
About this book

Everything starts with an idea, and this book is no exception. At first, the various thoughts and discussions were focused on the original intention to “merely” create a job introduction for new Internal Audit employees. This plan has since evolved into a comprehensive, up-to-date presentation of the tasks and challenges facing Internal Audit, in a format and on a scale hitherto unrivalled in the market. There are very few units in the company that have been subject to such a major change process in recent years as Internal Audit. This applies irrespective of company size as corporations adapt to developments in information technology, corporate governance, legal requirements, and global best practices. For large corporations, the change process typically involves restructuring, expanding, and internationalizing the existing department, while smaller and medium-sized companies face the challenges associated with setting up such a department for the first time. For this reason, we have not produced this book with a specific audience or sector in mind. Rather, we have tried to present the idea of Internal Audit so comprehensively that readers can get from it the information they require for their particular situations. The target audience of this handbook could not be more varied, and we hope that a large cross-section of managers and employees from Internal Audit, compliance, risk, and corporate management will benefit from reading it.



Conceptual Basis of Internal Audit


1. Nature and Content of Audits

• During audits, an independent party compares the existing condition to predetermined criteria (such as US-GAAP, or the policies and procedures of the organization).

• Audits serve two important control functions. Firstly, they are detective control mechanisms by which auditors identify and investigate variances or deviations from predetermined standards. Secondly, they are used as preventive control mechanisms because the expectation of an audit should deter individuals from engaging in fraudulent financial reporting or making careless errors.

• In the course of their evaluation, auditors identify business risks and evaluate the effectiveness and efficiency of the control systems designed to avoid, reduce or eliminate those risks. Auditors should also be aware of the risk of fraudulent activities.

• The primary goal of auditing is to serve the company by providing an independent and objective evaluation of the organization’s adherence to operational, financial and compliance policies, guidelines and regulations.

• Likewise, audits are performed to protect the interests of third parties, such as investors and creditors.

2. Internal Audit: Meeting Today’s Needs

• Internal Audit is influenced by a variety of factors, including regulatory and legal requirements, internal expectations, and competitors. Internal Audit can and must meet these factors with flexibility and in accordance with company objectives and the standards established by the professional institutes.

• The external environment and internal factors demand that internal audit functions are integrated within the business processes of the organization.

3. Framework of Internal Audit at SAP

• The mission statement expresses the basic definition of GIAS’ fundamental accountability.

• The global audit approach of Internal Audit at SAP requires that international circumstances are taken into consideration.

• All cultural, legal, statutory, and work-related differences have to be taken into account, and different interpretations of auditing must be considered when operating in an international environment.

• In addition, all organizational prerequisites and procedures have to be defined for each audit so that they agree with all participants’ perception of audits.

4. Organizational Structure of GIAS

• At SAP, Internal Audit is a staff department that reports directly to the CEO.

• It is crucial that the organization of Internal Audit at SAP reflect the requirements associated with the global responsibilities that the Executive Board bears.

• The combination of global responsibility and regional structure enables Internal Audit to flexibly carry out a wide variety of tasks.

• At the same time, this approach creates additional opportunities to use Internal Audit’s existing global know-how.

5. Fundamental Principles of the GIAS Approach

• Employee profiles provide formal requirements in terms of the individual functions at GIAS.

• In determining formal requirements it is important to distinguish between disciplinary and technical requirements on one side and social and personal requirements on the other.

• A mix of various skills is necessary to ensure that audits are in compliance with international audit principles.

6. Audit Methods

• Internal Audit uses a variety of content determinants and formal determinants to identify the appropriate audit method to use for a specific engagement.

• Content determinants include the audit fields and the audit approaches.

• Formal determinants include: the audit category, type, and status of the audit within the audit cycle.

• Thus audit methods are characterized by a framework of standard parameters, which allows auditors to treat different audits according to standard rules. Individual criteria may be added to the predefined standard parameters at any time.

7. Other Services

• Other services that Internal Audit can perform in addition to traditional audit work can be classified as audit-related and non-audit-related other services.

• Audit-related other services include cost-effectiveness analysis, preliminary investigations, reviews, and implementation support.

• Non-audit-related other services include primarily ongoing support, internal consulting, and project management.

The SAP®-Audit Roadmap as a Working Basis for Internal Audit


1. General Introduction

• The Audit Roadmap is a model for visualizing all phases and process steps of an audit in terms of form and content.

• It is aimed at giving auditors all the necessary standard information on the basis of a standardized, globally binding process model.

• A standard Audit Roadmap helps to achieve uniform audits throughout the company.

• The main phases of the Audit Roadmap are planning, preparation, execution, reporting, and follow-up.

• Each of these phases is divided into sub-phases, which have to be executed in a specified sequence.

• The Audit Roadmap is intended for use as an audit process model for standard audit topics.

• In addition, Audit Roadmaps can be defined for special audit content, specifically for a certain sector, company, or audit.

2. Planning

• Even though Scopes are integrated into the audit process, they are defined independent of individual audits.

• Core Scopes represent closed business or organizational audit areas, which can be broken down into any number of audit segments, referred to as Key Scopes.

• Scopes have the advantage that they can be used in individual ways and combined with each other in different audits.

• Scopes require regular updating. Audit employees should be assigned responsibility for keeping Scopes current.

• Access authorizations have to be defined for Scopes so that confidentiality is guaranteed.

3. Preparation

• Audit announcements give Internal Audit and the unit to be audited the opportunity to come to a common understanding on the actual audit and its contents well in advance of the audit.

• Such announcements are advisable within a certain period, depending on the audit or service type.

• Although there are many arguments in favor of audit announcements, it should be critically examined whether announcing the audit jeopardizes audit objectives.

• Whatever the circumstances, announcements have to be in general terms so that the extent of the audit can be supplemented with results from fieldwork or other audits at any time.

4. Execution

• The opening meeting is primarily used to exchange information between auditees and Internal Audit about the audit.

• Fieldwork activities are subject to the materiality principle.

• Auditors must ensure that the work program is completed fully and consistently. All work program objectives must be achieved by suitable fieldwork activities.

• The audit activities and their results are documented in the working papers.

• Closing meetings are held to communicate audit results to the auditees.

5. Reporting

• The results of the fieldwork conducted by Internal Audit are summarized and documented in an audit report.

• The reporting principles for external auditors apply also to Internal Audit’s work.

• Impartial reporting must be complete, truthful, and clear.

• To ensure that the information is optimized, the reports should be made available as quickly as possible.

• Depending on the addressee, there are different reporting formats and writing styles.

6. Follow-Up Phase

• The follow-up phase serves to ensure that all recommendations given after the basic audit are implemented by the deadline.

• The follow-up phase breaks down into four sub-phases: status check I, follow-up I, status check II, and follow-up II.

• Different areas of responsibility are distinguished in the overall process.

• In addition to Internal Audit, other parties may be involved in the follow-up process.

7. Special Audit Roadmaps

• The Audit Roadmap is a framework that can be adapted to define modified procedures.

• These include further development of the standard Audit Roadmap and highlighting individual process models.

• There are many different reasons for special Audit Roadmaps: Increasingly complex topics, use of IT, different target groups, blurring of audit categories, standardization of alternative services, and modular breakdown of the services provided by Internal Audit.

Examples from Audit Practice at SAP


1. Introduction

Section C of this handbook provides practical examples of internal audit work at SAP. Chapter C.2 presents audit basics. Chapters C.3 and C.4 provide selected examples of financial and operational audits while Chapter C.5 gives details of combined audit topics. Chapters C.6 through C.9 deal with selected topics specific to SAP, and Chapter C.10 describes IT audits.

2. Audit Basics

• Before the start of standard and special audits listed in the annual audit plan, Internal Audit should send out audit announcements to the auditees.

• The work program is compiled with due consideration for the objectives of the audit.

• An opening meeting with the auditees is conducted before the fieldwork begins. A closing meeting is held after fieldwork is complete to review the results of the audit fieldwork.

• The audit report contains information on the objective, extent, and results of the audit.

• During the follow-up phase, Internal Audit checks whether the audit recommendations have been implemented.

3. Selected Financial Audit Topics

• Analytical procedures consist of an analysis of figures and ratios and/or groups of figures and ratios and their development over a defined period.

• Analytical procedures are important tools for effectively performing any type of audit.

• There are different categories of analytical procedures, e.g., plausibility checks, trend analysis, and ratio analysis.

• Analytical procedures can be used during audit preparation, audit execution, and reporting.

4. Selected Operational Audit Topics

• Purchasing audits can be conducted at a strategic or operational level.

• Purchasing audits should include a focus on fraud prevention.

• Supplier selection is also a primary focus of a purchasing audit. Proper documentation should be in place to allow the supplier selection process to be tracked.

5. Combined Audit Topics

• Subsidiary audits are performed using a standard work program.

• Subsidiary-specific matters are added to this standard work program based on analytical audit procedures performed during audit preparation and the meetings held with colleagues from the various corporate departments.

• Significant audit topics in a subsidiary audit are: General topics, financial reporting, consulting, licenses, human resources, purchasing, and risk management.

6. Business Review

• The business review is not one of Internal Audit’s traditional audit tasks.

• Projects with customers (consulting or development) or other matters arising from SAP’s relations with customers or partners may be examined during a business review.

• The review focus may differ, depending on the circumstances and the specific request. Its focus may be one of the following: Pure implementation performance, contractual and financial aspects, or the nature and design of business relations.

• A business review normally involves several rounds of meetings between the customer and the relevant management at SAP, where the current status, interim results, proposals, and actions are discussed.

• Finally, a report is created for the Board member in charge and for the customer, explaining the matters identified and the action proposals discussed.

7. Global Audits

• As the trend towards globalization continues, Internal Audit must respond by conducting global audits.

• Internal Audit must be able to handle global topics adequately; however, a special process model for global audits is not necessarily needed.

• Global audits entail greater coordination and communication efforts.

• In global audits, GIAS can use its strengths with regard to global presence under centralized management with decentralized operations.

• Global audits present special challenges for each auditor, which can have a positive effect on his or her personal career development.

8. SOX Audits

• There are three types of SOX audits: audits of the implementation of SOX in each of the company’s units, audits of the quality of SOX work undertaken locally, and audits of various SOX-related process groups, processes, and control systems.

• Preparation for a SOX audit for process groups is of crucial importance and should include the following steps: review of the available documentation regarding the processes to be audited, review of the results of design assessments and testing procedures, and discussion of issues with the local SOX champion and the central SOX team.

• The execution of the SOX audit for process groups includes reviews of design assessment tests, control effectiveness tests, and of the existing flowcharts.

• Auditors must ensure that the population and any samples have originated in the current fiscal year. Samples taken from the previous year cannot prove that the controls are effective at the time of the audit.

• Auditors must document the sampling method so that the audit can be reperformed.

9. Revenue Recognition Assurance

• The GIAS revenue recognition assurance program supports the company in ensuring compliance with revenue recognition rules.

• This concept includes, for example, customer confirmations and unannounced license audits that are used in addition to regular audit activities.

• Internal Audit’s general quality assurance program has been adapted to the special requirements of revenue recognition assurance work.

10. IT Audits

• Internal and external compliance and reliability requirements on financial reporting must be supported by a company’s information technology.

• The extent of the IT audit is influenced by the domains of Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

• Possible risks for an IT system include non-compliance, inconsistent data, user error, uncontrollability, and unreliability.

• In addition to system tests, the organizational analysis of the IT system is a key component of IT audits.

Special Topics and Supplementary Discussion


1. Documentation in Internal Audit

• Documentation is a key element of each audit.

• Important objectives of documentation include providing evidence that the audit work is compliant, ensuring readiness to give information, and presenting the audit history across audit cycles.

• This results in a number of different tasks, including ensuring the completeness of the information, the traceability of the findings and recommendations, and providing a safeguarding function.

• The audit lead has to assess and take adequate account of the different sources of information and how balanced they are.

2. Cooperation

• Communication and information exchange are important components of the work of an internal audit department.

• The confidentiality of information must be observed at all times.

• The correct tone and style of communication are as important as the right timing.

• Internal Audit has to conduct itself professionally and objectively in verbal and written communication.

3. Annual Risk-Based Audit Planning

• A large variety of sources may help identify possibly auditable topics.

• Internal sources include Internal Audit itself and other corporate departments as well as the Key Scopes defined by Internal Audit.

• Among the external sources for auditable topics are the external auditors, and other internal audit departments.

4. IT Environment of Internal Audit

• Work templates are provided on a central server for the operational level of the audit, allowing auditors to copy the documents they need for further processing.

• Standard commercial software, IT tools for data selection, and all SAP application systems, including their audit-specific components, are available for supporting audit work.

• From a formal perspective, IT use should be standardized in the form of internet-based audit software.

5. Quality Assurance for Internal Audit

• Quality assurance is important for every internal audit department so that it can provide the best possible services.

• Organizations such as the IIA or AICPA have integrated quality assurance into their standards and recommendations.

• The benefits of a quality assurance program include consistent application of processes across global, regional, and local audits, standardization and completeness of documentation, and reporting reliability.

• Continuous process improvement (CPI) is also part of the quality assurance program. It is one of the key requirements for Internal Audit to meet expectations successfully.

6. Escalation Procedure

• Escalation processes may result from (1) a red traffic light status in the overall audit statement, (2) the fact that recommendations have not been implemented, or (3) from a disagreement about some of the audit findings or recommendations.

• During escalation, all responsible parties, including the Board, are informed directly.

• The overall audit statement for a basic audit is primarily intended to assess the quality of the findings, whereas the overall follow-up rating looks mainly at the effectiveness of the implementation process.

• If there is any disagreement, the audit team, the audit lead, and/or the Audit Manager should attempt to de-escalate the situation or reach a consensus with the auditee without varying the original audit finding.

• However, if the disagreement persists, a “management disagreed” classification is added to the audit report and the Board summary.

7. Performance Measurement System

• Performance indicators and ratios serve a variety of different purposes in Internal Audit.

• The available data material is very complex and offers many different levels for comparison and analysis.

• Internal Audit can define comparisons in the form of benchmarking or a balanced scorecard.

8. Integrated Cost Management (Cost of Internal Audits)

• To allow Internal Audit to perform its tasks effectively, the organization must provide adequate resources to guarantee that the department’s capacity is fully utilized and it produces the best possible results.

• A tracking system can be used to allocate costs to Internal Audit's activities and thus measure resource utilization.

• A time management system is an important tool for allocating the cost of time and effort spent to audit activities. By recording time Internal Audit management can also analyze how employees use their time.

• Internal Audit’s total costs may include time and effort, direct audit-related costs, direct non-audit-related costs, and indirect costs.

• An effective cost monitoring process also supports Internal Audit’s billing process.

• There are several different cost transfer models that can be used. Selection of the appropriate model depends on the administrative burden created by the billing process and the nature of the audit activities conducted in the company.

• Internal Audit’s performance should be assessed from both a financial and nonfinancial perspective.

9. Peer Review

• A peer review, also known as a quality assurance review (or QAR), is the evaluation of an internal audit department by independent professionals in the same field as required by the IIA.

• A peer review examines the internal audit department’s compliance with professional standards and suggests improvements in order to align the department with best practices recognized in the profession.

• Generally, internal audit departments can decide for themselves whom to select as audit partner.

• The peer review goes through the normal phases of an audit project, i.e., planning, preparation, execution, reporting, and follow-up.

10. Guest Auditors

• Guest auditors may be used in all types of audits.

• The use of guest auditors may be necessary or desirable when specialist know-how is needed, capacity problems exist, or employees have to be trained.

• There are qualitative and quantitative criteria for the selection of guest auditors.

• At SAP, the selection of guest auditors follows a set procedure.

• Guest auditors should be integrated into the audit team from an organizational and technical point of view.

• Before the start of the audit, basic auditing procedures should be explained to guest auditors during a training day.

• The relationship with the guest auditor should be maintained even after the end of the audit.

• Cost allocation for the use of guest auditors must be clarified before the audit, and all costs have to be budgeted.

11. Management of Internal Audit

• Audit management is influenced by the different management levels within the internal audit department and their respective focus on different tasks.

• Audit management consists of different components: audit planning, quality management, performance management, and audit control.

12. Marketing of Internal Audit

• By providing quality audit results quickly and making objective and useful recommendations, Internal Audit can effectively market itself throughout the organization.

• To reach all those with an active or passive interest, Internal Audit should offer different forms of information.

• Internal Audit should use the company’s intranet, distribute printed documents, hold information events, and draw attention to its work in publications.

• Audit surveys are also part of Internal Audit’s internal marketing.

13. Fraud Prevention

• Fraud can be committed in any company. Therefore all companies should prepare their process structures for such an eventuality.

• Fraud should be identified and evaluated reactively and proactively. All measures should also be taken for adequate prosecution of those who commit fraud.

• An organization should have a clear, unambiguous code of conduct.

• Guidelines and instructions must be comprehensible and accessible to all employees.

• An organization should have a shared set of values and clearly communicate the consequences that fraud entails.

14. Services Provided by Internal Audit Relating to the Sarbanes-Oxley Act

• SOX was passed by the United States Congress in 2002 with an aim to protect investors and restore the public’s confidence in the capital markets.

• Among the many provisions of SOX, sections 302 and 404 of SOX are of particular importance to internal auditors.

• SOX section 302 makes management, particularly the CEO and the CFO, responsible for the compliance of the company’s financial reports.

• To meet these obligations, SOX section 404 requires management to provide evidence that all core business processes relevant to the financial reports, including the internal controls, are documented and effective.

• In addition, SOX has created the Public Company Accounting Oversight Board, or PCAOB.




For many years, Internal Audit stayed on the sidelines of day-to-day business operations and was generally perceived as a group of “box-checkers,” feared rather than valued as a control body at the behest of corporate management. We hope that the exploration contained in this handbook has changed this perception and, using the developments at SAP as an example, refuted it at least in part. Even if some elements of these original views persist, the first important steps toward a changed perception of Internal Audit have been taken.

