Request for Proposal Documents/Update-to-the-IIA-textbook-IA-Assurance...update of Internal Auditing: Assurance and Advisory Services (textbook) and is soliciting proposals in response

1

Request for Proposal

To provide updates to

Internal Auditing: Assurance and Advisory Services

30 August 2019

Issued by:

Internal Audit Foundation 1035 Greenwood Blvd., Suite 401

Lake Mary, Florida 32746 USA

www.theiia.org/Foundation

http://www.theiia.org/Foundation

2

1. Introduction

The Internal Audit Foundation, a Washington, D.C., nonprofit organization headquartered in Lake Mary, Florida, is seeking an author, or team of authors, to collaborate with on the update of Internal Auditing: Assurance and Advisory Services (textbook) and is soliciting proposals in response to this Request for Proposal (RFP).

2. Project Background and Description

In Q1 2019, the Foundation conducted market research via surveys and individual interviews to validate the interest and need for updates to the textbook. The research confirmed the need and identified several new topic areas as identified below (see Section 3: Project Scope and Deliverables).

A. Project overview

This fifth edition is an update to the fourth edition and will address:

1) Technology disruptions to the profession

2) Additional focus on critical thinking (case studies)

3) Updated revisions to the Lines of Defense

4) A global perspective that includes:

a) Multinational examples

b) Interpersonal skills related to global differences

B. This product supports the Foundation’s overall mission to expand knowledge and

understanding of internal auditing and to advance the profession globally by providing

an understanding of the definition, overview, and processes of internal auditing for

students and new entrants to the internal audit profession.

C. This revision to the textbook is intended to enhance internal audit students’ knowledge

and understanding of the following:

1) The Competency Framework for Internal Audit Practitioners

2) International Standards for the Professional Practice of Internal Auditing (Standards)

3) Alignment of textbook topics to the Certified Internal Auditor (CIA) exam

4) Lines of Defense (revised)

5) Business disruptions

6) New technologies (e.g., artificial intelligence [AI], robotic process automation [RPA],

machine learning, etc.)

D. Intended audience (typical user profile)

1) Primary and secondary audiences

a) Internal Auditing Education Partnership (IAEP) programs and students

b) Internal audit departments

3

E. Target industry/sector for this product and its global application

1) Global/universal audience

2) Educational institutions

3) New audit shops

4) Audit shops with rotational and non-internal audit background hires

F. Other possible content uses

1) One continuous case study

2) Additional ad hoc cases

3) Some cases could be reclassified as research projects/group assignments (e.g., many

Knowledge Leader/Protiviti projects)

3. Project Scope and Deliverables

The table of contents for the fourth edition is included as an attachment to this RFP.

However, alternative configurations of the content/chapters will be considered. Please see

below for topics that are to be included in the update.

A. Revisions to include

1) The internal audit environment

a. Governance, risk management, and control (GRC)

i. Governance – Ch 3

ii. Risk – Ch 4-5

iii. Control – Ch 6

1. Inclusion of compliance as a subset of control

b. Revised Three Lines of Defense (introduce early to provide a proper basis for

better discussion of GRC)

2) Guidance

a. International Professional Practices Framework (IPPF)

b. Public sector auditing standards

3) Competencies – Ch 1 – Competencies Needed to Excel as an Internal Auditor

a. New competency framework (consider adding to existing chapter or as a

standalone chapter)

4) Introduction to the Engagement Process (Ch 12)

a. Engagement-level risk assessment

B. Disruptive innovations (add chapter or weave throughout content) 1) Discuss disruptive innovations and new technologies that will impact what internal

auditors audit, the additional skill sets required, and how audit engagements will change. (We want to spark excitement – why it’s an exciting field to be in!) a. Automation (e.g., blockchain, RPA, cognitive intelligence, etc.)

4

b. Business disruptions (e.g., Uber/taxi, Netflix/Blockbuster, Amazon/malls, automated/driverless vehicles, etc.)

2) NOTE: May incorporate and discuss these innovations and their effects on business models (and business processes) in Ch 5 and the risks of these innovations in Ch 7.

3) Suggested resources: Internal Audit of the Future (PwC/IAF), IA’s Response to Disruptive Innovation (Christ, et al.), Blockchain Technology and IA (Crowe/IAF), Agile Auditing (Rick Wright)

C. Ethics and culture (woven throughout the book)

1) Discuss corporate culture and codes of ethics and why they should be audited a. Suggested resources: The IIA’s Professional Guidance (PGs) and the culture

maturity matrix in Evaluating Culture (Angie Chin) 2) Add to chapter on Governance and Internal Controls (Ch 3)

a. Auditing corporate culture and ethics

D. Soft skills (add chapter or weave throughout content)

1) NOTE: This section could be a new chapter that combines with competencies for internal auditors earlier in the book; re: Ch 3 or 7 (before or after the GRC Ch [3-6]).

2) Discuss interpersonal skills needed especially by internal auditors, such as communication, organizational, critical thinking, emotional intelligence, cognitive bias, etc. a. Consideration of global communication differences b. Global organizational differences

3) Soft skills a. Critical thinking

i. Sampling

ii. Risk management decision-making process

iii. Critical thinking -> decision making

1. Impacted by bias

iv. Consider problem solving for internal auditors

b. Cognitive bias c. Recency bias d. Ethics e. Business acumen

Chapters [3-6]) i. Goals and objectives of the organization

1. Organizational structure

ii. Goals and objectives of the business function

1. Business process flowchart

f. Ability to get insights from internships 4) NOTE: May incorporate and discuss soft skills within the Competency Framework

chapter.

5

5) Suggested resources: People Centric Skills 2.0 (Danny Goldberg), Total Quality Auditing (Amanda Jo Erven), The Art of Diagnosis: Solving the Right Problem the First Time (re: bias) (Jackson Nickerson)

E. CIA certification (add to narrative throughout the book)

1) Create a recurring narrative throughout the book that “points to CIA certification” and, where applicable, aligns text topics with the CIA exam. For instance, what part of the CIA exam is each chapter related to? How does it tie in? This may be done by adding a callout box to each chapter. Consider adding exam practice questions to help encourage sitting for certification. a. NOTE: The objective of this book is NOT to prepare for the CIA exam; rather, to

make students/readers aware that there is a natural progression to the profession and certain parts of the book are relevant to eventual professional certification.

b. Suggested resources: CIA exam syllabus, The IIA’s CIA Exam Practice Questions, and the IPPF

F. Data Analytics and Audit Sampling (Ch 11) (revise chapter)

1) Reduce size of chapter; eliminate excessive detail on performing statistical sampling; rather, emphasize how data analytics works and how auditors use it.

2) Explore the use of technology and software for data analysis and sampling. 3) Suggested resources: Data Analytics (Grant Thornton/IAF)

G. Risk Management (Ch 4) (revise chapter)

1) Revise explanation of certain risk-related topics, such as: a. Organizational vs process level – this can be confusing to students. For example,

there is risk at the organization level, but there's also risk at the process level. The current edition does try to distinguish between the two, but it also conflates the two. Make clearer that the risk assessment for the individual engagement is different than the risk assessment for the annual planning. Perhaps separate the two concepts. Do a better job of showing the interrelationships among the different risks.

b. Risk matrices – the way in which the current edition deems risk and control matrices, or RCMs, is not accurately portrayed. RCMs should have the control objective clearly stated, the risk clearly stated, and the control activity clearly stated.

2) Suggested resources: Guide to Risk Assessment, 2nd edition (Rick Wright) H. End-of-chapter questions (revise)

1) Revise end-of-chapter questions to increase strategic and critical thinking. Build more context, more of an explanation into each of the scenarios that have questions asked. (Don't assume students understand anything about the process. A paragraph or two is sufficient if it's well done.)

2) Add “challenge” questions pulled from the CIA Exam Study Guide.

6

I. Case study (prefer to add) 1) Refer to previous fourth edition and propose how to weave in a case study

throughout the text or as an appendix. 4. Project Timeline

RFP and Selection 08/2019 – 11/2020 Contracting 11/2019 – 01/2020 Content Development 01/2020 – 09/2020 Copy Editing/Typesetting 09/2020 – 12/2020 Manufacturing 12/2020 – 02/2021 Release 03/2021

5. Submission Guidelines and Requirements

The following submission guidelines and requirements apply to this RFP. First and foremost, only qualified individuals with prior experience on projects such as this should submit proposals in response to this RFP. Respondents may propose to be an individual team member working on one specific topic/section(s) of the project, or be included as part of a team proposing to work on the entire project. Proposals to provide overall editorial services separate from content development may also be submitted. Proposals should include a summary page and appendices as described below, and should

be organized in the following order:

A. Proposal summary page

1) Proposal title

2) Primary author’s name, contact information, and credentials

3) Date proposal submitted

B. Project description and approach

1) Approach to the scope of work

2) Description/role of team members

3) Annotated table of contents. Note: The table of contents of the fourth edition is

included with this RFP, but alternative arrangements of the content will be

considered.

4) Projected timeline for completion

5) Project budget

C. Author(s)

1) Brief description of qualifications and experience of each author

7

2) A review of author’s previous works if applicable (books, articles, etc.)

D. Appendices

1) Curriculum vitae (CV) for each author (three pages maximum)

2) Previous author affiliation with The IIA or Internal Audit Foundation (previous

research or educational products published, volunteer participation, chapter officer,

etc.)

3) Samples of previous similar work

4) References

6. Evaluation Criteria

The Foundation will evaluate proposals based on the following factors: a. Responsiveness to the requirements set forth in this RFP b. Relevant past performance/experience c. Samples of previous relevant work d. Project budget and cost

The Internal Audit Foundation reserves the right to award to the bidder that presents the best value to the Foundation and to the internal audit profession as determined solely by the Foundation in its absolute discretion.

7. Project Timeline

The Proposal Award timeline is as follows:

Request for Proposal Issuance 30 August 2019

Questions and Clarification Period 30 Aug - 13 Sept 2019

Responses to RFP Due 27 September 2019

Selection of Top Bidders/Notification to Unsuccessful Bidders 28 October 2019

Contract Award and Negotiation 11/2019 – 01/2020

Project Start 31 January 2020

Project Completion 31 January 2021

8. Project Budget

While cost is a factor, other criteria will form the basis of the award decision, as more fully described in the Evaluation Criteria section above. Bidders should include their financial compensation expectations within their proposal.

8

9. Key Contacts and Project Management

Interested parties should submit proposals by no later than 27 September 2019 to:

The Internal Audit Foundation Attn: Carrie Summerlin, Vice President

1035 Greenwood Blvd., Suite 401 Lake Mary, Florida 32746 USA

[email protected]

To learn more about the Internal Audit Foundation, go to www.theiia.org/Foundation.

mailto:[email protected]

http://www.theiia.org/Foundation

CONTENTS

Preface xv

Acknowledgments xix

About the Authors xxi

FU N DAM ENTAL I NTERNAL AU D IT CO N CEPTS

CHAPTER 1

Introduction to Internal Auditing 1-1

Learning Objectives 1-1

Definition of Internal Auditing 1-3

The Relationship Between Auditing and Accounting 1-7

Financial Reporting Assurance Services: External Versus Internal 1-8

The Internal Audit Profession 1-9

The Institute of Internal Auditors 1-13

Competencies Needed to Excel As an Internal Auditor 1-17

Internal Audit Career Paths 1-20

Summary 1-22

Review Questions 1-23

Multiple-Choice Questions 1-24

Discussion Questions 1-26

Cases 1-27

CHAPTER 2

The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession 2-1


The History of Guidance Setting for the Internal Audit Profession 2-2

The International Professional Practices Framework 2-4

Mandatory Guidance 2-6

Recommended Guidance 2-27

IIA-4e-FM-v8.indd 5 3/7/17 7:42 AM

csacher

Typewritten Text

Internal Auditing: Assurance and Advisory Services, 4th Edition

csacher

Typewritten Text

csacher

Typewritten Text

csacher

Typewritten Text

csacher

Typewritten Text

How the International Professional Practices Framework is Kept Current 2-32

Standards Promulgated by Other Organizations 2-35

Summary 2-38




Cases 2-44

CHAPTER 3

Governance 3-1


Governance Concepts 3-3

The Evolution of Governance 3-15

Opportunities to Provide Insight 3-17

Summary 3-18

Appendix 3-A: Summary of Key U.S. Regulations 3-19




Cases 3-25

CHAPTER 4

Risk Management 4-1


Overview of Risk Management 4-2

COSO ERM Framework 4-4

ISO 31000:2009 Risk Management – Principles and Guidelines 4-16

The Role of the Internal Audit Function in ERM 4-19

The Impact of ERM on Internal Audit Assurance 4-22


Summary 4-23




Cases 4-29

IIA-4e-FM-v8.indd 6 3/7/17 7:42 AM

CHAPTER 5

Business Processes and Risks 5-1


Business Processes 5-2

Documenting Business Processes 5-8

Business Risks 5-10

Business Process Outsourcing 5-24


Summary 5-27

Appendix 5-A: Applying the Concepts: Risk Assessment for Student Organizations 5-28




Cases 5-36

CHAPTER 6

Internal Control 6-1


Frameworks 6-2

Definition of Internal Control 6-7

The Objectives, Components, and Principles of Internal Control 6-8

Internal Control Roles and Responsibilities 6-17

Limitations of Internal Control 6-20

Viewing Internal Control from Different Perspectives 6-23

Types of Controls 6-24

Evaluating the System of Internal Controls: An Overview 6-28


Summary 6-30




Cases 6-35

IIA-4e-FM-v8.indd 7 3/7/17 7:42 AM

CHAPTER 7

Information Technology Risks and Controls 7-1


Key Components of Modern Information Systems 7-6

IT Opportunities and Risks 7-10

IT Governance 7-13

IT Risk Management 7-13

IT Controls 7-14

Implications of IT for Internal Auditors 7-20

Sources of IT Audit Guidance 7-23

Summary 7-25




Cases 7-32

CHAPTER 8

Risk of Fraud and Illegal Acts 8-1


Overview of Fraud in Today’s Business World 8-2

Definitions of Fraud 8-6

The Fraud Triangle 8-10

Key Principles for Managing Fraud Risk 8-12

Governance Over the Fraud Risk Management Program 8-15

Fraud Risk Assessment 8-18

Illegal Acts and Response 8-20

Fraud Prevention 8-22

Fraud Detection 8-24

Fraud Investigation and Corrective Action 8-25

Understanding Fraudsters 8-26

Implications for Internal Auditors and Others 8-28


Summary 8-33




Cases 8-39

IIA-4e-FM-v8.indd 8 3/7/17 7:42 AM

CHAPTER 9

Managing the Internal Audit Function 9-1


Positioning the Internal Audit Function in the Organization 9-3

Planning 9-7

Communication and Approval 9-8

Resource Management 9-9

Policies and Procedures 9-13

Coordinating Assurance Efforts 9-14

Reporting to the Board and Senior Management 9-16

Governance 9-18

Risk Management 9-19

Control 9-21

Quality Assurance and Improvement Program (Quality Program Assessments) 9-22

Performance Measurements for the Internal Audit Function 9-26

Use of Technology to Support the Internal Audit Process 9-26


Summary 9-29




Cases 9-36

CHAPTER 10

Audit Evidence and Working Papers 10-1


Audit Evidence 10-1

Audit Procedures 10-4

Working Papers 10-14

Summary 10-16




Cases 10-24

IIA-4e-FM-v8.indd 9 3/7/17 7:42 AM

CHAPTER 11

Data Analytics and Audit Sampling 11-1


Data Analytics 11-2

Steps to Internal Audit Data Analytics 11-5

Use of Data Analytics 11-6

Future of Internal Audit Data Analytics 11-7

Audit Sampling 11-9

Statistical Audit Sampling in Tests of Controls 11-11

Nonstatistical Audit Sampling in Tests of Controls 11-20

Statistical Sampling in Tests of Monetary Values 11-23

Summary 11-26




Cases 11-33

CO N DUCTI N G I NTERNAL AU D IT EN GAG EM ENTS

CHAPTER 12

Introduction to the Engagement Process 12-1


Types of Internal Audit Engagements 12-2

Overview of the Assurance Engagement Process 12-3

The Consulting Engagement Process 12-12

Summary 12-12




Cases 12-18

IIA-4e-FM-v8.indd 10 3/7/17 7:42 AM

CHAPTER 13

Conducting the Assurance Engagement 13-1


Determine Engagement Objectives and Scope 13-4

Understand the Auditee 13-8

Identify and Assess Risks 13-21

Identify Key Controls 13-28

Evaluate the Adequacy of Control Design 13-30

Create a Test Plan 13-31

Develop a Work Program 13-33

Allocate Resources to the Engagement 13-35

Conduct Tests to Gather Evidence 13-37

Evaluate Evidence Gathered and Reach Conclusions 13-39

Develop Observations and Formulate Recommendations 13-41


Summary 13-46




Cases 13-55

CHAPTER 14

Communicating Assurance Engagement Outcomes and Performing Follow-Up Procedures 14-1


Engagement Communication Obligations 14-2

Perform Observation Evaluation and Escalation Process 14-5

Conduct Interim and Preliminary Engagement Communications 14-17

Develop Final Engagement Communications 14-19

Distribute Formal and Informal Final Communications 14-22

Perform Monitoring and Follow-Up 14-28

IIA-4e-FM-v8.indd 11 3/7/17 7:42 AM

Other Types of Engagements 14-30

Summary 14-30




Cases 14-38

CHAPTER 15

The Consulting Engagement 15-1


Providing Insight Through Consulting 15-4

The Difference Between Assurance and Consulting Services 15-5

Types of Consulting Services 15-7

Selecting Consulting Engagements to Perform 15-11

The Consulting Engagement Process 15-13

Consulting Engagement Working Papers 15-18

The Changing Landscape of Consulting Services 15-21

Capabilities Needed 15-21

The Impact of Culture and the Internal Auditor as a Trusted Advisor 15-23


Summary 15-25




Cases 15-30

Notes BM-1

Glossary BM-7

Appendices BM-19

Appendix A: The IIA’s Code of Ethics BM-19

Appendix B: The IIA’s International Standards for the Professional Practice of Internal Auditing BM-21

Index BM-39

IIA-4e-FM-v8.indd 12 3/7/17 7:42 AM

ADDITIONAL CONTENT ON THE COMPANION WEBSITEACL Software

CaseWare IDEA Software

TeamMate+

The IIA’s Code of Ethics

The IIA’s International Standards for the Professional Practice of Internal Auditing

Case StudiesCase Study 1, “Auditing Entity-Level Controls”

Case Study 2, “Auditing the Compliance and Ethics Program”

Case Study 3, “Performing a Blended Consulting Engagement”

Case Study 3, “Performing a Blended Consulting Engagement, abridged version”

Students and instructors can access this material at the following address: www.theiia.org/IAtextbook

IIA-4e-FM-v8.indd 13 3/7/17 7:42 AM