRoad-
map,whichinturnleadstogreaterplanningaccuracy.Moreover,auditorsare
motivatedtoconcludetheauditprojectaccordingtoscheduleandmeetquality
standards.
• Increasedproductivity:Analysisofthetimeactuallyspentonauditing(audit-
related time) compared to time spent on administrative and other activities
(non-audit-relatedtime)facilitatesmonitoringresourceutilization.
hecompletionofthetimerecordsisanessentialprerequisiteformeaningfulanal-
ysis.hefollowingtimerecorddataisusefulforInternalAuditmanagement:
• timethattheauditteamspendsoneachauditactivity,
• exceedingoftheestimatedtimerequired,
• non-billabletimepermonth(e.g.,fortrainingoradministration),
• proportionofbudgetedtimetoactualtimespentoneachauditactivity,and
• proportionofnon-billabletobillabletimeperauditor.
Normally,timeisrecordedforeachauditduringthereportingperiod(monthlyor
twicemonthly).Everyauditactivitythatcanbeclearlydeterminedisirstassigned
toacostcentercodesothattimescanberecordedwithoutproblems.
heannualauditplanallowsacertainperiodforconductingtheauditactivities.
Forefectivemonitoring,everyauditorrecordsthetimeheorshehasactuallyspent
onanauditobject.heresponsibleAuditManagershouldreviewandapprovethe
timesrecordedtoensurethatthetimeandefortforthereportingperiodhavebeen
capturedproperly.heAuditManagerneedsthefollowinginformationtoreview
therecordedtimes:
• approvedauditobjectbudget,
• timerecordingdatasheetswherethetimesspentonconductingtheauditactivi-
tieshavebeenaccuratelyrecorded,and
• regularreportsonbillablehoursgeneratedfromthesystem.
Advantages of time RecordingAdvantages of time Recording
Important time Record DataImportant time Record Data
time Recording Proceduretime Recording Procedure
Check by the Audit ManagerCheck by the Audit Manager
532
Ifthetimespentonauditingtaskscanbemeasured,InternalAuditmanagement
canallocatethecostsforthetimespenttotheauditactivitiesonthebasisofthe
compensationofeachemployeeinvolvedintheaudit.Anotherwaytoallocatetime
andefortcostistomultiplythenumberofauditorhoursspentbytheappropriate
hourlyrate.hehourlyrateistheaveragehourlycostbilledfortheservicesofan
InternalAuditemployee.hisrateshouldcoverthecostsofprovidingtheservice,
at least in part. To ensure eiciency, the hourly rate should also cover overhead
costs(operatingcostsandpersonnelcosts).hehourlyrateforindividualauditors
issetbyInternalAuditmanagement.Normally,ahigherhourlyrateischargedfor
aSeniorAuditorthanforalessexperiencedauditor,whichmeansthatthehourly
ratesgenerallyrelectthejobhierarchyinthedepartment.
In addition to time and efort, direct audit-related costs represent another
signiicantcostofinternalaudits.Directaudit-relatedcostsarecostsincurredasa
directresultofidentiiableauditactivitiesinanauditproject.Internalauditsusu-
allyincurdirectaudit-relatedcostssuchastravelexpenses,includinglightsandlocal
accommodationforauditors.heycanalsoincludesubsistence,localtransport,or
telecommunication expenses. Costs for time and efort and direct audit-related
coststogetheraccountforthemajorityofaudit-relatedcosts.
Inadditiontodirectaudit-relatedcosts,thereareotherdirectcoststhatInternal
Auditincursasaresultofactivitiesnotdirectlyrelatedtoanaudit.Examplesin-
clude departmental events, initiatives, or projects, and Internal Audit employee
participationinexternalevents.
hird-partycosts, e.g., for legaladvice,arealso signiicantandshouldbe in-
cluded.Ifthesetypesofcostsareincurredindirectrelationtoanauditactivity,they
shouldbeclassiiedasdirectaudit-relatedcosts.Ifnot, theyaretreatedasdirect
non-audit-relatedcosts.Internalauditorsmustensurethatthecostsofnon-audit-
relatedactivitiesarewithinbudget,becausetheycanhardlybebilledtocustomers.
hesecostscan,however,becharged,ifthecostsbilledtocustomersaremadeup
oftheactualcostsincurredandamark-up.Distinguishingbetweendirectaudit-
relatedanddirectnon-audit-relatedcostscreatesgreatercost-drivertransparency.
hecostsincurredmustbeaccuratelyanalyzedandclassiied.Occasionally,di-
rectcostsmaybeincurredthatcanbeallocatedtomorethanoneauditactivity,(for
example,ifthecostsofalightarerelatedtotwoindependentauditactivitiesper-
formedbyInternalAudit).Forthisreason,itisimportanttotrackthesetypesof
coststofacilitatesubsequentanalysisandaccuratecosttransferstoauditees.
Inadditiontotimeandefortcostsandtheotherdirectcosts,InternalAudit’s
activitiesalso incurcosts thatcannotbeclearlyallocated toa speciicauditora
non-audit-relatedactivity.hesecostsarealsoreferredtoasindirectcostsorde-
partmentaloverheads.heyarenecessaryforInternalAudittoperformitscentral
functionasaninternalauditbody.Indirectcostsarenormallycarriedbythede-
partmentasawholeandnotallocatedtoanindividualauditororauditengagement.
Inreturn,theadvantagesgeneratedwiththesecostsbeneitthewholedepartment.
Allocating Costs to time spent
Allocating Costs to time spent
Direct Audit-Related Costs
Direct Audit-Related Costs
Direct non-Audit-Related Costs
Direct non-Audit-Related Costs
third-Party Coststhird-Party Costs
Documentation and Analysis
Documentation and Analysis
Indirect CostsIndirect Costs
Special Topics and Supplementary Discussion
Integrated Cost Management (Cost of Internal Audits)D | 8
533
Indirectcostsareincurred,forexample,fortheuseofoicespace,oicematerials
andITequipment.
InternalAuditalsoincursindirectcostsintheprocessofperformingtheneces-
saryauditservices.hus,allserviceusersshouldpayfortheirshareofthesecosts.
Commonly, thesecostsare (partiallyor fully) recovered through thehourlyrate
determinedbyInternalAudit.
Carefulcostmonitoringisalsocriticaltothebillingprocessoftheinternalaudit
department.hemodelspresentedbelowconsiderhowthecostsofInternalAudit
canbestbebilled.Indoingso,InternalAuditmustconsiderthereasonsandmo-
tivesforchargingspeciiccosts.hefollowingbillingmodelsarepresentedbelow:
• actualcostmodel,
• cost-plusmodel,
• revenuemodel,and
• hybridmodel.
heactualcostmodelisrelativelysimpletouse.Underthismodel,theauditeeis
billedone-to-one(e.g.,withoutmark-up)foralldirectauditcostsandallbillable
timeandefortcostsusingcostallocationandfollowingcostaccountingprinciples.
hismodelisbasedontheprinciplethattheauditeesshouldassumethecostsofthe
auditproject,becausetheyareusingtheservicesofaninternaldepartment.he
idea is that internal audit costs are unavoidable costs for ensuring compliance,
which theauditeesmustcoveraspartof theirbusinessactivities. If theauditees
carry the costs of internal audits, they can in return expect certain outputs
fromInternalAudit,suchasimprovedeiciency,increasedproductivity,andfraud
detection.
Oneoftheadvantagesoftheactualcostmodelisthatitiseasytoadministrate,
becausetheinvoicedcostsaredirectlymeasurableandtransparentfortheauditees.
Moreoverafunctioningcostmonitoringsystem(e.g.throughtimerecordingand
costcenterreporting)allowsInternalAuditmanagementtoeasilydeterminethe
totalcoststobeallocatedandbilledtotheauditeesaspartofitsadministrativedu-
ties.
However,theactualcostmodelisonlysuitableforauditsincludedintheannual
auditplanandagreeduponbytheBoardofDirectorsorAuditCommittee.Since
theannualauditplanhasbeenpreparedandapprovedbaseduponariskanalysisof
allcorporateunits,itiseasiertoexplaintotheauditeesthatauditsarenecessaryand
thereforetheauditeesshouldberesponsibleforallassociatedcosts.Itis,however,
diicult toget theauditees toaccept thecostsofspontaneous,unplannedaudits
(e.g.,processreviewsorinvestigationsintofraudandanonymousallegations).
Anotherbillingmodelforinvoicingisthecost-plusmethod.hismodelincludes
allactualcostsincurredinconductingtheauditactivities(similartotheactualcost
model),plusamark-upof,say,5%to10%,whichisbilledtotheauditees.hemark-
upisbilledmainlytocovertheindirectcostsincurredbyInternalAudit.
Billing of Indirect CostsBilling of Indirect Costs
Billing ModelsBilling Models
Actual Cost ModelActual Cost Model
Advantages of the Actual Cost ModelAdvantages of the Actual Cost Model
suitability and Limits of the Actual Cost Modelsuitability and Limits of the Actual Cost Model
Cost-Plus ModelCost-Plus Model
534
InternalAuditisotenusedforavarietyofreasons.Forexample,thecompany
asawholemayvalueitsservicesandbepreparedtopayforthem.Also,Internal
Auditemploysexpertsandhasextensiveknowledgeofthecorporateunits,sothat
itsactivitiescanaddvalue.heauditeesmustdecidewhetheritisnecessarytoask
InternalAudittoinvestigateoperationalmattersinthecompanyandwhetherthe
costsarejustiied.Bycontrast,irrespectiveofwhethertheactualcostorcost-plus
methodisused,InternalAuditmustreconciletheneedtobillitsserviceswiththe
company’soverallobjectives.IfthefactthatInternalAuditbillsforitsservicesde-
terspotential auditees fromengaging InternalAudit, so that fraud, for example,
maygoundetectedandthusunpunished,InternalAuditfailsinitsobligationtoact
inthecompany’sinterest.Forthisreason,whenusingthecost-plusmodel,audit
management should make sure that the billing of audit services does not have
anegativeimpactontherelationshipbetweenauditeesandInternalAudit.
Dependingontheannualbudget,themark-upcanbeixedatdiferentlevels
from year to year. If required, Internal Audit and the auditees should conclude
aservicelevelagreementeachyear,whichestablishesthemark-ups(fortheyearin
question)andInternalAudit’sservicesonwhichthemark-upisbased.
herevenuemodelisanotheralternativeforcosttransfers.Undertherevenue
model,thecostsofinternalauditsarebilledonthebasisofixedorvariableper-
centagesoftherevenuegeneratedbytheauditees.hismodelisnotrelatedtodirect
orindirectcostsincurredbyInternalAudit.Revenuecan,forexample,becalcu-
latedonthebasisofsix-monthmovingaveragerevenueoronthebasisofthelatest
annual salesigure.For theconceptof therevenuemodel tobeunderstood, the
involved parties must understand how Internal Audit its into the company as
awhole:InternalAuditisregardedasanin-housecorporatefunction,becausethe
servicesitprovidesbeneitsalltheunitsofthecompany.Asforallin-housefunc-
tions,thecorporate-widecostsareallocatedusinganappropriateformula.
hepercentagechargedmustbedeterminedsuchthat InternalAudit’sdirect
and indirect costs are covered.However, this isnot easy to implement,because,
dependingonthepercentagedeterminedearlier,InternalAuditmayrecovermore
orlessthanthecostsithasactuallyincurred,resultinginaproitorloss,respec-
tively.
herevenuemodelissuitableforplannedinternalaudits.Itcanalsobeusedfor
units thatmustbeauditedat leastannually,units thatareexposedtosigniicant
risks,orthosethatareofcentralimportance.heixedorvariablepercentageused
shouldbean indicationof theriskproileof theauditee.Ahighpercentagecan
meanthattheunitisexposedtohighrisks,sothatthehigherrateofrecoveryhas
toinancetheadditionalresourcesthatInternalAuditmayhavetouseasaresultof
thehighrisk.hisgivestheauditeesanincentivetomanagetheirunitwithaview
toreducingtherisksothatthepercentagechargedfallsovertime.Moreover,the
revenuemodel facilitatesadministration for InternalAudit,because theauditees
arebilledatapreviouslyagreedrate,irrespectiveoftheactualcostsincurredbythe
auditactivity.hetrackingofcostsinsuchacaseservestomonitortotalcostsand
Using Internal Audit’s services
Using Internal Audit’s services
Determining the Mark-UpDetermining the Mark-Up
Revenue ModelRevenue Model
Determining the Percentage Charged
Determining the Percentage Charged
suitability and Limits of the Revenue Modelsuitability and Limits
of the Revenue Model
Special Topics and Supplementary Discussion
Integrated Cost Management (Cost of Internal Audits)D | 8
535
audit progress within the audit budget. here are, however, some units, such as
shared servicecenters, forwhich thismodel is less suitablebecause theydonot
generaterevenue.
Besidesthemodelsdescribedsofar,InternalAuditcanalsouseahybridmodel.
Asthenamesuggests,thehybridmodelisacombinationofthemodelsdescribed
above:Dependingonthenatureoftheauditactivitiesconducted,InternalAudit
usesacombinationofsuitablemodelstobilltheauditee.Usingthesemodelsfor
billingwillturnInternalAuditintoatrueproitcenter,reportingproitsatleastfor
partsofitsactivities.
Asmentionedearlier,thedepartmentalbudgetisderivedfromthedepartment’s
objectives,whicharesetannually.Basedonanexistingcosttransferstructure,In-
ternalAuditcandeterminewhetherthedepartmenthaskeptwithinorexceeded
budget.AlthoughInternalAuditisnotarevenue-generatingdepartment,itshould
ensurethatitmeetsitsbudget.Withtheoverviewthatthebudgetprovides,Internal
Auditmanagement cananalyzewhether the existingcost transfers arebasedon
reasonableparameters.Itcanalsoregularly(e.g.,quarterly)monitorbudgetutiliza-
tion compared to cost recovery. Such regular checks help initiate any necessary
correctiveaction immediately. Inaddition,at theendof theyear, InternalAudit
should analyze the variances between the actual igures and the budget for the
year.
InternalAuditmanagementshouldcheckInternalAudit’sannualcostreportsto
establishwhetherthereportediguresare in linewithstandardvaluesorbudget
(seeSectionD,Chapter7).hefollowingareexamplesofreportsthatcanbemade
availabletoInternalAuditmanagement:
• summaryofthepublishedreportsandtheirresults,
• summaryofbillableprojecthours,
• listofnon-billablehours,e.g.,forgeneraladministration,
• summaryoftheauditsurveys,
• absenteeismstatistics,
• currentstatusofalloutstandingaudits,and
• auditsthathaveexceededtheirtimeschedule.
InadditiontoInternalAudit’scosts,thedepartmentmustalsoanalyzeitsperfor-
mancefrombothainancialandnon-inancialperspective.Varianceanalysisisnot
theonlywayofdetermining the eiciencyandefectivenessof thedepartment’s
resourceutilization.Itisalsopossibletoassessproductivitybyanalyzingtheresults
ofpeerreviews.InternalAudit’sperformancecanalsobeassessedthroughspeciic
indicatorsandratios,suchasnumberofauditsperauditor,numberofindingsper
audit,numberofauditrequests,percentageofcostsinexcessofauditbudget,pro-
portionofnon-productiveandproductivetimeperauditor,anddirectaudit-related
costsasaproportionof totalcostsperauditproject.hese indicatorsandratios
allowInternalAudittotakeefectivemeasurementsofthequantitativeandqualita-
tiveaspectsofallauditactivities.
Hybrid ModelHybrid Model
Departmental BudgetDepartmental Budget
Annual ReportsAnnual Reports
IndicatorsIndicators
536
HInts AnD tIPs ;
• hetimespentonanaudit shouldberecorded immediatelyandanalyzedas
soonaspossible.
LInKs AnD RefeRenCes e
• INSTITUE OF INTERNAl AUDITORS.2001.Practice Advisory 2020-1: Communica-
tion and Approval. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• REDING, K. F., P. J. SOBEl, U. l. ANDERSON, etal. 2007. Internal Assurance and
Consulting Services. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SAWyER,l.B.,M.A.DITTENHOFER,ANDJ.H.SCHEINER.2003.Sawyer’s Inter-
nal Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
Special Topics and Supplementary Discussion
Peer ReviewD | 9
537
9 Peer Review
Key Points •••
• Apeerreview,alsoknownasaqualityassurancereview(orQAR),istheevalu-
ationofaninternalauditdepartmentbyindependentprofessionalsinthesame
ieldasrequiredbytheIIA.
• Apeerreviewexaminestheinternalauditdepartment’scompliancewithprofes-
sionalstandardsandsuggestsimprovementsinordertoalignthedepartment
withbestpracticesrecognizedintheprofession.
• Generally,internalauditdepartmentscandecideforthemselveswhomtoselect
asauditpartner.
• hepeerreviewgoesthroughthenormalphasesofanauditproject,i.e.,plan-
ning,preparation,execution,reporting,andfollow-up.
Apeerreviewistheevaluationofaninternalauditdepartment’sworkbyindepen-
dentprofessionalsinthesameield.Othertermscommonlyusedforthisprocess
include“qualityassessment”,“qualityassurancereview”or“QAR.”Inapeerreview
anexternalpartyexaminesthestrengthsandweaknessesoftheinternalauditde-
partment,usuallyincludingorganizationalandoperationalstructures.Peerreviews
mustbeconductedbyqualiiedpersonswhohaverelevantprofessionalexpertise,
arenotconnectedwiththecompany,andhavenoconlictinginterests.Peerreviews
areconcludedwithawrittenreport.
Inrecentyears,recognitionandpublicscrutinyofauditorshasincreased,en-
hancingtheimportanceofindependentpeerreviews.Asaresult,theAICPAhas
reviseditsPractice-MonitoringProgramandissuednewstandardswithefectfrom
January1,2005.
Likewise, internalaudit instituteshaveenhancedtheirpeerreviewprograms.
IIA Standard 1312 (External Assessments) advises that a peer review should be
conductedbyanindependentbodyonceeveryiveyears.Further,sincethisstan-
dardcameintoefectonJanuary1,2002,everyinternalauditdepartmentseeking
accreditationforitsactivitiesaccordingtotheInternationalStandardsforthePro-
fessionalPracticeofInternalAuditingmustconductapeerreviewbyDecember31,
2006.heIIAhasissuedadditionalguidanceonpeerreviewsinPracticeAdvisories
1312-1(ExternalAssessments),1312-2(ExternalAssessmentsSelf-Assessmentwith
Independent Validation), and 1320 – 1 (Reporting on the Quality Program). In
addition,theIIAupdateditsQualityAssessmentManualin2006.
hemainobjectiveofapeerreviewistoimproveauditqualityasawhole.Such
anassessmentisagoodwayofevaluating,documentingandreportingontheef-
fectivenessandqualityofaninternalauditdepartmenttointernal(e.g.,corporate
management,BoardofDirectors)andexternalbodies(e.g.,externalauditors).It
alsoprovidesvaluablesuggestionsforimprovinginternalauditpractices.Although
theprofessionalpracticestandardsformthebasisforapeerreview,theyarenor-
DeinitionDeinition
Peer Review and Public AccountantsPeer Review and Public Accountants
Peer Review and internal AuditPeer Review and internal Audit
Peer Review objectivePeer Review objective
538
mallysupplementedbytheexperienceofthepeerreviewproviders.hisprocessis
thereforenotonlyaboutcompliancewithstandardsandaboutindingoutifaudi-
torsadheretotheirownprocesses.ItisalsoaboutaligningInternalAuditwiththe
profession’srecognizedbestpractices.
In2005,InternalAuditatSAPinitiatedapeerreviewprocesswiththefollowing
objectives:
• toobtainobjectiveconirmationfromprofessionalthirdpartiesthattheaudit
procedurespracticedbyGIASconformtoIIAstandards,
• to gain a certiied substantive basis for the development of an SAP sotware
solutionforauditmanagement,
• toenhance theproileandstatusofGIASbothwithinSAPandamong third
parties,
• togaincredibilityamongcontactsaswellasinternal,andexternalcustomersby
reversingtheroles(auditingtheauditors),
• to allow Internal Audit employees to gather valuable personal experience
throughouttheprocess,
• tofacilitatebenchmarkingagainstinternalauditdepartmentsofothercompa-
nies,and
• tomotivateInternalAuditemployeesbecausethepeerreviewshouldgivethem
conidencethattheyareusinganinternationallyrecognizedandefectiveaudit
model.
hedevelopmentofthepeerreviewconceptinvolvespreliminaryconsiderations
andgeneralplanningforconductingapeerreview.heseconsiderationscomprise
thefollowing:
• initialassessmentoftheprojecttoobtainaclearunderstandingoftheexpected
beneit,
• appointmentofaninternalprojectteam,
• presentationofairstprojectplantotheentiredepartmenttoestablishitsbasic
readinesstoconductapeerreview,
• deinitionoftheperiodtobereviewed,and
• testingoftheinternalqualityassuranceprogramwhichisthebasisforthepro-
cessestobesubjectedtopeerreview.
heprofessionalstandardsoftheIIAonlyrequirethatexternalqualityassurance
reviewsbeconductedbyqualiied,independentauditors.Toalargeextent,thein-
ternalauditdepartmentscandecidefor themselveswhomtoselect for this task.
However,intermsofcontentandtopic,apeerreviewshouldbeconductedaccording
toIIAprinciples,becausetheyrepresentthecurrentbestpracticeintheprofession.
Manyconsultingirmsoferqualityassessmentreviewsaspartoftheiraudit-
relatedservices.heprofessionalinternalauditinstitutesalsooferpeerreviewser-
vices.hequalityassessmentcanbemadeeithermainlybyathirdparty,orinthe
objectives of the Peer Review at sAP
objectives of the Peer Review at sAP
Development of the Peer Review Concept
Development of the Peer Review Concept
selection of the Peer-Review Partner
selection of the Peer-Review Partner
Possible Peer-Review Partners
Possible Peer-Review Partners
Special Topics and Supplementary Discussion
Peer ReviewD | 9
539
formofself-assessment,followedbyareviewoftheresultsbyathirdparty.heIIA
commonlyprovidesandalsoperformsqualityassessmentservices.
Asisthecaseformostpurchasingdecisions,bidsforcomparisonshouldbein-
vitedwhenselectingapeer-reviewpartner.GIASconsideredseveralbids in this
regardfromtheIIAaswellasfromexternalconsultingirmsofdiferentsizesand
eventuallydecidedontheIIAasareviewpartner.
Eachinternalauditdepartmentmustmakeitsowndecisionregardingtheben-
eitsandsuitabilityofthediferentproviders.Butunlikeexternalconsultingirms,
the professional organizations generally rely on practicing professionals making
themselvesavailableonavoluntarybasis.heseprofessionalsaremembersofthe
professionandcertiiedas such,but theydonot receiveany fees;only their ex-
pensesarereimbursed.
Oncetheinternalauditdepartmenthasselectedasuitablepeer-reviewpartner,
theactualpreparationphasebegins.AtthisstageInternalAuditshouldmatchand
comparetheIIAstandardswiththedepartment’scurrentprocessesandrules.
Itisofcriticalimportancethataninternalauditdepartmentbeknowledgeable
ofitsownprocessesbeforeundergoinganexternalreview.InternalAuditatSAP
tookthefollowingmeasurestoprepareforitspeerreview:
• Developedadetaileddeinitionandcleardocumentationofitsownqualityas-
suranceconcept(seeSectionD,Chapter5).
• Usedcross-teamauditorstoassessinternallywhethertheexistingqualityassur-
anceconceptiscompliedwith.
• Conductedadepartment-internalemployeesurvey:Astandardquestionnaire,
whichisbasedonIIAquestionnaires,wasusedtoaskemployeestogivetheir
personalassessmentofthequalityoftheInternalAuditfunction.
• Conducted a pre-investigation in conjunction with the selected peer-review
partner.Aone-or two-daymeetingprovides theopportunity todiscusspre-
liminaryresultsfrominternalreviewstepsinadvanceand,ifappropriate,agree
theirstcorrectivemeasures.
hese results were communicated to all Internal Audit employees immediately
before theactualpeer reviewso that theycould look forward to the subsequent
externalreviewwithconidenceandapositiveattitude,orrectifyanyshortcom-
ings,ifpossible.
heinternalauditdepartmentbeingreviewedhaslittleinluenceontheexecu-
tion of the actual peer review, but it can play a key role in helping the process
succeedbyprovidingsupportandexplanationstothereviewers.Itisparticularly
importanttoensurethatthepeerreviewauditorsareabletocommunicatewiththe
company’smanagementbodiesandInternalAudit’sothermaincontacts,because
a quality review oten involves open and structured interviews with managers,
auditors, and other employees (e.g., from Corporate Legal or Corporate Risk
Management).
Partner selection at sAPPartner selection at sAP
Company-speciic DecisionCompany-speciic Decision
Preparation for the Peer ReviewPreparation for the Peer Review
Preparatory steps at sAPPreparatory steps at sAP
execution of the Peer Reviewexecution of the Peer Review
540
he peer review mostly focuses on assessing the following aspects of audit
work:
• OrganizationalpositioningandstructureofInternalAudit:Here,theorganiza-
tionalfundamentalsofthedepartmentareconsidered(e.g.,onthebasisofthe
Charter,mission,targetagreements,andtheaudithandbook).
• Deinition and implementation of a risk-based audit approach: his involves
reviewingtheauditreports,workingpapers,andauditplanningdocumentsas
partoftheassessmentoftheauditapproachandprojectmanagement.
• PersonnelmanagementwithinInternalAudit(i.e., thequaliications,training
plan,andcareerdevelopmentofitsemployees).
• Deinitionofandcompliancewithqualityassuranceprogramsasdeinedbythe
IIAstandards.
• AuditofIT-relatedissues.
hepeer-reviewpartnershouldkeepInternalAuditinformedabouttheprogressof
thereview.Likeallotheraudits,thesuccessofapeerreviewreliesupontrusting,
transparentcooperationbetweenthepartiesinvolved.
At the conclusion of a peer review a report describing the results is written,
which,ifapplicable,willconirmthatInternalAuditcomplieswiththeIIAstandards.
In addition to conirming compliance, the reports should also suggest improve-
mentsbyhighlightingbestpractices.Itisalsoimportanttoinformthoseresponsible
forInternalAuditinthecompanyoftheresultsofthepeerreview(e.g.,CEO,Audit
Committee).
hepeerreviewresults inanoverallassessmentof InternalAudit’sactivities.
heIIAallowsforthreepossibleratings,i.e.“generallyconforms”,“partiallyconforms”,
and “does not conform”. In 2006, GIAS was awarded the “Generally conforms”
statusbytheIIA.
InternalAuditshouldhavetheconidencetocommunicatethepeerreviewre-
sultswithinthecompany.hisistheonlywaythepeerreviewcanachieveoneofits
mainobjectives:tostrengthenInternalAudit’sstandinginthecompany.
heminimumobjectiveofapeerreviewistoconirmthattheinternalaudit
departmentreviewedperformsitsactivitiesinaccordancewiththeIIAstandards.
Ifthisobjectiveisnotmet,thepeer-reviewpartnershouldspecifycorrectiveac-
tionsanddeadlineswithinwhichtheactionsaretobeimplemented.Ifthemini-
mumobjectivehasbeenmet,InternalAuditshouldcontinuealigningitselfwith
recognizedbestpractices.Forthispurposethepeerreviewpartnercanpointout
potentialforimprovementand,ifpossible,speciicstepstobesttappingthispoten-
tial.heserecommendationsshouldthenbeimplementedinasustainablewayas
partofastructuredfollow-upprocess,i.e.,withirmresponsibilities,deadlines,and
escalationproceduresifnecessary.
Main Focus Areas of the Peer Review
Main Focus Areas of the Peer Review
CommunicationCommunication
ReportingReporting
iiA AssessmentiiA Assessment
internal Audit’s Response
internal Audit’s Response
implementation of Recommendations
and Follow-Up
implementation of Recommendations
and Follow-Up
Special Topics and Supplementary Discussion
Peer ReviewD | 9
541
Hints AnD tiPs ;
• Internal Audit’s professional associations provide comprehensive peer review
guidelines.
• Manyconsultingirmsalsooferdetailedguidelinesonthistopic.
LinKs AnD ReFeRenCes e
• InSTITUTEOFInTERnALAUDITORS.2004.Practice Advisory 1312-1: External As-
sessments.AltamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnALAUDITORS.2004.Practice Advisory 1312-2: External As-
sessments Self-assessments with Independent Validation.AltamonteSprings,FL:heInsti-
tuteofInternalAuditors.
• InSTITUTEOFInTERnALAUDITORS.2004.Practice Advisory 1320-1: Reporting on
the Quality Program.AltamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnALAUDITORS.2002.Standards for Professional Practice.Al-
tamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITUTE OF InTERnAL AUDITORS. 2006. Quality Assessment Manual. 5th ed.
AltamonteSprings,FL:heInstituteofInternalAuditors.
• SAwyER,L.B.,M.A.DITTEnHOFER,AnDJ.H.SCHEInER.2003Sawyer’s Inter-
nal Auditing. 5thed.AltamonteSprings,FL:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:warren,Gorham&Lamont.
542
10 GuestAuditors
KeyPoints •••
• Guestauditorsmaybeusedinalltypesofaudits.
• heuseofguestauditorsmaybenecessaryordesirablewhenspecialistknow-
howisneeded,capacityproblemsexist,oremployeeshavetobetrained.
• herearequalitativeandquantitativecriteriafortheselectionofguestauditors.
• AtSAP,theselectionofguestauditorsfollowsasetprocedure.
• Guestauditorsshouldbeintegratedintotheauditteamfromanorganizational
andtechnicalpointofview.
• Beforethestartoftheaudit,basicauditingproceduresshouldbeexplainedto
guestauditorsduringatrainingday.
• herelationshipwiththeguestauditorshouldbemaintainedevenatertheend
oftheaudit.
• Costallocationfortheuseofguestauditorsmustbeclariiedbeforetheaudit,
andallcostshavetobebudgeted.
AtSAPtheauditleadortheAuditManagerisresponsiblefordecidingwhetherto
includeoneormoreguestauditorsinaGIASauditteam.hischaptershowsthat
theuseofguestauditorsmaybeconsideredforavarietyofreasons.hegeneral
term“guestauditor”isusedinthiscontexttorefertoanypersonswithsigniicant
involvementinanauditwhodonotdirectlybelongtotheinternalauditdepart-
ment. In practice, more than one guest auditor may be used, depending on the
particularaudit inquestion,butanaudit teammustneverconsistexclusivelyof
guestauditors,i.e.,carehastobetakentoinvolveatleastonepermanentInternal
Auditemployeeintheaudit.WhileguestauditorsareusedinfrequentlyatSAP,in
someorganizationsresourceconstraintsrequireconsistentuseofguestauditorsin
formalco-sourcingorout-sourcingarrangements,wherepartoralloftheinternal
auditieldworkisperformedbyoutsideauditors.
he environment in which Internal Audit operates has become increasingly
complex.SometimesthisgivesrisetosituationswhereInternalAuditemployees
cannotcovercertainauditcontentwiththeirownexpertise,andtheappropriate
trainingwouldtaketoolongtocomplete.However,inotherpartsofthecompany
and also outside the company, there may be experts who will have the relevant
backgroundandrequiredknowledge.InternalAuditmustrecognizeandtapinto
thewealthofknowledgeandexperienceoftheseexperts.hiswillallowInternal
Audittoconductcomplex,specializedauditactivitiesinlinewithrequirements.
herecanalsobecapacityreasonsforemployingguestauditors.Forexample,if
theresourcescheduledoesnotprovidesuicientcapacitytostafateamforanaudit
thatcannotbepostponed,(e.g.,becauseofinstructionfromtheBoardofDirectors)
itispossibletoaddoneormoreguestauditors.Extraordinarysituationslikethat
mustbeagreedwiththerelevantAuditManagerandtheCAE.
introductionintroduction
GeneralneedforGuestAuditors
GeneralneedforGuestAuditors
QuantitativeReasonsforGuestAuditors
QuantitativeReasonsforGuestAuditors
Special Topics and Supplementary Discussion
Guest AuditorsD|10
543
Insomecases,itmaybepossibletoincludeaninexperiencedguestauditor,e.g.,
auniversitystudent,inanaudit.heselectiondependsonthetimeandresource
schedulefortheauditconcerned.Insuchcases,thefocusisnotonco-optingtech-
nical expertise, but on providing training for inexperienced Internal Audit
employeesandpeoplewhomayjointhedepartmentinthefuture.
Guestauditorscanbeusedinstandardandspecialaudits,aswellasinad-hoc
audits.ItistheresponsibilityoftheauditleadandtheAuditManagertoidentifythe
needtodeployaguestauditor.Sinceauditleadsareawareofengagementswellin
advance(seeSectionB,Chapter2.4), theyare inapositiontostart theresource
procurementprocessifnecessary.Duetotheshortnoticegivenforad-hocaudits,
guestauditorsmaybecomeinvolvedinsuchauditsonshortnotice.
Guestauditorsshouldbeinvolvedinauditworkfromthebeginningoftheaudit.
At SAP they work according to the GIAS Roadmap (see Part B) and cooperate
closelywiththeInternalAuditteam.However,thirdpartiesinvolvedinauditwork
foraspeciictaskthatrelatesonlytoacertainfunctionarenotclassiiedasguest
auditors.Suchparties,knownasassessors(e.g.medicalexperts,privatedetectives,
membersofthepoliceservice,lawyers)areco-optedfordealingwithveryspeciic
tasksintheaudit.Incertaincircumstances,theAuditManagerandtheauditlead
mustdecide,inconsultationwiththelegaldepartmentifnecessary,whethertoin-
volveanassessortogiveanexpertopinion.
Whenselectingguestauditors,itshouldbeensuredthattheymeetthetechnical
requirements of the audit in question and are able to contribute the necessary
know-how.heguestauditor’s technicalqualiicationsandexperienceshouldbe
consideredrelativetotheScopeonwhichtheauditisbased.Iftheauditiscomplex,
forexampleinthecaseoffraudaudits,itisadvisabletoinvolveanauditorwhoal-
readyhasexperienceinthisarea.
SAPhasformalizedtheuseofguestauditorswithinGIASauditteamsaccording
tothefollowingprocess,whichdistinguishesbetweeninternalguestauditors(SAP
employees)andexternalguestauditors.
• Internalguestauditors:
■ heAuditManagerandtheCAEagreeontheuseofaguestauditorsothat
hisorherdeploymentcanbeapproved.
■ heAuditManagerinformstheCAEofthecosts(workingdaysandtravel
expenses).
■ Aninternalorderiscreatedandtheinternalordernumberisforwardedto
theauditlead.
■ heauditleadcreatesastainglistfortheguestauditor(necessaryforSAP-
internalcosttransfers),whichrecordstherelevantpersonalandorder-related
data.
■ heguestauditormustsignanon-disclosureagreement,alsoarrangedby
theauditlead.
■ he audit lead requests a new drive on the data server (group share) on
whichtheguestauditorcanwork.Atertheaudit,thedataistransferredto
trainingandRecruitmenttrainingandRecruitment
DeploymentoptionsDeploymentoptions
DeinitionoftermsDeinitionofterms
QualitativeselectionCriteriaQualitativeselectionCriteria
selectionatsAPselectionatsAP
544
thegeneralGIASgroupshare.hereasonfortheseparatedriveistoprotect
sensitivedataontheInternalAuditdrivefromaccessbytheguestauditor.
• Externalguestauditors:
■ heAuditManagerandtheauditleadmustobtainatleasttwodiferentprice
quotesforguestauditors.
■ heAuditManagerandtheCAEagreeontheuseofaguestauditorsothat
hisorherdeploymentcanbeapproved.
■ Apurchaseorderandaninternalorderarecreated.
■ AnexternaluserIDisrequestedfortheguestauditorinordertogivehimor
heraccesstopredeinedsystems.histaskiscarriedoutbytheauditleadin
cooperationwiththepersonalassistantoftheCAE.
■ heexternalguestauditormustsignanon-disclosureagreement,againar-
rangedbytheauditlead.
■ Forthesamereasonasinthecaseoftheinternalguestauditor,theauditlead
appliesforanewdriveonthedataserver(groupshare)onwhichtheguest
auditorcanwork.Atertheaudit,thedataonthisdriveisalsotransferredto
thegeneralGIASgroupshare.
heassignmentofguestauditorstoacertainrolewithintheauditteampresents
aparticularchallengefortheAuditManagerandtheentireteam.heguestaudi-
tor’stechnicalandorganizationalassignmentmustbedeinedbeforetheauditand
communicatedclearlytoallinvolved.Itisalsopossibletoappointtheguestauditor
asauditlead.hisdecisionismadebytheAuditManager,inconsultationwiththe
CAE.Aguestauditormaybeusedastheauditleadwhenthereisashortageofre-
sourcesatthetimethestaingplanisdrawnup.However,atSAPatleastoneaudi-
torfromtheinternalauditdepartmentmustbeinvolvedineveryaudit.
Whateverthecircumstances,itisessentialtointroducetheguestauditortoIn-
ternalAudit’sauditapproachandbasicauditingprocedures.Tothisend,itisuseful
toscheduleatrainingdayinordertofamiliarizetheauditorwiththesetopics.he
auditleadisresponsibleforpreparingthetraining.AtSAPsuchtrainingdealsin
particularwiththeGIASstandardRoadmap,basicauditprocedures,thecreation
and iling of working papers, communication with employees of the area being
audited,andthecreationoftheauditreport.
heauditleadisresponsiblefortheguestauditor’ssmoothintegrationintothe
audit team. his means knowing the guest auditor’s technical background and
communicatingthistotherestoftheteam.Conversely,italsorequiresinforming
theguestauditorabouttheauditteamandthetechnicalqualiicationsand/orpref-
erences of its individual members. In addition to the technical background, the
personalaspectalsoplaysanimportantpartwhenintegratingtheguestauditorinto
theteam.AuditleadandAuditManagershouldrecognizeandtakeintoconsider-
ationtheguestauditor’sstrengthsandweaknessestoenhancecooperation.hey
alsoshouldensurethattheguestauditor’sarrivalintheteamdoesnotgiveriseto
technicalandorganizational
Assignment
technicalandorganizational
Assignment
trainingtraining
integrationintotheteam
integrationintotheteam
Special Topics and Supplementary Discussion
Guest AuditorsD|10
545
any(personal)conlictintheteamandeliminateanydiicultiesassoonaspossible,
ideallybeforetheactualauditworkbegins.Ifpossible,theauditleadshouldsched-
uleandprepareforameetingoftheentireauditteambeforetheauditbegins.
Attheendoftheaudit,theguestauditorshouldbegivenanappropriate“fare-
well.” his refers to the extent to which the relationship with the guest auditor
establishedduringthejointauditworkshouldbemaintainedbeyondtheendofthe
engagement.Adistinctionshouldbemadeinthisregardbetweenexternalthird
partiesandguestauditorsfromelsewhereinSAP.Clariication,frombothanorga-
nizationalandainancialperspective,shouldalsobesoughtastowhethertheguest
auditorwillcontinuetobeinvolvedinanyauditfollow-upactivities.Itmustalsobe
clearlydeinedtowhatextentcontactwiththeguestauditorwillbemaintained.
Depending on the cooperation in the audit team, this may vary between rather
formalandmore relaxed formsof contact.Whatever thecase, theguest auditor
shouldbeavailableforqueriesandinformationrelatingtotheaudit,becausethere
willinvariablybequestionsatertheauditormeetingswiththeauditees.Ifthese
meetingsraisetopicscoveredbytheguestauditor,heorsheshouldalsoattend.
heuseofguestauditorsincursbothinternalandexternalcosts.hecostsare
chargedtotheGIAScostcenterconductingtheauditandarethereforeunderthe
AuditManager’sresponsibility.hecostsofexternalauditorscaneasilybeidenti-
iedandassignedonthebasisoftheinvoice.
IftheguestauditorisanSAPemployee,costallocationmaybemorecompli-
cated. Two diferent cost categories are possible. Travel expenses and the guest
auditor’slabor.TravelexpensesarechargedtotherelevantGIAScostcenteronthe
basisoftheinternalorderandtheassociatedstainglist.Incertaincircumstances,
SAP-internal guest auditors, consultants for example, may wish to charge their
hourstotheinternalorderaccordingtothecharge-outratesassignedtothem.In
suchcases,theauditleadandtheCAEhavetodecidewhethertheguestauditors
willbecompensated for thehoursworkedand thecostsactually charged to the
relevantGIAScostcenter.
Forbothinternalandexternalguestauditors,thecostsmustbebudgetedand
includedintheoverallbudgetoftheappropriateGIAScostcenter.Iftheyarenot
appropriatelybudgeted,theremaybedelaysinacquiringtheguestauditor,which
inturnmayimpacttheauditandGIASgenerally.heAuditManagerisresponsible
foravoidingsuchimpact.
HintsAnDtiPs ;
• Makesuicientallowanceinyourbudgetforthepossibleemploymentofguest
auditors.
• Startselectingsuitableguestauditorswellinadvance.
ConclusionoftheAuditConclusionoftheAudit
GuestAuditorCostsGuestAuditorCosts
internalCosttransfersinternalCosttransfers
BudgetingBudgeting
546
LinKsAnDRefeRenCes e
• InSTITuTE oF InTERnAl AuDIToRS. 2001. Practice Advisory 1210-A1: Obtaining
Services to Support or Complement the Internal Audit Activity.AltamonteSprings,Fl:he
InstituteofInternalAuditors.
• InSTITuTEoFInTERnAlAuDIToRS.2002.Standards for Professional Practice.Al-
tamonteSprings,Fl:heInstituteofInternalAuditors.
547
11 ManagementofInternalAudit11.1 Operational Audit Management
KeyPoInts •••
• Auditmanagementisinluencedbythediferentmanagementlevelswithinthe
internalauditdepartmentandtheirrespectivefocusondiferenttasks.
• Audit management consists of diferent components: audit planning, quality
management,performancemanagement,andauditcontrol.
Managementoftheinternalauditfunctionis inluencedbythevariousmanage-
mentlevelswithinthedepartmentaswellasmanagement’sfocusondiferenttasks.
heCAEkeepstrackoftheimplementationoftheannualauditplanandofaudit
controlasawhole,whiletheAuditManagersperformmanagementtasksduring
theaudit execution.Audit leadsare responsible for theauditprocess from their
speciicperspectives.
he type and complexity of the tasks to be monitored by audit management
shouldalsobeconsidered.Strategic tasks, suchas the introductionanduseofa
benchmarking system, requireasmuchmanagementcontrolasa complexaudit
itself.Managementtasksincludecooperationandthejointidentiicationofsolu-
tionswiththepartiesconcernedwhenbottlenecksorotherproblemsoccur.his
requiresthecooperationofallmanagementlevelswithinInternalAuditandwith
theauditees.
Diferentdisciplinescanbeincludedunderthegeneralheadingofauditman-
agement:
• auditplanning,
• qualitymanagement,
• performancemanagement,and
• auditcontrol.
Auditplanning(seeSectionB,Chapter2andSectionD,Chapter3)andqualityman-
agement(seeSectionD,Chapter5)formanintegralpartoftheAuditRoadmapand
havebeenirmlyestablishedasoperationalauditmanagementelementsofInternal
Audit’sprocess.hetwootherauditmanagementdisciplines,performanceman-
agementandauditcontrol,canbeseenasoverallmanagementfunctionsofInternal
Auditmanagement,especiallysincetheyaremonitoringtasksratherthanopera-
tionalactivities.PerformancemanagementinInternalAudithastwocomponents,
theauditperformance recordandemployeemanagement, i.e., linemanagement
andcontrol,includingperformancefeedback(fordetails,seeSectionA,Chapters
4.5and4.6).
InternalAuditManagementLevelsInternalAuditManagementLevels
orientationoftasksorientationoftasks
AuditManagementDisciplinesAuditManagementDisciplines
Special Topics and Supplementary Discussion
Management of Internal Audit
Operational Audit Management
D|11|11.1
548
Operational audit management
Audit planning Quality management Performance management
Audit perfor-
mance record
Employee
management
Audit control
Monitoring audit management
Audit Management of Internal Audit
Fig. 25 Audit Management Disciplines of Internal Audit
HIntsAnDtIPs ;
• AuditManagersshouldusetheirowninitiativetocontributetooperationalau-
ditmanagementprocesses,forexample,bycompletingoptionalqualitygates.
• AuditManagersshouldalsoregularlydiscussthepotentialforimprovingopera-
tionalauditmanagement.
LInKsAnDRefeRences e
• REDIng, K. F., P. J. SoBEl, U. l. AnDERSon, etal. 2007. Internal Assurance and
Consulting Services.AltamonteSprings,Fl:InstituteofInternalAuditors.
• SAwyER,l.B.,M.A.DIttEnhoFER,AnDJ.h.SChEInER.2003.Sawyer’s Inter-
nal Auditing.5thed.AltamonteSprings,Fl:heInstituteofInternalAuditors.
• SEARS,B.2002.Internal Auditing Manual.newyork,ny:warren,gorham&lamont.
11.2 Monitoring Audit Management
11.2.1 Audit Performance Record
as Part of Performance Management
KeyPoInts •••
• heauditperformancerecordprovidesanoverviewoftargetachievementfor
allplannedaudits.
• Itcontainsall therelevant informationfromthestart throughtheendof the
year,documentingtheactualtimesequenceofeveryaudit.
• InternalAuditmanagementisprimarilyresponsiblefortheauditperformance
record.
hepurposeoftheauditperformancerecordistomonitorandcontroltheimple-
mentationoftheannualauditplan.Itisusedasevidencetoshowallthoseinvolved
inInternalAuditandallotherresponsibleunitsthattheannualauditplanhasbeen
functionoftheAuditPerformanceRecord
functionoftheAuditPerformanceRecord
549
dulyimplementedandanyamendmentshavebeendocumentedandcanbetraced.
hus,thefocusislessontheindividualauditperse,whichwillbemonitoredinthe
contextofauditcontrol(seeSectionD,Chapter11.2.2).
onceauditplanninghasbeencompleted,theirmlyscheduledauditsareen-
teredintheauditperformancerecord.hisformsthebasisforupdateswiththeaim
ofhavingfullcontrolofprogressandanychangesmadeinthecourseoftheyear.
heAuditManagerscontinuouslymonitoreachitemoftheplan.
heitemsincludedintheplanarestructuredverticallyandbreakdowninto:
• globalaudits,
• regionalandlocalaudits,and
• specialaudits,suchascustomerconirmationsandSoXaudits.
Inadditiontothisbasicstructure,furtherdiferentiationispossibleforeachitem.
Inthecourseoftheyear,ad-hocauditsareaddedtotheitemsalreadyplanned.
Inadditiontotheverticalstructure,thereisalsoahorizontalstructure,accord-
ingtowhichInternalAuditshoulddiferentiateauditengagementsbyaudittype,
auditorresponsible,andexecutiondate.InternalAuditalsoshouldstatewhetheran
engagementhasbeenreturnedtotheauditinventory,whetheranaudithasbeen
postponeduntilthefollowingyear,orwhethertheengagementhasbeencanceled
(withreasonsgiven).Sincetheannualauditplanisatargetagreementbetweenthe
AuditCommitteeand InternalAudit, anychangemustbemade inconsultation
withtheCAEandexplicitlyandclearlyjustiied.
Attheendoftheyear,theauditperformancerecordconcludeswithitemstobe
carriedforwardtothefollowingyear.onthisbasis,InternalAuditcanassessthe
implementationoftheannualauditplanandtheeiciencyofInternalAudit.Fur-
ther,InternalAuditcanincludeotherinformationintheauditperformancerecord,
e.g.informationonanyauditsurveysreceived(seeSectionD,Chapter7.2.2).
heAuditManagersofInternalAuditandtherelevantauditleadsarerespon-
sible for correctly maintaining and monitoring the audit performance record.
togetherwith theAuditManagerconcerned, theaudit leadsshouldbeawareof
theirresponsibilityandmaintainthedataaccordingly.heaccuracyoftheinforma-
tionthattheauditleadspassondependsontheirownjudgmentandontheinfor-
mation individual auditors have given them. his means that an accurate audit
performancerecordistheresponsibilityofallinvolvedandshouldbeinterpretedin
thisway.
heCAEandtheAuditManagersshoulddiscusstheauditperformancerecord
regularlyandanalyzetheresultsatleastonceeachquarter.helateststatusofthe
auditperformancerecordshouldalsobediscussedduringteammeetings.Byin-
cluding the opinions and suggestions of individual auditors, Internal Audit will
ultimatelyarriveatacomprehensive,objectivepictureforeachauditteamandfor
InternalAuditasawhole.
startingBasestartingBase
VerticalstructureVerticalstructure
HorizontalstructureHorizontalstructure
BasicAuditPerformanceRecordPatternBasicAuditPerformanceRecordPattern
ResponsibilityforDataMaintenanceResponsibilityforDataMaintenance
DiscussionoftheAuditPerformanceRecordDiscussionoftheAuditPerformanceRecord
Special Topics and Supplementary Discussion
Management of Internal Audit
Monitoring Audit Management
D|11|11.2
550
HIntsAnDtIPs ;
• AuditorsshouldlettheauditleadandAuditManagerresponsibleknowabout
anycircumstancesandchangesthatcouldhaveanimpactontheauditplan.
• Auditorsshouldregularlychecktheplanaboutthestatusofauditsinwhichthey
areinvolved.
• AuditorsshoulddiscussanydiscrepancieswiththeAuditManagerresponsible.
11.2.2 Audit Control
KeyPoInts •••
• Auditcontrolfocusesondetailedplanningandmonitoringofanindividualau-
dit.
• heminimumrequirementunderthisprocessistoplanthenecessarytimes,
resources,andbudgets foreachphaseof theAuditRoadmapandtomonitor
thembasedupondeinedmilestones.
• herelevantcorrectionandcontrolmeasuresarecloselyrelatedtothisrequire-
ment.
• Anotherimportantelementofauditcontrolisthemeasurementoftheeiciency
oftheinalauditresult.
• heauditleadandtheAuditManagerarejointlyresponsibleforauditcontrol.
• Foreachaudit,auditcontrolcanbemappedalongtheAuditRoadmaponthe
basis of igures and can be reported to the Audit Committee and the Board
through key performance indicators and a standardized evaluation system
(suchasthetraiclightsystem).
Auditcontrolisasub-disciplineofauditmanagementanddealswiththedetailed
planningandmonitoringofaudits.Itafectsallcategoriesandtypesofaudits.As
explainedpreviously(seeSectionB,Chapter2.2),anannualauditplaniscompiled
irst.hisplandeinesthetimeperiodsscheduledforallauditsandassignsauditors
andanauditleadtoeach.hisperspectivelooksattheauditasawhole.however,
toensureclosermonitoringofanaudit,itisnecessarytoplanandanalyzethespe-
ciicphasesoftheaudit,alwaysdependingontheauditconcerned,andespecially
the audit type. to establish comprehensive audit management, an internal audit
departmentshoulddeinesomestandardgridsortemplatestoassisttheplanning
process.hesegridscanbeusedtostructureindividualauditsquicklyandsecurely
accordingtooperationalprojectmanagementprinciples.
Beforeintroducingauditcontrol,InternalAuditshouldsetanumberofbasic
parameters,forexamplethewayinwhichtimeisrecorded.Itisalsonecessaryto
clearlydeinehowthesevariablesareusedinemployeeevaluationsandsalaryre-
views. Internal Audit should clarify possible interrelations and the exchange of
DetailedMonitoringDetailedMonitoring
RequiredDeinitionsRequiredDeinitions
551
information with human Resources, the data protection oicer, and Managerial
Accounting. InternalAudit shoulddecide theextent towhichrecordedworking
timescanandmaybeusedasabasisforcosttransfers(seeSectionD,Chapter8).
Anothercloselyrelatedissueisthetreatmentofovertime,includingtheresulting
alternative billing options (e.g., higher rates charged for time worked outside
normalhours).InternalAuditmustdeterminehowtodiferentiatethedatatobe
captured(i.e.,whethertheinformationistoberecordedperauditorandauditor
whetheraggregatesaresuicient).hereInternalAuditmustconsiderdataprotec-
tion regulations in the interest of individual employees as well as the need to
conductobjectivelysuccessfulauditswithoutrunningtheriskofmakingmistakes
duringauditworkduetotimeandcostconstraints.
Irrespectiveoftheattributesoftheindividualaudit,thefollowingbasiccompo-
nentscanbespeciiedforauditcontrol:
• Everyaudittaskrequiresacertainamountoftime.hetimesheetcanbeusedto
specifyatimescheduleforeveryauditbysettingmilestones.Foreachphaseof
theAuditRoadmaporevenwithinaphase,thesemilestonesareusedtocheck
whetheranauditsteporworkpackagehasbeencompleted.hepercentageof
completionisthencomparedtothecostsincurredandthetimetakenuptothat
point.
• Detailedauditplanningcanbecarriedoutattheactivitylevel(i.e.,processstep)
or the auditor level. he overall perspective is achieved by summarizing the
auditorvaluesinrelationtocertainactivitiesoranaudit.Forglobalorlonger-
termspecialaudits,themostsuitableplanningunitwillprobablybetheauditor
level,andforstandardauditstheactivitylevelwilltendtobemoresuitablebe-
causethenecessaryauditprocessesareusuallystandardizedinthiscase.
• Aspartofmonitoring,actualtimesarecomparedwithbudgetedtimes,andthe
milestonesreachedaresetagainstplan.Ifthereareanyvariances,suitablemea-
suresaredeined,e.g.adjustmentstotheextentoftheauditand/orthenumber
ofauditorsdeployed,oranextensionofthetimeperiodforindividualphasesor
auditsteps.Inordertoenablethiscomparison,theaudittimesshouldbere-
cordedaccordingtoanactivitycatalog.Activitiesinthiscontextcouldbethe
phasesoftheAuditRoadmaporindividualprocesssteps,suchasthecreationof
theworkprogram.InternalAuditshouldrecordactualtimesforeachactivity,
dividedintocoretimeandovertime.hismakesactualtimesdirectlycompa-
rabletobudgetedtimes.
• AcleardeinitionofindividualprocesseswithinInternalAuditisanimportant
prerequisitefororganizationalimplementationofauditcontrol.hedeinition
speciiesthemethodandperiodoftimerecording,auditorormanagementre-
sponsibility, theinternalcontrolsandapprovals,andtheplanningunit.hus,
InternalAuditshouldalsospecifytheaccountassignment,i.e.,thesystemused
forassigningperformancedata,andthediferentupdatinglevels(peraudit,per
auditperiod,type,etc.).
BasicelementsofAuditcontrolBasicelementsofAuditcontrol
timeRequiredtimeRequired
PlanningUnitPlanningUnit
comparisonofActualandBudgetedtimescomparisonofActualandBudgetedtimes
organizationalPrerequisitesorganizationalPrerequisites
Special Topics and Supplementary Discussion
Management of Internal Audit
Monitoring Audit Management
D|11|11.2
552
• he recorded times are used to assess auditor performance. Diferent billing
methodscanbeusedforadetailedallocationofcostsincurredtotheindividual
audits(fordetails,seeSectionD,Chapter8).Diferentoptionsgenerallyexist
alsowithregardtobudgeting.AlthoughInternalAuditshouldaimforaudit-
related budgets, they will generally be achieved only for certain strategic or
globalaudits,ifatall.Forthisreason,collectivebudgetsaresetup,whichin-
clude,forexample,budgetiguresperregionoraudittype.
• It isalsoimportanttoexaminetheauditresultsbasedonplannedandactual
times, resources,budgets, andcosts. InternalAudit shouldexaminecritically
whetherandhowtheresultscorrelatewiththesevariables.Atthesametime,
InternalAuditshouldcomparetheplannedauditobjectiveswiththoseactually
achieved.hisallowsInternalAudittoevaluatethesubstanceoftheauditand
alsoguaranteethattheauditresultisinreasonableproportiontotheresources
used.
AuditcontrolcanbemappedalongtheAuditRoadmapforeveryaudit.Variances
canbeshowneitherthroughkeyperformanceindicatorsoratraiclightsystem
(where“red”indicatesthevarianceistoolarge,“yellow”indicatesmedium–mod-
eratediferenceand“green”meansthevarianceisacceptable).Aggregatedinforma-
tiononindividualaudittypes,periods,regions,etc.isofparticularinterest.hus,
auditcontrolisalsoenabledtoperformanalysesaccordingtodiferentdimensions.
Forexample,budgetedandactual timescanbeaggregatedperphase forcertain
audit types,orby topicandregion, inorder toobtainamoreaccuratebasis for
planning.hisallowsInternalAudittoallocateresourcesquicklyandprovidesthe
ability toexercisebettercontroloveraudit eiciency.Moreover, it formsagood
basisforanintegratedbenchmarkingsystemandabalancedscorecard(seeSection
D,Chapter7).
heauditleadandtheAuditManagerinchargeareresponsibleforauditcon-
trol.heAuditManagermuststayinvolvedinmonitoringtheprogressofaudits
andinterveneiftherearesigniicantvariances.tothisend,InternalAuditcande-
inethresholdswithinthedepartmenttospecifyatwhatstagetheAuditManager
andtheCAEhavetobeinformedortakeaction.InternalAuditalsoshouldcon-
sider towhatextent theBoardand/or theAuditCommitteeshouldbe involved.
generally,summarizedinformationregardingauditprogressshouldbeprovidedto
thesebodiesat leasttwiceayear,usinganoverallstatusreportthat listsallcon-
ductedandongoingaudits(seeSectionB,Chapter5.5).
HIntsAnDtIPs ;
• Auditorsshouldalwaysrecordcostsasaccuratelyaspossibleandallocatethem
tothespeciiedplanningunits.
• Auditorsshouldregularlyreviewtheresultsofauditcontrolanalysistogether
withtheauditleadinchargeanddiscussthecausesofanyunusualitems.
costMonitoringandBudgeting
costMonitoringandBudgeting
AuditResultcheckAuditResultcheck
BeneitsofAuditcontrolBeneitsofAuditcontrol
ResponsibilitiesResponsibilities
553
12 MarketingofInternalAudit12.1 Internal Marketing
KeyPoInts •••
• Byprovidingqualityauditresultsquicklyandmakingobjectiveandusefulrec-
ommendations,InternalAuditcanefectivelymarketitselfthroughouttheor-
ganization.
• Toreachallthosewithanactiveorpassiveinterest,InternalAuditshouldofer
diferentformsofinformation.
• InternalAuditshouldusethecompany’sintranet,distributeprinteddocuments,
holdinformationevents,anddrawattentiontoitsworkinpublications.
• AuditsurveysarealsopartofInternalAudit’sinternalmarketing.
InternalAuditperformsitsactivitiesasstafdepartmentoftheBoardandprovides
auditresultstotheauditeesonaconidentialbasis.hebestformofmarketingfor
InternalAuditistomaketheresultsofanytypeofauditavailableasquicklyaspos-
sibleandinthebestpossiblequality.hereliabilityandobjectivityassociatedwith
suchapracticearerecognizedbytheorganizationandhelpthedepartmentbuild
arelationshipoftrust.Compliancewiththeauditprinciplesandaconvincingre-
portingsystemhelpsafeguardthedepartment’sreputationacrossalllevelsofthe
organization.
Asecondinternalmarketingtechnique,whichshouldoccurnaturallyasaresult
of an efective audit process, is the implementation of all the recommendations
fromtheauditreport.Iftheauditresultsareintegratedintocorporateprocessesas
expertlymotivatedandobjectivelyvalue-addingpropositions,theywillhaveapos-
itiveinluenceonhowInternalAuditisperceivedthroughoutthecompany.
InternalAuditcannotexistoutsidetoday’snetworkedcommunicationandme-
dialandscape.Inordertoreachallthosewithanactiveorpassiveinterest,Internal
Auditmustoferdiferentformsofinformation.Sometimesotheremployeesinthe
companyarenotawareoftheexistenceofaninternalauditdepartmentortheymay
havethewrongimpressionsofhowthedepartmentworksandarethereforereluc-
tanttoengageitforcertaintasks.herefore,InternalAuditshouldactivelypromote
thefactthatitisavailabletohelpwithmanytypesofproblemsandcanbeinvolved
inindingasolution.Tothisend,alltheinstrumentsthatcanbuildcommunicative
relationshipsshouldbeused.
heintranetisofparticularimportanceinthisregardbecauseitcanbeusedto
providethefollowing:
• informationaboutthedepartment,
• servicesofered,
• auditprinciplesandstandards,
• processmodel,
AuditQualityAuditQuality
RecommendationsRecommendations
CommunicationCommunication
UseoftheIntranetUseoftheIntranet
Special Topics and Supplementary Discussion
Marketing of Internal Audit
Internal Marketing
D|12|12.1
554
• forms,e.g.,anauditrequest,and
• reportsfortheBoardmembersandstrategicmanagement.
hisensuresthatalllevelsinthecompanycanusetheintranettogetinformation
aboutInternalAuditasneeded.
Other information media used for internal marketing include printed docu-
ments,suchastheInternalAuditcharterorawhitepaper,whichcontainsashort
summaryofimportantinformationaboutInternalAudit.Acomprehensiveinter-
nalaudithandbookisanotherinternalmarketinginstrument,asisapeerreviewof
thedepartment, includingcertiicationandpublicationofresults(seeSectionD,
Chapter9).
TrainingandinformationeventsshowcasingInternalAuditarealsoimportant.
heycantaketheformofemployeetrainingorspeciicdepartmentpresentations.
hese events should provide general information about audit work to as many
employees as possible in order to highlight the value speciic to their unit that
InternalAuditcanaddandencouragethemtocooperateactivelywiththedepart-
ment.
Another formof internalmarketing is thepublicationofarticles in in-house
communicationmedia.AtSAP,publications that support internalmarketing in-
cludetheGIASLetterandtheannualreporttotheAuditCommittee(seeSection
B,Chapter5.4.1).Seniormanagementcircularsshouldalsobeusedtoprovidein-
formationaboutgeneralauditresultsand/orpresentInternalAudit’sinvolvement
inhigher-levelissues.Inordertoprotectemployeesandsafeguardtheirinterests,
auditresultsshouldbeusedasabasisfornewguidelines,withreferencetoInternal
Auditifappropriate.
Auditsurveys,whichtheauditeescompleteatertheaudithasbeenconducted,
arealsopartofInternalAudit’sinternalmarketing(seeSectionD,Chapter7.2.2).
ABoardsummaryoftheresultsthedepartmenthasachievedintheauditsurveys
canalsopromoteInternalAudit’swork.Consolidatedresultscanalsobeincluded
inpresentationsforotherdepartments.
HIntsAnDtIPs ;
• Auditorsshouldcheckwhetherpublicationsaboutinternalauditingcanbeused
forin-housecommunication.
• Auditorsshoulddeterminewhat,intheirview,arethemostimportantinforma-
tionchannelsandoptimizetheirusebyInternalAudit.
LInKsAnDRefeRenCes e
• SeArS,B.2002.Internal Auditing Manual.NewYork,NY:Warren,Gorham&Lamont.
PrintedDocumentsPrintedDocuments
eventsevents
PublicationsPublications
AuditsurveysAuditsurveys
555
12.2 External Marketing
KeyPoInts •••
• By cooperating with external institutions, Internal Audit can demonstrate its
compliancewithexternalrequirementsandalsocontributetodevelopingthese
requirementsfurther.
• OthersigniicantexternalmarketinginstrumentsofInternalAuditarethepub-
licationofpapers,thedevelopmentofsotwaresolutionsforinternalauditing,
andparticipationinbenchmarkingstudies.
• Trainingeventsarealsoagoodwaytopresent the internalauditdepartment
outsidetheorganization.
InternalAudit’sprocessesarenotonlygovernedbyinternalrequirements,butare
alsosubjecttosigniicantexternalinluences,suchaslaws,guidelines,andstatutes.
Bycooperatingwiththerelevantexternalinstitutions,InternalAuditcandemon-
strateitsacceptanceofandcompliancewiththeserequirementsandalsocontribute
to developing them further. By presenting and publishing papers, and holding
workshops,InternalAuditcandrawattentiontoimportantissuesandprovidecrit-
icalsupportasitdrivesthedevelopmentofpossiblesolutions.hisisanimportant
element of this department’s external marketing, because it also supports new
trendsinhigher-levelcompany-widepositioning,e.g.thoughtleadership,corpo-
ratecitizenship,andreputationmanagement.
Contributions to professional journals generate interest and promote under-
standingforthefunctionsofInternalAudit,evenbeyondthegroupofpeoplewho
aredirectlyafected.Inaddition,InternalAudit’sexternalmarketingmayinclude
compiling comprehensive scientiic publications and recommending them as
practice-basedauditstandardsintheformofaninternalaudithandbook.Other
informationmedia,suchasCDsorDVDswithdidacticcontentandpracticalex-
amplessupportsuchconcepts.
Undercertaincircumstances,someinternalauditdepartmentsmayalsocon-
sidertheoptionofdevelopingstandardsotwareforinternalauditing.Asuccessful
marketlaunchwouldresultinmarketingthecompany’sinternalauditdepartment,
becauseitwillhavepilotedthesotware.hepilotversionwouldbeusedtodeine
astandardapplicationforinternalauditing.Itwouldthereforeberegardedasrefer-
enceforsubsequentlyintroducingthesotwareinothercompanies.
Participationinsector-basedorcross-sectorbenchmarkingactivitiesthroughkey
performanceindicatoranalysisandappropriatestudiesisanotherformofexternal
marketingbecauseitshowshowInternalAuditispositionedwithinitsowncompany
andincomparisontoothercompanies.Participationinbenchmarkingstudiesis
alsoacommonlyusedmethodtoidentifystrengthsandweaknesses.
CooperationwithexternalInstitutionsCooperationwithexternalInstitutions
ProfessionalJournalsProfessionalJournals
softwareforInternalAuditsoftwareforInternalAudit
BenchmarkingBenchmarking
Special Topics and Supplementary Discussion
Marketing of Internal Audit
External Marketing
D|12|12.2
556
Trainingoferingssuchascourses, seminars,and informationeventsarealso
popularmarketinginstruments.InternalAuditcanmakeimportantcontributions
regarding topics such as compliance, SOX requirements, and fraud prevention.
Oferingauditor trainingcontributessigniicantly toenhancing thepositiveper-
ceptionofaninternalauditdepartment.Informationeventsandpaperspresented
atuniversitiessimultaneouslyprovideanopportunityforthedepartmenttorecruit
futureemployees.
Acomprehensivemarketingconceptshouldalwaysbedevelopedincoopera-
tionandagreementwith thepublic relationsdepartmentof theorganization. In
ordertodisseminatetherelevantinformationandcontentsuccessfullyindiferent
internationallinguisticandculturalgroups,InternalAuditwillnormallyneedto
co-opt media experts with publishing experience. In addition to Internal Audit,
acompanyalsohasotherimportantinstrumentsandinstitutionstoensurecompli-
ance,whichmayalsobethesubjectofexternalinterest.Accordingly,itisanimpor-
tantfunctionofaconsistentexternalmarketingconcepttoachieveabalancedpub-
licperceptionofallthecomponentsandtheirinteraction.
HIntsAnDtIPs ;
• Auditorsshouldseizeanyopportunityforexternalmarketing,e.g.,givingtalks
onInternalAudit’sspecialsubjects.
• Auditorsshouldalsocontributetothewritingandpublicationofpapersonau-
dittopicswithwhichtheyarefamiliar.
• regularparticipationinexternalworkinggroupsisrecommended.
trainingtraining
DevelopinganexternalMarketingConcept
DevelopinganexternalMarketingConcept
Special Topics and Supplementary Discussion
Fraud PreventionD | 13
557
13 Fraud Prevention
Key Points •••
• Fraudcanbecommittedinanycompany.hereforeallcompaniesshouldpre-
paretheirprocessstructuresforsuchaneventuality.
• Fraudshouldbeidentiiedandevaluatedreactivelyandproactively.Allmeasures
shouldalsobetakenforadequateprosecutionofthosewhocommitfraud.
• Anorganizationshouldhaveaclear,unambiguouscodeofconduct.
• Guidelinesandinstructionsmustbecomprehensibleandaccessibletoallem-
ployees.
• Anorganizationshouldhaveasharedsetofvaluesandclearlycommunicatethe
consequencesthatfraudentails.
Everycompanymustfacethesubjectoffraud,irstbecausemanycompanieshave
experiencedthenegativeimpactoffraudintheformofinanciallossesanddamage
totheirimage,andsecondbecausethishasbeennecessitatedbylegalrequirements
suchasSOX.hus, ithasbecome increasingly important to equip the company
adequatelysoitcandealwithsuchproblems.Withinitsareaofresponsibility,In-
ternalAuditinvestigatesandassessesverydiferenttypesofincidentsandsuspected
fraud.InternalAuditisanintegralpartofthecompany’shandlingoffraud,although
otherdepartments, suchasCorporateLegalandCorporateSecurityarealso in-
volved.Toefectivelydealwith fraud it is important tohaveaclearly structured
organization, which immediately deals with the relevant circumstances of fraud
andtriggers,coordinates,andperformsthenecessaryactivitiesquickly,accurately,
andreliably.
hecorporatelegaldepartmentistheorganizationalcenterdealingwithfraud
atSAPandisalsoknownas“fraudilter.”hisiswhereallthereportinglinescome
togetherandareconsolidated.hisglobalfunctionisprimarilyresponsiveinchar-
acter,becauseitinitiatesactiononthebasisofinformationandreports,followedby
measurestakeninthediferentdepartments.hecorporatelegaldepartmentisalso
responsibleforcentralcoordination.Duetoitscentraladministrativefunction,it
alsohasstatisticalinformationatitsdisposal,whichisincludedinthefraudpre-
ventionprocess.
When a fraud is suspected the Fraud Evaluation Committee should convene
immediately, depending on the signiicance and urgency of the information or
report.AtSAP,thiscommitteeismadeupofemployeesfromInternalAudit,Cor-
porateLegal,andCorporateSecurity.hecommitteedecideswhichdepartmentis
to take what action and when. In addition to such ad-hoc meetings, the Fraud
EvaluationCommitteeshouldmeetregularlysothatallimportantmatterscanbe
discussedinthiscommunicationforum.
Withitsglobalmandate,SAP’sfraudilterisconnectedtodiferentcommunica-
tionchannels,whichsupplyinformationwithintheorganization.AllSAPemployees
Dealing with FraudDealing with Fraud
Role of the Corporate Legal Department
Role of the Corporate Legal Department
Fraud evaluation CommitteeFraud evaluation Committee
Fraud FilterFraud Filter
558
canaccessincidentreportingmechanismsandthewhistleblowingfunctionviathe
intranetandusethesetoolswithoutrestriction.heglobalcomplianceorganiza-
tionprovidesanotherimportantcommunicationmedium.
Incident reporting isan intranet-basedreporting tool thatemployeescanuse to
reportincidents,althoughtheycannotreportanonymouslythroughthistool.he
standardized structure of the report covers all aspects of possible threats, from
hackerattackthroughassetthet.herearealsofree-textields,whereanydescrip-
tion can be added. Depending on the circumstances, the recorded incidents are
reportedtoCorporateLegaland/orCorporateSecurityandhandledaccordingly.
incident Reporting
incident Reporting
Fig. 26 SAP Fraud Filter
Special Topics and Supplementary Discussion
Fraud PreventionD | 13
559
InternalAudithasreadaccesstoallincidentreportsreceived.Incidentsreported
throughthissystemformthemainbasis forFraudEvaluationCommitteemeet-
ings.
Oncethereportedincidentshavebeeninvestigated,theycanbeusedtodevelop
measurestopreventfraudinthefuture.AtSAP,theincidentreportdocumentation
isalsousedforthereportstotheBoardandtheexternalauditors.
hewhistleblowerfacilityisaSOX-compliantanonymousreportingtoolavail-
able toSAPemployeeson the intranet. It is intended forreporting irregularities
withregardtorevenuerecognitionandotherinancialdataofSAP(seeSectionA,
Chapter2.6).
heglobalcomplianceoiceisanotherpointofcontactforemployeesandman-
agersthatassessesandhandlesverydiversematters.Inessence,theglobalcompli-
anceteamdratsthecodeofconductwithinSAPandensuresemployeecompliance.
Contraventionsofthiscodecanbereportedtothecorporatelegaldepartmentand
mayalsobedealtwithbyInternalAudit,dependingontheseriousnessofthecir-
cumstances.
hefraudallocationmatrixistheworkingfoundationofthefraudilter.Item-
bodiestheilterfunction,becauseoneaxisliststhepossiblethreatsandtheother
thedepartmentsresponsibleortobeinformed.Allpossibleriskscenariosarelisted
here, from thet through corruption, so that the response can be as rapid and
focusedaspossible.hescenariosexistinoverviewformatandindetailforeach
department.
AtSAP,InternalAudit,CorporateLegal,andCorporateSecurityaretheprimary
departmentsinvolvedinfraudinvestigations.Likearapidresponsegroup,theaudit
teamsofInternalAuditareinapositiontoactpromptlywhenevernecessaryinany
localsubsidiaryorbusinessunitofSAP.Inspecialcircumstances,InternalAudit
canalsoengageexternalpersonsandserviceproviders,usuallydetectives,forensic
experts,orattorneys.
SAP’sfraudpreventionmodelformsanintegralpartofitsorganizationaland
operational structures. From Internal Audit’s perspective, the fraud prevention
model’scompany-wideelements,suchastheSAPCodeofBusinessConduct,play
ascriticalaroleasitsaudit-speciicelements.hebasicstagesofthemodelhave
been institutionalized, for example through global guidelines and the Code of
BusinessConduct,andarecoherentandcomprehensibleforallemployeesofthe
organization.hisisimportant,becauseit is impossibletoimplementorcomply
withguidelinesthatarenotknownorunderstood.Overall,thefraudprevention
model should be regarded as a cycle, because the process is driven and supple-
mentedtoasigniicantextentbypastexperience.Anyweaknessesthatoccurmust
be eliminated as part of the process and lead to an overall improvement at the
variouslevels.hisrelectsthemodel’stop-downandbottom-upapproach,which
givesitthenecessarylexibility.
Documentation of Reported incidentsDocumentation of Reported incidents
Whistleblower FacilityWhistleblower Facility
Global Compliance teamGlobal Compliance team
Fraud Allocation MatrixFraud Allocation Matrix
Departments involvedDepartments involved
Prevention ModelPrevention Model
560
Organizationalguidelinesprovideaframeworkofconductforanorganizationand
itsemployees.heyshouldprovideinstructionsforallbusinessunits,transactions,
andorganizationalunitsandmustnotcontraveneprevailinglawsandregulations.
Inadditiontotheactualinstructions,thefollowingitemsshouldbemadeclearand
documentedaccordingly:
• objective,
• beneits,
• strategiccontribution,
• riskincaseofnon-compliance,
• areaofapplicationandtargetgroup,
• conidentiality,
• consequencesofnon-compliance,
• implementationandenforcement,and
• responsibilityfortheguideline.
SAP’sguidelines,suchastheCodeofBusinessConduct,areaccessibletoallem-
ployeesontheintranet,andthepersonsresponsiblefortherelevantguidelineare
availableforqueries.herulesprovidedthereinaresubjecttoapermanentupdating
GuidelinesGuidelines
Fig. 27 Fraud Prevention Model Overview
Special Topics and Supplementary Discussion
Fraud PreventionD | 13
561
processandrepresentthelatestversion.histransparencyandavailabilityfacilitates
auditworksigniicantly,becausetheguidelinesprovideaixedpointofreference.
heSAPCodeofBusinessConductappliestoallSAPemployeesaroundthe
globe.Itassessesandregulateshowtodealwithpotentialconlictrelatingtoem-
ployees, customers, partners, and suppliers. he code of conduct also provides
guidanceonhowtoresolveconlictthatarisesfromrelated-partydealings.
Inadditiontothefundamentalguidelinesandinstructions,anotherimportant
criterioniswhetherandtowhatextentemployeesareawareofmattersrelatingto
fraud.Anorganizationmustusediferentcommunicationelements toalert em-
ployees of fraudulent activities or rules regarding fraud adequately. Information
andcommunicationthatcomesfromtheBoardreceivesspecialpriorityandatten-
tion.Anycommunicationgenerallyshouldconformtothecorporatephilosophy
andculture.Itisalsoimportanttohighlightclearlytheconsequencesofanycontra-
ventionoftheguidelines.
Knowledgeofcommunicationchannels,suchasincidentreportingorthewhis-
tleblowerfacility,heightensemployees’awarenessoftheguidelines.hecommuni-
cation channels to the fraud ilter, which activates the organization’s response
system,willonlyfunctiononcetheguidelineshavebeenpositionedinaclearand
comprehensiblewayandtheemployeesareawareoftheirresponsibility.
heworkofInternalAudit,whichactsbyconductingspeciicallydesignedaudits,
isbasedonthecornerstonesdescribedabove.DuetoInternalAudit’sproactiveap-
proach,thedepartmentformspartofSAP’spreventionprogram.Internalandexter-
nal empirical values are one basic element of proactive audits, and the results of
testinginternalcontrolsinaccordancewithSOXareanothersourceofinformation.
Furthermore,preventiveauditieldworkfocusesonthefollowingprocessesand
contentelements:
• incomestatement,expenses,andcosts,
• accountsreceivable,
• accountspayable,
• purchasing,procurement,invitationstobid,
• capitalexpenditure,
• payroll,
• externalservicesandservicecontracts,and
• areaswherebriberyandcorruptionispossible.
Consequence management and its communication in the organization form the
apexofthepreventionmodel.hereportsandmemorandumsofInternalAuditare
thestartingpointforconsequencesandtheresultingcommunication.Inaddition
to any criminal charges, the consequences of economic crime or incidents that
cause loss to the company are mostly of a disciplinary or organizational nature.
Consequencesmustbeapplieduniformly,without favoritismand irrespectiveof
hierarchylevels.helinetakenonconsequencesiscommunicatedthroughoutthe
sAP Code of Business ConductsAP Code of Business Conduct
employee Awarenessemployee Awareness
importance for the Fraud Filterimportance for the Fraud Filter
Prevention by internal AuditPrevention by internal Audit
Focus of Preventive FieldworkFocus of Preventive Fieldwork
Consequence Management and Communication
Consequence Management and Communication
562
organizationandthuscreatesaixedsetofvaluesonwhichtheentierfraudpreven-
tionmodelisbased.
SAP’sinternalauditdepartmentispartoftheanti-fraudprocessstructure,be-
cause it takes on key tasks in investigating cases of loss caused to the company.
InternalAuditconductsauditsproactivelyaspartoftheannualauditplanunder
thefraudpreventionmodel,butalsoreactivelywheninitiatedbyarequest.Sucha
requestcanbemadethroughthecommunicationmediamentionedearlieror,most
commonly,directlythroughthefraudilter.Reactiveauditsarenormallyconducted
adhocandrequireieldworktobestartedimmediately.Dependingonthecircum-
stances,InternalAuditcanalsomerelyinitiateapre-investigation.hisprocedure
ismappedinanAuditRoadmapdevelopedspeciicallyforthispurpose(seeSec-
tionB,ChapterB.7.2).
hefraudScopeisanintentionallycomprehensivepresentationofallpotential
circumstancesthatareconceivableinrelationtoactionsthatcauselosstothecom-
pany.Inoutline,theScopehasbothaprocessorientationandafraudorientation,
allowingInternalAudittoidentifypotentialrisksatprocesslevelaswellasvulner-
ableorganizationalunitsandaccountsatfraudlevel.BasedontheScope,alexible
workprogramisadjustedorsupplementedforeachaudit.Speciicemphasescan
alsoberelectedinandsupportedbythelevelofdetailoftheworkprogram.Work
programsarecompiledand implemented forbothreactiveandproactiveaudits.
herearepre-dratedworkprogramsforparticularlyvulnerableprocesses,which
merelyneedadjustmenttothespeciiccircumstances.hismakesiteasiertopre-
pareforreactiveauditsandsavestime.
Whentheauditteambeginsieldworkwithoutknowingthedetailsofafraud
case,theextentofloss,orthepersonsinvolved,anappropriateactionguideshould
befollowedirst.hisguideisusedtocollatefactsandcarryoutstructuredresearch
andinvestigations.Asdetailsoftheincidentareentered,aninitialpictureofevents
emerges.heactionguideisastructuredmethodofgivingtheauditteamaninitial
overview. Individual issues complete the picture and signal the next action and
auditsteps.heactionguidecanalsobeusedasadocumentationvehicleandsub-
sequentworkingpaperandfraudsummary,evenifthefactsarenotyetknown.he
actionguidecollatesthefollowinginformation:
• personsandcompaniesinvolved,
• relationshipsandlinksamongpersonsandcompanies,
• timelineofevents,
• documentsandsystemsafected,
• quantiicationandqualiicationofextent,
• accountingestimate,and
• linktopreviousorsimilarincidents.
InternalAuditinterviewsthepeoplewhoareafectedorinvolvedintheincident.
hroughouttheinvestigation,suspectedemployeescanalsobequestioned.Ifthe
interviewsrevealthatemployeesareguiltyandhavedirectlyorindirectlyadmitted
Anti-Fraud Process structure
Anti-Fraud Process structure
scope and Work Program
scope and Work Program
Action GuideAction Guide
interviewsinterviews
Special Topics and Supplementary Discussion
Fraud PreventionD | 13
563
theirguilt,theresultoftheinterviewsisofcriticalimportanceforreportingand
documentingthecase.Interviewsshouldalwaysbeconductedbytwoauditorsin
ordertoensurethattheevidenceisauthentic.
Inthecourseoftheirieldwork,auditorsmayhavecontactwithexternalthird
parties,e.g., thepoliceorthedistrictattorney’soice.It is importanttoconduct
thesetalks,oratleastprepareforthem,togetherwiththecorporatelegaldepart-
ment.heemployees’privacymustbeprotected,whichiswhyInternalAuditdoes
notpublicizethesuspectedfraudorvoiceanysuspicions,butratherhandsoverthe
collectedfactsrelevantforthecase.
Inadditionto interviewsandsystemtests,whichareprimarilyperformed in
SAPAIS,dependingonthespeciiccase,backgroundchecksonthefacts,andthe
peopleandcompaniesinvolvedarealsoimportant.Takingtherelevantdataprotec-
tionregulationsintoaccount,thedatasourcesforbackgroundchecksinclude:
• commercialregister,
• nationalandinternationalinternetdatabases,
• pressdatabases,
• solvencychecks,and
• detectiveagenciesandcreditbureaus.
Alldocumentsrelatedtotheallegationsorthematterbeinginvestigatedmustbe
iled.heyshouldbeavailableatalltimesandpresentedinsuchawaythattheycan
beunderstoodbythirdparties.InternalAudit’sreportsalwaysconformtothenor-
malreportingguidelines.hisrequiresthatInternalAuditproduceimplementation
reportsormemorandums,whichatSAPareforwardedtotheCEO,therespective
Boardmemberandanyotherinvolvedparties.However,otherreportsmayalsobe
used,particularlyincasesoffraudandtheirsolution.heseinclude:
• expertreportsandsurveys,
• analysesofforensicinvestigations,
• analysesof(backed-up)data,
• legalreports,
• witnessstatements,
• backgroundandresearchreports,and
• reportsfromthirdparties,e.g.,detectives.
hesereportsarenormallyproducedandcommissionedinconsultationwiththe
corporatelegaldepartmentandareprotectedbytheattorney-clientprivilege.he
legaldepartmentalsohelpsclarifyandascertainthattheycanbeusedinacourtof
lawandcriminalprosecution.
Hints AnD tiPs ;
• Auditorsmustunderstandclearlythatfraudcanoccuranywhereanytime.
• Functioningcommunicationstructuresandclearlyassignedresponsibilitiesare
veryimportantwithregardtofraudpreventionandinvestigation.
Contact with external third PartiesContact with external third Parties
Background ChecksBackground Checks
Reporting and DocumentationReporting and Documentation
564
LinKs AnD ReFeRenCes e
• AnDERSOn,U.AnDA.DAHLE.2006.Implementing the Professional Practices Frame-
work.2nded.AltamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnALAUDITORS.2006.Practice Advisory 1210.A2-1: Auditors
Responsibilities Relating to Fraud Risk Assessment, Prevention and Detection. Altamonte
Springs,FL:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnALAUDITORS.2006.Practice Advisory 1210.A2-2: Auditors
Responsibilities Relating to Fraud Investigation, Reporting, Resolution and Communication.
AltamonteSprings,FL:heInstituteofInternalAuditors.
• InSTITUTEOFInTERnALAUDITORS.2002.Standards for Professional Practice. Al-
tamonteSprings,FL:heInstituteofInternalAuditors.
565
14 ServicesProvidedbyInternalAuditRelatingtotheSarbanes-OxleyAct
14.1 General Principles
14.1.1 Legal Framework
KeyPOIntS •••
• SOXwaspassedbytheUnitedStatesCongressin2002withanaimtoprotect
investorsandrestorethepublic’sconidenceinthecapitalmarkets.
• AmongthemanyprovisionsofSOX,sections302and404ofSOXareofpar-
ticularimportancetointernalauditors.
• SOXsection302makesmanagement,particularly theCEOandtheCFO,re-
sponsibleforthecomplianceofthecompany’sinancialreports.
• Tomeet theseobligations,SOXsection404requiresmanagement toprovide
evidence thatall corebusinessprocesses relevant to theinancial reports, in-
cludingtheinternalcontrols,aredocumentedandefective.
• Inaddition,SOXhascreatedthePublicCompanyAccountingOversightBoard,
orPCAOB.
Inrecentyears,therehasbeenamarkedincreaseinuncertaintyamonginvestors,
especiallysmallinvestors,aboutthecomplianceofinancialreportsandtheman-
agementofcompanies.Inpart,thisisbecauseofseveralhighlypublicizedcasesof
companiesmanipulatinginancialstatementsandcollapsingasaresult.Inmany
cases,itwasshownclearlythatthecausesweremismanagementandfraudulentacts,
resultinginseverelossesforshareholders.heseeventsledtoaseriouslossoftrust
amonginvestorsincapitalmarketsaroundtheworld.IntheUnitedStates,these
developmentsareofparticularimportance,becauseequityinvestmentsplayanim-
portantroleinthepensionarrangementsfortheentirepopulation.Atthesametime,
theydamagedthepublic’sconidenceincompaniesingeneralandtheircorporate
governancestructures.heU.S.governmentrespondedin2002bypassingtheSar-
banes-OxleyAct(SOX).
hepurviewofSOXcoversallU.S.companiesregisteredwiththeU.S.Securities
andExchangeCommission(SEC),includingtheirforeignsubsidiaries,aswellas
foreigncompanieslistedintheUnitedStates(e.g.,foreignprivateissuers,suchas
SAP).AlthoughU.S.-basedcompanieshavehadtofulilltheprovisionsofsection
404ofSOX(seeSectionC,Chapter8)sinceNovember15,2004,certainconcessions
applytoforeignprivateissuers,requiringthem,amongotherthings,toapplySOX
404onlytoiscalyearsendingaterJuly15,2006.heactcontainsdetailedrequire-
mentsonreporting,alsowithregardtotheefectivenessofinternalcontrols,sets
newstandardsformanagementresponsibilityandaccountability,increasestrans-
parency,andlaysdownrulesforproperbusinessconduct.heapplicationofSOX
istoensurecompliantreportingandrestoretheconidenceofallstakeholdersin
goodcorporategovernanceandmanagement.
LossoftrustLossoftrust
PurviewofSOXPurviewofSOX
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
General Principles
D|14|14.1
566
heintroductionandestablishmentofthissophisticatedsetofrulesposesnew
challengesforInternalAudit.Oten,itsprovisionsleadtotherestructuringorre-
alignment of individual areas of responsibility and the associated tasks. As an
NYSE-listedandthereforeSEC-registeredcompany,SAP–andbyextensionalso
GIAS–mustfacethechallengesofimplementingSOX.
Inthiscontext,twosectionsofSOXareofkeyimportancetoInternalAudit:
• SOXsection302(“Corporateresponsibilityforinancialreports”)mandatesthat
internalcontrolproceduresareestablished,maintained,andevaluatedtoensure
fullandaccurateinancialdisclosurethatefectivelyrelectstheinancialposi-
tionofthecompany.Aprerequisiteforthisisthatallinformationiscaptured
properlyandinatimelymannersothattheCEOandCFOhaveaccesstothis
dataintimetoenablethemtocertifythattheinancialreportsarecompliant.
Both oicers are required to sign an aidavit to conirm the efectiveness of
these controls and procedures and make known every incident of fraud that
afectsmanagementorotheremployeesmateriallyinvolvedintheinternalcon-
trolsystem,irrespectiveofitsseriousness.Bysigningtheaidavit,theseoicials
assumepersonalresponsibilityfortheaccuracyofthecompany’sinancialin-
formationaspublishedinallannualandinteriminancialstatements.
• heimplementationofSOXsection404(“Managementassessmentofinternal
controls”)requiresthegreatesteforttoensurecompliancewiththeregulation.
Itrequiresmanagementtoproduceaninternalcontrolreportthatairmsthat
managementhasestablishedandmonitorsaninternalcontrolsystemanddocu-
mentsandassessestheefectivenessoftheinternalcontrols.hisistoensure
thatallinancialstatementsareproducedaccordingtotheapplicableaccount-
ingprinciplesandmisstatementsintheinancialstatementsareavoided.SOX
section404coversallinternalcontrolsrelatingtoinancialreporting.Evidence
oftheefectivenessofthiscontrolsystemmustbeprovidedannuallyaspartof
aprocessspeciicallyinstitutedforthispurpose.Amanagementreportconirm-
ing the efectiveness of the internal control system, certiied by the external
auditors,mustbesubmittedannuallytotheSEC.
hePublicCompanyAccountingOversightBoard(PCAOB)hasalsobeenintro-
ducedasaresultofSOX.NewlyestablishedbySOXsection103(“Auditing,quality
controlandindependencestandardsandrules”)in2002,thePCAOBisaprivate-
sector,non-proitcorporationtooverseebothU.S.andforeignauditorsofpublic
companies.Allauditorsandpublicaccountingirmsthatprepareauditreportsfor
issuersgovernedbySOXmustregisterwiththeboard.hisendstheself-regulation
ofpublicaccountantsintheUnitedStates.hePCAOBissupervisedbytheSEC
andtakesoninvestigativeanddisciplinarypowersoverpublicaccountants:Under
theprovisionsofSOX,itmonitorscompliancewiththeexistingstandardsofapro-
fession,butitalsohasfar-reachingpowerstoformulatenewstandards,i.e.,itcan
setauditing,qualitycontrol,ethics,andindependencestandards,whichmustallbe
compliedwith.Inaddition,thePCAOBcanconductqualityinspectionsofregis-
teredauditorsandpublicaccountingirms.
SigniicanceforInternalAudit
SigniicanceforInternalAudit
KeyRequirementsKeyRequirements
SOX302SOX302
SOX404SOX404
PCAOBPCAOB
567
HIntSAnDtIPS ;
• Auditorsshouldfamiliarizethemselveswiththemainelementsoftherelevant
sectionsofSOX.
• Inthefuture,auditorswillneedtofocusevenmoreonthecompletenessofthe
internalcontrols,especiallywithregardtoriskcoverandinancialreporting.
LInKSAnDRefeRenCeS e
• DElOITTE.2005.Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era.www.de-
loitte.com/dtt/cda/doc/content/us_ERS_Internal%20Audit%20POV.pdf(accessedMay31,
2007).
• GRAY,G.l.2004.Changing Internal Audit Practices in the New Paradigm: he Sarbanes-
Oxley Environment. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• HAUSER,D.,R.HOPkINS,AND H.lEIBUNDGUT.2004.heSarbanes-OxleyAct
andtheRoleofInternalAudit.Der Schweizer Treuhänder(December2004):1057-1065.
• INSTITUTEOFINTERNAlAUDITORS.2004. Internal Auditing’s Role in Sections 302
and 404 of the U.S. Sarbanes-Oxley Act of 2002.AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). 2004. Au-
diting Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed
in Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Stan-
dards/Standards_and_Related_Rules/Auditing_Standard_No.2.aspx (accessed May 31,
2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). Staf Ques-
tions and Answers: Auditing Internal Control over Financial Reporting. http://www.pcaob.
org/standards/staf_questions_and_answers/2005/01-21.pdf(accessedMay31,2007).
• ROTH, J. AND D. ESPERSON. 2003. Internal Audit’s Role in Corporate Governances:
Sarbanes Oxley Compliance. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. WashingtonDC:GovernmentPrintingOice.
14.1.2 COSO Requirements
KeyPOIntS •••
• heCOSOInternalControlframeworkisanon-bindingrecommendationfor
establishinganinternalcontrolsystem.
• Visually,themodelispresentedintheformoftheCOSOcubetoillustratethe
overlappingrelationshipsbetweentheobjectives,componentsandlevelsofthe
organization.
• AnimplementedinternalcontrolsystemshouldcoverallCOSOcomponentsin
ordertomeettherequirementsofSOX404.
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
General Principles
D|14|14.1
568
WhentheCommitteeofSponsoringOrganizationsoftheTreadwayCommission
(COSO),foundedin1985,conductedastudyoffraudulentinancialreportingin
1992, it developed a concept that provides a non-binding, generally applicable
frameworktosupportcompaniesinestablishing,using,monitoring,andassessing
theirinternalcontrolsystems.Itspeciiesastandarddeinitionofaninternalcon-
trolsystem,thusensuringthatinancialreportsarecomparableandofhighquality.
UndertheCOSOframework,aninternalcontrolsystemhasthreekeyobjectives:
• efectivenessandeiciencyofoperations,
• reliabilityofinancialreporting,and
• compliancewithapplicablelawsandregulations.
InternalAuditalsopursuestheseobjectivesaspartoftheinternalmonitoringsys-
tem(seeSectionA,Chapter1.2).
hefollowingdiagramshowsamodiiedversionoftheCOSOcube.Itdemon-
stratesthataninternalcontrolsystemisshapedbythecharacteristicsofdiferent
internalcontrolcomponents,whicharenecessarytoachievetheabovekeyobjec-
tives.hecomponentsare:
• ControlEnvironment,
• RiskAssessment,
• ControlActivities,
• InformationandCommunication,and
• Monitoring.
hethirddimensioncomprisesalltheprocessesandcompanyunitsforwhichthe
achievementofobjectivesmustbeensuredthroughtheoperativecontrolcompo-
nents.
COSOframeworkCOSOframework
COSOCubeCOSOCube
Fig. 28 COSO Cube (COSO IC)
AdaptedfromSOX-Online,www.SOX-online.com/COSO_cobit_COSO_cube-old.html
Copyright©1992bytheCommitteeofSponsoringOrganizationsoftheTreadwayCommission
569
heCOSOInternalControlframework(COSOIC)providesacomprehensiveview
ofthedimensionsoftheinternalcontrolsystemanditsimplementationactivities.
COSOICrepresentsaglobalstandardfortheinternalcontrolsystemtobeestab-
lishedunderSOXandensuresthattheinstalledsystemsareconsistent,measurable,
and comparable. An expanded model, the COSO Enterprise Risk Management
framework(COSOERM)hassincebeendeveloped,speciicallydeinedforthein-
terestsofacomprehensiveriskmanagementsysteminthecompany(seeSectionA,
Chapter1.3).hemainadditionsrelatetoobjectivesoftheorganization(e.g.,stra-
tegicobjectiveshavebeenadded)andtheinternalcontrolcomponents(e.g.,objective
setting,determiningriskappetite,andeventidentiicationhavebeenadded).
hecontrolenvironment is the foundation for theother fourcomponents. It
relectsthecorporatecultureandthemonitoringactivitiesperformedbythesuper-
visory bodies in order to inluence the control consciousness of the company’s
people.Controlenvironmentfactorsincludeintegrity,ethicalvalues,management’s
operatingstyle,delegationofauthoritysystems,aswellastheprocessesformanag-
inganddevelopingpeoplewithintheorganization.
Apreconditiontoriskassessmentistheidentiicationandestablishmentofcon-
sistentinternalobjectives.Allrisksthatcanafecttheachievementofbusinesstargets
mustbeidentiied,documented,andevaluatedduringriskassessment,andappro-
priateactionsformitigationmustbespeciied.hiscomprehensiveriskassessment
conceptisaprerequisitefordetermininghowtherisksshouldbemanaged.
Controlactivitiesarethepoliciesandproceduresthathelpensuremanagement
directivesrelatingtoriskidentiicationandcontrolareunderstoodandcarriedout
withinthecompany.heactualimplementationanddocumentationofthesecon-
trolsareaprerequisiteforanefectiveresponsetorisksandalsoserveasconcrete
evidenceofcontrolactivitiesfortheexternalauditors.Forthisreason,controlac-
tivitiesareakeycomponentoftheSOX404provisions.
Intra-companycommunicationofrelevantinformationguaranteesappropriate
decision-makingbymanagement,onthebasisoftheresultsproducedbytheinter-
nalcontrolsystem.Allemployeesmustbeawareofthiswithregardtotheirareaof
responsibility within the internal control system. A functioning internal control
systemisthusonlypossibleifthereisasuitableinformationsystem.
Inviewoftheconstantlychangingparametersfortheinternalcontrolsystem,
thesystemmustbepermanentlymonitoredtoensureitisefectiveatalltimes.his
processinvolvesaboveallmanagement,theBoardofDirectors,InternalAudit,and
allresponsibleemployees.
SOX requires that organizations implement a formal internal control frame-
work.WhileCOSOICisnotexplicitlyrequired,itissuggestedandrecommended
asanexampleofanappropriateframework.Further,surveyevidencesuggeststhat
this framework is the most commonly adopted by companies that must comply
withSOX.InordertomeettherequirementsofSOX404withregardtotheconir-
mationoftheefectivenessoftheinternalcontrols,itisimportantthataninstalled
COSOICandCOSOeRMCOSOICandCOSOeRM
ControlenvironmentControlenvironment
RiskAssessmentRiskAssessment
ControlActivitiesControlActivities
InformationandCommunicationInformationandCommunication
MonitoringMonitoring
LinkBetweenSOXandCOSOLinkBetweenSOXandCOSO
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
General Principles
D|14|14.1
570
internalcontrolsystemcoversalltheabovecomponentsoftheCOSOframework.
hesecomponentsthereforeformthebasisforunderstandingSOX404.
HIntSAnDtIPS ;
• Auditsoftheinternalcontrolsystemshouldbeguidedbythecomponentsofthe
COSOcube.
• Auditors should try to incorporate,directlyor indirectly, all thecomponents
ofCOSOintheworkprograminordertoguaranteethattherequirementsof
SOX404aremet.
• Ineveryaudit,internalauditorsshouldestablishthelinktotheobjectivesofthe
internalcontrolsystem.
LInKSAnDRefeRenCeS e
• ANDERSON,S.A.,M.H.CHRISTANDk.l.SEDATOlE.2006.Managing Strategic
Alliance Risk: Survey Evidence of Control Practices in Collaborative Inter-Organizational
Settings. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• COMMITTEE OF SPONSORING ORGANIzATIONS OF THE TREADWAY
COMMISSION (COSO). 1992.InternalControlIntegrated Framework.NewYork,NY:
AICPA.
• COMMITTEEOFSPONSORINGORGANIzATIONSOFTHETREADWAYCOM-
MISSION (COSO). 2003. Enterprise Risk Management Framework. New York, NY:
AICPA.
• DElOACH, J.2000.Enterprise-wide Risk Management: Strategies for Linking Risk and
Opportunity. london:FinancialTimesManagement.
• PUBlICCOMPANYACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). Staf Ques-
tions and Answers: Auditing Internal Control over Financial Reporting. http://www.pcaob.
org/standards/staf_questions_and_answers/2005/01-21.pdf(accessedMay31,2007).
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. WashingtonDC:GovernmentPrintingOice.
14.1.3 Impact of SOX on Internal Audit
KeyPOIntS •••
• he introduction of SOX entails new challenges and demands for Internal
Audit.
571
• Itisimportanttostrikeabalancebetweensafeguardingtheauditprinciplesand
makingthegreatestpossiblecontributiontotheSOXprocesseswithoutputting
theindependenceandobjectivityofInternalAuditatrisk.
• However,noneoftheseconsiderationsmustdetractfromthefactthatmanage-
menthastheoverallresponsibilityforthecomplianceoftheSOXprocesses.
• herearemanywaysinwhichInternalAuditcanperformanimportantsupport
function.
hetasksofInternalAudithaveundergoneamajortransformationinrecentyears
andtheiroverallsigniicancehasincreased(seeSectionA,Chapter2).hestrin-
gentrequirementsthatSOXhasplacedoninternalcontrolsystemshaveaccelerated
thisdevelopmentbecauseInternalAudit,aspartoftheinternalmonitoringsystem
andactingonbehalfofcompanymanagement,isalsoresponsibleformonitoring
theinternalcontrolsystem.
Itisultimatelythesoleresponsibilityoftopmanagementtoensurecompliance
withSOXsections302and404,andthisresponsibilitycannotbetransferred.Com-
pany management must satisfy itself at least once a year that suicient internal
controls over inancial reporting processes are in place and working efectively
byconductinginternalcontroltests.hisistheonlywaytoensurethatthecertii-
cation of the inancial statements required under SOX can be made with the
necessaryconidenceaboutitscontentandform.Butcompanymanagementcan
additionallydelegatecontroltasksrequiredbySOXtothenextmanagementlevel
and,bycascadingthemdown,illustratetheresponsibilityofallmanagersinvolved
intheinternalcontrolsystem.InternalAuditcanprovideassistancetocompany
managementinessentiallytwoways:byoferingsupportservicesandbyproviding
actualauditservices(seeSectionD,Chapter14.3).However,thecriticalfactoris
thattheCEOandCFOultimatelymustcertifythattheinternalcontrolsarework-
ingefectively,andSOXsection904speciiesstrictlegalpenaltiesthatmaybefall
theseexecutivesifthecertiicationsarenottruthful,includinglargemonetaryines
andprisonsentences.
here isgeneralconsensusthatInternalAuditmustprotect its independence
andobjectivityatalltimes.hus,itcannotassumeseparateandinalresponsibility
foranythingotherthanauditing–inthiscasewithregardtotheprocessofprovid-
ingandpreservingevidenceaccordingtoSOX.Asaresult,InternalAuditmustind
acarefulbalancebetweenitsauditmandateanditssupportfunctions.Inthiscon-
text,theIIAhasdevelopedpossiblesolutionsandevaluatedthemwithregardtothe
auditprinciplesofobjectivityandindependence.Itisforeverycompanytodecide
whethertoregardtheseproposalsasusefulguidanceandtoimplementandapply
theminlinewithitsin-housepossibilities.
InrelationtoSOXactivities,InternalAuditcanassumethefollowingroles:
• InternalAudit’sroleasaconsultingbodymeansthatitsupportsthecompanyin
identifying,evaluating,assessing,aswellaseliminatingrisks.ProvidedInternal
Audit limits itself tomakingrecommendationsorgivingassessmentsofpro-
transformationofInternalAudittransformationofInternalAudit
ResponsibilityofCompanyManagementResponsibilityofCompanyManagement
MaintainingIndependenceandObjectivity
MaintainingIndependenceandObjectivity
RolesofInternalAuditRolesofInternalAudit
ConsultingBodyConsultingBody
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
General Principles
D|14|14.1
572
cessesandcontrols,thisroledoesnotgiverisetoconcernsregardingtheprin-
ciplesofindependenceandobjectivity.
• InternalAudit's testinganddocumenting roleallowsmanagement to involve
thedepartmentintestingtheefectivenessoftheinternalcontrolsystemandto
musteritssupportinthedocumentationoftheprocessesandinternalcontrols.
hisdoesnotinterferewiththeprinciplesofindependenceandobjectivityas
longasmanagementretainstheauthoritytodecideonprocessandcontrolde-
signandtoassesstheefectivenessoftheinternalcontrolsystem.
• IfInternalAuditactsasmainprojectlead,theauditorassumestheroleoflead
projectmanagerduringtheimplementationofSOX404.Iftheauditor’sfunction
isrestrictedtoadministrativetasks,thereisnoconlictwiththeindependence
andobjectivityprinciples.However,assoonastheauditorperformsmanage-
menttasksandthushasspecialdecisionpowers,compliancewiththeseprinci-
plescannolongerbefullyguaranteed.
• DuetoInternalAudit’sknowledgeofcompany-internalcontrols,itmakessense
for Internal Audit to assume the role of trainer and knowledge leader in the
handlingofcontrols.Auditorsareuniquelypositionedwithintheorganization
to ofer support and training for activities necessary as part of the internal
controlsystem.hisdoesnotgiverisetoanyconlictwiththeprinciplesofin-
dependenceandobjectivity.
• InternalAuditcanalsobeconsultedbymanagementasanexpertinassessing
theefectivenessoftheinternalcontrolsystem.hisexpertiseallowsauditorsto
supportmanagementinitsassessmentbyprovidingtrainingandinformation
withoutinfringingupontheindependenceandobjectivityprinciples.Aconlict
wouldonlyariseiftheauditorsweretoperformtheseassessmentsundertheir
ownresponsibility.
• Asanaccreditationbody,InternalAuditperformsaccreditationsandisinvolved
inassessingtheinternalcontrolsystem.Itcanonlydosoinasupportingand
consultingrole,whichmustnot involve takingonanyresponsibility,because
thiswouldputInternalAudit'sindependenceandobjectivityatrisk.
Ifthediferentrolesarecombined,InternalAuditcantakeonanimportantposi-
tion in the SOX scenario. Special procedures must be developed, although they
shouldbebasedontheformalparametersofthegeneralauditprocess.hisisthe
onlywaytoensurethatallInternalAuditengagementsarehandledproperlyand
theexpectedresultsarecorrectandcomparable.
HIntSAnDtIPS ;
• AuditorsmustensurethattheirSOX-relatedactivitiesdonotconlictwiththe
auditprinciplesofindependenceandobjectivity.
• Auditors should develop their own SOX skills, i.e., acquire knowledge of the
implementationmethodsandtheconsequencesofSOX-relatedactivities.
testingandDocumentingBody
testingandDocumentingBody
MainProjectLeadMainProjectLead
trainerandKnow-HowCarrier
trainerandKnow-HowCarrier
expertAssessoroftheInternalControlSystem
expertAssessoroftheInternalControlSystem
AccreditationBodyAccreditationBody
SummarySummary
573
• heclassicauditprocessshouldalwaysbeexaminedforoverlapwiththeSOX
requirements.
• Auditorsshoulddocumenteverythingthatcouldinanywayinluencethede-
signoftheinternalcontrolsystem.
LInKSAnDRefeRenCeS e
• GRAY,G.l.2004.Changing Internal Audit Practices in the New Paradigm: he Sarbanes-
Oxley Environment. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• INSTITUTEOFINTERNAlAUDITORS.2004.Internal Auditing’s Role in Sections 302
and 404 of the U.S. Sarbanes-Oxley Act of 2002.AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• INSTITUTEOFINTERNAlAUDITORS.2005.Practical Considerations Regarding In-
ternal Auditing Expressing an Opinion on Internal Control.AltamonteSprings,Fl:he
InstituteofInternalAuditors.
• PUBlICCOMPANYACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements.http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). 2004.
Staf Questions and Answers: Auditing Internal Control over Financial Reporting.
http://www.pcaob.org/standards/staf_questions_and_answers/2005/01-21.pdf (ac-
cessedMay31,2007).
• REDING, k. F., P. J. SOBEl, U. l. ANDERSON, etal. 2007. Internal Assurance and
Consulting Services.AltamonteSprings,Fl:InstituteofInternalAuditors.
• ROTH, J. AND D. ESPERSON. 2003. Internal Audit’s Role in Corporate Governances:
Sarbanes Oxley Compliance. AltamonteSprings,Fl:InstituteofInternalAuditors.
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. WashingtonDC:GovernmentPrintingOice.
14.2 Integrating SOX Organization and Internal Audit
14.2.1 Management of Internal Controls
KeyPOIntS •••
• InordertomeetSOXrequirements,managementmustscrutinizethebusiness
processesandtheunderlyingaccountingtransactions.
• he organization must identify the relevant internal controls for all inancial
accountsrelatedtotheinancialstatementsandtheircontrolobjectives.
• heinternalcontrolmanagementtoolhelpsmeettherequirementsofSOX302
and404.
• Allcorebusinessprocessesandtheinformationnecessaryforacomprehensive
SOXapproacharestoredinacentralprocesscatalog.
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integrating SOX Organization and Internal Audit
D|14|14.2
574
• heprocessgroupsaredividedintoindividualprocesses,whichinturncom-
prisediferentprocessandcontrolsteps.
• Signiicantcontrols,inparticular,mustbeidentiiedanddescribedaccurately.
hemainpurposeofthischapterisnottopresentbasicinformationabouttheSOX
procedures,but theway inwhichInternalAudit is involvedandfully integrated
into this audit-relatedprocess.Someof the fundamentalshavealreadybeende-
scribed, at least in outline, in earlier sections of this handbook (see Section A,
Chapter2.6).Withreferencetotheintroductiontotheinternalcontrolmanage-
menttool(seeSectionB,Chapter4.1.3.3),detailsofInternalAudit’sinvolvementin
theSOXprocessarenowprovided.hiswillmakeiteasiertoclassifyInternalAu-
dit’svariousSOXapproachesandtoassesstheirsigniicanceforcompliancewith
theprovisionsofSOX.
OneofthemainobjectivesofSOXistoensurethatthesigniicantinancialdata
disclosedintheinancialreportspresentsanaccurateandcompletepictureofthe
inancialhealthoftheorganization.hereportsarebasedonnationallawsandin-
ternationalstandards,whichproviderulesonhowtopresenttransactionsinthe
accounts.hepurviewofSOXnotonlyincludeseventsthatfollowtheentryofan
incoming document in the accounting system, but also the underlying business
processes that precede entry. he accounting system is scrutinized to establish
whetheratransactionisveriiedbysuicientcontrols, i.e.,whetherithasinfact
beentriggeredbybonaidebusinessprocessesanditsnatureandamountarebased
onactualbusinessoperations.
Fromtheperspectiveoftheinancialaccounts,materialityisanimportantcri-
terion,thatis,itisestablishedwhetheradequatecontrolsexistforthoseaccounts
that are relevant to the inancial statements. Internal controls normally relate to
clearcontrolobjectivesinordertocoverthecorrespondingrisksandensurethat
thebusinessprocessesarecompliantoverall.hisistoensurethat,fromtheper-
spectiveoftheinancialaccounts,allvaluesenteredhavebeendulyconirmedby
controlsbasedonclearlydescribedbusinessprocessesandthatthesecontrolscover,
oratleastmitigate,therisksassociatedwiththeseprocesses.
Asmentionedearlier,SAPhasdevelopedanITtoolforanalyzingandevaluat-
ingtheinternalcontrols,whichisintendedtosupportcompliancewiththerequire-
mentsofSOX302and404.Speciically,ithelps:
• conirmthattheiguresintheinterimandannualinancialstatementsandthe
relevantpublicationsarecorrect,
• document,establish,andimplementthecontrolsandprocessstepsrequired,
• assess the efectiveness of the controls and process steps and create a report
summarizingtheresults,and
• showinperiodicreportsallchangestotheinternalcontrols,includingallmate-
rialweaknessesthathaveoccurredsincethelastassessment.
InvolvementofInternalAudit
InvolvementofInternalAudit
BusinessProcessesasStartingPoint
BusinessProcessesasStartingPoint
InternalControlsInternalControls
IttoolIttool
575
AcentralprocesscatalogisakeycomponentofthisITtool.hiscatalogcontains
all the process groups and processes relevant to SOX 404, including all relevant
controlobjectivesandrisks,aswellastheafectedaccounts.heprocessgroupsare
basedonthecorebusinessprocessesofthehigh-techindustrythathaveadirector
indirectimpactontheiguresreportedintheinancialstatements.Dependingon
theorganizational structure, someprocessgroupsare relevantonly tocorporate
departments,othersonlytolocalsubsidiaries,althoughsomearerelevanttoboth.
Herefollowsalistofselectedprocessgroupsbywayofexample:
• ManagerialAccounting,
• AccountsReceivable,
• Purchasing
• InternalAudit,
• CorporateFinancialReporting,
• AccountsPayable,
• Marketing,and
• Sales.
ItisimportanttoensurethateachprocessgroupisseparatelyidentiiedintheIT
toolso that therelevantprocessescanbeassignedunambiguouslyandadminis-
teredcorrectly.
Eachprocessgroupisinturndividedintoseparateprocesses.Herefollowasan
exampletheindividualprocessesofprocessgroup“GeneralPurchasing”(PRG),
identiiednumericallyinincrementsoften:
• PRG10Contract,
• PRG20Purchaserequisition,
• PRG30Purchaseorder,
• PRG40Controlandreports.
Eachprocessconsistsofdiferentprocessandcontrolsteps.Althoughtheprocess
groups and processes have centrally standardized deinitions, the process and
control steps are determined individually for each organizational unit. hey are
identiiedbytheprocessnumber,dividedintoindividualstepnumbers,asshown
inthefollowingexampleforthe“Contract”and“Purchaserequisition”processes
fromthe“GeneralPurchasing”processgroup:
• PRG10.01Goods/serviceselection,
• PRG10.02Supplierselection,
• …,
• PRG20.01Preparationofpurchaserequisition,
• PRG20.02Creationofpurchaserequisition.
hespeciicdetailsofthisexamplemayvaryindiferentcompanies.
heassessmentofthesigniicanceofacontrolisotensubjective,butthereare
anumberofcriteriatohelpdecidewhetherornotacontrolshouldberegardedas
signiicant.Signiicantcontrolsnormallyoccuratthebeginning(e.g.,monitoring
ProcessCatalogProcessCatalog
ProcesseswithintheProcessGroupsProcesseswithintheProcessGroups
ProcessandControlStepsProcessandControlSteps
SigniicantControlsSigniicantControls
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integrating SOX Organization and Internal Audit
D|14|14.2
576
ofaccessauthorizations)andattheend(e.g.,contractsignedbytwosignatories)of
aprocess.Speciically,theyincludethefollowing:
• controlsrelatingtothepreparationoftheannualinancialstatementsandthe
igures to be disclosed, especially all controls of process steps that trigger or
reportaccountmovements,
• controlsintendedtopreventfraud,
• controlsonwhichothercontrolsdepend,e.g.,managementcontrolofopera-
tionalcontrols,suchasthedual-controlprinciple,
• controlsonsigniicant,non-routine,non-systematictransactions(e.g.,accounts,
includingmeasurements/assessmentsandestimates,suchastheapprovalofan
impairmentlossonanassetorthereversalofanimpairmentloss),and
• controlsonperiodicclosingprocessesininancialreporting,includingcontrols
onindividualprocesssteps,suchas
■ entryoftotalsinthegeneralledger,
■ entryofjournalvaluesinthegeneralledger,and
■ recordingofrecurringandnon-recurringadjustments ininancialreport-
ing,e.g.,inconnectionwithdeferrals,accruals,etc.
HIntSAnDtIPS ;
• Auditorsshouldfamiliarizethemselvesindetailwiththoseprocessgroupsthat
areimportantfortheirieldwork.
• Ifauditorsidentifyanyissues,theyshouldinformthepersonresponsibleforthe
processgroup.
• WhencreatingScopesandworkprograms,auditorsshouldusetheprocesscat-
alogasaguidelineand,whereverpossible,takeintoaccountintheirieldwork
interrelationsandinterfacesbetweenprocessgroups.
LInKSAnDRefeRenCeS e
• DElOITTE.2005.Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era.www.
deloitte.com/dtt/cda/doc/content/us_ERS_Internal%20Audit%20POV.pdf (accessed
May31,2007).
• INSTITUTEOFINTERNAlAUDITORS.2004. Internal Auditing’s Role in Sections 302
and 404 of the U.S. Sarbanes-Oxley Act of 2002.AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• PUBlICCOMPANYACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). Staf Ques-
tions and Answers: Auditing Internal Control over Financial Reporting.http://www.pcaob.
org/standards/staf_questions_and_answers/2005/01-21.pdf(accessedMay31,2007).
577
14.2.2 SOX Lifecycle Process Model
KeyPOIntS •••
• heSOXlifecycle,whichisaspeciicprocessmodel,formsthebasisforallSOX-
relatedactivities.
• WithintheSOXlifecycle,twomainphases,designassessmentandtestingofthe
internalcontrols,areparticularlyimportant.
• AnITtoolisusedfortheadministrationanddocumentationofallthestepsin
theSOXlifecycle.
heSOXlifecycle,whichisaspeciicprocessmodel,formsthebasisforallSOX-
relatedactivities. Itcontains thediferent steps thatacompanymustperformto
complywiththerequirementsofSOX.hisprocessmodelalsoshowswhyandhow
InternalAuditcanbeinvolvedinormonitorthisprocess.hediferentapproaches
ofInternalAuditcanbemappedaccordingtothegeneralprocessandtheresulting
roles.hemany,sometimescomplex,issuesarediscussedinthenextchapter(see
SectionD,Chapter14.2.3).heyformthebasisfortheapproachesInternalAudit
takestoitsSOXintegration,describedinSectionD,Chapter14.2.4.
heprocessdocumentationmustbecompiled,reviewed,andsupplementedan-
nually.hismeansthattheprocessownermustevaluate,onthebasisoftheprocess
catalog,whetherallprocessesmeettheirpurposeandobjectivesandarecorrectly
andfullyorganizedanddocumented.hisalsoincludesacompleteexaminationof
allthemappedrisksandcontrols.Tothisend,theprocessownercanusedescrip-
tivetextaswellaslowcharts,tables,andmatrices.Withinthedesignassessment
phase,twoareasaredistinguished(fordetails,seeSectionC,Chapter8):
• During control design assessment, the controls are scrutinized to establish
whethertheyaretheoreticallyabletominimizeorpreventtherelevantrisksand
whethertheyaresuitableforensuringthattheamountsstatedonanaccountare
correct.
• Duringprocessdesignassessment,on theotherhand, thematerial risksofa
processareanalyzedtodeterminewhetherallareefectivelycoveredbythede-
inedcontrols.hisinvolvesestablishingwhetherthecontrolsareworkingcor-
rectlyandpositionedasspeciied,andwhethersigniicantcontrolsaremissing.
Itisimportanttoensurethateveryprocesshasatleastonesigniicantcontrol(also
referredtoaskeycontrol)andthateachcontrolcoversatleastoneofthefollowing
criteria:completeness,accuracy,validity,andrestrictedaccess.
hedesignassessmentwilleitherconirmthattheprocessesandcontrolsare
correctorindexceptionsorerrorsthatshouldbediscussedwiththeirowners.If
noexceptionsareidentiiedandallcontrolsareregardedasefective,thedesignof
theprocessesandcontrolscanberatedasadequate.Ifexceptionsareidentiied,the
ratingdependsontheirsigniicance,eitherinrelationtotheindividualexceptions
SOXLifecycleasBasisforIntegrationSOXLifecycleasBasisforIntegration
DesignAssessmentDesignAssessment
DesignAssessmentResultDesignAssessmentResult
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integrating SOX Organization and Internal Audit
D|14|14.2
578
oraggregatedwithothercontrolexceptionsinthespeciicprocessorinrelationto
theirefectonotherprocesses.Insuchacase,theprocessandcontroldesigncan
stillberatedadequate,oritmayberatedinsuicient.hereareanumberofsimilar
criteria(e.g.:Isthenumberofcontrolssuicient?Arethecontrolsindependent?Do
theycoverthematerialrisks?)toassesstheadequacyofboththecontrols(e.g.,the
controlreducestherisktoanacceptablelevel)andtheprocesses(e.g.,allcontrols
arecorrectlypositioned).
he results of the design assessment are documented in the internal control
managementtool,wheredetailedinformation,suchastheassessmentstepstaken,
theexpectedresults,theevidenceobtained,andtheconclusion,isrecorded.Any
exceptionsshouldbeappropriatelyreportedusingpredeinedissuecategoriessuch
as“Inadequatecontroldesign”or“Controlnotperformed.”Acloselyrelatedissue
istheprioritizationoftheindingsaccordingto:
DocumentationoftheResult
DocumentationoftheResult
Create/review
process
documentation
Complete
design
assessment
Retesting
Findings
Findings
Remediation
RemediationRisk and
account mapping
Process Ow
ners
SOX Champions
Pro
cess
Ow
ners
snoipmahC XOS
sn
oip
ma
hC
XO
S
srenwO ssecorP
Fig. 29 SOX Lifecycle
579
• highpriority(e.g., if theexceptionfoundcouldtriggeramisstatement inthe
inancialreports),
• mediumpriority(e.g.,iftheexceptionsfoundcouldhaveanimpactontheac-
curacyoftheinancialdata),and
• lowpriority(e.g.,iftheexceptionfoundisofsetbyadocumentedandsuccess-
fullytestedcontrol).
heSOXchampionalsomustdecidewhethertocreateaspeciicremediationplan.
Itisnormallyadvisabletodeveloparemediationplan,ifremediationwilltakelon-
gerthanfourweekstoeliminatetheidentiiedweaknessoriftheindingrelatesto
theapplicationoftheUS-GAAPaccountingguidelines(e.g.,withregardtorevenue
recognition)ortoamissingcontrol.
hesecond importantstageof theSOXlifecycle is the testingof the internal
controls(seeSectionC,Chapter8).hecompanyisobligedtocarryoutsuchtests
and to examine diferent aspects of internal control, including, for example, the
typeofcontrol.hemethod,timeframe,andextentoftestingmustbedeinedac-
cordinglyonceayear,andinparticular,evidencemustbeprovidedtoensurethat
theinternalcontrolsareefectiveforallimportantinancialaccounts.heinternal
controlscanbetestedindiferentways,e.g.,throughinterviews,directobservation,
walk-throughs,ordocumentanalysis.
heextentoftheteststobeperformedisofparticularimportance(seeSection
B, Chapter 4.1.2; Section C, Chapter 8). he samples should be selected using a
reasonableprocedure.Dependingontherequirementsoftheexternalauditors,it
canbespeciied,forexample,thatallsigniicantcontrolsand10%ofallstandard
controls must be tested. On the basis of such parameters a structured sampling
procedurecanbedetermined.Asampleselectioncriterioncanbethefrequencyof
useoftheinternalcontrol(annual,monthly,daily,etc.).
Whentestingtheefectivenessoftheinternalcontrols,certaininformationmust
bestoredintheITtool, includingthesamplesize,thetypeofsampling,thetest
procedure or combination of testing methods, and the expected results (type of
evidence, formal and substantive accuracy). he actual test results also must be
documented.hetestresultsandtheappropriateevidencearecollectedinafolder,
referencingtheteststepsanditemsofevidencetotherelevantcontrolstepsinthe
processdocumentation.At theendof the testphase, ameeting isheldwith the
processownerstodiscusstheresultsandindings.Aterthemeeting,thetestresults
shouldbedocumentedintheITtool,usingtheappropriatecategoriesfordescrib-
inganyexceptions.
Atertheremediationphasefortheexceptionsfound,thecontrolsareretested,
focusingonwhetherthecontrolweaknessesidentiiedhavebeeneliminatedand
whethertheCEO,theCFO,andtheexternalauditorswillbeabletoconirmthe
complianceoftheinancialdataonthebasisofanadequateinternalcontrolsys-
tem.
testingtheefectivenessoftheInternalControlstestingtheefectivenessoftheInternalControls
extentoftheteststoBePerformedextentoftheteststoBePerformed
DocumentingtestexecutionDocumentingtestexecution
RetestingRetesting
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integrating SOX Organization and Internal Audit
D|14|14.2
580
HIntSAnDtIPS ;
• Whencompilingworkprograms,auditorsshould,ifpossible,incorporatethe
resultsoftheSOXlifecycle.
• Inparticular,auditorsshouldassessthedocumentedandtestedinternalcon-
trolsfromInternalAudit’sperspective.
• InternalAuditemployeesshouldasktobeincludedintherelevantdistribution
listssothattheyreceiveregularupdatesonSOXprocedures.
• Alldocumentedprocessstepsandcontrolsmustbecarefullyreferenced.
LInKSAnDRefeRenCeS e
• COMMITTEEOFSPONSORINGORGANIzATIONSOFTHETREADWAYCOM-
MISSION (COSO). 2003. Enterprise Risk Management Framework. New York, NY:
AICPA.
• COMMITTEE OF SPONSORING ORGANIzATIONS OF THE TREADWAY
COMMISSION (COSO). 1992.InternalControlIntegrated Framework.NewYork,NY:
AICPA.
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• PUBlICCOMPANYACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements.http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). 2004. Staf
Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.
pcaob.org/standards/staf_questions_and_answers/2005/01-21.pdf (accessed May 31,
2007).
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763.WashingtonDC:GovernmentPrintingOice.
14.2.3 Roles and Responsibilities
KeyPOIntS •••
• heproceduresforSOXcompliancecomprisecomplexarrangementsandafect
anumberofparties.
• Inadditiontotheprocessowners,theSOXmanager,andtheSOXchampions,
InternalAudit,theexternalauditors,theCEO,andtheCFOareallinvolvedin
SOXcompliance.
• Cooperationbetweenthesepartiesmustbeclearlydeinedandcoordinated.
581
• InternalAudit’sactivitiesareprimarilyfocusedonsharinginformationandpro-
cessexperience.
• Acloselyrelatedtaskisthedevelopmentandoptimizationofbestpracticesas
standardsforthecorebusinessprocesses.
heproceduresforSOXcompliancecomprisecomplexarrangementsoforganiza-
tionalfunctionsandafectanumberofparties,rangingfromprocessownersand
theactualSOXorganizationthroughInternalAuditandtheBoardofDirectorsand
management,whosignthecertiicationoftheinancialstatements.Toensuresuc-
cessfulcooperation,itisnecessarytoclearlydeineandcoordinatetherolesofall
theparties involved.Duetothecomplexityofthetasksandresponsibilities, it is
onlypossibletodealbrielywitheachoftheparties.
Aprocessownershouldbeselectedforeachprocessorprocessgroup(ifappli-
cable).Typically,processownersarethemanagersortheemployeeresponsiblefor
theprocessonaday-to-daybasis.hatis,theprocessownerissomeonewhoisin-
timatelyfamiliarwiththeprocess.Processownersareresponsibleforensuringthat
thedocumentationoftheprocessesandcontrolsisalwaysuptodate,theprocesses
servetheintendedpurpose,andthecontrolsareadequateandsuicient.hus,pro-
cessownersserveasqualitymanagersandexpertsfortheprocessesandcontrols
assignedtothem.FortheentiredurationoftheSOXlifecycle,theprocessowners
arethemaincontactsforallotherparties,but,toensureindependence,theyshould
notassumedirectresponsibilityforperformingdesignassessmentsortestinginter-
nalcontrols.hisisthejoboftheSOXchampion.heSOXchampionworksvery
closelywiththelocalmanager,whosemanagementdutiesincludeverifyingthatthe
internalcontrolsareworking.
WithintheactualSOXfunction,theSOXmanager,whoispartofthecorporate
riskmanagementfunction,isavailableastheirstpointofcontact.Heorshere-
portstotheheadofthecorporateriskmanagementfunction.hemostimportant
taskoftheSOXmanageristomonitorand,ifnecessary,coordinatethewholeSOX
processfromanoverallglobalperspective.
he SOX champions are another important group within the SOX function.
heyareresponsibleforSOXcoordinationatthelocallevel,i.e.withintheentity
concerned.Togetherwiththe internalandexternalauditors, theyensure thatall
SOX-relatedactivitiesarecarriedoutproperly.hisincludestrainingprocessown-
ers,monitoringthequalityofdataintheITtool,holdingcoordinationandstatus
discussionmeetings,andpreparingtheregularreportsfortheSOXmanager.More-
over,theSOXchampionscarrythemainresponsibilityforlargepartsoftheSOX
lifecycle,especiallydesignassessmentandsupportfortestingtheefectivenessof
theinternalcontrols.
InternalAudit’sintegrationintotheSOXcomplianceproceduresgivesSOXau-
ditorstheopportunitytogainacomprehensiveunderstandingofallSOX-relevant
coreprocesses(formoreonhowInternalAuditisinvolvedintheSOXprocedures,
seeSectionD,Chapter14.2.4).Bestpracticescanbeidentiiedanddeinedonthe
SOXCooperationSOXCooperation
ProcessOwnerProcessOwner
SOXManagerSOXManager
SOXChampionSOXChampion
SOXAuditorsinInternalAuditSOXAuditorsinInternalAudit
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integrating SOX Organization and Internal Audit
D|14|14.2
582
basisof thediferent forms theprocesses take,withdueregard forbusinessand
cultural diferences. At SAP, the SOX auditors are organized as a separate team
within Internal Audit. hey contribute audit expertise and provide a consistent
knowledgebase for theglobalSOXprocess, thus facilitating the introductionof
standardized testing methods and the communication of process recommenda-
tions.Atthesametimetheysupportmanagementindeveloping,improving,and
applyinginternalcontrols.heSOXauditorscanprovideimportant information
abouthowglobalguidelinesaremettoInternalAudit’sotherregionalteams,the
SOXmanager,theBoardofDirectors,andthecorporatedepartmentsconcerned.
heirknowledgeofsuitableprocesses,systems,andstructuresqualiiesSOXaudi-
torsasacompetentsourceofinformationonissuesofcompanyorganization.But
SOXauditorsalsofulillanimportantroleinpassingtheirknowledgeandexperi-
enceontootherdepartmentsandlocalsubsidiaries:Forexample,SOXauditorscan
pass their knowledge of SOX-relevant transactions, system settings, and process
designsontootherlocalsubsidiariesorinformotherauditteamsofspeciicpro-
cessandsystemdetailsrelevantfortheiraudits.Sinceitdealswithsomanydiferent
aspects,theSOXauditteamisanidealstartingpointfornewemployees:First,it
introducesthemtothebasicsofauditing,andsecond,becausetheymustfamiliar-
ize themselveswithmanydiferentprocessgroups, theyhavetheopportunity to
acquirecomprehensiveexpertisewithinonlyafewyears.Forthisreason,Internal
Auditshoulddevelopanappropriatetrainingprogram.
heexternalauditorsareresponsibleforpreparingtheannualSOXcertiication.
Accordingtotheprevailingauditguidelines,theymustconsiderthedesignassess-
mentandtheefectivenesstestingoftheinternalcontrolsandassessthequalityof
thecompany’sinternalSOXevaluationprocess.Iftheexternalauditors’assessment
hasfoundthattheinternaltestingisreliable,theexternalauditorscanbasetheir
SOXauditsonInternalAudit’sworkresults.hismeansthattheextenttowhichthe
externalauditorsmusttesttheinternalcontrolscanbereducedintermsofquantity
(althoughnotquality).
heCEOandtheCFOultimatelycarrytheoverallresponsibilityforconirming
the efectiveness and compliance of the internal control system (see Section D,
Chapter14.1.1).heymustsatisfythemselvespersonallythattheinternalcontrols
areworkingbygettinginvolvedintheSOXprocess,especiallywithtestactivities.
InternalAuditcansupporttheBoardinsomeaspectsofthistask,althoughthiscan
benosubstitutefortakingactionofitsown.
HIntSAnDtIPS ;
• AuditorsshouldlookforopportunitiestobeincludedinSOX-relatedactivities.
• Duringprocessaudits,auditorsshouldinteractcloselywiththeSOXauditteam.
• InternalAudit’semployeesshouldsharebestpracticesuggestionsbasedontheir
ieldworkwiththeSOXauditorsandSOXchampions.
• AuditorsshouldkeepuptodatewithSOXactivitiesintheirauditareasbykeep-
ingincontactwiththerelevantSOXchampions.
externalAuditorsexternalAuditors
CeOandCfOCeOandCfO
583
LInKSAnDRefeRenCeS e
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• PUBlICCOMPANYACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). Staf Ques-
tions and Answers: Auditing Internal Control over Financial Reporting. http://www.pcaob.
org/standards/staf_questions_and_answers/2005/01-21.pdf(accessedMay31,2007).
• REDING, k. F., P. J. SOBEl, U. l. ANDERSON, etal. 2007. Internal Assurance and
Consulting Services. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• RITTENBERG,l.E.ANDB.J.SCHWEIGER.2005.Auditing: Concepts for a Changing
Environment. Mason,OH:hompson.
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. WashingtonDC:GovernmentPrintingOice
14.2.4 Overview of Internal Audit’s SOX Services
KeyPOIntS •••
• herearetwobasicwaysinwhichInternalAuditcanbeinvolvedintheSOX
complianceprocedures:Byprovidingsupportservicesandbycarryingoutaudit
engagements.
• Diferent formsofservices,whichcoverspeciic topicsaccordingto theSOX
lifecycle,arepossible.
• However,theSOXorganization,theprocessowners,andtherelevantmanagers
areresponsibleforensuringthattheSOXlifecycleiscompleted.
hischapterprovidesanoverviewofthediferentwaysinwhichInternalAuditcan
beinvolvedintheSOXcomplianceefort.Subsequentchapterswilldiscusseachin
moredetailandwithagreaterfocusontheAuditRoadmap.Especiallyduringthe
irstyearsofSOX implementation, it is advisable toassign InternalAudit’sSOX
complianceactivitiestoadedicatedSOXauditteam.hisallowsspeciicexpertise
tobebuiltfasterandcontrolledaccordingtorequirements.Inaddition,theriskof
neglectingInternalAudit’sotherauditworkiseliminated.
ProvidedthatadedicatedSOXauditteamhasbeendesignated,InternalAudit
canapproachtheSOXprocessintwoways:eitherbyprovidingsupportservicesor
bycarryingoutauditengagements.heaimofsupportservicesisprimarilytohelp
thedepartmentsandsubsidiariesafectedbySOX,especiallyduringtheprelimi-
naryphasesof implementation.heultimateobjectiveofauditservicesistotest
DedicatedSOXAuditteamDedicatedSOXAuditteam
twotypesofSOXServicestwotypesofSOXServices
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integrating SOX Organization and Internal Audit
D|14|14.2
584
existingSOXprocessesaspartofa“classic”audit,toreportanyweaknesses,and
providerecommendationsforimprovement.heprocedureislargelythesameas
that forother typesofaudits.hediferencesaredescribed later (seeSectionD,
Chapter14.3).WheneverInternalAuditisinvolvedintheSOXlifecycle,theprin-
ciplesofindependenceandobjectivitymustbemaintained.hefollowingdiagram
illustratesthediferentSOXservices.
Supportservicesaredescribedasfollows:
• hemainpurposeofgeneralsupportservicesistoprovidehelpasrequested,
e.g.training,documentcreation,processreviews,etc.Everyorganizationalunit
afectedbySOXsections302and404iseligibleforthesetypesofservices.he
timeittakestoprovidethesupportdependsontheextentofservicesrequested,
but it should not exceed 30 days per auditee unit. Several auditors can work
simultaneouslyduringthisperiod.hetimerestrictionisimposedtolimitre-
sponsibilityandensureindependenceforsubsequentaudits.
• Designassessmentsupportservicesprovidehelpinperformingacompletepro-
cessassessmentofspeciicprocessgroups.hisconcernseveryunitthatmust
complywithSOXsections302and404.hetimeprovidedfordesignassess-
mentsupportshouldalsonotexceed30daysperauditeeunit.
• FromtheGIAS’perspective,controlefectivenesssupportforspeciicprocess
groupsisthemosttypicalformofsupportInternalAuditcanprovidebecauseit
isverycloselyrelatedtoauditing.hisconcernsallsubsidiariessubjecttoSOX
sections302and404,andthe30-daytimelimitalsoapplies.
hefollowingformsofauditservicesarepossible:
• localSOXprojectauditsshouldestablishhowSOXprocesseshavebeenimple-
mentedinaunitfromanorganizationalperspective.heseauditsshouldinclude
newsubsidiariesthatmustcomplywiththeSOXrequirementsfortheirsttime.
hemaximumtimeframefortheseauditsshouldbe20persondays.
SupportServicesSupportServices
AuditServicesAuditServices
Fig. 30 Overview of SOX Services
585
• SOX quality audits are aimed at testing the quality of SOX activities in a
subsidiary.heyafectallunitsthathavealreadycompletedtheSOXlifecycle
and focus on compliance with the formal criteria of the SOX process. From
apracticepointofview,werecommendatimeframeofnomorethan5through
15persondaystopreventtheseauditsfromevolvingintoasupportengagement
orafull-blownprocessgroupaudit(seeSectionD,Chapters14.3.1and14.3.2).
• ForSOXprocessgroupaudits,speciicprocessgroupsareselectedforafullSOX
review,rangingfromdesignassessmentthroughtesting.heyagainafectallunits
thathavealreadycompletedtheSOXlifecycle.Dependingonthecomplexity,
atimeframeof30through40persondaysisrecommended.
Although the support services are normally optional and should be viewed as
a “start-up” service during the irst two years of SOX implementation, the SOX
auditserviceswillbeanintegralpartofInternalAudit’sannualauditplan.Each
companymustdecideforitselfwhethertheseservicesshouldcontinuetobeofered
byadedicatedauditteam,orwhethertheyshouldbepartiallyorgraduallyassigned
toregularauditteams.However,themainresponsibilityrelatedtodesignassess-
mentandtestingremainswiththeSOXorganization,theprocessowners,andthe
managersresponsible.InternalAudit’s involvementmustbelimitedtothatofan
independentstafdepartment.
HIntSAnDtIPS ;
• Ifatallpossible,auditorsshouldbeinvolvedinInternalAudit’sSOXsupportor
auditservices,eveniftheydonotbelongtotheSOXauditteam.
LInKSAnDRefeRenCeS e
• HAUSER,D.,R.HOPkINS,AND H.lEIBUNDGUT.2004.heSarbanes-OxleyAct
andtheRoleofInternalAudit.Der Schweizer Treuhänder(December2004):1057-1065.
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
14.3 Integration along the Audit Roadmap
14.3.1 SOX Support Model
KeyPOIntS •••
• GIAS’SOXsupport isbasedonboththeSOXlifecycleandthephasesof the
modiiedAuditRoadmap.
• ASOXauditorcanassumeasupportingroleinreviewingtheSOXdocumenta-
tionandinassessingandtestingthecontrols.
MainResponsibilityMainResponsibility
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integration along the Audit Roadmap
D|14|14.3
586
• hesupportworkcanbeperformedthroughoutthephasesoftheAuditRoad-
map.
• AlthoughSOXsupportisnotanaudit,areportshouldbesenttotheBoard.
heintegrationofInternalAuditintoSOXprocessdesignallowsInternalAuditto
providesupporttotheorganizationalunitsconcerned,bothduringpreparations
andwhenimplementingtheprovisionsofSOXsection404.heSOXauditteam
shouldensurethattheSOXchampionandtherelevantprocessownersunderstand
theirdutiesandareabletoperformtheirtaskscorrectlyandcarefully.
WhenprovidingSOXsupport,aserviceinthenon-audit-relatedcategory(see
SectionA,Chapter7.3),InternalAuditbasesitsactivitiesonthestandardprocess
modeloftheAuditRoadmap(seeSectionB).Speciicelementsareaddedwhere
requiredbytheSOXsupport.heSOXlifecycleisanotherreferenceframeworkfor
InternalAudit’sactivities(seeSectionD,Chapter14.2.2).Bothelementsshouldbe
reconciled and aligned with each other. When providing SOX support services,
specialfactorsariseinrelationtoeachphaseoftheAuditRoadmap.hesefactors
areexplainedinthefollowing.
When planning SOX engagements, Internal Audit’s support services are also
takenintoconsideration.hisafectsprimarilythelocalsubsidiariesandthepro-
cessgroupsthataresubjecttotheprovisionsofSOX.TwotypesofSOXsupportcan
bedistinguished:supportthatInternalAudithasidentiiedasnecessaryduringan-
nualauditplanningandsupportthatthelocalsubsidiaryorlocalSOXchampion
requestsfromInternalAudit.
heextentofthesupportservicestobeprovideddependsontherequirements
oftheorganizationalunitconcerned.Allactivitiesarebasedontheprocessdocu-
mentationrecordedintheinternalcontrolmanagementtool(seeSectionD,Chap-
ter14.2.1).hepreparationsforSOXsupportcomprisetwomainsteps:hesupport
announcementandadetaileddeinitionofthenecessaryactivities.
hesupportannouncementmustgivereasonablenoticetotheorganizational
unitconcerned,i.e.,itshouldnotbemadelaterthanonemonthbeforeactivitiesare
scheduledtostart.hentheSOXsupportlead,inconsultationwiththelocalSOX
champion,determinestheprocessgroupstobegivensupport.
heSOXauditorscarryout theSOXsupport largelyaccording to theproce-
duresofInternalAudit.Indoingso,theyassessexisting(partial)workresultson
theonehand,andontheothertheycloseanygapsandprovideusefulexamplesfor
designassessmentandtestprocedures.hesupportprovidedisdocumentedinthe
workingpapersinastructuredformat;forthecontroltestphaseinparticular,the
samplingmethodmustbeaccuratelydocumented.
Oncethesupportworkhasbeencompleted,aclosingmeetingisheldatwhich
theSOXchampionandthelocalCFOareinformedoftheresults.Iftheyacceptand
agreewiththeresults,theinalreportishandedtothem,aswellastoallthosere-
sponsibleintheSOXorganizationandInternalAudit.heinalreportcontainsthe
indingsforeachprocessgroupandindicatestherelevantstatus.ABoardsummary
SupporttaskSupporttask
AuditRoadmapandSOXLifecycle
AuditRoadmapandSOXLifecycle
AuditPlanningAuditPlanning
ScopeScope
SupportAnnouncementandDeinitionof
Activities
SupportAnnouncementandDeinitionof
Activities
executionexecution
ReportingReporting
587
isalsoprepared,whichgivesatraic-lightstatusandhighlightsthemostserious
problemareas.AcopyofthissummaryisalsosenttothoseresponsibleinInternal
Audit.Ifthestatusofthereportisred,theresultsarediscussedwiththeCEO.In
addition,theBoardshouldbegivenaseparatequarterlyreport,whichsummarizes
theresults.
Aterreporting,thefollow-upphasebeginswiththeremediationoftheind-
ings.heindingsdescribethecurrentstatus,listingtheweaknessesidentiiedfor
remediationasabasisforfurtheraction.hentheSOXchampionsretestthepro-
cessandcontroldesignandtheefectivenessoftheinternalcontrols.Normally,this
taskisnotincludedinInternalAudit’sremit,anditisgenerallytheprocessowner’s
responsibilitytoresolveanyproblems.Oncethistaskhasbeencompleted,thepro-
cessorcontrolhastobelettodoitsworkforatleastonemonthbeforetheSOX
champion performs another test. his is to ensure that the weakness has in fact
beeneliminatedandnofurtherproblemshaveoccurred.Ifnecessary,InternalAu-
ditcansupporttheorganizationalunitagainduringretesting.
HIntSAnDtIPS ;
• Auditors should try to incorporate the results of SOX support activities into
theirworkprograms.
• AuditorsshouldregularlyexchangeinformationabouttheSOXqualitystatusin
thevariouslocalsubsidiarieswithcolleaguesfromotherauditteams.
LInKSAnDRefeRenCeS e
• HAUSER,D.,R.HOPkINS,AND H.lEIBUNDGUT.2004.heSarbanes-OxleyAct
andtheRoleofInternalAudit.Der Schweizer Treuhänder(December2004):1057-1065.
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
14.3.2 SOX Audit Model
KeyPOIntS •••
• InternalAudit’sSOXprocedureisbasedonthestandardAuditRoadmap.
• Appropriateadditionsandmodiicationsshouldbemadeforspeciicphases.
• InternalAuditmustapplyspecialproceduresforthepreparationandexecution
ofSOXaudits.
• SpecialproceduresmustbeappliedforSOXauditsbecauseofthedeepstructure
oftheprocessesandobjectstobeauditedandthealignmentwiththeinternal
controlmanagementtool.
follow-Upfollow-Up
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integration along the Audit Roadmap
D|14|14.3
588
hegeneralAuditRoadmapformsthebasisforallSOX-relatedauditactivities.his
appliestoallengagementtypes(seeSectionD,Chapter14.2.4)andservestoensure
thatInternalAuditalwaysmeetsthecompliancerequirementsofinternationalau-
ditinstitutes.ForSOX-relatedauditactivities,partsofthestandardAuditRoadmap
aremodiied.
SinceresourcesandcapacitiesforpossibleSOXauditsarelimited,theunitstobe
auditedshouldbeassessed,analyzed,andselectedaccordingtorisk(seeSectionD,
Chapter3),inthesamewayasduringthegeneralauditplanningprocess(seeSec-
tionB,Chapter2).Tobeabletoweightauditobjectsofequalstanding,theclassic
riskassessmentformulaordeterminedrisklevelisfurtherqualiiedbyaweighting
factor(e.g.,inrelationtosales).Inaddition,SOXauditscanalsobeincludedinthe
audit plan in response to audit requests (see Section B, Chapter 2.3). Similar to
otheraudits,SOXaudits shouldhaveanopeningmeeting.SOXauditors should
alsousetheinternalcontrolmanagementtoolduringtheplanningphase,because
ModiiedAuditRoadmapModiiedAuditRoadmap
AuditPlanningAuditPlanning
Fig. 31 SOX Audit Roadmap
589
itprovidesthemwithagoodoverviewofthesubstanceandstatusoftheSOXpro-
cessesintheorganizationalunitconcerned.
hedeinitionofaScopeispredeterminedbythenecessarycomprehensivepro-
cessandcontroldocumentation.SincetheSOXdocumentationdescribesthecon-
tentindetail,itisnotnecessarytocreateaspecialScopeforSOXaudits.heaudit
stepscanbetransferredtoaworkprogramonthebasisofthedescribedprocesses.
he next step is the development of the SOX-speciic work program, which
consistsprimarilyofaproject-relatedauditlistandallowstheauditorstotesteach
individual SOX process step, from documentation through certiication of the
inancialstatements.Sinceactivitiesfocusonindependenttestsofthedesignas-
sessment and the internal controls, the work program contains details of these
steps,withreferencetotherelevantcategoriesintheITtool.Inthiscontext,itisa
goodideatoanalyzetheauditpreparationandexecutionphasesinclosecorrela-
tion,becausetheybuildoneachother.
herearediferenttypesofaudits:localSOXprojectaudits,SOXqualityaudits,
and SOX process group audits. SOX project audits follow the classic procedure.
heyareusedbypreferencewhenasubsidiaryisintroducingtheSOXprocesses.
heobjectiveistoindoutwhetherthesubsidiaryissuicientlypreparedforthe
SOXcomplianceprocedures.heaimofSOXqualityauditsistogainascompre-
hensiveanoverviewaspossibleofhowwell theSOXprocessescomplywith the
quality standards. Process group audits focus on various SOX-related process
groups(formoreinformationseeSectionC,Chapter8).
AuditexecutionpassesthroughtheentireSOXlifecycleindetail.Adistinction
mustbedrawnbetweenthecomprehensiveauditsectionandtheindividualcase,
selectedbysampling(seeSectionB,Chapter4.1.2).herelevanttemplatesforre-
cordingthetestresultsfromthedesignassessmentreviewandcontroltestingare
suitableforuseasworkingpapers(fordetails,seeSectionC,Chapter8).
heSOXauditactivitiesareoiciallyconcludedataclosingmeeting,wherethe
resultsarepresentedanddiscussed.hisincludestheprocessgroupreview,asum-
mary of the signiicant indings for each process group, a preview of the Board
summary,andtheclariicationofanyunresolvedissues.Allinvolvedpartiesfrom
theSOXorganizationand, ifappropriate,also theprocessowners shouldattend
thisclosingmeeting.
heBoardsummaryisasigniicantreportingelement.Foreachauditsegment,
itprovidesthesummarystatusonthebasisofInternalAudit’sindings.hisreport
shouldalsobesent toall involvedparties in theSOXorganizationandall those
responsibleinInternalAudit.
helastremainingstepisthenormalfollow-upphase.Duringthisphase,the
auditors,inconsultationwiththeSOXorganization,investigatewhenandtowhat
extentInternalAudit’srecommendationshavebeenimplementedbytakingappro-
priateaction.hefollow-upisprecededbysettingtimeframeswithinwhichthese
investigationsaretotakeplace.hishastobecloselycoordinatedbetweenInternal
AuditandtheSOXorganization.
ScopeScope
AuditPreparationAuditPreparation
DiferentAudittypesDiferentAudittypes
AuditexecutionAuditexecution
ClosingMeetingClosingMeeting
ReportingReporting
follow-Upfollow-Up
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integration along the Audit Roadmap
D|14|14.3
590
he extent of Internal Audit’s involvement in the SOX processes depends on
anumberoffactors.Inthelongterm,InternalAuditcannotbyitselfensurethatthe
SOXprovisionsareproperlyimplemented.Forthisreason,otheroperationalpar-
tiesmustcarrythemainresponsibilitybyconductingassessmentsandtests.But
thiscanonlybeorganizedifthereisnooverlapofresponsibilitiesandnoconlictof
interestregardingthecontrolfunctions.Ifthisworksproperly,InternalAuditmay
dependontheseresultsandverifythemwithqualiiedsamples.
HIntSAnDtIPS ;
• WhenpreparingforSOXaudits,auditorsshouldalsotrytoconsulttheresults
ofotheraudits.
• AuditorsshouldestablishatanearlystagewhethertheSOXprocessdocumen-
tationiscomplete.
LInKSAnDRefeRenCeS e
• COMMITTEEOFSPONSORINGORGANIzATIONSOFTHETREADWAYCOM-
MISSION (COSO). 2003. Enterprise Risk Management Framework. New York, NY:
AICPA.
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• PUBlICCOMPANYACCOUNTINGOVERSIGHTBOARD(PCAOB).2004.Audit-
ing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements. http://www.pcaobus.org/Standards/
Standards_and_Related_Rules/Auditing_Standard_No.2.aspx(accessedMay31,2007).
• PUBlIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB). 2004. Staf
Questions and Answers: Auditing Internal Control over Financial Reporting. http://www.
pcaob.org/standards/staff_questions_and_answers/2005/01-21.pdf(accessedMay31,
2007).
• U.S.CONGRESS.2002.Sarbanes-Oxley Act of 2002. 107th Congress of the United States of
America. HR 3763. WashingtonDC:GovernmentPrintingOice.
14.3.3 Coordination of SOX Activities
KeyPOIntS •••
• InternalAudit’sinvolvementinSOXcertiicationactivitiesincludesintroducing
theSOXregulationsandlong-termtaskassignment.
• EicientcooperationbetweenthediferentauditteamswithinInternalAuditis
necessaryrightfromthestartofSOXimplementation.
extentofInternalAudit’sInvolvement
extentofInternalAudit’sInvolvement
591
• Inthelong-run,InternalAuditmustleavetheunitstoperformtheoperational
aspectsofSOXandconcentrateontheactualaudittask.
• hetasksandresponsibilitiesaregraduallybeingredistributedamongthedif-
ferentauditteamswithinInternalAudit.
Asdescribedearlier,InternalAudit’sinvolvementintheSOXactivitiesafectsthe
wholedepartmentinavarietyofways.heearlyyearsofSOXimplementationdif-
ferfromthelonger-termfocusanddistributionoftasks,becauseduringtheSOX
introductionphase,theobjectivesanddeadlinescanonlybemetifalltheinvolved
partiespooltheireforts.
Existingresponsibilitiesshouldbediscussedasfollows:
• heprocessownersandtheSOXorganizationhavecentralresponsibilityforthe
currentprocessdocumentation,andmustguaranteenotonlythattheinancials
arecorrect,butalsothattheinternalcontrolsystemisworking.heBoardmust
ensurethatthesigniicanceofthisresponsibilityiscleartoallinvolved,andthe
annual tasksundertheSOXlifecyclemustbeanintegralcomponentof their
activitiestoensurethattheentireorganizationiscompliantwithSOX.
• InternalAuditshouldberesponsibleformonitoringtheimplementedcontrols.
InternalAuditcanusediferentformsofauditing:Eitherafullauditorasam-
ple-basedaudit.Onlyifoperationalunitscooperateandauditworkisfocused
efectivelycanthenecessaryassurancebereachedforcertiicationbymanage-
mentandtheBoard.
InternalAuditmustalsodeterminehowtheSOX-relatedtasksareassignedwithin
thedepartment.Itshouldgenerallybeassumedthat,asprocessaudits,SOXaudits
formalong-termcomponentofa“normal”standardauditandtieinwiththeother
long-termcomponentsaccordingly.
heSOXauditteamprimarilyconductsauditsonthebasisofaSOXworkpro-
gram,examiningthelocalsubsidiary-speciicresults,teststandards,andsigniicant
internalcontrols.heteamthenforwardstheresultstotheregionalauditteamsfor
furtherassessmentandauditingifappropriate,orforincorporatingthemintoan
auditalreadyscheduled.heregionalauditteamsalsoconductauditsonthebasis
ofastandardworkprogram,whichallowsthemtotestsigniicantinternalcontrols.
heresultsaremadeavailabletotheSOXteamsothatitcanassessthemandcon-
duct further SOX-speciic audits, if appropriate. he mutual exchange of audit
resultsmustbepreciselytimedandcoordinatedinordertoavoidduplicationand
exploitsynergies.
Although it is sensible to form a dedicated SOX audit team during the early
phase of SOX implementation, in the longer term, the tasks will tend to spread
amongallauditteams.Ingeneral,thisisdoneintheinterestoftime,butalsorelates
tothecontentoftheaudits.Withregardtotime,theSOXactivitiesaretiedintoa
ixed timeframe, (i.e., theaudit cyclemustbecompletedwithinoneiscalyear).
SOXauditsconductedbyInternalAuditmustcomplywiththistimeframetopro-
Short-termandLong-termInvolvementShort-termandLong-termInvolvement
ResponsibilitiesResponsibilities
AssignmentoftasksAssignmentoftasks
CooperationBetweenSOXAuditteamandRegionalteam
CooperationBetweenSOXAuditteamandRegionalteam
taskforAllAuditteamstaskforAllAuditteams
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Integration along the Audit Roadmap
D|14|14.3
592
duceusableresults.hisshouldberelectedintheannualauditplan,iforganiza-
tionalunitsearmarkedforauditingaresubjecttotheSOXprovisions.Ifthisisthe
case,InternalAuditshouldconsiderwhethertheauditsshouldfollowthemodiied
SOX Audit Roadmap rather than the standard Audit Roadmap (see Section D,
Chapter14.3.2).Inthelongerterm,InternalAuditcanalsousetheinternalcontrol
managementtooltoaddressandconducttheSOXauditsofprocessgroupsusing
thestandardworkprogramanddocumenttheresultsinthetool.hiswouldturn
theSOX-relevantauditproceduresintoanintegralpartofastandardaudit,with
thediferencethattheauditwouldbeconductedexclusivelybytheregionalaudit
teamsandnolongerbytwoindependentauditteams.
HIntSAnDtIPS ;
• SigniicantSOX-relatedauditresultsshouldalwaysbesharedwithallInternal
Auditcolleaguestomaximizethelearningefect.
LInKSAnDRefeRenCeS e
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
14.4 Impact of Introducing SOX
KeyPOIntS •••
• heintroductionofSOXhasmanydiferentconsequencesfortheafectedcom-
panies,bothinternallyandexternally.
• SOXsupportsInternalAudit’sdevelopmentintoanactivemanagementinstru-
ment.
• InternalAudit’sfocusonsupportingcompliantSOXcertiication,thequestfor
bestpractices,anditsuniversalauditmandatemakeitacompetentpartnerfor
manyparties.
heintroductionofSOXhasexternaland internalconsequences for thevarious
organizationalunits.FromInternalAudit’sperspective,theseconsequencescanbe
summarizedasfollows:
• heintroductionofSOXpresentsanimportantopportunityforInternalAudit
toplayakeyroleinthecertiicationprocess.hisisjustiiedbecauseofInternal
Audit’sknowledgeoftheinternalcontrolsystem.InternalAuditshouldusethis
opportunity, while making sure that it complies with the department’s own
principlesandfulillsitsgeneralauditmandate.
SigniicantAspectsSigniicantAspects
OpportunitytoPlayKeyRole
OpportunitytoPlayKeyRole
593
• AsaresultofInternalAudit’sroleinthecertiicationprocess,theBoardofDi-
rectorsandmanagementwilltakegreaternoticeofInternalAudit.hissupports
InternalAudit’sefortstodevelopintoanactivemanagementinstrument.he
attentionitreceivesasaresultofSOXcanenhanceInternalAudit’sacceptance
asamanagementinstrument.
• herearefurtherconsequencesforInternalAudititselfinthatitmustcooperate
withadditionalpartnersandreorganizeitstaskstructure,atleastpartially.hese
internalefectsshouldnotbeunderestimated,becausetheymayentailchanges
totheentireprocesslow.hisalsoinvolvesclosercooperationwithallparties
afectedbySOX,includingtheexternalauditors.
• Internal Audit also derives various other beneits from SOX. For example, a
comprehensiveinternalcontrolsystemmakestheprocessesmoreself-regulat-
ing,whichmeansthatInternalAuditcanbeevenmorefocusedonsigniicant
auditcontent,becauseautomatedprocedureshelpreducetheextentofauditing.
Acloselyrelatedaspectisthequestforbestpractices,whichcanbemaintained
centrallyand ina standard format for theentireGroupor transferred to the
serviceorganizations.
• SOXcertiicationensuresbothinternallyandexternallythattheprocessesofthe
organizationarecompliant.hisalsoguarantees that theinancialstatements
arereportedcorrectlyandwithoutomissions,whichcreatesareputationoftrust
and security among stakeholders. he efect this has, especially on business
partnerssuchascustomers,suppliers,andbanks,mustnotbeunderestimated.
Moreover, SOX certiication completes the image of a successful company. Al-
thoughtheydonotdirectlygeneratesalesorproits,thepositiveefects–especially
increased investor conidence resulting from the conirmation of internationally
recognizedcompliance–canboostbusinesssuccess.Aneicientandefectivepro-
cedureisaprerequisiteinthisregard.
If a company wants to take a leading role among national and international
competitors,itmuststayabreastofthelatestdevelopments.hus,SOXcanandwill
actasatrendsetterandleadtofurtherdevelopmentsforcompaniesnot(yet)di-
rectlyafected,astheywillnotbeabletoescapethistrend.
HIntSAnDtIPS ;
• When preparing reports on SOX audits or support services, auditors should
highlightanybestpractices.
• Inthemanagementsummaries,theyshouldestablishalinktotheSOXrequire-
mentsandtheirimplementation.
• InformationaboutInternalAudit’sSOXactivitiesshouldbemadeavailableto
allstakeholders.
PerceptionasManagementInstrumentPerceptionasManagementInstrument
IncreasedCooperationIncreasedCooperation
AdditionalBeneitsofSOXAdditionalBeneitsofSOX
CertiicationasBasisoftrustCertiicationasBasisoftrust
efectsonBusinessSuccessefectsonBusinessSuccess
trendsettertrendsetter
Special Topics and Supplementary Discussion
Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act
Impact of Introducing SOX
D|14|14.4
594
LInKSAnDRefeRenCeS e
• DElOITTE.2005.Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era.www.
deloitte.com/dtt/cda/doc/content/us_ERS_Internal%20Audit%20POV.pdf(accessedMay
31,2007).
• INSTITUTEOFINTERNAlAUDITORS.2006.Sarbanes-Oxley Section 404: A Guide
for Management of Internal Control Practitioners. AltamonteSprings,Fl:heInstituteof
InternalAuditors.
• REDING, k. F., P. J. SOBEl, U. l. ANDERSON, etal. 2007. Internal Assurance and
Consulting Services. AltamonteSprings,Fl:heInstituteofInternalAuditors.
• RITTERBERG,l.ANDP.k.MIllER.2005.heGoodNewsAboutCompliance.Inter-
nal Auditor 62(3):55–60.
596
For many years, Internal Audit stayed on the sidelines of day-to-day business op-
erations and was generally perceived as a group of “box-checkers,” feared rather
than valued as a control body at the behest of corporate management. We hope that
the exploration contained in this handbook has changed this perception and, using
the developments at SAP as an example, refuted it at least in part. Even if some ele-
ments of these original views persist, the irst important steps toward a changed
perception of Internal Audit have been taken.
he reorientation is not about totally reinventing Internal Audit, because much
of what has long been accepted as good and correct still applies to this day. Tradi-
tional audit activities at the day-to-day working level will always form part of the
audit work carried out to achieve the desired results. he requirements for documen-
tation and reporting, for example, have not lost their signiicance. In addition,
a healthy measure of respect for Internal Audit within the company may be expedient,
because Internal Audit would otherwise not be able to fulill its audit mandate in
the interest of company management and all employees. herefore, Internal Audit’s
further development should continue to be integrated into the framework and basic
principles of audit work and the auditors’ self-image and into every company’s own
corporate governance system. Any attempt to change or redeine this radically
should be resisted. Internal Audit’s roots must not be forgotten, irrespective of
overall economic or business developments.
Many aspects of Internal Audit have started to change. he internal audit frame-
work and its changes, which we have covered extensively in this handbook, will
shit the tasks of Internal Audit further toward ensuring holistic entrepreneurial
compliance and business eiciency in the future. As our discussion has shown,
a number of approaches and methods already exist at SAP. he implementation of
the Audit Roadmap, internal and external cooperation models, increasing interna-
tionalization, strong involvement in the implementation of and compliance with
the provisions of SOX, but also the increasing requirements in terms of audit-related
additional services are all factors that are inluencing and changing Internal Audit’s
self-image for the long term. hese issues afect not only large corporations, but
increasingly also medium-sized companies.
In the age of enhanced customer focus, Internal Audit also must develop its role
as a service provider. As an instrument of corporate management, it is irst and
foremost responsible for monitoring the implementation of and compliance with
policies and guidelines. Since the application of these rules can contribute to secur-
ing the company’s continued existence, Internal Audit must perform its task with
consistent determination. At the same time, it should develop diferent types of
tasks and topics and cooperation models and fulill its primary mandate with the
appropriate customer focus.
he question of a comprehensive sotware solution that is integrated into the
company’s IT processes will pose another challenge for Internal Audit in the future.
he discussion in the preceding sections can make a valuable contribution here,
because in many respects, it covers the principles needed for a comprehensive, in-
Perception of Internal Audit
Perception of Internal Audit
Limits of Further Development
Limits of Further Development
Changed FrameworkChanged Framework
Customer FocusCustomer Focus
Software Solution for Internal Audit
Software Solution for Internal Audit
Conclusion E
597
ternationally applicable audit concept. In the future, there should be special consid-
eration for auditing with automatically generated Scopes, audit plans, etc. and for
continuously identifying audit topics, in-process, on the basis of thresholds or risk
assessments. his entails that Internal Audit will adopt a proactive role, which
requires support from an integrated system of audit sotware and application sot-
ware.
Another focus for Internal Audit in the future will be on highlighting the addi-
tional beneits the department can deliver. It is easy to show on the basis of a single
inding whether the implementation of an audit recommendation has led to an
improved situation or process. An individual assessment like this can be made
easily and accurately. he greater challenge, however, is to demonstrate the results
of audit work throughout the company. his is a very complex issue, because it is
diicult to accurately trace improvements back to the work of Internal Audit. hese
achievements are measurable efects, expressed as cost savings or enhanced beneits.
However, these results should be aggregated on the basis of meaningful structures,
e.g., responsibilities or processes.
Another important aspect of internal audit work is the development and ex-
amination of indings over time. Findings should be aggregated across the company
so that trends can be identiied as to whether the work of Internal Audit promises
results in certain areas and the processes and internal controls have in fact im-
proved. If the same indings are made repeatedly, either the existing arrangements
pertaining to the inding are not or only barely applicable, or communication or the
speed of change is not adequate. In such cases, information events or training may
be needed to ensure the requirements are clear to all employees. hus, error fre-
quency and control weaknesses must be analyzed in detail, because their root may
be found in the organization, the process, or even among employees or company
management. Lasting improvements can only be made if the cause has been identi-
ied.
he treatment of fraud remains a signiicant issue. It is important to establish
whether a fraud happened unintentionally or was committed deliberately, and
whether it was a one-time or a repeated occurrence. As part of its preventive
activities, Internal Audit can help investigate combinations of topics, such as the
perception of injustice among employees, the extent of compliance awareness in the
company, and the need for appropriate guidelines. he main challenge for Internal
Audit in the future will be to coordinate its activities closely with other corporate
units, e.g., the global compliance organization, Risk Management, Human Re-
sources, as well as operational management.
Two aspects are of key importance for the future of Internal Audit:
• First, Internal Audit must deine its own strategic reporting system, which goes
far beyond current reporting levels. Currently, reports have a strong operational
focus, and those prepared for management provide summaries rather than anal-
yses and forecasts. Internal Audit should identify trends and future (focus) areas
for action on the basis of its experience with regard to these and other factors.
Highlighting Additional Beneits of Internal Audit
Highlighting Additional Beneits of Internal Audit
Development of Findings over TimeDevelopment of Findings over Time
FraudFraud
Future of Internal AuditFuture of Internal Audit
598
his can relate to the audit topics per se or, more importantly, to the resulting
areas of action for corporate management and the relevant supervisory bodies.
Possible instruments in this context include, for example, portfolio analyses and
forecasts of the distribution and development of audit topics and indings. his
enhanced reporting allows Internal Audit to demonstrate its ability to add value
by identifying areas for improvement preemptively.
• Second, Internal Audit must cooperate with other parties, both within and out-
side the company. Internal Audit’s tasks can no longer be accomplished in isola-
tion. he complex requirements of the company and of external stakeholders
and regulators can only be met eiciently with internal and external coop-
eration. Importantly, this includes cooperation with other companies, profes-
sional associations and government institutions as a suitable means to develop
a globally consistent interpretation of compliance.
Important irst steps have been taken, but there is no doubt that much work is still
required to adapt the signiicance, position, and function of Internal Audit to the
changed framework. here is still a long way to go before these objectives can be
achieved. hus, this book is certainly not the end of the journey but hopefully a
signiicant milestone.
OutlookOutlook
600
A
ABAP 411
ABAP report for IT audit 412
ABAP workbench 417
accruals 319
for contingent losses 323
for legal and consulting
costs 324
accrued liabilities audit 318
accruals for contingent
losses 323
analytical comparisons 323
bonus accruals 322
other accruals 324
outstanding invoices 321
preparation 319
tax accruals 324
vacation accruals 320
ad-hoc audits 89, 157, 437, 467
Audit Roadmap 158
ageing structure list 315
analytical audit procedures 144,
229, 307, 346, 347, 353
analysis of assets 311
analysis of liabilities 312
analysis of the income
statement 312
plausibility analysis 307
purpose 229, 309
ratio analysis 308
trend analysis 308
types 230
annual audit plan
structure 204, 467
annual audit planning 202, 463
annual audit plan 204, 467
audit inventory 203
execution planning 204, 469
irmly planned audit 467
interrelation of global and
regional planning 471
inventory of possible audit
topics 463
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
iterative process 465
overview 202, 203
procedure 467
risk assessment 464
risk proiles 203
sub-phases 203
attorney-client privilege 240
audit 2, 3
content 95
deinition 2
ieldwork 223
follow-up audit 276
follow-up phase 272
objectives 3
planning 192
preparation 211
project-like characteris-
tics 80, 92
reporting 247
status check 274
test procedures 227
audit activities see ieldwork
activities
audit announcement 211, 334
ad-hoc audits 213
addressees 213
contents 212
reasons 211
template 212
timeframe 213
audit approaches 115, 142, 143,
146, 147
choice of audit
approach 147
compliance-based 146
relation between audit ield
and the audit approach to be
used 149
results-based 147
risk-based audit approach
as a framework 145, 148, 446
system-based 145
transaction-based 146
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
audit category 115, 150
global audit 152
local audit 150
regional audit 152
Audit Committee 77, 269
audit content 95
Scopes 95
audit control 550
beneits 552
deinition 550
audit cycle 115, 159, 278
statuses 160
auditee 301
audit ields 114, 117
Audit Information System
(AIS) 236
audit inventory 203
audit lead 80, 209, 304
responsibilities 80
audit management 49
budgets 51
IT solution 103, 200
Audit Manager 76, 78, 84
responsibilities 76, 79
audit mandate 27
audit method 114
content determinants 114
formal determinants 115
audit objectives 216
auditor judgment 258
auditor proiles 83
global auditor 84
senior auditor 84
audit performance
record 548
audit principles 67
audit procedures 3
audit process
overview 298
audit-related other services 44,
165
cost-efectiveness
analysis 165, 167
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Subject Index F
601
implementation support 165,
175
pre-investigation 165, 170
review 165, 172
audit request 111, 206
impact 208
reasons 206
template 207
types 208
audit risk 143
Audit Roadmap 93, 186, 298
advantages 189
electronic implementa-
tion 186
execution 223
ieldwork activities 224
follow-up phase 272
main phases 93, 186, 298
modiications 187
planning 192
preparation 211
quality assurance 188
reporting 249
special Audit Roadmaps 282
standard Audit
Roadmap 187
sub-phases 187
audit summary 243, 249
audit survey 497, 519
IIA Practice Advisory
1310-1 520
internal marketing 554
purpose 519
structure 520
audit teams 79, 80, 209, 304
audit lead 209
selection 209
structure and organiza-
tion 79
tasks 209
audit topics 25, 463
external sources 463
audit types 155
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
audit typology 115
audit universe 101
data and information
pool 103
deinition 101
structure and content 101
B
bad debt allowance 308
general 308, 315
speciic 316
balance conirmations 314, 326
basic audit 160
link between basic audit
and audit type 160
batch-input 426
benchmarking 73, 508
key performance
indicators 513, 525
structure 525
best practices 59
billing 530
models 533
BilReG 11
Board 41, 263
responsibility 27
role 33
Board of Directors
see Board
Board summary 253, 263
template 264
bonus accruals 322
budget 529
business audit 139
main purpose 141
reasons 140
versus business review 141
business review 139, 380
cooperation 380
reporting 383
steps 383
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
C
Canadian Securities
Administrators 12
charter 27
audit procedures 34
cooperation 34
deining the purpose, author-
ity, and responsibility
of Internal Audit 35
internal coordination
process 34
organizational structure 33
procedural foundation
for audit activities 33
purpose 27
staf structure 34
structure 30
Chief Audit Executive (CAE) 33,
76
responsibilities 77, 83
China: Code of Corporate
Governance 12
cluster sampling 229
COBIT® 10, 130, 291, 409
Code of Conduct 62, 65, 69, 561
responsibility 302
tone 301
collectibility of receivables 317
Committee of Sponsoring
Organizations of the
Treadway Commision
see COSO
communication 302
completeness 247
compliance 23, 41, 58, 67
compliance-based audit
approach 146
conidentiality 254
conirmations
external 227
consulting project audits 351
ASAP roadmap 354
–
–
–
–
–
–
–
–
–
–
–
–
–
–
602
cost-plus contracts = time
and material contracts 352
ixed-price projects 351, 358
maximum-price projects 352
multiple element arrange-
ments 366
percentage of completion
method 360
potential indications for dei-
ciencies 355, 357
revenue recognition 362
special aspects 360
time and material con-
tracts 358
Contract Information System
(CIS) 369
control activities 216
controls 2
detective 2
directive 2
preventive 2
cooperation 441, 593
communication and informa-
tion low 441
corporate security func-
tion 454
external auditors 457
external institutions and other
interested parties 460
global quality manage-
ment 450
global risk management 444
guest auditors 221
management and supervisory
bodies 455
marketing 555
Core Scope 192, 200, 305
corporate culture 59
corporate governance 31, 41
safeguarding the internal
control system 42
corporate management process
control 48
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
information 48
integration of Internal
Audit 47
monitoring 48
objectives 48
planning 48
COSO 6, 568
COSO cube 10, 568
Enterprise Risk Management
(COSO ERM) 9
Internal Control Integrated
Framework (COSO IC) 9
link between SOX
and COSO 569
COSO Enterprise Risk Manage-
ment Framework
(COSO ERM) 9, 569
COSO Internal Control Frame-
work (COSO IC) 9, 569
cost/beneit analysis 162
cost management 529
billing models 533
budget 529
direct audit-related costs 532
direct non-audit-related
costs 532
indirect costs 532
time recording 530
cultural awareness 67
cultural diference 60
currency translation 318, 327
customer conirmations 402
customer contract conirma-
tions 314
alternative audit work 405
audit tasks 404
contract selection 403
external auditors 403
process 402
quality assurance 405
reporting 405
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
D
days sales outstanding see DSO
document analysis 227
documentation 432
Audit Roadmap 437
legal requirements 434
main objectives 432
medium 436
requirements 433
responsibilities and authoriza-
tions 436
retention period 436
sources 433
DSO 308, 316
E
eiciency and efectiveness
operational 24
escalation 502
criteria 504
hierarchy 503
overall audit statement 518
scenarios 503
stages 503
ethical principles 65
evidence 223, 240
execution 223
analytical audit
procedures 310
closing meeting 225
control and documenta-
tion 216
extent of audit 225
ieldwork activities 223
IT tools 236
methodological tools 235
opening meeting 223
organizational tools 233
referencing 244
selection of ieldwork
activities 226
working papers 239
execution plan 204
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Subject Index F
603
Executive Board 30
external auditors 38, 457
cooperation 42
contract conirmations 403
Sarbanes-Oxley Act
(SOX) 582
F
fairness and impartiality 59
ieldwork
materiality 223
ieldwork activities 226
IT tools 236
methodological tools 235
organizational tools 233
selection 226
types 226
working papers 239
inancial audit 118, 127, 307
accounts to be audited 128
accrued liabilities audit 318
analytical procedures 307
revenue audit 329
revenue recognition 128
trade accounts payable
audit 325
trade accounts receivable
audit 313
US-GAAP 128
Financial Instruments
and Exchange Law
see J-Sox
inancial reporting 24, 31
accuracy and reliability 24
indings 252, 257, 260, 514
Board-relevant 258
classiication 257
locally relevant 258
regionally relevant 258
lowcharts 235
follow-up audit 161, 276, 523
additional audit topics 161
irst follow-up audit 276
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
follow-up audit report 278
follow-up rating 522
link between follow-up audit
and audit type 161
responsibility 278
second follow-up audit 277
status 277
follow-up audit report 278
template 279
follow-up phase 272
follow-up audit 276
link with the Audit Road-
map 274
measuring audit out-
come 280
particularities for SOX support
services 587
reporting 278
responsibility 273
status check 274
sub-phases 272
updating the audit
report 278
follow-up rating 280
fraud 31
action guide 562
fraud ilter 557
in purchasing 338
investigation 31
prevention 32, 335, 557
prevention model 559
fraud audit 118, 135, 284
annual audit planning 284
deinition 136
documentation 286
execution 285
focus 136
follow-up 286
involvement of other
parties 137
preparation 285
preventive audit ield-
work 561
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
preventive audits 137, 284
reporting 286
Scopes 284
special Audit Roadmap 284
G
German Accounting Legislation
Reform Act (BilReG) 11
German Corporate Governance
Code (DCGK) 11
German Transparency
and Disclosure Act
(TransPuG) 11
GIAS 60
career paths 85
Code of Conduct 62
employee proiles 82
integration model 108
organizational structure 75
GIAS@Work 271
GIAS Letter 270
global audits 60, 61, 81, 152, 384
Audit Roadmap 154
challenges 153
execution 154, 387
follow-up 387
planning 154, 386
preparation 154, 386
reporting 154, 387
special attributes 385
global challenges 60, 104, 106,
384
external 106
internal 107
other 107
outsourcing 107
guest auditors 542
costs 545
deinition 542
reasons 542
selection process at SAP 543
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
604
H
Hong Kong: Listing
Standards 12
I
implementation 272, 280
monitoring 280
responsibility 273
implementation report 252, 259
monitoring 260
template 259
independence 13, 37, 66
dual role of Internal
Audit 39
Institute of Internal Auditors
(IIA) 4
code of ethics 62
Internal Audit 4
added value 58, 519
as a corporate management
instrument 47
as a service and competence
center 52
audit tools 20
beneits 38
charter 27, 33
corporate governance 41
cost/beneit analysis 162
deinition 4
development 47
functional position 17
independence 13, 37
management 547
mandate 60
mission 58, 60
operational objectives 23
organizational framework 33
organizational integration 16
organizational status 13, 25
organizational status
within SAP 72
proactive management
focus 49
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
process in general 5
proit center organization 51
purpose, authority,
and responsibility 35
regulatory framework 8
requirements 16, 19
resources 51
role 4, 18
self-image 39
standardized process 28
strategic objectives 22
tasks 30
internal control
COSO key concepts 6
deinition 2
internal control system 19,
42, 124, 341
objectives 2
SOX 125
internal control management
tool 237, 579
internal controls 219, 392, 574
attributes 392
design assessment 577
eiciency testing 579
examples 42
management of internal
controls 573
maturity 395
signiicance 575
work program 215
internal control system 341
IT organization 427
internal control testing
procedures 231
purpose 231
International Financial Reporting
Standards (IFRS) 19, 296
interview 231
question catalogs 233
question types 232
types 231
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
IT audit 118, 129, 290, 409
ABAP reports 412
ABAP Workbench 417
access protection 419, 422
batch input 426
COBIT® 130, 291
execution 292
external guidelines 130
ieldwork activities 417, 421,
424, 425, 429
focus 132
follow-up 292
internal controls 133
IT system risks 410
legal requirements 131
planning 291
preparation 291
risks 416, 421, 424, 425, 428,
429
SAP systems 415
SAP Workbench
Organizer 413
special Audit Roadmap 290
system access 411
system audit 410
tables 412, 418
transactions 412
WBOT
(transport system) 413
work program 292
IT audit management
solution 94, 473
compliance database 483
master database 481
quality assurance 481
requirements 474, 479
IT security 290
audit data protection 475
IT tools 236
audit sotware 478
internal control management
tool 574
necessity 477
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Subject Index F
605
SAP AIS 411
J
J-Sox 12
K
key performance indicators 508
audit survey 519
balanced scorecard
approach 527
follow-up rating 522
guiding principle 510
objectives 508
overall audit statement 513
standard indicators 512
target groups 511
Key Scope 193, 215, 305
KonTraG 11
L
liabilities in foreign
currency 327
liabilities to ailiated
companies 327
liability 41
license agreements 342
license audits (see as well
unannounced license
audits) 367
content 367
Core Scope 368
execution 370
revenue recognition 368, 370
M
management process audit 118,
288, 372
challenges 121
deinition 372
feedback 378
focus 374
follow-up 289
guidelines 289
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
information folder 377
Key Scopes 376
objective 373
question catalogs 377
recommendations 289
reporting 289
special Audit Roadmap 288
work program 377
management summary 252, 261
overall audit statement 262
template 262
marketing 553
external 555
internal 553
master data 328
materiality principle 223
memorandum 253, 266
methodological tools 235
mission 60
mixed audit teams 75
multi-period analysis 230
N
New York Stock Exchange
(NYSE) Listing Standards 9
non-audit-related other
services 44, 165
internal consulting 165, 180
ongoing support 165, 178
project management 165, 182
NYSE 296
O
objectivity 66
observations 230, 257, 260, 514
ofsetting account analysis 330
open items list 315, 327
operational audit 118, 123
main audit objects 123
main objective 124
purchasing audit 333
sales process audit 340
SOX 125
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
organizational tools 233
audit lists 233
question catalogs 233
other services 165
audit-related other
services 165
necessity of indepen-
dence 166
non-audit-related other
services 165
outsourcing 336
outstanding invoices 321
overall audit statement 513
classiication 514
escalation 504, 518
examples 517
IIA Standard 2410 514
P
payment proposal list 328
PCAOB 53, 566
peer review 94, 537
at SAP 538
deinition 537
execution 539
follow-up 540
IIA assessment 540
main focus 540
main objective 537
partners 538
preparation 539
performance measurement 188,
281
periodic reporting 250, 269, 270
annual report to the Audit
Committee 269
planning 88
annual audit planning 202
audit requests 205
audit team 208
problem of ad-hoc
engagements 89
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
606
Scopes 192
Scope templates 193
plausibility analysis 230, 307
preparation 300
analytical audit
procedures 310
audit-speciic informa-
tion 220
audit announcement 211
training 221
work program 214
priority Board issues 264
template 265
probability-proportional-to-size
sampling 229
professional principles
reporting principles 247
purchase order
requisitions 328
purchasing 328
purchasing audits 333
planning 334
procurement process 336
release strategies 337
Q
quality assurance 91, 93, 188,
281, 407, 485
Audit Roadmap 488
audit survey 497, 500
customer contract conirma-
tions 405
deinitions 486
departmental quality
measures 495
IIA standards 498, 500
major beneits 485
process and documenta-
tion 498
quality assurance monitoring
sheet 498
quality gates 487, 488
structure 488
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
unannounced license
audits 408
question catalogs 368
R
ratio analysis 308
recognition of liabilities 326
recognition of receivables 313
recommendations 252, 272
implementation 272
reconciliation 314, 326
referencing 216, 244
example for referencing
structure 245
regional audits 81
regional teams 76, 78
structure and tasks 78
regression analysis 230
regulatory framework
Canada 8
China 8
Germany 8
Hong Kong 8
Japan 8
United Kingdom 8
United States of America 8
reliability of audit docu-
ments 292
reporting 247
annual report to the Audit
Committee 269
audit summary 249
Board summary 263
classiication of indings 257
distribution administra-
tion 476
follow-up rating 523
GIAS reporting structure 250
GIAS standard report
package 252, 255
implementation report 258
integration into the Audit
Roadmap 248
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
link to follow-up phase 249
link to working papers 249
management summary 261
memorandum 266
other GIAS information
services 270
overall audit statement 514
particularities in business
reviews 383
periodic reporting 269
priority Board issues 265
professional guidelines 247
report addressees 254
report contents 251
report distribution 254
report formats 249
report types 251
results presentation 267
status check 278
target groups 251
timeframe 254
results-based audit
approach 147
results presentation 268
revenue audit 329
ieldwork 331
ofsetting account
analysis 330
revenue recognition
criteria 330
revenue recognition 329
criteria 330
ixed-price projects 362
license audits 368, 370
percentage of
completion 360
revenue 362
time and material
projects 364
revenue recognition assur-
ance 402
customer contract conirma-
tion cycle 402
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Subject Index F
607
quality assurance 406, 407
unannounced license
audits 406
risk-based audit approach 143
risk assessment 342, 464
overall risk rating 465
risk categories 515
risk indicators 464
risk categories 218, 257
risk management 59
cooperation with Internal
Audit 444
risk management audits 447
risk management
process 449
risk management system 31
risk management tool 238
risk monitoring 24
risk proile 203, 344
S
safeguarding of internal
controls 23
sales process audit 340
contract process 343
contract types 341
documents to be re-
viewed 343
internal control system 341
procedure 341
risk management 344
risk proile 344
sampling 227, 334
purposive 228, 368
random 228, 368
SAP AG 29, 296
inancial reporting 296
global orientation 384
SAP Workbench Organizer 413
Sarbanes-Oxley Act (SOX) 8
beneits for Internal
Audit 593
central process catalog 575
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
certiication 53, 593
control eiciency testing 397,
579
design assessment 391, 577
efectiveness of the internal
controls 54
evidence of the functioning
of internal controls 56
impact on the audit work
of Internal Audit 56
internal control management
tool 578, 586
internal controls 42, 218, 392,
573
legal framework 565
lifecycle 577
link between SOX
and COSO 569
objectives 53
process and control steps 575
processes 575
process lowcharts 400
process groups 575
process owner 581
process responsibility 55
responsibilities 591
role of CEO and CFO 582
role of Internal Audit 55, 571,
581, 583
Section 302 53, 566
Section 404 54, 389, 566
Section 806 54
services of Internal Audit 583
SOX auditors 581, 591
SOX champions 581
testers’ independence 398
whistleblower protection 54
scanning 230
Scopes 95, 102, 117, 192, 305, 586
access authorizations 193
application 199
contents 194
Core Scope Index 194
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Core Scopes 117, 192, 200
functions to processes
relationship matrix 196
Key Scopes 117, 192
link between audit type
and Scope 192
maintenance 193
overview of available Core
Scopes at SAP 200
processes to objects
relationship matrix 197
Scope in detail 198
table of Key Scopes 195
templates 193
updating 193
work program 214
Securities and Exchange
Commission (SEC) 8, 296
segregation of duties 314
service contracts 342
services by Internal Audit
audit-related services 45
career development 45
expertise 44
implementation support 39
non-audit-related
services 45
ongoing support 39
SOP 329
SOX audit services 389, 584,
586, 587
Audit Roadmap 588
COSO framework 389
extent of Internal Audit’s
involvement 590
process group audits 389,
585, 589
project audits 389, 584, 589
quality audits 389, 585, 589
SOX documentation 56
added value 56
SOX process group audits 389
account mapping 394
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
608
control eiciency testing 397
design assessment 391
desk review 391
execution 391
preparation 390
risk mapping 393
templates 391
walkthrough 394
SOX support services 584, 586
follow-up 587
special Audit Roadmaps
fraud 284
IT audits 290
management process
audits 287
reasons 282
special audits 156
Audit Roadmap 156
standard audits 155
Audit Roadmap 156
standard report package 255
appendices 256
audit report index 255
Board summary 263
implementation report 258
management summary 261
Statement of Position see SOP
status check 160, 275
classiication 275
link between status check
and audit type 160
reporting 278
stratiied sampling 229
subsidiary audits 341, 346
analytical audit proce-
dures 307
inancial reporting 348
preparation 346
work program 346
substantive accuracy 328
substantive testing 144, 227, 307
Supervisory Board 30
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
system-based audit
approach 145, 146
system authorizations 314
T
target groups of Internal
Audit 97
external 99
internal 98
other 100
tasks of Internal Audit 29
tax accruals 324
team work 304
test procedures 216, 227
time recording 530
advantages 531
timesheets 88
trade accounts payable
audits 325
balance conirmations 326
critical authorizations 328
ieldwork activities 326
open items list 327
payment proposal list 328
preparation 326
purchase order requisi-
tions 328
trade accounts receivable
audits 313
ageing structure list 315
balance conirmations 314
customer contract
conirmations 314
open items list 315
preparation 314
traic light system 281
training 221
transaction-based audit
approach 146
trend analysis 230, 308
truthfulness 247
Turnbull Report 12
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
U
unannounced license audits 406
execution 407
quality assurance 408
US Generally Accepted Accouting
Principles (US-GAAP) 19,
296, 315, 319, 325, 329, 340, 356
V
vacation accruals 320
W
walkthrough 230, 394
WBOT 414
whistleblower 54, 384
fraud ilter 558
work done sheet 242
working papers 239, 303
access authorization 240
audit summary 243
iling 240
optional working papers 242
purpose 239
referencing 244
standard templates 242
types 240
work done sheets 242
work program 214, 305, 492
advantages 214
analytical audit
procedures 309, 310
fraud audit 285
function 214
integration of audit content
with audit activities 217
internal controls 218
IT audit 292
management process
audit 289
risks 218
template 215
test procedures 216
working paper reference 216
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–