The Operational Auditing Handbook

Andrew Chambers is Professor of Internal Auditing at London South Bank University and professor emeritus of Cass Business School, London. He runs Management Audit LLP specializing in auditing and corporate governance work, and is a member of the international Internal Auditing Standards Board. Graham Rand specialises in IT auditing, risk management and operational review. His career, in the UK and overseas, has featured involvement in a range of organisations, principally in the electrical retail, financial services and public sectors. Much of his current consultancy is on Information Management, Records Management, IT Security and providing support on the development of Risk Management and Information Security environments.

Preface xv

Acknowledgements xvii

Part I Understanding Operational Auditing 1

1 Approaches to Operational Auditing 3

Definitions of “Operational Auditing” 3

Scope 4

Audit Approach to Operational Audits 12

Resourcing the Internal Audit of Technical Activities 16

Productivity and Performance Measurement Systems 19

Value for Money (VFM) Auditing 22

Benchmarking 23

2 Business Processes 27

Introduction 27

An Audit Universe of Business Processes 28

Self Assessment of Business Processes 30

A Hybrid Audit Universe 30

Reasons For Process Weaknesses 30

Identifying the Processes of an Organisation 32

Why Adopt a “Cycle” or “Process” Approach to Internal Control Design and Review? 35

Business Processes in the Standard Audit Programme Guides 35

The Hallmarks of a Good Business Process 36

Academic Cycles in a University 37

3 Developing Operational Review Programmes For Managerial and Audit Use 40

Scope 40

Practical Use of SAPGs 41

Format of SAPGs 45

Risk in Operational Auditing 50

4 Governance Processes 75

Introduction 75

Internal Control Processes being Part of Risk Management Processes 75

Risk Management Processes being Part of Governance Processes 76

Objectives of Governance, Risk Management and Control Processes 77

The COSO View of Objectives 78

Should there be a Single Set of Objectives? 80

The Internal Governance Processes 81

The Board and External Aspects of Corporate Governance 81

The Board’s Assurance Vacuum 82

Risk and Control Issues for Internal Governance Processes 84

Risk and Control Issues for the Board 87

Risk and Control Issues for External Governance Processes 90

5 Risk Management Processes 95

Introduction 95

Objectives of Risk Management 95

Essential Components of Effective Risk Management 98

The Scope of Internal Audit’s Role in Risk Management 99

Tools for Risk Management 101

The Risk Matrix 101

Risk Registers 106

Risk Management Challenges 107

Control Issues for Risk Management Processes 112

6 Internal Control Processes 116

Introduction 116

Paradigm 1: COSO on Internal Control 118

Paradigm 2: Turnbull on Internal Control 128

Paradigm 3: COCO on Internal Control 129

Paradigm 4: A Systems/Cybernetics Model of Internal Control 130

Paradigm 5: Control by Division with Supervision 135

Paradigm 6: Control by Category 137

The Objectives of Internal Control 139

Determining Whether Internal Control is Effective 141

Control Cost-Effectiveness Considerations 142

Issues for Internal Control Processes 143

7 Review of the Control Environment 147

Introduction 147

Control Objectives for a Review of the Control Environment 147

Risk and Control Issues for a Review of the Control Environment 148

Fraud 149

8 Reviewing Internal Control Over Financial Reporting—The Sarbanes-Oxley Approach 151

Introduction 151

Costs and Benefits 154

2007 SOX-LITE 155

Revised Definitions of “Significant Deficiency” and “Material Weakness” 156

Using a Recognised Internal Control Framework for the Assessment 157

Risk and Control Issues for the Sarbanes-Oxley s. 302 and s. 404

Compliance Process 171

9 Business/Management Techniques and Their Impact On Control and Audit 178

Introduction 178

Business Process Re-Engineering 178

Total Quality Management 181

Delayering 187

Empowerment 189

Outsourcing 191

Just-In-Time Management (JIT) 195

10 Control Self Assessment 199

Introduction 199

Survey and Workshop Approaches to CSA 200

Selecting Workshop Participants 200

Where to Apply CSA 200

CSA Roles for Management and for Internal Audit 201

Avoiding Line Management Disillusionment 202

Encouragement from the Top 203

Facilitating CSA Workshops, and Training for CSA 204

Anonymous Voting Systems 205

Comparing CSA with Internal Audit 205

Control Self Assessment as Reassurance for Internal Audit 206

A Hybrid Approach—Integrating Internal Auditing Engagements with CSA Workshops 206

Workshop Formats 207

Utilising CoCo in CSA 208

Readings 210

Control Self Assessment 210

11 Evaluating the Internal Audit Activity 214

Introduction 214

Ongoing Monitoring 214

Periodic Internal Reviews 215

External Reviews 216

Common Weaknesses Noted by Quality Assurance Reviews 217

Internal Audit Maturity Models 218

Effective Measuring of Internal Auditing’s Contribution to the Enterprise’s Profitability 219

Control Objectives for the Internal Audit Activity 232

Part II Auditing Key Functions 237

12 Auditing the Finance and Accounting Functions 239

Introduction 239

System/Function Components of the Financial and Accounting Environment 239

Control Objectives and Risk and Control Issues 240

Treasury 241

Payroll 243

Accounts Payable 246

Accounts Receivable 248

General Ledger/Management Accounts 251

Fixed Assets (and Capital Charges) 253

Budgeting and Monitoring 256

Bank Accounts and Banking Arrangements 258

Sales Tax (VAT) Accounting 261

Taxation 263

Inventories 266

Product/Project Accounting 268

Petty Cash and Expenses 270

Financial Information and Reporting 272

Investments 274

13 Auditing Subsidiaries, Remote Operating Units and Joint Ventures 276

Introduction 276

Fact Finding 277

High Level Review Programme 278

Joint Ventures 279

14 Auditing Contracts and the Purchasing Function 285

Introduction 285

Control Objectives and Risk and Control Issues 285

Contracting 289

Contract Management Environment 290

Assessing the Viability and Competence of Contractors 295

Maintaining an Approved List of Contractors 297

Tendering Procedures 299

Contracting and Tendering Documentation 302

Selection and Letting of Contracts 304

Performance Monitoring 306

Valuing Work for Interim Payments 308

Contractor’s Final Account 310

Review of Project Outturn and Performance 313

15 Auditing Operations and Resource Management 317

Introduction 317

System/Function Components of a Production/Manufacturing Environment 318

Control Objectives and Risk and Control Issues 318

Planning and Production Control 318

Facilities, Plant and Equipment 321

Personnel 324

Materials and Energy 327

Quality Control 330

Safety 332

Environmental Issues 335

Law and Regulatory Compliance 338

Maintenance 339

16 Auditing Marketing and Sales 343

Introduction 343

System/Function Components of the Marketing and Sales Functions 343

General Comments 344

Control Objectives and Risk and Control Issues 344

Product Development 345

Market Research 348

Promotion and Advertising 350

Pricing and Discount Policies 353

Sales Management 355

Sales Performance and Monitoring 359

Distributors 362

Relationship with the Parent Company 366

Agents 368

Order Processing 371

Warranty Arrangements 375

Maintenance and Servicing 377

Spare Parts and Supply 380

17 Auditing Distribution 383

Introduction 383

System/Function Components of Distribution 383

Control Objectives and Risk and Control Issues 384

Distribution, Transport and Logistics 384

Distributors 388

Stock Control 392

Warehousing and Storage 395

18 Auditing Human Resources 399

Introduction 399

System/Function Components of the Personnel Function 399

Control Objectives and Risk and Control Issues 399

Human Resources Department 400

Recruitment 404

Manpower and Succession Planning 408

Staff Training and Development 410

Welfare 413

Performance-Related Compensation, Pension Schemes (and other Benefits) 415

Health Insurance 422

Staff Appraisal and Disciplinary Matters 424

Health and Safety 427

Labour Relations 430

Company Vehicles 432

19 Auditing Research and Development 437

Introduction 437

System/Function Components of Research and Development 437

Control Objectives and Risk and Control Issues 437

Product Development 438

Project Appraisal and Monitoring 442

Plant and Equipment 445

Development Project Management 447

Legal and Regulatory Issues 450

20 Auditing Security 453

Introduction 453

Control Objectives and Risk and Control Issues 454

Security 454

Health and Safety 457

Insurance 460

21 Auditing Environmental Responsibility 463

Introduction 463

Environmental Auditing 465

The Emergence of Environmental Concerns 465

EMAS—The European Eco-Management and Audit Scheme 466

Linking Environmental Issues to Corporate Strategy and Securing Benefits 467

Environmental Assessment and Auditing System Considerations 468

The Role of Internal Audit 470

Example Programme 470

Part III Auditing Information Technology 477

22 Auditing Information Technology 479

Introduction 479

Introduction to Recognised Standards Related to Information Technology and Related Topics 480

System/Function Components of Information Technology and Management 486

Control Objectives and Risk and Control Issues 488

23 It Strategic Planning 489

24 It Organisation 493

25 It Policy Framework 496

26 Information Asset Register 502

27 Capacity Management 511

28 Information Management (IM) 514

29 Records Management (RM) 524

30 Knowledge Management (KM) 542

31 It Sites and Infrastructure (Including Physical Security) 554

32 Processing Operations 559

33 Back-Up and Media Management 562

34 Removable Media 566

35 System and Operating Software (Including Patch Management) 570

36 System Access Control (Logical Security) 576

37 Personal Computers (Including Laptops and PDAS) 580

38 Remote Working 585

39 Email 590

40 Internet Usage 598

41 Software Maintenance (Including Change Management) 605

42 Networks 609

43 Databases 613

44 Data Protection 616

45 Freedom of Information 627

46 Data Transfer and Sharing (Standards and Protocol) 636

47 Legal Responsibilities 645

48 Facilities Management 648

49 System Development 651

50 Software Selection 655

51 Contingency Planning 658

52 Human Resources Information Security 661

53 Monitoring and Logging 667

54 Information Security Incidents 671

55 Data Retention and Disposal 680

56 Electronic Data Interchange (EDI) 688

57 Viruses 691

58 User Support 694

59 Bacs 696

60 Spreadsheet Design and Good Practice 699

61 It Health Checks 707

62 It Accounting 710

Appendix 1 Index to SAPGs on the Companion Website 712

Appendix 2 Standard Audit Programme Guides 719

Appendix 3 International Data Protection Legislation 729

Appendix 4 International Freedom of Information Legislation 763

Appendix 5 Information Management Definitions 835

Appendix 6 IT and Information Management Policies 839

Bibliography 852

Index 859