CHAPTER 6 IIA, CobiT, and Other Professional Internal Audit Standards
The key internal auditor standard is the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA), a set of guidance materials known to many internal auditors as the Red Book. This chapter summarizes the current IIA standards and some of the exposure-draft changes currently proposed.
INSTITUTE OF INTERNAL AUDITORS STANDARDS FOR PROFESSIONAL PRACTICE
As the primary internal audit professional organization worldwide, the IIA has had a code of ethics as well as a set of standards to support its definition of internal auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
In many respects, the IIA has made changes to reflect the reality of changes in business processes and internal control procedures. The professional internal auditor is obligated to be aware of any changes to internal audit standards and to modify practices, if necessary, based on those standards changes.
IIA’s Code of Ethics
The IIA’s Code of Ethics promotes an ethical culture in the profession of internal auditing. This code is displayed in exhibit 6.1.
Internal Auditing’s Professional Practice Standards
As the key internal audit professional organization, the IIA’s Internal Auditing Standards Board develops and issues standards that define the basic practice of internal auditing. These standards, known as the Standards for the Professional Practice of Internal Auditing, are designed to:
Delineate basic principles that represent the practice of internal auditing as it should be
Provide a framework for performing and promoting a broad range of value-added internal audit activities
Establish the basis for the measurement of internal audit performance
Foster improved processes and operations
Internal Audit Attribute Standards
The IIA standards address the characteristics of organizations and individuals performing internal audit activities and cover 13 broad areas listed by their standards paragraph numbers:
1000 – purpose, authority, and responsibility. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the standards, and approved by the board of directors.
1100 – independence and objectivity. The internal audit activity should be independent, and internal auditors should be objective in performing their work.
1200 – proficiency and due professional care. Engagements should be performed with proficiency and due professional care.
1300 – quality assurance and improvement program. The CAE should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
Internal Audit Performance Standards
These standards describe the nature of internal audit activities and provide quality criteria against which their performance can be measured. There are six Performance Standards, outlined below along with substandards and implementation standards that apply to compliance audits, fraud investigations, and control self-assessment projects.
2000 – managing the internal audit activity: the CAE should manage the internal audit activity effectively to ensure it adds value to the organization. This standard covers six substandards: planning, communication and approval, resource management, policies and procedures, coordination, and reporting to the board and senior management.
2100 – nature of work: the internal audit activity includes evaluations of and contributions to the improvement of risk management, control, and governance systems.
2110 – risk management: internal audit should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
The 2120 and 2130 substandards cover control and governance. This proposed standard change on governance is very appropriate and timely, given the SOA:
2130 – governance: the internal audit activity, consistent with the organization’s structure, should contribute to governance processes by proactively assisting management and the board in fulfilling their responsibilities by: assessing and promoting strong ethics and values within the organization; assessing and improving the process by which accountability is ensured; assessing the adequacy of communications about significant residual risks within the organization; helping to improve the board’s interaction with management and the external and internal auditors; and serving as an educational resource regarding changes and trends in the business and regulatory environment.
2200 – engagement planning: internal auditors should develop and record a plan for each engagement.
2300 – performing the engagement: internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives.
2400 – communicating results: internal auditors should communicate their engagement results promptly.
2500 – monitoring progress: the CAE should establish and maintain a system to monitor the disposition of results communicated to management.
2600 – resolution of management’s acceptance of risks: when the CAE believes some auditee manager has accepted a level of residual risk that may be unacceptable to the overall organization, the matter should be discussed with senior management.
IIA Standards in Today’s SOA World
SOA has made internal auditors much more important in today’s world of strong corporate governance and effective internal controls. Internal auditors need a strong set of standards to operate effectively under these rules, and the current IIA standards, along with the draft changes in process, seem to very much satisfy those needs. While the basic concepts behind internal auditing have really not changed, the current standards for the professional practice of internal auditing provide important guidance and direction in the post-SOA world. Today’s experienced internal auditor should examine the current IIA standards and make certain that all internal audit activities are consistent with these standards. The CAE should review the standards with the audit committee to help its members better understand and appreciate internal audit’s role in the organization.
CHAPTER 8 INTERNAL AUDIT FRAUD DETECTION AND PREVENTION
An internal auditor needs to understand the concepts surrounding fraud in order to effectively perform audits that search for fraudulent activities. The common law definition of fraud is “the obtaining of money or property by means of false token, symbol, or device”. Fraud can be costly to any victim organization, and effective internal controls are an organization’s first line of defense. A comprehensive, fully implemented, and regularly monitored system of internal controls is essential for the prevention and detection of losses that arise from fraud.
RED FLAGS: FRAUD DETECTION FOR AUDITORS
It is easy to analyze the facts after a fraud has been discovered as a “lessons learned” exercise, but auditors should use a skeptical eye to look for indicators of possible fraudulent activities in advance. They should look for what are called “red flags.” Exhibit 8.1 lists a series of red flags that may point to potential financial fraud activities.
None of these is an absolute indicator of fraud, but auditors should always be skeptical in their reviews and be aware of such warning signals. When an auditor sees evidence of one or more of these or other red flags, it is time to dig a little deeper.
Unfortunately, internal auditors often fail to detect frauds for several reasons:
Auditors have an unwillingness to look for fraud. Due to limited fraud training or the lack of experience with past fraud incidents, auditors historically have not looked that hard for fraud. They have tended to view fraud investigation as a police detective type of activity, not their prime responsibility.
Too much trust is placed on auditees. Internal auditors, in particular, try to maintain a friendly, cordial attitude toward people in their organization. Because they encounter these same people in the company cafeteria or at an annual company picnic, there is usually a level of trust here. Internal auditors quite correctly try to give their auditees the benefit of the doubt.
Not enough emphasis is placed on audit quality. Internal audit findings often encounter some of the same red flags mentioned in exhibit 8.1. Audit report findings may point out such matters as missing records or accounts that were not reconciled. However, quality reviews of the auditor’s work often do not raise potential fraud-related issues.
Fraud concerns receive inadequate support from management. The hint of a possible fraud requires auditors to extend procedures and dig a bit deeper. However, audit management may be reluctant to give an auditor extra time to dig deeper. Unless there are strong suspicions, audit managers may want the audit team to move on and stop spending time in what they feel is an extremely low-risk area.
Auditors sometimes fail to focus on high-risk fraud areas. Fraud can occur in many areas, from employee travel expense reporting to treasury function relations with offshore banks. Although there may be a much greater risk of significant financial fraud in the latter, auditors often tend to focus on the former. Although there can be many possibilities for fraud in employee travel expense reporting, the amounts often are not too significant. There is always a need to focus on higher-risk areas.
Fraud is a word that can have many meanings, but we are referring to it in terms of fraud as a criminal act. To help detect fraud, auditors also need to have an understanding of why people commit fraud. An organization can have the red flag environment described in exhibit 8.1, but it will not necessarily be subject to fraudulent activities unless one or more employees decide to engage in fraud. Exhibit 8.2 lists some typical reasons for committing a fraud. These are all reasons where strong internal controls are in place and the fraud is typically committed by only one person.
Although major frauds involving senior management participation are difficult to detect, frauds that occur at much lower levels in the organization are easier to identify with a proper level of auditor investigation. However, rather than just internal control violations, an internal auditor should think of these items in terms of potential areas for employee fraud. Exhibit 8.3 is a checklist of some of these old, classic fraud detection methods. Auditors have performed these procedures for years but sometimes forget them.
IIA STANDARD FOR DETECTING AND INVESTIGATING FRAUD
Through observation, internal auditors may be in a better position to see a red flag than an external auditor. The internal auditor is to be concerned about such matters as the possibility of wrongdoing and should consider evidence of any improper or illegal activities in an audit. Recognizing that it may be difficult to detect fraud, IIA Standard 1210.A2 provides the guidance: “The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.” Our italicized phrase recognizes that internal auditors are not expected to have the expertise to deal with fraud issues.
This same fraud standard is supported by an IIA Practice Advisory, 1210.A2-1, Identification of Fraud. Despite the words from the standard that internal auditors are not expected to have the expertise, the supporting practice advisory provides an internal auditor with some guidance on detecting and investigating fraud. We have included an adapted portion of this practice advisory.
The IIA practice advisory does not really educate internal auditors on the red flag types of conditions that might suggest potential fraudulent activity. Rather, it suggests that if an organization does not have good policies and procedures, or lacks a code of conduct, such an environment could encourage fraud.
FRAUD INVESTIGATIONS FOR INTERNAL AUDITORS
Fraud-related investigations cause internal auditors to operate rather differently from normal financial or operational audits. In any fraud-related review, auditors should concentrate on three major objectives:
1) Prove the loss. Fraud-related reviews usually start out with the finding that someone stole something. The investigative review led by internal audit should assemble relevant material to determine the overall size and scope of the loss.
2) Establish responsibility and intent. This is the “who did it?” step. As much as possible, the audit team should identify everyone responsible for the matter and determine if there was any special or different intent associated with the fraud action.
3) Prove the audit investigative methods used. The investigative team needs to be able to prove that its fraud-related conclusions were based on a detailed, step-by-step investigative process, not just a wild, uncoordinated witch hunt. The review should be documented using the best internal audit review processes. Of particular importance here, all documents used need to be secured.
CHAPTER 9 ENTERPRISE RISK MANAGEMENT, PRIVACY, AND OTHER LEGISLATIVE INITIATIVES
ENTERPRISE RISK MANAGEMENT
This section discusses overall risk management as well as what will soon become a common new term or concept, Enterprise Risk Management (ERM). Although ERM concerns the overall organization, internal auditors need to understand how to use risk management to evaluate and plan individual audit projects. The chapter briefly discusses risk management concepts with an emphasis on their applicability to individual internal audit projects.
Risk Assessment for Internal Auditors
Internal auditors need to understand and control the risks surrounding their individual audit plans and activities. Project managers have used risk management approaches for some years, and this is not a new rule or tool for internal auditors. However, internal auditors often do not use a formal risk management approach in planning and completing audit projects. Every internal audit faces a range of uncertainties, from having no information about some subject area to total certainty and complete information, and internal audits should be planned and managed with these concepts in mind. Exhibit 9.3 shows this uncertainty spectrum, ranging from no information to complete information.
PMI’s literature suggests that project risk should be managed following 4 phases of risk management:
1) Risk Management Phase One: Identification. The internal auditor should attempt to identify all the possible risks that could impact the success of an upcoming internal audit project, ranging from high impact/high probability all the way to low impact/low probability.
2) Risk Management Phase Two: Assessment. Having identified a range of risks, the next step is to rank them in terms of the type of risk, their potential impact, and their probability.
3) Risk Management Phase Three: Response. The internal audit risk manager should develop appropriate response strategies. These strategies may range from the simple decision to accept the risk if it occurs to comprehensive plans for deployment of resources to control a risk event.
4) Risk Management Phase Four: Documentation. Other project managers often miss this step, but internal auditors should be well aware of the need for documentation. Whatever the case, this overall risk management process always should be documented in some detail.
CONCURRENT WITH SOA: OTHER LEGISLATION IMPACTING INTERNAL AUDITORS
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is a privacy-related set of requirements that aims to protect consumers’ personal financial information held by financial institutions. Under GLBA, nontraditional “financial institutions” are now regulated by the Federal Trade Commission (FTC). An internal auditor working for a bank or insurance company today probably has been involved already with GLBA and its privacy-related provisions.
Financial Privacy Rule
Consumers frequently encounter the GLBA financial privacy rule today when they receive a notice from a credit card provider describing its privacy rules. An internal auditor should recognize that all personal financial information is very private and cannot just be arbitrarily sold or otherwise distributed. Internal auditors working with any financial institutions or applications should be aware of how GLBA privacy rules apply to their organization.
GLBA Safeguards Rule
The act’s safeguards rule requires financial institutions to have a security plan in place to protect the confidentiality of personal consumer information. An organization can take 5 steps to start becoming compliant with the GLBA safeguards rule:
1) Environmental risk analysis
2) Designing and implementing safeguards
3) Monitoring and auditing
4) Constant improvement program
5) Overseeing security providers and partners
The safeguards rule applies to a wide range of providers of financial products and services, including mortgage brokers, nonbank lenders, appraisers, credit reporting agencies, professional tax preparers, and retailers that issue their own credit cards.
GLBA Pretexting Provisions
GLBA prohibits “pretexting,” the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers’ personal financial information. GLBA is one of the new rules that will impact many internal auditors, particularly those in any type of financial institution.
HIPAA and Internal Auditors
The Health Insurance Portability and Accountability Act (HIPAA) will have a major impact on the privacy and security of personal medical records and other personal records. The original HIPAA legislation had 4 primary objectives:
1) Ensure health portability by eliminating preexisting-condition job locks
2) Reduce healthcare fraud and abuse
3) Enforce standards for health information
4) Guarantee security and privacy of health information
CHAPTER 10 RULES AND PROCEDURES FOR INTERNAL AUDITORS WORLDWIDE
This chapter looks at SOA from an international perspective. Although some rules are yet to be released, we look at the act from the focus of a non-US corporation. The emphasis will be on internal auditor responsibilities. The chapter also provides an overview of International Auditing Standards (IAS), a set of guidelines with US roots that are now evolving into their own set of guidance standards. Many professionals have seen the words “ISO registered” included in customer brochures and other advertising materials. Although the US often pushes its standards on the rest of the world, ISO (the International Standards Organization) is an international set of guidelines that many US organizations have adopted. ISO is important for today’s global economy, and internal audit can help to ensure effective ISO compliance. ISO quality standards, the ISO registration process, and ISO quality audits are introduced in this chapter. This chapter also introduces the Information Technology Infrastructure Library (ITIL) of service delivery and support processes, an important set of guidance material that originated in the UK, is common in Europe, has become established in Canada, and is just being introduced in the US. Although not a new rule, ITIL represents some best-practice procedures that should become better recognized by internal auditors worldwide.
SOA INTERNATIONAL REQUIREMENTS
Foreign companies are required to provide certification of their financial statements by their chief executive officers (CEOs) and chief financial officers (CFOs). Thus, foreign CFOs and CEOs are subjecting themselves to possible US legal liabilities. For violators, the prosecution process may be challenging, but a foreign national who is even indicted under a US law will have trouble visiting the US until the matter is resolved. Foreign registered organizations must either begin to comply with SOA rules or seek delisting of their securities that are registered on US exchanges. At the time of this publication, only a few foreign companies have openly opted out of the US markets because of this new SOA regulatory environment. In years to come there will be a move toward tighter governance standards in all major foreign countries, making those SOA and related regulations more palatable. This chapter discusses the increasingly important International Accounting and Auditing (IAA) standards, the Committee of Sponsoring Organizations (COSO) internal control standards and related frameworks worldwide, such as Canada’s Criteria of Control (CoCo), and the ISO registration process.
INTERNATIONAL ACCOUNTING AND AUDITING STANDARDS
The ISA auditing standards are somewhat consistent with the US pre-SOA Statements on Auditing Standards (SAS documents) and probably will be consistent with the auditing standards to be issued under the PCAOB as well. Exhibit 10.1 lists the current ISA auditing standards. Similar to the earlier SAS process in the US, ISAs are released after publication of an exposure draft.
To provide a flavor of these standards, exhibit 10.2 shows ISA 610 on considering the work of internal auditors.
The International Accounting Standards Board (IASB) publishes accounting standards in a series of pronouncements called International Financial Reporting Standards (IFRSs). Those pronouncements, designated international accounting standards, provide a basis for all countries worldwide and, in particular, provide accounting standards for developing countries that do not have established auditing standards. For internal auditors, the IIA standards discussed in chapter 6 are international standards that apply to internal audits no matter what the country. International auditors may encounter different accounting standards or even different local financial statement auditing standards, but they always should follow the overall IIA professional standards. It is almost certain that the ISA and IAS standards will take the place of country-by-country standards, with the exception of the US with its international leadership role. The Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (CobiT) framework also is a worldwide standard.
COSO WORLDWIDE: INTERNATIONAL INTERNAL CONTROL FRAMEWORKS
CoCo: Canada’s Variation of COSO
According to CoCo, control comprises those elements of an organization – including its resources, systems, processes, culture, structure, and tasks – that, taken together, support its people in the achievement of the organization’s objectives. CoCo emphasizes that the essence of control is purpose, commitment, capability, monitoring, and learning within the internal control framework, as presented in exhibit 10.3.
The criterion for commitment, for example, consists of these areas:
Shared ethical values, including integrity, should be established, communicated, and practiced throughout the organization.
Human resource policies and practices should be consistent with an organization’s ethical values and with the achievement of its objectives.
Authority, responsibility, and accountability should be clearly defined and consistent with an organization’s objectives so that decisions and actions are taken by the appropriate people.
An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization’s objectives.
The CoCo model has similar detailed criteria for its other 3 major elements. Based on these elements, the model helps to shape internal control concepts while developing a new terminology that might become codified in future standards. The CICA CoCo guidance goes on to state that management’s overriding objective is to ensure, as far as practical, the orderly and efficient conduct of the entity’s business. Management discharges its internal control responsibilities through action directed to:
Optimizing the Use of Resources. Internal control assists management in optimizing the use of resources by ensuring as far as practical that reliable information is provided to management for the determination of business policies and by monitoring the implementation of those policies and the degree of compliance with them.
Prevention or Detection of Error and Fraud. A management internal control objective is the prevention and detection of unintentional mistakes or errors and fraud – the intentional misrepresentation of financial information or misappropriation of assets. The guidance goes on to state that any control should be weighed against the relative likelihood of error and fraud occurring and the consequences if any were to occur, including their effect on the financial statements.
Safeguarding of Assets. An organization’s assets should be safeguarded, partly through internal controls and partly through business policies. Internal control protects against loss arising from unintentional exposure to risk in processing transactions or handling related assets. The degree of intentional exposure to risk is determined by business policies.
Maintaining Reliable Control Systems. These are policies and procedures established and maintained by management to collect, record, and process data and report the resulting information, or to enhance the reliability of such data and information. Management requires reliable control systems to provide the information necessary to operate the entity and to produce such accounting and other records as are necessary for the preparation of financial statements.
The preceding paragraphs have briefly outlined the CoCo framework. CoCo represents a tighter, easier-to-grasp model of internal control than the somewhat complex COSO framework. The CoCo control framework represents a different way of thinking about internal control and provides a good way for managers to consider how their organizations are performing.
Internal Control Standards in the United Kingdom
The UK had some of the same concerns as the US regarding improper financial reporting during the 1990s. Although its focus was more on inappropriate statements made by directors, it also included failures of internal control. The result of a 1999 study similar to the US Treadway Commission report, known as the Turnbull report and oriented toward directors of public companies, places a strong emphasis on objective setting, risk identification, and risk assessment when evaluating internal controls. The report calls on directors to regularly consider:
The nature and extent of the risks facing the company
The extent and categories of risk that it regards as acceptable for the company to bear
The likelihood of those risks materializing
The company’s ability to reduce the incidence and impact on the business of risks that do materialize
The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks
What is significant about the Turnbull approach is the emphasis on understanding business objectives and then analyzing risks as the first steps in designing effective internal controls. The Turnbull report then suggests a framework for evaluating the effectiveness of internal controls based on understanding the risks, designing controls based on those risks, and performing tests to evaluate the controls. Although there are some differences in the text, the report provides the same three basic objectives of internal controls as do COSO and CoCo: effectiveness and efficiency of operations, reliability of internal and external financial reporting, and compliance with applicable laws and regulations. The really important concept of the Turnbull approach is the emphasis on risk assessment. It states that emphasis should be placed on developing controls for high-impact and higher-likelihood risks.
Internal Control Frameworks Worldwide
With the wide range of independent national accounting authorities and some differences in business practices, there are some variations in internal control frameworks or models worldwide. The Turnbull report states that an internal audit function should be able to:
Provide objective assurance to the board and management as to the adequacy and effectiveness of the company’s risk management and internal control framework
Assist management to improve the processes by which risks are identified and managed
Assist the board with its responsibilities to strengthen and improve the risk management and internal control framework
Developed before SOA, this is excellent guidance for internal audit to understand risks and to help improve the internal control structure in any organization, no matter where in the world it is based.
ISO AND THE STANDARDS REGISTRATION PROCESS
ISO standards have been in place for some years, and quality auditors have been responsible for auditing according to the ISO standards. With the ever-increasing globalization of business, however, all internal auditors should have an understanding of the ISO 9000 quality standards as well as the process for achieving ISO certification.
ISO 9000 Quality Standards: Overview
The ISO quality standards important to internal auditors are:
ISO 9000:2000, Quality Management Systems – Fundamentals and Vocabulary. This standard is the starting point and defines the fundamental terms and definitions used in the ISO 9000 family.
ISO 9001:2000, Quality Management Systems – Requirements. The requirements standard is used to assess the ability to meet customer and applicable regulatory requirements and to address customer satisfaction. This is the only standard in the ISO 9000 family against which third-party certification can be implemented.
ISO 9004:2000, Quality Management Systems – Guidelines for Performance Improvement. This standard provides guidance for continual improvement of quality management systems to benefit all parties through sustained customer satisfaction. Exhibit 10.4 describes this ISO-based Quality Management Implementation process.
The overall ISO process is one of establishing effective documentation over existing procedures and processes.
Quality Audit and Registration
Although neither IIA internal auditors nor AICPA financial statement auditors give much attention to ASQ quality auditors in their professional literature, there are some strong analogies among the three groups of auditors. Quality auditors are based in the ISO standards just discussed. Management should have established quality processes as part of normal operations and will be reviewing compliance with those standards through internal self-checks or reviews by the organization’s quality audit function. ISO standards provide guidance to establish and maintain an ongoing set of quality audits for an organization. They are based on what was called a Plan-Do-Check-Act cycle. Under this, the key actions to define an audit program are:
Establish the objectives and extent of the audit program
Establish responsibilities, resources, and procedures
Ensure the implementation of the audit program
Monitor and review the audit program to improve its efficiency and effectiveness
Ensure that appropriate program records are maintained
Exhibit 10.5 illustrates the tiered level of ISO quality documentation.
In our discussion of new rules for internal auditors, we have introduced the ISO continuous improvement and quality audit process only very briefly. Quality auditors are moving off the production floor and are more frequently calling themselves internal auditors. Exhibit 10.6 summarizes the major principles behind ISO 9000. If an internal auditor’s organization is already involved in an ISO registration effort, internal audit should get involved with the process, helping where it can and otherwise embracing ISO’s concepts.
CHAPTER 12 SUMMARY: INTERNAL AUDITING GOING FORWARD
The prime objective of this book has been to describe the major elements of the Sarbanes Oxley Act (SOA) and its impact on corporate governance, financial reporting, and internal auditing. SOA has had a major impact on the public accounting industry and its professional organization, the American Institute of Certified Public Accountants (AICPA). Auditing standards will no longer be set by the AICPA’s Auditing Standards Board, the somewhat congenial process of external auditor peer reviews and self governance has changed to a rule based environment, and chief financial officers (CFOs) face the danger of personal criminal liability for issuing fraudulently incorrect financial statements. Chapter 9’s discussion of HIPAA and GLBA covers two examples of legislative initiatives to protect personal privacy, but effective internal controls implemented by organizations also will help to provide this protection.
FUTURE PROSPECTS FOR INTERNAL AUDITORS
The future looks brighter than ever for internal audit professionals. Shortly after the enactment of SOA and going forward (although we do not have any strong statistics here), the job market for internal audit professionals in the United States has grown. Newly empowered audit committees are realizing that their organization’s internal audit functions are an important component of overall corporate governance. Internal auditors and their professional organization, the IIA, are accepting this challenge, and the Information Systems Audit and Control Association (ISACA) also has promoted this governance concept. Internal audit functions need to accept this new challenge. The designated accounting and financial expert on the audit committee needs the help of internal audit to explain internal control issues within the organization, to better assess audit risks, and to plan and perform effective internal audits. Internal audit now typically has a level of responsibility for SOA Section 404 reviews of internal controls in the organization; the external auditors merely attest to the adequacy of that review. This is a very major change that will alter the relationships between internal and external auditors. Prior to the implementation of SOA, external auditors often assessed internal control risks, did some of the audit work themselves, and then asked internal audit to perform other review work under their general supervision. Although there will no doubt be much planning and coordination, internal audit, through the audit committee and per SOA, is often responsible for reviewing and testing the results of internal controls and presenting those documented results to external audit. Some coordination will be necessary, but internal audit really is responsible here. There will certainly be some rough spots until internal audit assumes full responsibility for internal control reviews following the evolving PCAOB internal control auditing standards as well as the requirements of the external audit firms, but internal audit is assuming a role of increasing importance in the organization today.
Internal audit functions also need to get more involved in other SOA related issues. One area of particular importance is the ethics and whistleblower function in an organization. As discussed in Chapters 2 and 3, the audit committee is responsible for establishing a financial reporting related whistleblower function; an organization should consider expanding any such program to all functions in the organization and including all employees and other stakeholders. Although such functions can be managed by a human resources function or some specialized ethics function, internal audit and its chief audit executive (CAE) should get involved with them to assess that they are in compliance with SOA and meet the expectations of the audit committee.
SOA has introduced a wide set of new rules for corporate governance, financial reporting, and auditing. This book has introduced the Sarbanes Oxley Act to internal auditors and other interested parties, including audit committee members and corporate financial and general management. We also have introduced some other new rules and technology trends that will impact internal controls and corporate governance going forward. New rules are never set in cement but tend to change as society, legislation, and business practices change. The corporate accounting scandals of recent years, the demise of the major public accounting firm Arthur Andersen, and the introduction of SOA have all been drivers for these changes.
In upcoming years, as the PCAOB becomes established or as we experience more international auditing and accounting standards convergence, these rules will continue to evolve as future new “new rules”