
Consulting Projects

- Meet with or reach out to key project members at least once a week to keep current on project developments.
- Review status of project at each staff meeting.
- Maintain notes of meetings and all recommendations/value add activities using this template.
- Keep copies of key emails, chats, supporting documents in designated repository (preferably Internal Audit OneDrive).
- Retain final project files within the Audit Tool projects upon completion.


Project Name

Project #

Project Start Date

(Expected) Project End Date

Auditor and Manager

Project Leader(s) and Key Contacts

Detailed Project Description

Relevant Guidance or Research Utilized


(i.e. Accounting Standard Codification, Corporate Accounting Instructions, External Accounting Guides)

What applications are impacted by the project (if any)?

Are any applications being added or replaced during this project?

Are any other systems expected to be impacted? (i.e. databases, operating systems, interfaces into other applications)

Is the project expected to change or add to existing ICFR controls? (if YES, complete the Impact to ICFR tab)

Scope of Auditor's Involvement

Nature of Auditor's Involvement


(i.e. Providing guidance on an ad-hoc basis, attending regular project committee meetings, providing on-going monitoring and support for testing, etc.)

Future Audit Considerations (Additional Testing to be Performed at Conclusion of Project)

Other Considerations

Time Anticipated From Auditor

(Actual) Project End Date


Activity Tracking - Track meetings, correspondence, testing, recommendations and value add activities.

- Date
- Meeting Attendees / Documents Provided By / Communication With
- Meeting Title / E-Mail Subject / Document Name
- Description of Internal Audit Activity: Information Discussed / Testing Performed / Recommendations and Value Add Activities
- Management Actions / Commitments
- Key Attachments (meeting invitations, e-mail, other supporting documents)
- Link to document or zip file (to be added when moved to the Audit Tool)

CLIENT NAME: Company International
YEAR-END:

The request list below contains items required for assessment of controls over the current new system implementation or migration. Specific project documents and approaches vary, so listed items may not be available or may be embedded in a variety of documents. Please provide examples of any relevant items available that demonstrate the control objective was achieved.

System Migration Controls

| Ref | Control Objective | Requested Documentation | Client comments (if any) | Attachments |
|---|---|---|---|---|
| SI3 | Design and configuration requirements were properly defined and approved, particularly with respect to logical access security (SOD) and automated application controls. | Requirements definition, design/configuration decisions, SOD matrix or equivalent document. | | |
| SI4 | An appropriate type and amount of testing was performed and any bugs/issues logged through resolution and completion of user acceptance. | Testing strategy/approach, example/completed test plan, issues log and user acceptance documentation. | | |
| SI5 | The application was properly/timely authorized to “go-live” at an approved date. | Project document/email thread demonstrating approvals of "go-live" date. | | |
| SI6 | The application was (or planned to be) monitored post-implementation for identifying issues once in production. | Post-implementation monitoring log, approach, signoffs. | | |
| DM1 | Data migration or conversion was adequately planned, executed and validated for accuracy and completeness. | Data migration plan, data mapping approach, data conversion and validation steps and results. | | |

New System Access Controls (Post-implementation)

| Ref | Control Objective | Requested Documentation | Client comments (if any) | Attachments |
|---|---|---|---|---|
| LAC 2.1 | Logical access requires a unique userID and a password that is not plainly visible. | Screenshot of application log-in screen showing username and a password that is not displayed in clear text. | | |
| LAC 2.2 | Logical access is restricted to authorized users of the application. | System-generated listing of all application users, including their roles within the application, if feasible. | | |
| LAC 3.1 | User authentication requires a password that must comply with generally accepted standards for effectiveness, and/or additional measures to prevent unauthorized access. | Screenshot(s) of password configuration (i.e. minimum length, expiration, complexity, lockout, etc.) Note: If tokens, bio-metric devices or other two-factor methods are used to authenticate to the system, evidence of the authentication process. | | |
| LAC 4.1 | Users with elevated super user and/or administrative user privileges in the application are limited to only those personnel with corresponding job responsibilities for system administration. | System-generated listing of parties with “super user” and administrator access (if not already provided in the listing provided for LAC 2.2). | | |
| DDB1 | Direct access to the application's database is restricted to only those personnel with corresponding responsibilities for data administration. | For SQL, please see SQL tab for queries requested. | | |

Note: The new system will also be in-scope for process-based controls (user administration and program change controls testing as applicable) from the date of implementation through year-end.

Time Tracking - this template below is optional to capture/track activities in detail - you may be required to track in other systems at management's discretion.

- Date
- Time Spent
- Activities Performed


Documentation of Changes to Internal Controls for Financial Reporting

- Cycle
- Control Number
- Control Wording
- Impact (Addition, Change, Deletion)

Documentation of Attributes of Additional Controls or Changes to Existing Controls

- Rationale Behind Change in Control
- Key vs. Non-Key
- Risk Control is Addressing
- Assertions Covered by Control
- Risk Rating of Control
- Control Owner

Additional Impacts of Changes in Internal Controls to Consider

- Segregation of Duties Ensured?
- Impact of Change on Process Cycle? (i.e. ensure process is still designed appropriately to mitigate risk of material misstatement)

Ensure Change in Internal Controls was Appropriately Communicated, Approved, and Implemented

- Change Communicated to Internal Audit Manager/Director
- Change Communicated to Control Owner
- Change Implemented into Key Controls Matrix
- Change Implemented into Relevant Planned Audit Procedures
