Managing the Audit Function. A Corporate Audit Department Procedures Guide, 3rd edition

Gerald Vinten (Editor, Managerial Auditing Journal)

Managerial Auditing Journal

ISSN: 0268-6902

Article publication date: 1 December 2003


Citation

Vinten, G. (2003), "Managing the Audit Function. A Corporate Audit Department Procedures Guide, 3rd edition", Managerial Auditing Journal, Vol. 18 No. 9, pp. 772-773. https://doi.org/10.1108/02686900310500532

Publisher

Emerald Group Publishing Limited

Copyright © 2003, MCB UP Limited


This is a valuable learning tool, cast in the form of a US audit procedures manual, which coincidentally could save organisations from writing their own, or with only a need to supplement at the margins. Alternatively organisations may wish to benchmark their audit manuals with the present one. A huge advantage is that the authors integrate information systems audit material, and hence incorporate the latest guidance from both the Institute of Internal Auditors and the Information Systems Audit and Control Association (ISACA). Thus, for example, the codes of ethics of both organisations are set out. The historical dimension is not neglected, and although within one line one passes from 8500 BC to AD 1397, the authors devote more attention to later events more within present consciousness. However they do light upon Britain’s past Enron situation, the South Sea Bubble scandal of 1720. In mitigation it can be said that audit and accounting were in a pretty rudimentary state at this time, but it has been through such gigantic corporate scandals that wake‐up calls are received and reform undertaken.

The book is divided into four parts. Part One deals with the Fundamentals of the Internal Audit Function: background and history, auditing standards and responsibilities, and the internal control system. Part Two is on Management and Administration: department organisation, and personnel, administration and recruitment. More explicit treatment of continuing professional development would be useful here. Part Three is on Technical Procedures: planning, performance and reporting. Part Four is on Long‐Term Effectiveness: corporate governance, quality assurance, continuous improvement and marketing. When considering who one’s customers are, it would be valuable perhaps to extend the discussion to include stakeholders, since this is becoming much more commonplace in corporate governance discussion.

Although not obsessed with fraud, the book is well aware of its existence. Section 3.8 is concerned with malicious activities (the word “rouges” on page 123 should be “rogues”). Written in the context of the Post Enron world and the Sarbanes‐Oxley Act (2002), prescient risk assessment and control models are indicated and compared, as in the helpful table on page 85 which is extracted from the ISACA Web site. Corporate governance and audit committees are also fully treated. Some sections contain more meat than others, and the leaner ones may leave the reader a bit hungry, such as the five lines on international audits (p. 249). Of course a manual is not a textbook, and this one concentrates on management considerations. It is a matter of judgement what to include and omit. Nevertheless this text sometimes appears to be a mixture of a textbook and a manual. That may be to the good, since it can serve a wider purpose, whereby those who are not audit directors may eavesdrop and hence gain a more in‐depth appreciation of the internal audit function, and maybe increase their own chances of becoming an internal audit director in due course.

The classification of types of internal audit may not meet everyone’s requirements, nor the definition that the operational/managerial audit “can be defined as an extension of a financial audit” (p. 240). It would seem to be a lot more than a mere extension of a financial audit and indeed of the very essence of internal audit activity. Where else does the intrinsic value of internal audit lie?

I could not make total sense of the Index. It looks like part of it may be missing. It gives letters A, C, E, F and G, then I and S with nothing in between or after. This may be because of a decision to bunch most of the entries under the headings of internal audit, internal auditing and internal controls. The Sarbanes‐Oxley Act is repeated under both internal controls and the letter S, where surprisingly it crops up twice with the same page references. Inconsistently CAATs and CobiT only appear under internal controls, whereas COSO is duplicated. Maybe a qualified librarian might like to concoct a more consistent and helpful index. Personally I would expect to find quality assurance under Q, and risk assessment under R and so forth.

This book deserves a place in the internal audit function’s library, as well as in academic libraries. It provides timely help to the internal audit director, plus an insight into what might otherwise be the unknown for aspiring directors and to students of the subject.
