  • Sarbanes-Oxley and the New Internal Auditing Rules

    ROBERT R. MOELLER

    John Wiley & Sons, Inc.


  • This book is printed on acid-free paper.

    Copyright 2004 by John Wiley & Sons, Inc. All rights reserved.

    Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

    No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: [email protected].

    Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

    For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    For more information about Wiley products, visit our web site at www.wiley.com.

    Library of Congress Cataloging-in-Publication Data

    Moeller, Robert R.
    Sarbanes-Oxley and the new internal auditing rules / Robert R. Moeller.
    p. cm.
    Includes bibliographical references and index.
    ISBN 0-471-48306-0 (CLOTH)
    1. Auditing, Internal – Law and legislation – United States. 2. United States. Sarbanes-Oxley Act of 2002. I. Title.
    KF1357.M64 2004
    346.73'063 dc22 2003018290

    Printed in the United States of America.

    10 9 8 7 6 5 4 3 2 1


  • To my best friend and wife, Lois Moeller


  • contents

    Preface xi

    CHAPTER 1 Introduction 1
    Accounting and Auditing Scandals and Internal Audit 1
    What Are the New Rules? 3
    Who Will Find this Book Useful? 7

    CHAPTER 2 Internal Audit and the Sarbanes-Oxley Act 9
    Where Were the Auditors? Standards Failure 10
    Sarbanes-Oxley Overview: Key Internal Audit Concerns 12
    Impact of the Sarbanes-Oxley Act on the Modern Internal Auditor 57

    CHAPTER 3 Heightened Responsibilities for Audit Committees 59
    Audit Committee Charters and Other Requirements 60
    Board's Financial Expert and Internal Audit 64
    Helping to Establish Documentation Procedures 67
    Controlling Other Audit Services 69
    Establishing Open Communications 70

    CHAPTER 4 Launching an Ethics and Whistleblower Program 71
    Launching an Organization Ethics Program 72
    Establishing a Mission or Values Statement 79
    Codes of Conduct 81
    Whistleblower and Hotline Functions 89
    Auditing the Organization's Ethics Functions 99

    CHAPTER 5 COSO, Section 404, and Control Self-Assessments 103
    SOA Section 404 104
    COSO Internal Control Framework 123
    Violation Penalties: Organizational Sentencing Guidelines 146
    Control Self-Assessments 155

    CHAPTER 6 IIA, CobiT, and Other Professional Internal Audit Standards 165
    Institute of Internal Auditors Standards for Professional Practice 165
    CobiT and Information Technology Governance 175
    ASQ Audit Standards: A Different Approach 183

    CHAPTER 7 Disaster Recovery and Continuity Planning after 9/11 189
    Business Continuity Planning and the New Language of Recovery Planning 190
    Continuity Planning and Service-Level Agreements 194
    New Technologies: Critical Data Mirroring Techniques 195
    Establishing Effective Contingency Policies: What Are We Protecting? 197
    Building the Disaster Planning Business Continuity Plan 198
    Testing, Maintaining, and Auditing the Continuity Plan 206
    Continuity Planning Going Forward 211

    CHAPTER 8 Internal Audit Fraud Detection and Prevention 213
    Red Flags: Fraud Detection for Auditors 214
    Public Accounting's New Role in Fraud Detection 220
    IIA Standards for Detecting and Investigating Fraud 223
    Fraud Investigations for Internal Auditors 225
    Information Systems Fraud Prevention Processes 226

    CHAPTER 9 Enterprise Risk Management, Privacy, and Other Legislative Initiatives 231
    Enterprise Risk Management 231
    Concurrent with SOA: Other Legislation Impacting Internal Auditors 243

    CHAPTER 10 Rules and Procedures for Internal Auditors Worldwide 257
    SOA International Requirements 258
    International Accounting and Auditing Standards 259
    COSO Worldwide: International Internal Control Frameworks 267
    ISO and the Standards Registration Process 272
    ITIL Service Support and Service Delivery Best Practices 279

    CHAPTER 11 Continuous Assurance Auditing: Future Directions 293
    Implementing Continuous Assurance Auditing 294
    Internet-Based Extensible Mark-Up Languages: XBRL 302
    Data Warehouses, Data Mining, and OLAP 306
    Newer Technologies, the Continuous Close, and SOA 311

    CHAPTER 12 Summary: Internal Auditing Going Forward 313
    Future Prospects for Internal Auditors 313

    Glossary 317

    Index 321

  • preface

    After years of gradually changing, the profession of internal auditing in the late 1990s was very different from the internal auditing profession of an earlier decade. Perhaps one of the more significant changes was that the major public accounting firms were aggressively assuming responsibility for internal audit functions through what was called outsourcing. Many internal audit professionals suddenly found themselves working for their public accounting firms as outsourced internal auditors. Although there were many good things to say about this trend, new internal audit roles and responsibilities were evolving and the profession of internal auditing was changing. This was all happening during the dot-com bubble of the 1990s, during which time the stock market was going in only one direction, up, and some serious thinkers were predicting that there would never be another market downturn.

    A series of events in the later 1990s and early 2000 changed all of this and the rules. Suddenly we were faced with a series of corporate failures and accounting scandals, many of which were caused by corporate executives who liberally bent the rules or blatantly reported false financial results for their organizations. Corporate scandals are nothing new in the United States; there has been a major failure about once every ten years over the last century. However, this was different. The traditional watchdogs, auditors and board members, appeared to be asleep at the switch. There was a clamor to do something! The end result was that, in 2002, the U.S. Congress passed the Sarbanes-Oxley Act, a major new rule that impacts both internal and external auditors, corporate senior management, their boards of directors, and more. Among other matters, the act prohibited the public accounting practice of outsourcing internal audit services. The Sarbanes-Oxley Act, often referenced as just SOA, is the major new rule discussed throughout this book. Internal auditors now have some new responsibilities with regard to their audit committees and external auditors and for overall corporate governance. This book explains these changes and how internal audit can help with other requirements, such as launching an ethics and whistleblower program or performing effective internal controls reviews under the COSO (Committee of Sponsoring Organizations) framework.


  • Some of what we call new rules are not really rules at all but are best practices that have gained the attention of professionals worldwide. Business recovery and continuity procedures after the World Trade Center terrorist attack of September 11, 2001, are an example. Some organizations had processes in place that allowed easier recovery from that event, and we discuss those approaches. Even though internal auditors may not be initiating such practices, they need to have