SWANSON on Internal Auditing

SWANSON on Internal Auditing: Raising the Bar

DAN SWANSON
Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 318
https://www.jstor.org/stable/j.ctt5hh7vr
    Book Description:

    As a profession, internal audit sits somewhere between having a low profile that is barely mentioned in governance regulations, through to making a key contribution to better corporate transparency by improving how risk is perceived and addressed. A low-key approach has the danger that the value of internal audit may be overlooked, while a higher profile creates greater expectations which must be fully met as auditors reach out towards a new, more challenging role. This book provides concise commentary on strategic issues regarding the way internal audit is established, planned and performed. High-level issues sit alongside practical guidance to ensure the book has an appeal to all levels of internal audit management and staff, as each reader can dip into a range of important topics.

    eISBN: 978-1-84928-068-6
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. WHAT OTHERS ARE SAYING ABOUT THIS BOOK
    (pp. 5-6)
  3. FOREWORD
    (pp. 7-10)
    Matt Kelly

    Wise advice, even in this day of high-tech business, and even if attributable to Kermit the Frog!

    They say that a good reporter knows a little about everything, and a lot about nothing. I’ve always believed in the wisdom of that statement through all my years as a reporter covering local government, crime, politics, science, and human interest – but not until I started writing about corporate governance did I fully appreciate how well that saying applies to business professions as well. Perhaps it fits best of all to the internal auditor.

    In the seven years that I have written...

  4. PREFACE
    (pp. 11-12)
    KH Spencer Pickett
  5. ABOUT THE AUTHOR
    (pp. 13-13)
  6. ACKNOWLEDGEMENTS
    (pp. 14-17)
  7. Table of Contents
    (pp. 18-23)
  8. BOOK OVERVIEW
    (pp. 24-29)
    KH Spencer Pickett

    Raising the Bar provides a fascinating insight into the key issues facing the internal auditor. The author, Dan Swanson, is a seasoned internal audit professional who is well known in the field of internal auditing, governance, compliance and risk management. For many years, he has spearheaded drives to share and debate new developments that affect the work of the internal audit professional. This new book encompasses a compilation of articles that Dan has prepared over the years, many of which have been published in Compliance Week, brought together in this important new knowledge portal.

    The challenges for internal auditing are...

  9. INTRODUCTION
    (pp. 30-36)
    Norman Marks

    Whether you are new to internal auditing or an experienced practitioner or academic, there will be something for you in Raising the Bar. Dan Swanson’s collection of insights covers a diverse collection of management subjects and governance issues.

    I am pleased to see Dan include some of my work, notably a reference to the “State of Internal Auditing” that was published in EDPACS in 2009. Probably with that in mind, I am honored that he asked that I contribute my views concerning the future of our profession.

    This is indeed a critical time for internal auditing. Fortunately, leadership at the...

  10. PART 1: INTERNAL AUDITING
    • CHAPTER 1: INTRODUCTION TO INTERNAL AUDIT
      (pp. 38-52)

      Internal auditing can provide managers and the Board with valuable assistance by giving objective assurance about their organization’s governance, risk management and control processes. Establishing a robust internal audit function is a long-term and worthwhile investment for most organizations because an internal audit department can act as an independent advisor for the Board and senior management. Where an organization has not established an internal audit department, the identification of the benefits and role(s) internal audit could play should be the initial step. Where an internal audit function has been in operation, a review of its recent performance to identify improvement...

    • CHAPTER 2: THE PROFESSIONAL PRACTICE OF INTERNAL AUDIT
      (pp. 53-89)

      The internal audit department’s unique position within a company provides management and audit committee members with valuable assistance, by giving objective assurance on governance, risk management and control processes. Audit committees, of course, are responsible for providing oversight to the internal audit efforts within the organization – so how audit committees work with their internal audit staff is crucial to the success of the entire internal audit operation.

      As one of the cornerstones of corporate governance (along with the Board of Directors, senior management and external auditing), internal auditing can provide strategic, operational and tactical value to an organization’s operations....

    • CHAPTER 3: IMPROVING INTERNAL AUDIT RESULTS
      (pp. 90-116)

      In the past few years, massive efforts have been expended to prepare and implement the requirements of the Sarbanes-Oxley Act, in particular, Section 404(b). While a corporation’s management and board of directors have always been responsible for internal control, the level of scrutiny by the investing public and the regulatory bodies has reached new levels. As a result, today, more than ever before, an organization’s internal audit function must be robust and contribute to ensuring the accuracy of financial reporting. There’s no question that fostering a strong internal audit department should be a high priority for management. Indeed, the Institute...

    • CHAPTER 4: MY FAVORITES
      (pp. 117-124)

      This chapter contains a series of excerpts from some of my favorite resources. I am sure you will find these references invaluable in your internal audit practice and research.

      Internal auditors play a valuable role in ensuring that IT investments are well managed and have a positive impact on an organization. Their assurance role supports senior management, the audit committee, the Board of Directors and other stakeholders. Internal auditors need to take a risk-based approach in planning their many activities on IT project audits. With limited audit resources, auditors must focus on the highest-risk project areas, while adding value to...

    • CHAPTER 5: IIA RELATED GUIDANCE
      (pp. 125-130)

      I’ve had the privilege to participate in a variety of IIA papers over the years; presented below are excerpts from some of the more significant reports and internal audit guidance.

      The IIA’s International Professional Practices Framework (IPPF) is the authoritative guidance on the internal audit profession. The IPPF presents internationally consistent mandatory and strongly recommended guidance for the practice of internal auditing anywhere in the world.

      Internal auditing is one of the cornerstones of corporate governance, along with the Board of Directors, senior management and external auditing. Because of an internal auditor’s unique position within the organization, they provide audit...

    • CHAPTER 6: PRIORITIES FOR THE COMING DECADE
      (pp. 131-150)

      Everyone talks about the need for good risk management programs, but nobody seems to know how to audit them to ensure they actually work. Who bears responsibility for setting the parameters of an enterprise risk management (ERM) program is pretty clear: the Board of Directors and the C-level executives. They decide what the risks are, what level of risk they’re willing to tolerate, and what risks they do not want to tolerate. They are responsible for monitoring and responding to ERM outputs and obtaining assurance that the organization’s risks are acceptably managed within the boundaries specified. Also, remember that risk...

  11. PART 2: IT AUDITING
    • CHAPTER 7: TACKLING IT AUDIT
      (pp. 152-203)

      Change to a company’s IT infrastructure is a significant source of risk for every business. To protect the corporate crown jewels, robust change-management practices are absolutely critical. The need for a positive “control environment” within IT and a very unforgiving attitude regarding unauthorized IT changes cannot be overstated. In fact, a recent study by the IT Process Institute indicates that “best of breed” IT shops outperform their counterparts by a huge margin on many different performance indices. The two controls that were almost universally present in these high performers were:

      monitoring systems for unauthorized changes

      having defined consequences for intentional,...

    • CHAPTER 8: HEALTHCARE INTERNAL AUDITING
      (pp. 204-207)

      I write a quarterly IT column for the Association of Healthcare Internal Auditors (AHIA) in their internal audit publication entitled New Perspectives. With permission, excerpts of the articles are presented below (the complete articles are available at the links shown).

      Welcome to New Perspectives on Healthcare Risk Management, Control and Governance, the quarterly Journal of the Association of Healthcare Internal Auditors. New Perspectives addresses up-to-date information, current trends and issues in the areas of financial auditing, operational auditing, medical auditing, management and consulting, and information systems auditing, as well as the healthcare industry and the auditing profession. Excerpt from the...

    • CHAPTER 9: IT AUDIT CHECKLISTS
      (pp. 208-215)

      IT Audit Checklists are a T2P (Truth to Power) members-only free resource (involves a short registration). Originally published by the IT Compliance Institute, the checklists offer practical guidance and experience-based insight to help IT, compliance and business managers prepare for more successful and productive internal audits. In addition to helping you understand what auditors look for and why, IT Audit Checklists support proactive operational self-assessments. By measuring your internal processes against the managerial, operational and technical control objectives in these papers, you can uncover new opportunities for system and process improvements – and address them pro-actively: (Checklists are available on...

    • CHAPTER 10: AUDITNET® DAN SWANSON’S COLUMNS
      (pp. 216-222)

      I’ve written a monthly internal audit column for AuditNet for several years; provided below is a summary of the various articles and highlighted resources produced from that long-term effort. For easy access to the various columns go to: www.auditnet.org/dsarticles.htm.

      Fraud is a complicated subject and linkage to good risk management and good governance practices are, of course, critical (to reduce fraud); in fact, without the latter in place the fight against fraud is doomed to eventual failure. 60 resources you should find useful (this war has been going on for many years) are available at: www.auditnet.org/articles/DSIA201004.htm.

      Summer is a time...

    • CHAPTER 11: IT WORLD CANADA: IT SECURITY RESOURCE BLOG
      (pp. 223-239)

      I’ve posted numerous resource blogs to the IT World Canada website. Provided below are summaries of the various postings; while focused on IT security, numerous management subjects are also covered: www.itworldcanada.com/blogs/security/default.aspx.

      Getting IT under control is all about consistent and repeatable IT processes. Change and release management has become a defining performance factor in high performing IT shops. Significant research has also been completed which identifies the huge benefits of tackling change management “head on”: http://blogs.itworldcanada.com/security/2009/03/19/have-you-started-your-journey-yet/.

      Do you feed your employees, or do you teach them how to fish? Do you like to swoop in and save the day? Do...

    • CHAPTER 12: SENTINEL: THE IT GOVERNANCE NEWSLETTER
      (pp. 240-242)

      Over the past five years I’ve published a monthly IT Governance newsletter entitled Sentinel. Each month this newsletter highlights leading resources across several management topics, including: organizational governance, IT governance, risk management and internal audit, IT audit, IT management, and finally the “Picks of the Month”.

      This newsletter is available at: www.itgovernance.co.uk/media/newscats.aspx?cat_id=7&title=Newsletters.

      30/06/2010 Sentinel - Edition 60 - 30 June 2010

      28/05/2010 Sentinel - Edition 59 - 31 May 2010

      26/04/2010 Sentinel - Edition 58 - 29 April 2010

      31/03/2010 Sentinel - Edition 57 - 01 April 2010

      22/02/2010 Sentinel - Edition 56 - 22 February 2010

      28/01/2010 Sentinel...

    • CHAPTER 13: CIO CANADA: IT MANAGEMENT COLUMNS
      (pp. 243-246)

      Over the course of several years in the late 1990s I highlighted leading IT management resources of use by CIOs and other senior IT managers. The more popular columns are presented below.

      When it comes to IT management, sometimes nothing is as valuable as the lessons learned by those facing similar management challenges: www.itworldcanada.com/news/positioning-the-cio-for-success/129284.

      Here’s an online report worthy of recommending to senior management. Entitled Managing Information Technology Planning for Business Impact, it is an executive-level guideline developed by the International Federation of Accountants (IFAC).

      Sound IT strategic planning combined with good project management, and audit and control of IT...

    • CHAPTER 14: KEEPING OUR KIDS SAFE!
      (pp. 247-248)

      Some great resources to help keep our kids safe are provided below.

      www.teachermovie.com

      This is an excellent site about safe surfing, anti-bullying, etc. Wired Kids also form the basis of a group that works in schools – Teenangels – kids teaching kids about Internet safety and etiquette: www.wiredkids.org/.

      Securing your personal computer at home plays a crucial role in protecting our nation’s Internet infrastructure. You’ll find simple steps, practices and resources to learn the basics on how to teach your children to stay safe on the Internet.

      This website gives you the information needed to secure your computer. You’ll find...

  12. PART 3: MAKING A DIFFERENCE
    • CHAPTER 15: LEARN FROM THE PAST AND “THINK”
      (pp. 250-252)

      While I never met W. Edwards Deming in person, this quote continues to inspire me:

      You have heard the words; you must find the way. It will never be perfect. Perfection is not for this world; it is for some other world. I hope what you have heard here today will haunt you the rest of your life. I have done my best.

      Continuous improvement really is a life-long journey: http://blogs.itworldcanada.com/security/2009/01/23/dan-swanson-nobodys-perfect/.

      Lisa D McNary begins her article on Dr Deming with the following quote:

      It’s rather pleasant the way the human mind slips backwards and forwards through the years. Looking...

  13. APPENDIX A: AN EDPACS ARTICLE
    (pp. 253-285)
    Gary Hinson
  14. APPENDIX B: INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)
    (pp. 286-287)
  15. APPENDIX C: GLOBAL TECHNOLOGY AUDIT GUIDES
    (pp. 288-289)
  16. APPENDIX D: A PRIMER ON CORPORATE DUTIES
    (pp. 290-300)
  17. APPENDIX E: ASSURANCE CONUNDRUM
    (pp. 301-307)
    Andrew Dyson
  18. APPENDIX F: THE PERILS OF MOUNT MUST READ™: CONFESSIONS OF A CLIFF NOTE JUNKY
    (pp. 308-309)
  19. APPENDIX G: NORMAN MARKS ON GOVERNANCE
    (pp. 310-311)
  20. APPENDIX H: CHARLES LE GRAND ON TECHNOLOGY
    (pp. 312-313)
  21. ITG RESOURCES
    (pp. 314-316)
  22. WHAT OTHERS ARE SAYING ABOUT THIS BOOK
    (pp. 317-318)