Preface

This book is a complete guide and a definition of a common body of knowledge (CBOK) for the processes and profession of internal auditing—what professionals need to know to successfully perform individual internal audits and what an enterprise needs to know to launch an effective internal audit function. With a heritage that goes back to the first days of internal auditing after World War II when Victor Brink produced the first edition, the chapters following outline a professional CBOK and describe internal auditing today. Although it is often misused, the word modern beginning with the title of the first edition says a lot about this book’s heritage and the contemporary practice of internal auditing. In the first edition it described a new and evolving profession. The early internal auditors were often little more than accounting clerks or clerical support staff for their external auditors. Brink envisioned them as professionals performing much broader services to management.

Due to the pervasiveness of information technology processes and the Internet in all areas of commerce, the rules for a consistent definition of internal controls, and our evolution to a truly global economy, internal auditors today must operate in an ever-changing environment. Internal auditors need increasing levels of knowledge and understanding in many areas, but sorting through what is important and what is just nice to know represents challenges for internal auditors at all levels. This newly revised eighth edition discusses modern internal auditing in terms of areas where there is a strong knowledge requirement as well as other areas where only a general level of knowledge is needed. This edition updates our three common CBOKs for the profession of internal auditing.

The practice of internal auditing is important to enterprises today worldwide, and senior management members, government regulators, and other professionals need to have a general understanding and set of expectations of the roles and capabilities of internal auditors. That is, just as internal auditors need a CBOK to better define their profession, the outside world needs to better understand internal auditors and how they can serve management at all levels.

The following chapters describe this CBOK for internal auditors—knowledge areas that should be important to all internal auditors, no matter their level of experience, their business area, or where they are working in the world. The CBOK topics presented here are not based on surveys of what other internal auditors are doing today; they are based on this author’s long-term, 40-plus years of experience in internal auditing as well as his extensive professional activities and research.

The following are some of the CBOK elements found in each chapter:

Part One: Foundations of Modern Internal Auditing. These two introductory chapters highlight the importance of internal auditing today in all aspects of business, government, and other activities, as well as why a CBOK is important.

1. Significance of Internal Auditing in Enterprises Today. This introductory chapter talks about the origins of internal auditing. It does not contain key CBOK information, but provides important background knowledge and history for today’s internal auditor and explains what led Victor Brink to write the first edition.
2. An Internal Audit Common Body of Knowledge. In this chapter, we explain and expand the concept of an internal auditing CBOK and why it is important to the profession.

Part Two: Importance of Internal Controls. The review and assessment of internal controls are key internal audit activities. The five chapters in this part describe internal control reviews in terms of the newly revised COSO internal control framework, the Sarbanes-Oxley Act (SOx) requirements, and several internal control frameworks including COBIT.

1. The COSO Internal Control Framework. This recently revised internal control framework has become the worldwide standard for assessing internal controls; every internal auditor needs to understand the Committee of Sponsoring Organizations (COSO) internal control framework and how to use it in internal audit assessments of internal controls.
2. The 17 COSO Internal Control Principles. These principles were introduced as part of the newly revised framework and provide guidance to better help internal auditors to plan and perform their reviews of internal controls.
3. Sarbanes-Oxley Act (SOx) and Beyond. SOx became law in the United States in 2002 and has massively changed how we assess and measure internal accounting controls almost worldwide. The chapter discusses the current status of SOx including its AS5 auditing standards and other elements of this extensive set of legislation that are particularly important to internal auditors.
4. COBIT and Other ISACA Guidance. In our very IT-dependent world, internal auditors need a more IT-oriented framework to help them measure and assess internal controls as part of their review efforts. The Control Objectives for Information and related Technology (COBIT) tool is important here, and all internal auditors should have a least a general understanding of this worldwide-recognized internal control framework.
5. Enterprise Risk Management: COSO ERM. Risk management is an important internal audit knowledge area, and internal auditors need to understand and make use of COSO Enterprise Risk Management (COSO ERM) as part of their internal audit planning and assessment activities. The chapter describes this risk assessment framework and why it is important for internal auditors.

Part Three: Planning and Performing Internal Audits. The six chapters in this part discuss some important general concepts and elements of the practice of modern internal auditing, ranging from professional governing standards to assessing those areas in the enterprise that should be candidates for internal audits.

1. Performing Effective Internal Audits. This chapter contains an introduction on the overall practice of planning, performing, and completing an effective internal audit. These are the steps of what it takes to perform an internal audit.
2. Standards for the Professional Practice of Internal Auditing. All internal auditors need to have a strong knowledge and understanding of these Institute of Internal Auditors (IIA)–issued standards. The chapter provides an overview of the more important elements of the standards and where to search for more information.
3. Testing, Assessing, and Evaluating Audit Evidence. A major activity in internal auditing is to examine a record or artifact of audit evidence and then to decide if it meets audit review criteria. This is a basic internal audit knowledge area that must follow internal auditing best practices.
4. Continuous Auditing and Computer-Assisted Audit Techniques. The ongoing growth of 24/7 systems and processes is changing the way that internal auditors should assess and evaluate internal controls. This chapter introduces online continuous monitoring tools that internal auditors should consider a key CBOK knowledge area.
5. Control Self-Assessments and Internal Audit Benchmarking. The IIA has developed some extensive criteria for internal auditors at any level to look at what they are doing at a point in time and then to make an assessment of that work. The chapter describes these processes as well as guidance for improving and reviewing the quality of internal audit work.
6. Areas to Audit: Establishing an Audit Universe and Audit Programs. There are a wide variety of areas in any enterprise that are potential candidates for review, but internal auditors should tailor that list down to what is generally known as an audit universe. The chapter provides some guidance on how to build and assess potential review areas necessary to plan and perform internal audits.

Part Four: Organizing and Managing Internal Audit Activities. The five chapters in this part discuss the process of launching, performing, and completing internal audits.

1. Charters and Building the Internal Audit Function. Best practices here cover the building and managing of an effective internal audit function. The chapter’s theme is on how a new enterprise would launch and build its own internal audit function, including an audit committee–approved audit charter.
2. Managing the Internal Audit Universe and Key Competencies. Beyond the knowledge and technical skills involved in understanding the COSO internal control framework and IT general controls, internal auditors must possess some core key competencies, such as interviewing and writing skills. These apply to all levels of an internal audit function, ranging from audit management to audit staff members. The chapter will focus on some necessary CBOK skills for all levels of internal auditors.
3. Planning Audits and Understanding Project Management. Whether building an audit schedule for an upcoming fiscal period or planning a specific audit engagement, internal auditors at all levels need to have an understanding of good project management techniques. This chapter discusses project management for internal auditors.
4. Documenting Audit Results through Process Modeling and Workpapers. As another specialized internal audit skill, internal auditors need efficient and cost-effective procedures to review and document overall business processes of all types. While...