Summary of Chapters 6, 8, 9, 10 and 12 (SOA)
7/23/2019 Summary of Chapters 6, 8, 9, 10 and 12 (SOA) 1/29
CHAPTER 6
IIA, CobiT, and Other Professional Internal Audit Standards
The key internal auditor standard is the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA), a set of guidance materials known to many internal auditors as the Red Book. This chapter summarizes the current IIA standards and some of the exposure-draft changes currently proposed.
INSTITUTE OF INTERNAL AUDITORS STANDARDS FOR PROFESSIONAL PRACTICE
As the primary internal audit professional organization worldwide, the IIA has a code of ethics as well as a set of standards that support its definition of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Over the years the IIA has changed its standards to reflect changes in business processes and internal control procedures. A professional internal auditor is obligated to be aware of any changes to the internal audit standards and to modify practices, if necessary, based on those changes.
IIA's Code of Ethics
The IIA's Code of Ethics promotes an ethical culture in the profession of internal auditing. The code is displayed in Exhibit 6.1.
Internal Auditing's Professional Practice Standards
As the key internal audit professional organization, the IIA's Internal Auditing Standards Board develops and issues standards that define the basic practice of internal auditing. These standards, known as the Standards for the Professional Practice of Internal Auditing, are designed to:
Delineate basic principles that represent the practice of internal auditing as it should be
Provide a framework for performing and promoting a broad range of value-added internal audit activities
Establish the basis for the measurement of internal audit performance
Foster improved processes and operations
Internal Audit Attribute Standards
The IIA Attribute Standards address the characteristics of organizations and individuals performing internal audit activities and cover four broad areas, listed by their standards paragraph numbers:
1000 Purpose, authority, and responsibility. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board of directors.
1100 Independence and objectivity. The internal audit activity should be independent, and internal auditors should be objective in performing their work.
1200 Proficiency and due professional care. Engagements should be performed with proficiency and due professional care.
1300 Quality assurance and improvement program. The chief audit executive (CAE) should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
Internal Audit Performance Standards
These standards describe the nature of internal audit activities and provide quality criteria againts
which their performance can be measured. There are six Performance Standards, outlined below
along with substandards and implementation standards that apply to compliance audits, fraud
investigations, and control self assessment projects.
2000 managing the internal audit activity: the CAE should manage the internal audit
activity effectively to ensure it adds velue to the organization. This standard covers six
substandards: planning, communication and approval, resource management, policies and
procedures, coordination, and reporting to the board and senior management.
2100 nature of work: internal audit activity includes evaluations and contributions to the
improvement of risk management, control , and governance systems.
2110 risk management: internal audit should assist the organization by identifying and
evaluating significant exposures to risk and contributing to the improvement of risk
management and control systems.
The 2120 and 2130 substandards cover control and governance. The proposed change to the governance standard is very appropriate and timely, given SOA:
2130 Governance: the internal audit activity, consistent with the organization's structure, should contribute to governance processes by proactively assisting management and the board in fulfilling their responsibilities by: assessing and promoting strong ethics and values within the organization; assessing and improving the process by which accountability is ensured; assessing the adequacy of communications about significant residual risks within the organization; helping to improve the board's interaction with management and the external and internal auditors; and serving as an educational resource regarding changes and trends in the business and regulatory environment.
2200 Engagement planning: internal auditors should develop and record a plan for each engagement.
2300 Performing the engagement: internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
2400 Communicating results: internal auditors should communicate their engagement results promptly.
2500 Monitoring progress: the CAE should establish and maintain a system to monitor the disposition of results communicated to management.
2600 Resolution of management's acceptance of risks: when the CAE believes that an auditee manager has accepted a level of residual risk that may be unacceptable to the overall organization, the matter should be discussed with senior management.
IIA Standards in Today's SOA World
SOA has made internal auditors much more important in today's world of strong corporate governance and effective internal controls. Internal auditors need a strong set of standards to operate effectively under these rules, and the current IIA standards, along with the draft changes in process, appear to satisfy those needs well. While the basic concepts behind internal auditing have not really changed, the current Standards for the Professional Practice of Internal Auditing provide important guidance and direction in the post-SOA world.
Today's experienced internal auditor should examine the current IIA standards and make certain that all internal audit activities are consistent with them. The CAE should review the standards with the audit committee to help its members better understand and appreciate internal audit's role in the organization.
CHAPTER 8
INTERNAL AUDIT FRAUD DETECTION AND PREVENTION
An internal auditor needs to understand the concepts surrounding fraud in order to perform audits that search for fraudulent activity effectively. The common law definition of fraud is the obtaining of money or property by means of a false token, symbol, or device. Fraud can be costly to any victim organization, and effective internal controls are an organization's first line of defense. A comprehensive, fully implemented, and regularly monitored system of internal controls is essential for the prevention and detection of losses that arise from fraud.
RED FLAGS: FRAUD DETECTION FOR AUDITORS
It is easy to analyze the facts after a fraud has been discovered as a lessons-learned exercise, but auditors should use a skeptical eye to look for indicators of possible fraudulent activity in advance. They should look for what are called red flags. Exhibit 8.1 lists a series of red flags that may point to potential financial fraud.
None of these is an absolute indicator of fraud, but auditors should always be skeptical in their reviews and be aware of such warning signals. When an auditor sees evidence of one or more of these or other red flags, it is time to dig a little deeper.
Unfortunately, internal auditors often fail to detect frauds, for several reasons:
Auditors are unwilling to look for fraud. Because of limited fraud training or a lack of experience with past fraud incidents, auditors historically have not looked that hard for fraud. They have tended to view fraud investigation as a police-detective type of activity, not their prime responsibility.
Too much trust is placed in auditees. Internal auditors in particular try to maintain a friendly, cordial attitude toward people in their organization. Because they encounter these same people in the company cafeteria or at the annual company picnic, there is usually a level of trust. Internal auditors quite correctly try to give their auditees the benefit of the doubt.
Not enough emphasis is placed on audit quality. Internal audit findings often encounter some of the same red flags mentioned in Exhibit 8.1; audit report findings may point out such matters as missing records or accounts that were not reconciled. However, quality reviews of the auditors' work often do not raise potential fraud-related issues.
Fraud concerns receive inadequate support from management. The hint of a possible fraud requires auditors to extend procedures and dig a bit deeper. However, audit management may be reluctant to give an auditor extra time to dig deeper. Unless there are strong suspicions, audit managers may want the audit team to move on and stop spending time in what they feel is an extremely low-risk area.
Auditors sometimes fail to focus on high-risk fraud areas. Fraud can occur in many areas, from employee travel expense reporting to treasury function relations with offshore banks. Although there may be a much greater risk of significant financial fraud in the latter, auditors often tend to focus on the former. There can be many possibilities for fraud in employee travel expense reporting, but the amounts often are not significant. There is always a need to focus on the higher-risk areas.
Fraud is a word that can have many meanings, but we are referring to it here in terms of fraud as a criminal act.
To help detect fraud, auditors also need to understand why people commit fraud. An organization can have the red-flag environment described in Exhibit 8.1, but it will not necessarily be subject to fraudulent activity unless one or more employees decide to engage in fraud. Exhibit 8.2 lists some typical reasons for committing a fraud. These reasons can apply even where strong internal controls are in place, and the fraud is typically committed by only one person.
Although major frauds involving senior management participation are difficult to detect, frauds that occur at much lower levels in the organization are easier to identify with a proper level of auditor investigation. Rather than treating these items as mere internal control violations, an internal auditor should think of them as potential areas for employee fraud. Exhibit 8.3 is a checklist of some of these old, classic fraud detection methods. Auditors have performed these procedures for years but sometimes forget them.
IIA STANDARD FOR DETECTING AND INVESTIGATING FRAUD
Through observation, internal auditors may be in a better position to see a red flag than an external auditor. The internal auditor is to be concerned about such matters as the possibility of wrongdoing and should consider evidence of any improper or illegal activities in an audit.
Recognizing that it may be difficult to detect fraud, IIA Standard 1210.A2 provides this guidance: the internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. The phrase "is not expected to have the expertise" recognizes that internal auditors are not expected to be specialists in dealing with fraud issues.
This fraud standard is supported by an IIA practice advisory, 1210.A2-1, Identification of Fraud. Despite the words in the standard that internal auditors are not expected to have the expertise, the supporting practice advisory gives an internal auditor some guidance on detecting and investigating fraud. We have included an adapted portion of this practice advisory:
The IIA practice advisory does not really educate internal auditors on the red-flag types of conditions that might suggest potential fraudulent activity. Rather, it suggests that if an organization does not have good policies and procedures, or lacks a code of conduct, such an environment could encourage fraud.
FRAUD INVESTIGATIONS FOR INTERNAL AUDITORS
Fraud-related investigations cause internal auditors to operate rather differently from normal financial or operational audits. In any fraud-related review, auditors should concentrate on three major objectives:
1) Prove the loss. Fraud-related reviews usually start out with the finding that someone stole something. The investigative review led by internal audit should assemble relevant material to determine the overall size and scope of the loss.
2) Establish responsibility and intent. This is the "who did it?" step. As much as possible, the audit team should identify everyone responsible for the matter and determine whether there was any special or different intent associated with the fraudulent action.
3) Prove the audit investigative methods used. The investigative team needs to be able to prove that its fraud-related conclusions were based on a detailed, step-by-step investigative process, not a wild, uncoordinated witch hunt. The review should be documented using the best internal audit review processes. Of particular importance, all documents used need to be secured so that their integrity can be shown later.
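One practical way to meet the last point, securing the documents used in the investigation, is to record a cryptographic hash of every collected item in a collection manifest at the time of collection and to re-verify the manifest before the evidence is relied on. The following is an added example written for this summary, not code from the book or from the IIA; the manifest layout, the collector name and the three sample evidence files are assumptions constructed for the example.

```python
"""Added example, not from the book: securing the documents gathered in a
fraud investigation by recording a SHA-256 hash of each item in a collection
manifest, then re-verifying the manifest so that any altered or missing item
is detected. The manifest layout and the sample evidence files are
assumptions constructed for this example, not an IIA-prescribed format."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large extracts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collected_by: str) -> dict:
    """Record who collected the evidence, when, and the hash and size of each item."""
    items = {}
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items[name] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Re-hash every item in the manifest; report ok, modified or missing per item."""
    status = {}
    for name, rec in manifest["items"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif sha256_file(path) != rec["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    return status


def _write(path: str, text: str, mode: str = "w") -> None:
    with open(path, mode, encoding="utf-8") as f:
        f.write(text)


def demo() -> dict:
    """Collect three constructed evidence files, then simulate an edit and a
    deletion after collection and show that re-verification catches both."""
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "ap_ledger_extract.csv"), "vendor,amount\nACME,1200\n")
        _write(os.path.join(d, "approval_email.txt"), "Approved by: J. Doe\n")
        _write(os.path.join(d, "bank_statement.txt"), "Closing balance: 10,000\n")
        manifest = build_manifest(d, collected_by="internal audit")
        # Tampering that the manifest must detect: an appended row and a removed file.
        _write(os.path.join(d, "ap_ledger_extract.csv"), "ACME,999999\n", mode="a")
        os.remove(os.path.join(d, "bank_statement.txt"))
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself must be kept somewhere the people under investigation cannot reach (printed and signed, or stored on media outside their control); otherwise an item and its recorded hash could be changed together and the check would pass.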
CHAPTER 9
ENTERPRISE RISK MANAGEMENT, PRIVACY, AND OTHER LEGISLATIVE INITIATIVES
ENTERPRISE RISK MANAGEMENT
This section discusses overall risk management as well as what will soon become a common new term or concept, Enterprise Risk Management (ERM). Although ERM concerns the overall organization, internal auditors need to understand how to use risk management to evaluate and plan individual audit projects. The chapter briefly discusses risk management concepts with an emphasis on their applicability to individual internal audit projects.
Risk Assessment for Internal Auditors
Internal auditors need to understand and control the risks surrounding their individual audit plans and activities. Project managers have used a risk management approach for some years, so this is not a new rule or tool for internal auditors. However, internal auditors often do not use a formal risk management approach in planning and completing audit projects. Every internal audit faces a range of uncertainties, from having no information about some subject area to total certainty and complete information, and internal audits should be planned and managed with these concepts in mind. Exhibit 9.3 shows this uncertainty spectrum, ranging from no information to complete information.
The literature of the Project Management Institute (PMI) suggests that project risk should be managed in four phases:
1) Risk Management Phase One: Identification. The internal auditor should attempt to identify all the possible risks that could impact the success of an upcoming internal audit project, ranging from high impact/high probability all the way to low impact/low probability.
2) Risk Management Phase Two: Assessment. Having identified a range of risks, the next step is to rank them in terms of the type of risk, their potential impact, and their probability.
3) Risk Management Phase Three: Response. The internal audit risk manager should develop appropriate response strategies. These may range from a simple decision to accept the risk if it occurs to comprehensive plans for deploying resources to control a risk event.
4) Risk Management Phase Four: Documentation. Other project managers often miss this step, but internal auditors should be well aware of the need for documentation. The overall risk management process should always be documented in some detail.
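The four phases above, carried through for one audit project as an added example (this is illustration code written for this summary, not PMI's or the book's own material). The 1-to-5 impact and probability scales, the impact times probability score, the accept/mitigate/avoid thresholds and the four sample risks are all assumptions constructed for the example; the page states none of them.

```python
"""Added example (not from the book or PMI): a minimal audit-project risk
register that walks the four risk management phases summarized above.

Assumptions not stated on the page: impact and probability are scored on a
1-5 scale, the score is impact * probability, and the response strategy is
chosen by score thresholds (accept / mitigate / avoid or escalate)."""
from dataclasses import asdict, dataclass, field
import json

ACCEPT_MAX = 4     # assumed threshold: score <= 4 -> accept the risk
MITIGATE_MAX = 12  # assumed threshold: 5..12 -> mitigate; above -> avoid/escalate


def choose_response(score: int) -> str:
    """Phase three: pick a response strategy from the assumed thresholds."""
    if score <= ACCEPT_MAX:
        return "accept"
    if score <= MITIGATE_MAX:
        return "mitigate"
    return "avoid/escalate"


@dataclass
class Risk:
    name: str
    impact: int       # 1 (negligible) .. 5 (severe), assumed scale
    probability: int  # 1 (rare) .. 5 (almost certain), assumed scale
    score: int = field(init=False)
    response: str = field(init=False)

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.probability <= 5):
            raise ValueError(f"{self.name}: impact and probability must be 1..5")
        self.score = self.impact * self.probability  # phase two: assessment
        self.response = choose_response(self.score)  # phase three: response


def rank_risks(risks):
    """Phase two: highest score first; ties broken by the larger impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def document_register(risks) -> str:
    """Phase four: a reviewable record of every risk, its score and its treatment."""
    return json.dumps([asdict(r) for r in rank_risks(risks)], indent=2)


# Phase one: identification. Constructed sample risks for an upcoming audit project.
SAMPLE_RISKS = [
    Risk("Key system owner unavailable during fieldwork", impact=4, probability=3),
    Risk("Transaction data extract incomplete", impact=5, probability=4),
    Risk("Minor scope creep from auditee requests", impact=2, probability=2),
    Risk("Audit team member reassigned mid-engagement", impact=3, probability=1),
]

if __name__ == "__main__":
    print(document_register(SAMPLE_RISKS))
```

The register is the phase-four record: it is produced from the same objects that drove the ranking and the response choice, so the documentation cannot silently drift from the assessment.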
CONCURRENT WITH SOA: OTHER LEGISLATION IMPACTING INTERNAL AUDITORS
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is a privacy-related set of requirements that aims to protect consumers' personal financial information held by financial institutions. Under GLBA, nontraditional financial institutions that are not supervised by a banking regulator are regulated by the Federal Trade Commission (FTC). An internal auditor working for a bank or insurance company today has probably already been involved with GLBA and its privacy-related provisions.
Financial Privacy Rule
Consumers frequently encounter the GLBA financial privacy rule today when they receive a notice from a credit card provider describing its privacy practices. An internal auditor should recognize that all personal financial information is private and cannot simply be sold or otherwise distributed at will. Internal auditors working with any financial institution or financial application should be aware of how the GLBA privacy rules apply to their organization.
GLBA Safeguards Rule
The act's safeguards rule requires financial institutions to have a security plan in place to protect the confidentiality of personal consumer information. An organization can take five steps to start becoming compliant with the GLBA safeguards rule:
1) Environmental risk analysis
2) Designing and implementing safeguards
3) Monitoring and auditing
4) Constant improvement program
5) Overseeing security providers and partners
The safeguards rule applies to a wide range of providers of financial products and services, including mortgage brokers, nonbank lenders, appraisers, credit reporting agencies, professional tax preparers, and retailers that issue their own credit cards.
GLBA Pretexting Provisions
GLBA prohibits pretexting, the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information (what security practitioners call social engineering). GLBA is one of the new rules that will impact many internal auditors, particularly those in any type of financial institution.
HIPAA and Internal Auditors
The Health Insurance Portability and Accountability Act (HIPAA) will have a major impact on the privacy and security of personal medical records and other personal records. The original HIPAA legislation had four primary objectives:
1) Ensure health insurance portability by eliminating the "job lock" caused by preexisting-condition exclusions
2) Reduce healthcare fraud and abuse
3) Enforce standards for health information
4) Guarantee the security and privacy of health information
CHAPTER 10
RULES AND PROCEDURES FOR INTERNAL AUDITORS WORLDWIDE
This chapter looks at SOA from an international perspective. Although some rules are yet to be released, we look at the act from the viewpoint of a non-US corporation, with the emphasis on internal auditor responsibilities. The chapter also provides an overview of the International Standards on Auditing (ISA), a set of guidelines with US roots that are now evolving into their own set of guidance standards.
Many professionals have seen the words "ISO registered" in customer brochures and other advertising materials. Although the US often pushes its standards on the rest of the world, the standards of ISO (the International Organization for Standardization) are international guidelines that many US organizations have adopted. ISO is important for today's global economy, and internal audit can help to ensure effective ISO compliance. ISO quality standards, the ISO registration process, and ISO quality audits are introduced in this chapter.
This chapter also introduces the Information Technology Infrastructure Library (ITIL) of service delivery and support processes, an important set of guidance material that originated in the UK, is common in Europe, has become established in Canada, and is just being introduced in the US. Although not a new rule, ITIL represents best-practice procedures that should become better recognized by internal auditors worldwide.
SOA INTERNATIONAL REQUIREMENTS
Foreign companies with securities registered on US exchanges are required to have their financial statements certified by their chief executive officers (CEOs) and chief financial officers (CFOs). Thus, foreign CFOs and CEOs are subjecting themselves to possible US legal liability. Prosecuting violators may be challenging, but a foreign national who is even indicted under a US law will have trouble visiting the US until the matter is resolved. Foreign-registered organizations must either begin to comply with the SOA rules or seek delisting of their securities from US exchanges. At the time of this publication, only a few foreign companies had openly opted out of the US markets because of the new SOA regulatory environment.
In years to come there will be a move toward tighter governance standards in all major foreign countries, making SOA and related regulations more palatable. This chapter discusses the increasingly important international accounting and auditing standards, the COSO-related internal control frameworks used worldwide, such as Canada's Criteria of Control (CoCo), and the ISO registration process.
INTERNATIONAL ACCOUNTING AND AUDITING STANDARDS
The ISA auditing standards are broadly consistent with the US pre-SOA Statements on Auditing Standards (SAS documents) and will probably be consistent with the auditing standards to be issued under the PCAOB as well. Exhibit 10.1 lists the current ISA auditing standards. Similar to the earlier SAS process in the US, ISAs are released after publication of an exposure draft.
To give a flavor of these standards, Exhibit 10.2 shows ISA 610, Considering the Work of Internal Auditing.
The International Accounting Standards Board (IASB) publishes accounting standards in a series of pronouncements called International Financial Reporting Standards (IFRSs). These pronouncements, designated international accounting standards, provide a basis for financial reporting in all countries worldwide and, in particular, provide accounting standards for developing countries that do not have established accounting standards of their own.
For internal auditors, the IIA standards discussed in Chapter 6 are international standards that apply to internal audits in any country. Internal auditors working internationally may encounter different accounting standards or even different local financial statement auditing standards, but they should always follow the overall IIA professional standards. It is almost certain that the ISA and IAS standards will take the place of country-by-country standards, with the exception of the US with its international leadership role. The Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (CobiT) framework is also a worldwide standard.
COSO WORLDWIDE: INTERNATIONAL INTERNAL CONTROL FRAMEWORKS
CoCo: Canada's Variation of COSO
According to CoCo, control comprises those elements of an organization, including its resources, systems, processes, culture, structure, and tasks, that, taken together, support its people in the achievement of the organization's objectives. CoCo emphasizes that the essence of control is purpose, commitment, capability, monitoring, and learning within the internal control framework, as presented in Exhibit 10.3.
The criteria for commitment, for example, cover these areas:
Shared ethical values, including integrity, should be established, communicated, and practiced throughout the organization.
Human resource policies and practices should be consistent with an organization's ethical values and with the achievement of its objectives.
Authority, responsibility, and accountability should be clearly defined and consistent with an organization's objectives so that decisions and actions are taken by the appropriate people.
An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization's objectives.
The CoCo model has similar detailed criteria for its other three major elements. Based on these elements, the model helps to shape internal control concepts while developing a new terminology that might become codified in future standards. The CICA CoCo guidance goes on to state that management's overriding objective is to ensure, as far as practical, the orderly and efficient conduct of the entity's business. Management discharges its internal control responsibilities through action directed to:
Optimizing the Use of Resources. Internal control assists management in optimizing the use of resources by ensuring, as far as practical, that reliable information is provided to management for the determination of business policies, and by monitoring the implementation of those policies and the degree of compliance with them.
Prevention or Detection of Error and Fraud. A management internal control objective is the prevention and detection of unintentional mistakes or errors and of fraud, the intentional misrepresentation of financial information or misappropriation of assets. The guidance goes on to state that any control should be weighed against the relative likelihood of error and fraud occurring and the consequences if any were to occur, including their effect on the financial statements.
Safeguarding of Assets. An organization's assets should be safeguarded, partly through internal controls and partly through business policies. Internal control protects against loss arising from unintentional exposure to risk in processing transactions or handling related assets. The degree of intentional exposure to risk is determined by business policies.
Maintaining Reliable Control Systems. These are the policies and procedures established and maintained by management to collect, record, and process data and report the resulting information, or to enhance the reliability of such data and information. Management requires reliable control systems to provide the information necessary to operate the entity and to produce the accounting and other records necessary for the preparation of financial statements.
The preceding paragraphs have briefly outlined the CoCo framework. CoCo represents a tighter, easier-to-grasp model of internal control than the somewhat complex COSO framework. The CoCo control framework represents a different way of thinking about internal control and provides a good way for managers to consider how their organizations are performing.
Internal Control Standards in the United Kingdom
The UK had some of the same concerns as the US regarding improper financial reporting during the 1990s. Although its focus was more on inappropriate statements made by directors, it also included failures of internal control. The result was a 1999 study similar to the US Treadway Commission report, the Turnbull report, oriented toward directors of public companies, which places a strong emphasis on objective setting, risk identification, and risk assessment when evaluating internal controls. The report calls on directors to regularly consider:
The nature and extent of the risks facing the company
The extent and categories of risk that it regards as acceptable for the company to bear
The likelihood of those risks materializing
The company's ability to reduce the incidence and impact on the business of risks that do materialize
The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks
What is significant about the Turnbull approach is the emphasis on understanding business objectives and then analyzing risks as the first steps in designing effective internal controls. The Turnbull report then suggests a framework for evaluating the effectiveness of internal controls based on understanding the risks, designing controls based on those risks, and performing tests to evaluate the controls.
Although there are some differences in the text, the report provides the same three basic objectives of internal control as do COSO and CoCo: effectiveness and efficiency of operations, reliability of internal and external financial reporting, and compliance with applicable laws and regulations. The really important concept of the Turnbull approach is its emphasis on risk assessment. It states that emphasis should be placed on developing controls for high-impact and higher-likelihood risks.
Internal Control Frameworks Worldwide
With the wide range of independent national accounting authorities and some differences in business practices, there are some variations in internal control frameworks or models worldwide. The Turnbull report states that an internal audit function should be able to:
Provide objective assurance to the board and management as to the adequacy and effectiveness of the company's risk management and internal control framework
Assist management to improve the processes by which risks are identified and managed
Assist the board with its responsibilities to strengthen and improve the risk management and internal control framework
Developed before SOA, this is excellent guidance for internal audit to understand risks and to help improve the internal control structure in any organization, no matter where in the world it is based.
ISO AND THE STANDARDS REGISTRATION PROCESS
ISO standards have been in place for some years, and quality auditors have been responsible for auditing against them. With the ever-increasing globalization of business, however, all internal auditors should have an understanding of the ISO 9000 quality standards as well as the process for achieving ISO certification.
ISO 9000 Quality Standards: Overview
The ISO quality standards important to internal auditors are:
ISO 9000:2000, Quality Management Systems: Fundamentals and Vocabulary. This standard is the starting point and defines the fundamental terms and definitions used in the ISO 9000 family.
ISO 9001:2000, Quality Management Systems: Requirements. The requirements standard is used to assess the ability to meet customer and applicable regulatory requirements and to address customer satisfaction. It is the only standard in the ISO 9000 family against which third-party certification can be obtained.
ISO 9004:2000, Quality Management Systems: Guidelines for Performance Improvement. This standard provides guidance for continual improvement of quality management systems to benefit all parties through sustained customer satisfaction.
Exhibit 10.4 describes this ISO-based quality management implementation process.
The overall ISO process is one of establishing effective documentation over existing procedures and processes.
Quality Audit and Registration
Although neither IIA internal auditors nor AICPA financial statement auditors give much attention to ASQ quality auditors in their professional literature, there are strong analogies among the three groups of auditors. Quality auditors base their work on the ISO standards just discussed. Management should have established quality processes as part of normal operations and will review compliance with those standards through internal self-checks or reviews by the organization's quality audit function.
ISO standards provide guidance to establish and maintain an ongoing set of quality audits for an
organization. They are based on what was called a Plan Do Check Act cycle. Under this, the key
actions to define an audit program are:
Establish the objectives and extent of the audit program
Establish responsibilities, resources, and procedures
Ensure the implementation of the audit program
Monitor and review the audit program to improve its efficiency and effectiveness
Ensure that appropriate program records are maintained
Exhibit 10.5 illustrates the tiered level of ISO quality documentation.
In our discussion of new rules for internal auditors, we have introduced the ISO continuous
improvement and quality audit process only very briefly. Quality auditors are moving off the
production floor and are more frequently calling themselves internal auditors.
Exhibit 10.6 summarizes the major principles behind ISO 9000. If an internal auditor's organization is
already involved in an ISO registration effort, internal audit should get involved with the process,
helping where it can and otherwise embracing ISO's concepts.
CHAPTER 12
SUMMARY: INTERNAL AUDITING GOING FORWARD
The prime objective of this book has been to describe the major elements of the Sarbanes-Oxley Act
(SOA) and its impact on corporate governance, financial reporting, and internal auditing. SOA has had
a major impact on the public accounting industry and its operational organization, the American
Institute of Certified Public Accountants (AICPA). Auditing standards will no longer be set by the
AICPA's Auditing Standards Board, the somewhat congenial process of external auditor peer reviews
and self-governance has changed to a rule-based environment, and chief financial officers (CFOs) are
faced with the danger of personal criminal liability for issuing fraudulently incorrect financial
statements.
Chapter 9's discussion of HIPAA and GLBA covered two examples of legislative initiatives to protect
personal privacy, but effective internal controls implemented by organizations also will help to
provide this protection.
FUTURE PROSPECTS FOR INTERNAL AUDITORS
The future looks brighter than ever for internal audit professionals. Shortly after the enactment of
SOA and going forward (although we do not have any strong statistics here), the job market for internal
audit professionals in the United States has increased. Newly empowered audit committees are realizing that their organizations' internal audit functions are an important component of overall
corporate governance. Internal auditors and their professional organization, the IIA, are accepting
this challenge, and the Information Systems Audit and Control Association (ISACA) also has promoted
this governance concept.
Internal audit functions need to accept this new challenge. The designated accounting and financial
expert on the audit committee needs the help of internal audit to explain internal control issues
within the organization, to better assess audit risks, and to plan and perform effective internal
audits. Internal audit now typically has a level of responsibility for SOA Section 404 reviews of
internal controls in the organization; the external auditors merely attest to the adequacy of that
review. This is a very major change that will alter the relationships between internal and external
auditors. Prior to the implementation of SOA, external auditors often assessed internal control risks,
did some of the audit work themselves, and then asked internal audit to perform other review
work under their general supervision. Although there will no doubt be much planning and
coordination, internal audit, through the audit committee per SOA, is often responsible for
reviewing and testing the results of internal controls and presenting those documented results to
external audit. Some coordination will be necessary, but internal audit really is responsible here.
There will certainly be some rough spots until internal audit assumes full responsibility for internal
control reviews following the evolving PCAOB internal control auditing standards as well as the
requirements of the external audit firms, but internal audit is assuming a role of increasing
importance in the organization today.
Internal audit functions also need to get more involved in other SOA-related issues. One area of
particular importance is the ethics and whistleblower function in an organization. As discussed in
Chapters 2 and 3, the audit committee is responsible for establishing a financial reporting related
whistleblower function; an organization should consider expanding any such program to all functions
in an organization and including all employees and other stakeholders. Although such functions can
be managed by a human resources function or some specialized ethics function, internal audit and
its chief audit executive (CAE) should get their hands on such functions to assess whether they are in
compliance with SOA and meet the expectations of the audit committee.
SOA has introduced a wide set of new rules for corporate governance, financial reporting, and
auditing. This book has introduced the Sarbanes-Oxley Act to internal auditors and other interested
parties, including audit committee members and corporate financial and general management. We
also have introduced some other new rules and technology trends that will impact internal controls
and corporate governance going forward.
New rules are never sealed in cement but tend to change as society, legislation, and business practices change. The corporate accounting scandals of recent years, the demise of the major public
accounting firm Arthur Andersen, and the introduction of SOA have all been drivers for these
changes. In upcoming years, as the PCAOB becomes established or as we experience more
international auditing and accounting standards convergence, these rules will continue to evolve as
future new rules