2 Source: www.knowledgeleader.com
AUDIT PLANNING MEMO: SAMPLE 1
The purpose of this audit plan is, first, to contribute to the effectiveness of the audit and, second, to contribute to
the audit efficiency. This memorandum should be completed and approved as part of initial audit planning. When
completing this document, there may be occasions when matters already documented in other work papers are
relevant. There is no need to rewrite such material if a specific reference can be made.
This memorandum is structured so that planning documentation common to all projects is presented. All items
should be read and considered on every project. When a section is not applicable, indicate "N/A" with a brief
explanation of why it is not applicable.
The project profile should be used as the starting point for project planning.
Company Management
List the names and titles of the company's management with whom the audit year will have substantial contact in
the course of the audit and the project sponsor.
Name Title
(Insert Text)
• Functions and related management control objectives to be tested are agreed upon.
• The auditee's participation is discussed.
• The audit approach is explained.
• Possible efficiencies and cost savings are identified.
• The project sponsor’s role is defined.
• Protocols for obtaining management comments are in place.
• Timing of the review (including submission of the draft report and the anticipated date of the closing meeting) is
determined.
Management in Attendance
(Insert Text)
(Insert Text)
Manager
Any work requiring systems specialty knowledge or other specialist assistance should be coordinated with the
appropriate auditors in the planning phase of the engagement to ensure that such work is done timely and
efficiently, avoiding effort duplication.
IT Auditor Assistance
List below the planned IT auditor applications that should be used on the engagement. All application requests
should be cleared through the appropriate manager.
(Insert Text)
RISK ASSESSMENT
RISK INDICATORS
The project profile and the opening meeting held with management should provide a basis for the risk assessment
process. When evaluating the risk level of the project, the following items should also be considered:
Regulatory Requirements
Statutory and regulatory requirements impacting the project should be considered and assessed in terms of their
relevance to the project. Consideration should also be given to the potential consequences of noncompliance with
statutory and/or regulatory requirements and our role in detecting such noncompliance. Our work should be
planned to address this risk.
Documentation
(Insert Text)
Prior Audits
Previous Audit History
(Insert Text)
Review previous reports, management responses, exceptions noted last audit period, pre-audit file comments,
etc. List items that require follow-up or special attention during the current audit (e.g., recommendations not
implemented).
(Insert Text)
Extent of Change
Document any significant current events, issues and considerations and how such conditions will impact the
overall audit approach (restructuring, new products, changes in operations, management, changes in compliance
requirements and other regulations, environment, etc.). Consider management's position on operational change
as well as other prior events and issues that have a carry-over impact on the current audit project.
(Insert Text)
Documentation
(Insert Text)
Other Factors
Consider the impact of other factors, including:
• What is the materiality of the area under review?
• Will the audit results be certified to any external body?
• Will there be external audit reliance?
• Is there a high risk of fraud?
• Has management expressed any concerns about the area under review?
Documentation
(Insert Text)
Documentation
(Insert Text)
Documentation
APPROACH
Once determined, the detailed work to be performed should be documented in the standard work program format.
When determining the approach to the project, the following issues should be considered:
Documentation
(Insert Text)
AUDITEE ASSISTANCE
Describe below the nature of any significant assistance that may be provided by the auditee's staff and the effect
on the audit work to be performed. Attach the request list if applicable.
The degree of testing of such controls and techniques is based on the auditor’s judgment depending on the risk.
Summarize the internal control evaluation approach to be used for this audit area below:
(Insert Text)
OPERATIONAL AND FUNCTIONAL STRUCTURE
Generally, process maps or flow charts should be used for each audit area. Indicate which method should be
utilized:
• Process Maps
• Flow Charts
• Other (Describe)
(Insert Text)
SAMPLING
The primary sampling applications employed in the audit will be:
Application Technique*
Justification for the sampling approach should be documented in the appropriate sampling memo filed at (Insert
Location).
Signoff (Approach)
AUDIT PLANNING MEMO: SAMPLE 2
To:
From:
Date:
Subject:
AUDIT OBJECTIVES
The objective of this review is to evaluate the adequacy of the design of the new controls implemented or planned
to be implemented in (Insert Department Name) and evaluate the effectiveness of any existing controls that,
based on sample testing, have consistently been in operation during the audit sample period. These procedures
will be performed for all processes determined as in-scope (see below). This review should be performed for
operations of (Company). Compliance with federal and state (Company) regulations should not be included in the
review (covered by a separate party), nor will compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX)
(tested under separate arrangement).
Internal audit last performed an operational review of (Insert Location) (Insert Department) on (Insert Date).
Internal audit conducted a fraud investigation in the area of (Insert Department) on (Insert Date) and performed
follow-up testing for the action plans that resulted from that investigation on (Insert Date). Procedures were
performed for (Insert Department) about the testing of internal controls over financial reporting (i.e., Section 404)
for the controls deemed in-scope, as determined by the Section 404 scoping exercise.
Since (Insert Date), (Company) has been aggressively implementing the strategic growth plan (the plan). The
goals of the plan are to regain and exceed the company's historical growth rate, diversify its business and acquire
new, middle-market clients.
As of (Insert Date), the company hired a total of XX new managing directors as part of the plan, the majority of
whom are based in (Insert Location). As of that same date, there were XX full-time equivalent (FTE) employees,
an XX% increase since (Insert Date) and XX% increase since (Insert Date). Total (Insert Product) has increased
XX% from $XX at (Insert Date) to $XX at (Insert Date).
The (Insert Location) (Insert Department) staff has increased over XX% since the implementation of the
company’s strategic growth plan (from XX employees to XX employees as of [Insert Date]). Before the
implementation of the plan, (Insert Department) was organized under one (Insert Position Title), (Name). Now
(Insert Department) is divided into three groups, each led by a manager:
• (Insert Group Name)
− (Insert Group Description)
(Insert Name) will be on-site in (Insert Location) for XX days in (Insert Date) to conduct training for the (Insert
Department). The director of (Insert Department) expects the managers to have their controls documented in
management’s control repository (i.e., “portal”) by the end of the (Insert Date) quarter.
(Insert Department) has added XX employees as part of the plan, bringing total (Insert Product) operations
employees to XX. (Insert Product) volume has increased by approximately XX% as of (Insert Date). (Insert
Department) has begun “straight-through” processing for (Company) clients.
SCOPE OF WORK
In (Insert Date), internal audit conducted an (Insert Department) review across all (Company) locations that
included the following areas:
• (Insert Areas)
As such, those areas will not be covered as part of the (Insert Location) operations review.
Areas covered by the scope of this engagement are based on the (Insert Date) risk assessment and the
(Company) risk model developed as part of the (Company) enterprise risk management (ERM) program. Internal
audit’s risk assessment methodology is risk-based. As such, the scope of internal audit’s work may rotate to
achieve coverage of the significant risk areas within the company. Factors that may affect the areas covered may
include prior-year findings by internal audit, regulator findings and expectations, industry developments and
trends, quality of internal controls (as determined by SOX testing), and strategic business changes contemplated
or being executed by (Company).
ERM CONSIDERATION
In (Insert Date), (Company) initiated an ERM implementation to identify, source and prioritize the key business
risks facing the organization. Where applicable, information collected via the execution of applicable ERM
processes will be leveraged and integrated for this review.
Below are the risks from the customized (Company) risk model, developed as part of ERM, that will be addressed
as part of this review. The expected scope, as part of this review, is detailed below:
FRAUD
Certain fraud prevention controls within (Insert Department), specifically those implemented in response to the
(Insert Date) fraud, will be evaluated and tested.
COMPLIANCE (NON-REGULATORY)
Compliance with relevant operational policies and procedures should be tested as part of this review. As noted
above, compliance with federal and state (Company) regulations and Section 404 of the Sarbanes-Oxley Act of
2002 will not be included in this review.
BUSINESS MODEL AND CULTURE
(Company)’s recent changes in strategy had a significant impact on the business model and culture throughout the
entire organization. Through observation and inquiry, internal audit will evaluate the impact of these changes on
the culture and operations in the (Location) (Insert Department).
CLIENT SATISFACTION
As a result of the strategic growth plan, (Company) has developed new client relationships as part of an enhanced
focus on the (Insert Product) portfolios. These clients may expect/require a different degree of service or
efficiency than the historical client base. Additionally, new management and new procedures may increase the
likelihood of errors within (Insert Department), which could directly affect client satisfaction. Internal audit will
conduct a design review around new controls and will conduct sample testing of select existing controls where the
design and implementation of said controls have been completed and elicit a sufficient population.
NATURE OF WORK
Stages Dates
At the client status meeting, we anticipate reviewing and validating all detailed findings with client personnel so
management can begin to formulate their responses to our report recommendations.
SAMPLE SIZES
Sample sizes, unless otherwise noted, will comply with internal audit and SOX sample sizes for control frequency.
Total Hours XX
The focus of the review concerning IT controls will be limited, focusing on understanding key processes rather
than independent validation, such as key reports used by management. Reviews of the system controls are
included in the scope of internal audit’s SOX testing.
SPECIALISTS INVOLVED
Members of the audit team have banking experience. Other specialists should be consulted as needed.
EXPECTED DELIVERABLES
The expected deliverable for this project should be a review report. Sarbanes-Oxley testing results will be
documented separately in the (Company) portal as part of the (Insert Date) (Company) Sarbanes-Oxley testing.
The final report should be sent to the auditee and included in the audit committee mailing (which includes several
members of senior management of [Company]). As part of the audit committee, we will discuss the final report,
specifically focusing on overall themes and findings rated a one (1) and two (2).
AUDITEE CONCERNS
The auditee did not identify any specific concerns related to this audit. All auditee personnel should be available
on-site or via phone during the duration of testing. Special instructions were not identified.
(Company)’s internal audit director, (Insert Name), will participate in initial scoping discussions and should provide
oversight for audit execution. Internal audit should draft and finalize the audit report. The internal audit director
should participate in client opening and closing meetings. After fieldwork, the internal audit director and audited
department should be provided a copy of the final report.
REVIEWED AND APPROVED
By:
By:
By:
AUDIT PLANNING MEMO: SAMPLE 3
Date:
To:
Company:
Prepared By:
GENERAL INFORMATION
The internal audit team, with roles and responsibilities, includes the following people:
• (Insert Internal Audit Names and Team Roles)
It is anticipated that the fieldwork, working papers and deliverable drafts will be completed by (Insert Person/Team
Completing This Work).
It is predicted that a site visit to (Insert Location) will be conducted during this review.
BUSINESS HOURS
(Insert Hours of Operation)
KEY CONTACTS
INTERNAL AUDIT SCOPE AND APPROACH
The scope of this review includes an assessment of (Insert Text Here). Specifically, this review will include:
• (Insert Text Here)
DELIVERABLES
Project deliverables will consist of the following:
• (Insert List of Deliverables)
It is planned that the above deliverables will be delivered to you by (Insert Date) for your review and subsequent
discussion.