Each month Dan Swanson, a senior security and internal audit professional will provide his list of recommended resources for AuditNet readers. If you have questions about this page or the links, you can reach Dan at www.securitybenchmark.com and dswanson_2005@yahoo.com.

---

Compliance and Ethics

Broadly understood, compliance with an organization’s policies and procedures is a very important activity that helps make organizational governance effective. Monitoring and maintaining compliance is not just to keep the regulators happy; compliance with regulatory requirements and the organization’s policies and procedures is a critical component of an effective enterprise-wide risk management program. It can also be an important way in which an organization achieves its business goals, sustains its ethical health, works towards long-term prosperity, and preserves and promotes its values.

An effective C&E program is best implemented as integrated processes that are owned by designated functions and managed by senior executives who have overall responsibility and accountability. Today, compliance is a daunting challenge, but it also provides a significant opportunity to establish and promote “operational effectiveness” throughout the organization.   

A periodic health checkup is vital

The board and management periodically need to evaluate the design and operating effectiveness of the company’s C&E program, and to assess its overall performance. Such an evaluation supplements the ongoing, day-to-day monitoring of C&E related activities. An internal audit provides for a more in-depth analysis of the C&E program, including its design, effectiveness, and performance. Some leading resources to assist your efforts are provided below.

Compliance and Audit Resources (resource sidebar)

Key resources

1. The OCEG Internal Audit Guide (IAG) for the audit of a compliance and ethics program.

2. The OCEG Framework and Foundation-level and Domain-level guidelines by the Open Ethics and Compliance Group (OCEG).

3. Auditing ethics and compliance programs article

4. Some excellent presentations on ethics and ethical self assessment and in 'resources' ethical dilemmas.  

5. The NACD web site -

6. The “Expressing Opinions on Internal Control” resource repository.

7. “Organizational Governance - Guidance for Internal Auditors”

Ethics Resource Center

Ethics & Philosophy (resources)

National Business Ethics Survey - Business Ethics

http://www.web-miner.com/busethics.htm

United States Office of Government Ethics

Ethics and Compliance Officers Association

164-page CD-based publication "A Practitioner's Guide to Corruption Auditing" by Muhammad Akram Khan - see  

Compliance resources

The Open Compliance and Ethics group (OCEG)

Expressing Opinions on Internal Control -

“Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act”

American National Standard - Guidelines for Quality and/or Environmental Management System Auditing

The IIA:

• “Enterprise-Wide Governance Guidance for Internal Auditors”
• “Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act”
• The Role of Internal Audit in Sensitive Communications

• “Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners”.

• “Sarbanes-Oxley Section 404 Work: Looking at the Benefits
• “Practical Considerations Regarding Internal Auditing Expressing an Opinion”.

• “Audit Committee Briefing – Internal Audit Standards: Why They Matter”.

• “Frequently Asked Questions (About the Internal Audit Profession)
• “Expressing an Opinion on Internal Control” - (resource repository)

• “The Role of Internal Audit in Enterprise-wide Risk Management”.

NACD:

• NACD Blue Ribbon Commission (BRC) reports –

1.       NACD BRC on Board Evaluation-2005 Edition

2.       The NACD BRC on Board Leadership

3.       The NACD BRC on Director Compensation

4.       The NACD BRC on Audit Committees

5.       The NACD BRC on Director Professionalism

6.       The NACD BRC on Role of the Board in Corporate Strategy

7.       The NACD BRC on Risk Oversight

COSO:

• “Executive Summary - Internal Control - Integrated Framework (COSO IC-IF)” 
• “Enterprise-Wide Risk Management - Integrated Framework (COSO ERM-IF)”

Audit

Internal and IT Audit guidance – The Institute of Internal Auditors, Inc. (IIA)

www.theiia.org/guidance and www.theiia.org/technology

IT Audit and Control – Information Systems Audit and Control Association (ISACA)

Federal Financial Institutions Examination Council (FFIEC)
http://www.ffiec.gov/ffiecinfobase/resources/re_01.html
http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html'

American Society for Quality (ASQ)

U.S. General Accountability Office (GAO) - http://www.gao.gov/aac.html
Auditing System Conversions article 

Auditing Ethics

Conduct an Ethics Audit

Ethics Audit Essential for Every Business

The Ethics Audit

Audit Your Ethics 

Doing Your Own Ethics Audit -

City of Austin Citywide Ethics Audit Report 

What is an Ethics Audit? -

Interviewing for Values

Do the Big Four Need an Ethics Audit?