April 1999 Issue
TWO NEW OFFERINGS FROM THE INSTITUTE OF INTERNAL AUDITORS
Internal auditing is on the brink of a third paradigm shift that will dramatically affect the way auditors approach their work, contend Georges Selim and David McNamee, authors of the Institute of Internal Auditors (IIA) Research Foundation's latest study, Risk Management: Changing the Internal Auditor's Paradigm.
"The first internal audit paradigm focused on observing and counting," the authors write. The second "changed the paradigm from a focus on re-performance to a focus on risk. The third paradigm is based on viewing the business process through a focus on risk." This will lead the internal auditor to an active, anticipatory risk-based function. The auditor's role will be in supporting management and playing a key role in corporate governance.
The authors recommend that, in addition to participating in the governance function, the chief internal auditor employ the three segments of risk analysis: assessment, management, and communication. The book includes tools for understanding these components and determining when to use them. The authors encourage a thorough understanding of the business process from an owner's perspective, and they offer a framework for discussing risk management as a means of generating ideas relating to other business activities.
Also recently released by the IIA is An Auditor's Guide to Encryption, an overview targeted to the auditor concerned with information security. The book presents a brief history of codes, ciphers, and cryptology that leads to contemporary computer hacking. Topics such as decryption algorithms, electronic data interchange, and Secure Sockets Layer are discussed.
"Auditors are responsible for assessing controls over the safety of an organization's assets," the authors write. "To discharge this responsibility, they must recognize unique sources of risk to information and the countermeasures management might use to protect the system." For example, the book places special emphasis on password security and on how to avoid breaches of that security that all too often could have been prevented. Here, the auditor can play an invaluable role in making staff members aware of their responsibilities in password selection and protection and their part in helping to keep a company's information secure.
Both volumes are currently available through the IIA's website at www.theiia.org.
©2009 The New York State Society of CPAs.