
EY Internal Audit Requirements:

Must have worked on at least one end-to-end ICFR/SOX implementation project and must be hands-on with all
SOX/ICFR documentation.

Experience with the development of Corporate Governance policies and procedures, including the governance framework,
code of conduct, employee code of ethics, delegation of authority matrix, RACI matrix, SOD (segregation of duties) matrix,
policies and procedures, risk management framework, compliance framework, etc.

COSO Summary

Components and Principles

Control Environment
1 Demonstrates commitment to integrity and ethical values
2 Exercises oversight responsibility
3 Establishes structure and authority
4 Demonstrates commitment to competence
5 Enforces accountability

Risk Assessment
6 Specifies suitable objectives
7 Identifies and analyzes risk
8 Assesses fraud risk
9 Identifies and analyzes significant change

Control Activities
10 Selects and develops control activities
11 Selects and develops general controls over technology
12 Deploys through policies and procedures

Information and Communication
13 Uses relevant information
14 Communicates internally
15 Communicates externally

Monitoring Activities
16 Conducts ongoing and/or separate evaluations
17 Evaluates and communicates deficiencies
Component 1 – Control Activities

The management demonstrates commitment to integrity and ethical values as well as competence, exercises oversight
responsibility, establishes structure, authority, and responsibility, and enforces

Focus area: The effectiveness of the foundation of the organization, its people – individual attributes, including
integrity, ethical values and competence, and the environment in which the organization operates.
Related documents: Code of Conduct / Ethics; HR Policy and Procedures

Focus area: The establishment of the structure of the company, taking into consideration the appropriateness of
authority, responsibility, and communication of information.
Related documents: Organization Structure; Job Description
Component 2 – Risk Assessment

The management demonstrates commitment to integrity and ethical values as well as competence, exercises oversight
responsibility, establishes structure, authority, and responsibility, and enforces

Focus area: The effectiveness of current risk management activities.
Related documents: Risk Assessment Process; Risk Management Framework

Focus area: The identification of fraud risks in current risk assessment activities.
Related documents: Risk Tolerance; Specific assessment of fraud risk
Component 3 – Control Activities

The organization establishes and executes controls, including controls over technology, to ensure that actions identified
by management address risks to the achievement of the company’s objectives. Control activities can be deployed through
policies and procedures.

Focus area: The effectiveness of current risk management activities.
Related documents: Policies and Procedures; Segregation of Duties

Focus area: The identification of fraud risks in current risk assessment activities.
Related documents: IT Structure; IT General Controls
Component 4 – Information and Communication

The organization uses relevant information that has been communicated both internally and externally to support the
functioning of internal audit.

Focus area: Communication of information in a timely manner.
Related documents: Policies and Procedures; Internal and External Information

Focus area: The obtaining, generating and using of relevant and quality information for the functioning of internal
controls.
Related documents: Relevance and Quality of Information; Communication Channel
Component 5 – Monitoring Activities

The entire process and its controls must be monitored and modifications made as necessary through ongoing and/or
separate evaluations, as well as the evaluation and communication of deficiencies.

Focus area: The effectiveness of the monitoring of all activities.
Related documents: Report and Monitoring; Control Self-Assessment

Focus area: The selection, development and performance of ongoing and/or separate evaluations to ascertain whether the
components of internal control are present and functioning.
Related documents: Internal Audit; Ongoing Evaluation
