Description

Book Synopsis

The Operational Auditing Handbook
Auditing Business and IT Processes

Second Edition

The Operational Auditing Handbook, Second Edition, clarifies the underlying issues, risks and objectives for a wide range of operations and activities, and is a professional companion for those who design self-assessment and audit programmes of business processes in all sectors.

To accompany this updated edition of The Operational Auditing Handbook please visit www.wiley.com/go/chambers for a complete selection of Standard Audit Programme Guides.

Table of Contents

Preface xv

Acknowledgements xvii

Part I Understanding Operational Auditing 1

1 Approaches to Operational Auditing 3

Definitions of “Operational Auditing” 3

Scope 4

Audit Approach to Operational Audits 12

Resourcing the Internal Audit of Technical Activities 16

Productivity and Performance Measurement Systems 19

Value for Money (VFM) Auditing 22

Benchmarking 23

2 Business Processes 27

Introduction 27

An Audit Universe of Business Processes 28

Self Assessment of Business Processes 30

A Hybrid Audit Universe 30

Reasons For Process Weaknesses 30

Identifying the Processes of an Organisation 32

Why Adopt a “Cycle” or “Process” Approach to Internal Control Design and Review? 35

Business Processes in the Standard Audit Programme Guides 35

The Hallmarks of a Good Business Process 36

Academic Cycles in a University 37

3 Developing Operational Review Programmes For Managerial and Audit Use 40

Scope 40

Practical Use of SAPGs 41

Format of SAPGs 45

Risk in Operational Auditing 50

4 Governance Processes 75

Introduction 75

Internal Control Processes being Part of Risk Management Processes 75

Risk Management Processes being Part of Governance Processes 76

Objectives of Governance, Risk Management and Control Processes 77

The COSO View of Objectives 78

Should there be a Single Set of Objectives? 80

The Internal Governance Processes 81

The Board and External Aspects of Corporate Governance 81

The Board’s Assurance Vacuum 82

Risk and Control Issues for Internal Governance Processes 84

Risk and Control Issues for the Board 87

Risk and Control Issues for External Governance Processes 90

5 Risk Management Processes 95

Introduction 95

Objectives of Risk Management 95

Essential Components of Effective Risk Management 98

The Scope of Internal Audit’s Role in Risk Management 99

Tools for Risk Management 101

The Risk Matrix 101

Risk Registers 106

Risk Management Challenges 107

Control Issues for Risk Management Processes 112

6 Internal Control Processes 116

Introduction 116

Paradigm 1: COSO on Internal Control 118

Paradigm 2: Turnbull on Internal Control 128

Paradigm 3: CoCo on Internal Control 129

Paradigm 4: A Systems/Cybernetics Model of Internal Control 130

Paradigm 5: Control by Division with Supervision 135

Paradigm 6: Control by Category 137

The Objectives of Internal Control 139

Determining Whether Internal Control is Effective 141

Control Cost-Effectiveness Considerations 142

Issues for Internal Control Processes 143

7 Review of the Control Environment 147

Introduction 147

Control Objectives for a Review of the Control Environment 147

Risk and Control Issues for a Review of the Control Environment 148

Fraud 149

8 Reviewing Internal Control Over Financial Reporting—The Sarbanes-Oxley Approach 151

Introduction 151

Costs and Benefits 154

2007 SOX-LITE 155

Revised Definitions of “Significant Deficiency” and “Material Weakness” 156

Using a Recognised Internal Control Framework for the Assessment 157

Risk and Control Issues for the Sarbanes-Oxley s. 302 and s. 404 Compliance Process 171

9 Business/Management Techniques and Their Impact On Control and Audit 178

Introduction 178

Business Process Re-Engineering 178

Total Quality Management 181

Delayering 187

Empowerment 189

Outsourcing 191

Just-In-Time Management (JIT) 195

10 Control Self Assessment 199

Introduction 199

Survey and Workshop Approaches to CSA 200

Selecting Workshop Participants 200

Where to Apply CSA 200

CSA Roles for Management and for Internal Audit 201

Avoiding Line Management Disillusionment 202

Encouragement from the Top 203

Facilitating CSA Workshops, and Training for CSA 204

Anonymous Voting Systems 205

Comparing CSA with Internal Audit 205

Control Self Assessment as Reassurance for Internal Audit 206

A Hybrid Approach—Integrating Internal Auditing Engagements with CSA Workshops 206

Workshop Formats 207

Utilising CoCo in CSA 208

Readings 210

Control Self Assessment 210

11 Evaluating the Internal Audit Activity 214

Introduction 214

Ongoing Monitoring 214

Periodic Internal Reviews 215

External Reviews 216

Common Weaknesses Noted by Quality Assurance Reviews 217

Internal Audit Maturity Models 218

Effective Measuring of Internal Auditing’s Contribution to the Enterprise’s Profitability 219

Control Objectives for the Internal Audit Activity 232

Part II Auditing Key Functions 237

12 Auditing the Finance and Accounting Functions 239

Introduction 239

System/Function Components of the Financial and Accounting Environment 239

Control Objectives and Risk and Control Issues 240

Treasury 241

Payroll 243

Accounts Payable 246

Accounts Receivable 248

General Ledger/Management Accounts 251

Fixed Assets (and Capital Charges) 253

Budgeting and Monitoring 256

Bank Accounts and Banking Arrangements 258

Sales Tax (VAT) Accounting 261

Taxation 263

Inventories 266

Product/Project Accounting 268

Petty Cash and Expenses 270

Financial Information and Reporting 272

Investments 274

13 Auditing Subsidiaries, Remote Operating Units and Joint Ventures 276

Introduction 276

Fact Finding 277

High Level Review Programme 278

Joint Ventures 279

14 Auditing Contracts and the Purchasing Function 285

Introduction 285

Control Objectives and Risk and Control Issues 285

Contracting 289

Contract Management Environment 290

Assessing the Viability and Competence of Contractors 295

Maintaining an Approved List of Contractors 297

Tendering Procedures 299

Contracting and Tendering Documentation 302

Selection and Letting of Contracts 304

Performance Monitoring 306

Valuing Work for Interim Payments 308

Contractor’s Final Account 310

Review of Project Outturn and Performance 313

15 Auditing Operations and Resource Management 317

Introduction 317

System/Function Components of a Production/Manufacturing Environment 318

Control Objectives and Risk and Control Issues 318

Planning and Production Control 318

Facilities, Plant and Equipment 321

Personnel 324

Materials and Energy 327

Quality Control 330

Safety 332

Environmental Issues 335

Law and Regulatory Compliance 338

Maintenance 339

16 Auditing Marketing and Sales 343

Introduction 343

System/Function Components of the Marketing and Sales Functions 343

General Comments 344

Control Objectives and Risk and Control Issues 344

Product Development 345

Market Research 348

Promotion and Advertising 350

Pricing and Discount Policies 353

Sales Management 355

Sales Performance and Monitoring 359

Distributors 362

Relationship with the Parent Company 366

Agents 368

Order Processing 371

Warranty Arrangements 375

Maintenance and Servicing 377

Spare Parts and Supply 380

17 Auditing Distribution 383

Introduction 383

System/Function Components of Distribution 383

Control Objectives and Risk and Control Issues 384

Distribution, Transport and Logistics 384

Distributors 388

Stock Control 392

Warehousing and Storage 395

18 Auditing Human Resources 399

Introduction 399

System/Function Components of the Personnel Function 399

Control Objectives and Risk and Control Issues 399

Human Resources Department 400

Recruitment 404

Manpower and Succession Planning 408

Staff Training and Development 410

Welfare 413

Performance-Related Compensation, Pension Schemes (and other Benefits) 415

Health Insurance 422

Staff Appraisal and Disciplinary Matters 424

Health and Safety 427

Labour Relations 430

Company Vehicles 432

19 Auditing Research and Development 437

Introduction 437

System/Function Components of Research and Development 437

Control Objectives and Risk and Control Issues 437

Product Development 438

Project Appraisal and Monitoring 442

Plant and Equipment 445

Development Project Management 447

Legal and Regulatory Issues 450

20 Auditing Security 453

Introduction 453

Control Objectives and Risk and Control Issues 454

Security 454

Health and Safety 457

Insurance 460

21 Auditing Environmental Responsibility 463

Introduction 463

Environmental Auditing 465

The Emergence of Environmental Concerns 465

EMAS—The European Eco-Management and Audit Scheme 466

Linking Environmental Issues to Corporate Strategy and Securing Benefits 467

Environmental Assessment and Auditing System Considerations 468

The Role of Internal Audit 470

Example Programme 470

Part III Auditing Information Technology 477

22 Auditing Information Technology 479

Introduction 479

Introduction to Recognised Standards Related to Information Technology and Related Topics 480

System/Function Components of Information Technology and Management 486

Control Objectives and Risk and Control Issues 488

23 IT Strategic Planning 489

24 IT Organisation 493

25 IT Policy Framework 496

26 Information Asset Register 502

27 Capacity Management 511

28 Information Management (IM) 514

29 Records Management (RM) 524

30 Knowledge Management (KM) 542

31 IT Sites and Infrastructure (Including Physical Security) 554

32 Processing Operations 559

33 Back-Up and Media Management 562

34 Removable Media 566

35 System and Operating Software (Including Patch Management) 570

36 System Access Control (Logical Security) 576

37 Personal Computers (Including Laptops and PDAs) 580

38 Remote Working 585

39 Email 590

40 Internet Usage 598

41 Software Maintenance (Including Change Management) 605

42 Networks 609

43 Databases 613

44 Data Protection 616

45 Freedom of Information 627

46 Data Transfer and Sharing (Standards and Protocol) 636

47 Legal Responsibilities 645

48 Facilities Management 648

49 System Development 651

50 Software Selection 655

51 Contingency Planning 658

52 Human Resources Information Security 661

53 Monitoring and Logging 667

54 Information Security Incidents 671

55 Data Retention and Disposal 680

56 Electronic Data Interchange (EDI) 688

57 Viruses 691

58 User Support 694

59 Bacs 696

60 Spreadsheet Design and Good Practice 699

61 IT Health Checks 707

62 IT Accounting 710

Appendix 1 Index to SAPGs on the Companion Website 712

Appendix 2 Standard Audit Programme Guides 719

Appendix 3 International Data Protection Legislation 729

Appendix 4 International Freedom of Information Legislation 763

Appendix 5 Information Management Definitions 835

Appendix 6 IT and Information Management Policies 839

Bibliography 852

Index 859

The Operational Auditing Handbook


    A Hardback by Andrew Chambers, Graham Rand



      Publisher: John Wiley & Sons Inc
      Publication Date: 23/04/2010
      ISBN13: 9780470744765, 978-0470744765
      ISBN10: 0470744766
