Assurance and the Three E’s: Efficiency, Effectiveness, and Economy
Ruoyu (Sophia) Cui
Agenda
  • Role of Assurance Professionals within Assurance Frameworks
  • Opportunities within Internal Control Frameworks
  • Tools, Methodologies, and Techniques
  • Market for Consulting Services
  • Impact of SOX and Role of Internal Auditor
Role of Assurance Professionals within Assurance Frameworks
  • Canadian Auditing Standards (CAS)
      • Understanding of entity, including internal controls
      • Assess adequacy of controls
      • Communicate control deficiencies and other significant matters
  • International Auditing and Assurance Standards Board (IAASB)
      • Assertion-based framework facilitates better governance
      • More timely identification and resolution of control deficiencies
Role of Assurance Professionals within Assurance Frameworks (cont’d)
  • SOX 404
      • Management to report on assessment of internal control
      • Auditor to assess management’s report
  • June 2010 Protiviti SOX compliance survey¹:
      • “70 percent of the 400 executive respondents in year four or beyond of their SOX-compliance programs agreed that improving their internal control environment was highly beneficial to their operations”
      • “SOX compliance…has triggered benefits that include increased efficiency and effectiveness of processes and operations, greater understanding of control design, and operating effectiveness.”
  ¹ S. Glover, “SOX Compliance Proves Beneficial To Organizations, Fuels Risk Consciousness”, National Underwriter (Nov 2010): 34, 36. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
Opportunities within Internal Control Frameworks
  • COSO
      • Promotes risk-based approach to designing the internal control system
  • COBIT
      • Three integrated dimensions: IT processes, IT resources, business requirements (including effectiveness and efficiency)
      • Four domains in IT governance: planning, acquisition and implementation, delivery and support, and monitoring and evaluation
COBIT Framework for IT Process Defined within the Four Domains of IT Governance
  Source: COBIT 3rd Edition Implementation Tool Set. COBIT Steering Committee and the IT Governance Institute. (July 2000).
Tools, Methodologies, and Techniques
  • Enterprise Resource Planning (ERP) and Business Process Management (BPM) systems
  • Continuous auditing and business monitoring
  • Risk-focused approach to internal audit
ERP and BPM Systems
  • ERP
      • Eliminates duplicate files and redundant manual data entry
      • Incorporates control features that support SOX and other types of compliance
          • E.g. establishes security roles, user IDs, passwords, and specific module accesses
      • Unable to retain complete histories in the transaction processes
      • Lack of documentation of policies and procedures
      • Difficult to obtain a consolidated picture of the entity’s operations
  • BPM
      • Fills in gaps in the ERP system
      • Integration of information contained in separate business applications
      • Self-documenting and secure audit trails
Continuous Auditing and Business Monitoring
  • Identify key risk indicators (KRI)
  • Enhance controls over current and potential risks
  • Software to assist management with regular evaluation
Risk-Focused Approach to Internal Audit
  • “KMAP” (KPMG’s Management Assurance Process) internal audit methodology
  • PwC 2012 Internal Audit Report:
      • “internal audit groups with a risk-centric mind-set will focus on providing assurance over both risk and control by 2012”¹
  ¹ R. Cathcart and G. Kapoor, “An Internal Audit Upgrade”, The Internal Auditor, 67, no. 3 (June 2010): 47. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
Market for Consulting Services
  • ERP and BPM systems design and implementation
  • Change management
  • Adoption of continuous auditing
  • SOX compliance
  • Evaluation of control processes
  • Internal audit services
Impact of SOX
  • 9 types of non-audit services prohibited, including:
      • financial information system design and implementation
      • internal auditing outsourcing
      • expert services
  • Non-audit services received from external auditors pre-SOX were not replaced by hiring other consulting firms¹
  • Non-audit services were either permanently reduced or absorbed into the workload of companies’ internal auditors¹
  • Increased level of responsibility placed on internal auditors
  ¹ C. Grant, N. Park, and S. Wheeler, “Non-audit, external audit, and internal audit services in a post-SOX world”, Internal Auditing 1 (Jan 2009): 28-32, 34-35. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
Conclusion
  • Assurance professionals can assist businesses in improving processes:
      • Under the current assurance and internal control frameworks
      • Through consulting work relating to design and implementation of systems/tools/methodologies
  • SOX severely limits external auditors’ ability to perform non-assurance type services
  • Increased responsibility for internal auditors
  • Need to ensure internal audit staff has the necessary level of expertise and competence
Thank you!
List of References
  • B. Tsay, “Designing an Internal Control Assessment Program Using COSO's Guidance on Monitoring”, The CPA Journal 80, no. 5 (May 1): 52-57. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed July 3, 2011).
  • Canadian Auditing Standards, Knotia.ca, accessed July 2, 2011.
  • C. Grant, N. Park, and S. Wheeler, “Non-audit, external audit, and internal audit services in a post-SOX world”, Internal Auditing 1 (Jan 2009): 28-32, 34-35. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • C. O’Connor, “IT Process and Control Frameworks” (University of Waterloo, Waterloo, ON, Feb 8, 2010).
  • COBIT 3rd Edition Implementation Tool Set. COBIT Steering Committee and the IT Governance Institute. (July 2000).
  • E. Zimmer, “The Next Wave of Business Monitoring”, The Internal Auditor, 67, no. 4 (Aug 2010): 43. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • F. Lin, L. Guan, and W. Fang, “Critical Factors Affecting the Evaluation of Information Control Systems with the COBIT Framework”, Emerging Markets, Finance & Trade 46, no. 1 (January 1, 2010): 42. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed July 4, 2011).
List of References (cont’d)
  • J. Lollar, H. Beheshti, and B. Whitlow, “The role of integrative technology in competitiveness”, Competitiveness Review, 20, no. 5 (Sept 2010): 423-433. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • J. Oringel and G. R. Aldhizer, “Continuous Auditing and Monitoring: Enhancing the Efficiency and Effectiveness of Auditing and ERM”, Internal Auditing, Vol. 24, Iss. 5 (Oct 2009): 17-26. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • K. Lumpur, “KPMG offers cost-effective approach to managing risk”, Business Times (Feb 2001): 4. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • K. Walker, “SOX, ERP, and BPM: A Trifecta That Can Make Your Business Run Better”, Strategic Finance, 90, no. 6 (Dec 2010): 47-53. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • M. Jones and J. Iwasaki, “Governance Benefits of New Assurance Reports”, International Journal of Disclosure and Governance 8, no. 1 (Feb 2011): 4-15. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • R. Cathcart and G. Kapoor, “An Internal Audit Upgrade”, The Internal Auditor, 67, no. 3 (June 2010): 47. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
  • S. Glover, “SOX Compliance Proves Beneficial To Organizations, Fuels Risk Consciousness”, National Underwriter (Nov 2010): 34, 36. http://www.proquest.com.proxy.lib.uwaterloo.ca/ (accessed June 9, 2011).
