
This is the AuditNet Standard Risk Control Audit Matrix, which incorporates formats
used by many audit organizations in their documentation working papers.

There are format templates for risk control, audit procedures, questionnaires and
checklists.

There is a blank workpaper and a report summary that can be used by audit
organizations.

AuditNet has prepared a monograph for guidance on preparing and developing audit
work programs, checklists, questionnaires and matrices.

The monograph is available to AuditNet subscribers. For more information go to
www.auditnet.org

Audit Program Licensing Terms
1. You accept that this product is intended for your use, and you will not duplicate in
any form or manner, electronic or otherwise, copies of this product nor distribute this
product to anyone else.

2. You recognize that the product and its content are the sole property of AuditNet®
(the Publisher), and that we have copyrighted the product.

3. You agree that the Publisher is not responsible for any interruption of service or
malfunction that is a consequence of the Internet, a service provider, personal
computer, browser or other software or hardware components. You accept that there
is no guarantee that this product is totally error free. You further understand and
accept that the Publisher intends to provide reliable information but does not
guarantee the accuracy or completeness of any information, and is not responsible for
any results obtained from the use of such information.

4. This license is effective until terminated, when the license or subscription period
ends without renewal, or when you destroy this product and any related
documentation. The Publisher may terminate your license without notice if you fail to
comply with the conditions set forth in this agreement, and may pursue any other legal
recourse.
This document was created by AuditNet® using advanced Internet search
techniques.

The document is from a site which has not identified restrictions on permitted use
and are sharing this information for the benefit of the audit community.

However, while we have attempted to provide accurate information, no
representation is made or warranty given as to the completeness or accuracy of the
document.

In particular, you should be aware that the document may be incomplete, may
contain errors, or may have become out of date.

While every reasonable precaution has been taken in the preparation of this
document, neither the author nor AuditNet® assumes responsibility for errors or
omissions, or for damages resulting from the use of the information contained
herein. The information contained in this document is believed to be accurate.

However, no guarantee is provided. Use this information at your own risk.


Audit Program Area: 401k Deferred Compensation Plan
AUDIT PROCEDURES | WP Ref | Auditor Initials

Audit Objectives
1. Follow-up on the recommendations made in the prior audit report (XXX).
2. Determine whether the XXX deferred compensation plan (401K) (and as
applicable, 457) complies with all federal, state and local requirements.
3. Ensure XXX’s compliance with its agreement with the XXX.
Preliminary Survey
1. Obtain and review the prior report and related audit workpapers.
2. Obtain a copy of the contract between XXX and XXX for deferred
compensation services. If the latest contract is not available, obtain a copy
of the letter of agreement with XXX that outlines key terms and/or changes
from the prior contract.
3. Obtain and review copies of XXX’s latest audit report, including
internal control letter and/or SAS 70 report. Determine comfort level of
XXX’s internal control environment.
4. Obtain and review latest IRS determination letter.
5. Obtain and review copy of Plan Document, noting any significant
changes from date of IRS qualification letter.
6. Obtain and review latest non-discrimination test.
7. Obtain and review employee packet.
8. Meet with the Manager of Deferred Compensation to discuss the
nature and timing of the audit and to obtain background information and
documentation. Discuss the required non-discrimination tests and whether
a “highly compensated employees” test is required.
9. Obtain and review the past year’s Deferred Compensation
Committee’s minutes. Abstract key information.
10. Prepare a letter to be sent to Plan’s attorney confirming legal issues
relating to Plan status.
Audit Tests
Follow-up on Prior Audit Recommendations

1. Determine whether the employee enrollment package was updated and the
form revised to indicate that the 20% maximum per pay-period deferral rate
can be adjusted upward provided that the employee’s year-to-date salary is
sufficient to meet the overall percentage specified in the law.
2. Determine whether XXX Comptroller, in conjunction with XXX and Legal
Counsel, determined the implications of the payroll data discrepancies
on the results of the ADP tests for 1993 and 1994 and their impact on the
401(k) plan’s compliance with the IRS non-discrimination and contribution
percentage/dollar limits regulations. (e.g. exceptions >20% but < $ limit
were not refunded.)
3. Determine whether the XXX Comptroller, in conjunction with the full
Deferred Compensation Committee, has reviewed each agency’s
administration control procedures and determined the causes of the
non-compliance with the IRS contribution percentage/dollar limits.
4. Determine whether XXX Comptroller is submitting participant
statistics to XXX on a quarterly basis, as specified in the service agreement
with XXX, and reviewing the ADP test results promptly to ensure full
compliance with the non-discrimination and contribution percentage/dollar
limits regulations.
5. Determine whether the XXX Comptroller developed the necessary
administrative controls to ensure that all approved deferral rates in excess
of 20% are automatically adjusted at year-end to a maximum of 20%.

6. Determine whether the Manager of Deferred Compensation is receiving
affiliates’ quarterly payroll reconciliations to ensure that they are
actually performed, and that any errors made by XXX are identified and
resolved timely. Excessive occurrences of certain types of errors should be
reported to the XXX Comptroller for his review.
7. Obtain a copy of the draft Human Resources policies concerning
deferred compensation withholdings.
Current Tests
1. Review the results of the non-discrimination tests for reasonableness.
Follow-up on the reasons for the stated exceptions. Request and review
highly compensated employees test, if applicable.

2. Verify whether non-discrimination test data used by XXX was tested
before use and deemed valid. Consider ACL test to compare data used by
XXX and data maintained by XXX (this may not be necessary).
3. Obtain copies of a sample of each agency’s 401(k) withholding file
(either the hard copy summary sheet, or, if using ACL for this test, the data
file).
4. Obtain from Treasury Department evidence of each agency’s wire
transfer of funds for the sample pay periods in step 3 above.

5. Obtain copies of the confirmations of the wire transfer for the sampled
periods received by the Manager of Deferred Compensation from the
agencies, and agree the details of the confirmations to the amount shown
on the 401(k) withholding file and the amount wired into Treasury.
6. Obtain copies of the Manager of Deferred Compensation’s
instructions to Treasury authorizing the funds to be wired to XXX. Agree
the amount to the amount received from the agency.
7. Ascertain whether monies received by XXX are credited to the
participants’ accounts as of the date the monies are received by XXX.

8. Ensure that XXX is in compliance with the contract requirements
providing for it to: install a system for identification of individuals who may
exceed Code Section 415 limits, and monitor compliance with all applicable
Code percentage and dollar limits, and send timely instructions to XXX to
stop contributions and/or return or recharacterize contributions that exceed
any such limits.
9. Review a sample of change requests to determine if any requests
appear to exceed the allowable percentage contributions (20% for 401(k);
25% for 457).
10. Obtain and review a sample of XXX’s monthly payroll report for all
agencies and ensure that the amounts reported as received by XXX agree
with XXX’s records.
11. Ensure that testing criteria used by XXX agrees with Internal
Revenue Code criteria.
12. Ensure that XXX DC Manager is performing the following:

· Confirming that funds wired to XXX are posted to participant’s
accounts timely.

· Reconciling agencies’ quarterly reconciliations with XXX’s quarterly
reconciliations, and resolving outstanding items.
13. Consider using ACL to identify all employees with contributions to both
the 401(k) plan and the 457 plan. Investigate all matches to determine the
appropriateness of contributions to both plans.

14. Consider using ACL to review the % and $ contributed to the 457 plan
in 1998 to ensure that the maximum % limit and $ limits were adhered to.

15. Consider using ACL to determine whether employees who were
deducting more than 20% from 1998 salary adjusted their contribution rate
at year end. To do this, obtain a data file of 401(k) contributions for the first
pay period of 1999 and identify those with a contribution rate > 20%. Trace those
employees back to 1998 pay records to determine their deferral rate in 1998
and whether it was updated. Alternatively, consider matching those results
to the last pay period in 1998 and identifying participants with deferral rates
>20% in both periods.
16. Identify a sample of participants who joined the plan during 1998 and
determine whether they were permitted to accelerate their contributions and
if so, what administrative controls were in place to control the process to
ensure that maximum contribution levels were not exceeded and that the
contribution rate was adjusted at year end.
17. Determine whether XXX has billed XXX and XXX has paid XXX for
reimbursable administrative costs, as detailed in the contract. If billing is for
less than the maximum allowed, ascertain whether the basis used to
determine billable amount was reasonable.
Time Spent | Date Expected | Date Finished | Remarks | Checked By:
Introduction: The table below presents an example internal control review template with related control points that may be in
place within the respective control cycle. This is not intended to prescribe a “cookie-cutter” approach to internal control
reviews; instead it is intended to represent a number of control points, of which management should identify the most
significant in maintaining its control over business cycle information.

Significant control points identified during process mapping should be tested during an internal control review. Other, less
significant points should be included in the process flow narrative describing the Control cycle. An example narrative is
presented below, in the right-hand column. It is the management’s option to include the narrative below, or to present it as a
separate document (such as internal process overviews or agency-based procedures). For that reason, the example
narrative below is “grayed out.” If this template is utilized but alternative documentation describes the process in the internal
control program work papers, please feel free to remove the column.

The Control objectives below are broken down into the following sub-cycles: General/Control Environment, (list additional
cycles for the area under review).

For the purpose of this generic document, the following terms are used (define the terms for the area under review). For
example, in the area of fixed assets: assets that are capitalized and depreciated over a period longer than one year are
referred to as “fixed assets” or as “capital assets” (the terms are used interchangeably), and the person responsible for
managing fixed assets at the department level is termed the “Property Control Coordinator,” with the understanding that at
one branch it may be Facilities Management, while at another it may be an official from the Business Office. Management
is encouraged to substitute below the terms that are in widespread use among its staff.

Notes:

(1) Each broad area is divided into subcycles. A subcycle is a sequence of related processes for which one set of
objectives and risks can be determined. Audit Assertions are the implicit or explicit claims and representations made by the
management responsible for the preparation of financial statements regarding the appropriateness of the various elements
of financial statements and disclosures (see http://accounting-simplified.com/audit/introduction/audit-assertions).
(2) Management must designate which of the control points it deems to be significant or key, for testing as part of the
internal controls (IC) review. Only the significant control points are required to be tested.
(3) In addition to noting a weakness and means of remediation, the control in place and the test performed should also be
noted in this column. (This will help management enact and/or maintain the proper monitoring to identify control
weaknesses in the future.)
PROCESS AREA | OBJECTIVES/ASSERTIONS (1) | POTENTIAL CONTROL POINT(S) (2) | RISK | SUGGESTED CONTROL TEST | IC REVIEW CONCLUSION (3)/IDENTIFIED WEAKNESSES/ACTION TAKEN | PROCESS NARRATIVE (SAMPLE WORDING)

Cash Receipts
Cash Disbursements
Procurement
Human Resources
Payroll
Accounts Receivable
Investments
Grants
Inventory
Financial Reporting
Fixed Assets
IT
Project Work Schedule

A. General Information

Project Title: Prepared By:


Date Prepared: Version:

B. Project Work Plan (Schedule)

These are the key elements of your project that must be completed on-time and on-budget for your project to be successful and therefore require monitoring by the project manager and stakeholders. The status of these
items should be reported in your Project Status Report.

The element column below demonstrates the pattern to report milestones, tasks, and activities, i.e., a milestone is achieved by a series of tasks and each task is achieved by a series of activities. A deliverable, or group of
deliverables, should be given for each milestone. Overwrite the example given with the milestones, tasks, and activities for this project.

Element Description Deliverable Assigned To Required Hours Due Date Dependencies


milestone 1
task 1
activity 1
activity 2
activity 3
task 2
activity 1
activity 2
activity 3
task 3
activity 1
activity 2
activity 3
milestone 2
task 1
activity 1
activity 2
activity 3
task 2
activity 1
activity 2
activity 3
Internal Audit Schedule (Year ______)
Audit Title Auditor Jan Feb Mar Apr May June July Aug Sep Oct Nov Dec

Checking & Corrective Action

Key: SCH Scheduled
AUD Audited
CLS Closed
TEMPLATE INSTRUCTIONS

CORRECTIVE ACTION PLAN (CAP)


ASSERTION/EVALUATION PHASE    VALIDATION PHASE

CAP ID #: Enter the CAP ID #, as identified in the Reporting Entity's or Service Provider's CAP.

FIP-RELATED ASSESSABLE UNIT: Enter the name of the assessable unit affected by the deficiency.

YEAR REPORTED: Enter the year when the deficiency was first reported to the OUSD(C) FIAR Directorate.

DATE ISSUED: Enter the date (month/year is sufficient) when the deficiency was originally identified.

ORIGINAL TARGET DATE: Enter the target date for correcting the deficiency reported on the prior year's ICOFR Statement of Assurance.

CURRENT TARGET DATE: Enter the target date for correcting the deficiency reported on the current year's ICOFR Statement of Assurance.

STATUS: "On Track" or "Slipped": Identify whether corrective actions are "On Track" or have "Slipped."

PRIORITY LEVEL: Identify the priority level for correcting the deficiency. Deficiencies that must be corrected to allow for assertion are Priority 1. Significant deficiencies are Priority 2. Control deficiencies are Priority 3.

DEALBREAKER Y/N: Identify whether the deficiency relates to one of the FIAR Guidance dealbreakers.

RELATED SYSTEM (IF APPLICABLE): Enter the name of the IT system(s) impacted by the deficiency, if applicable.

RISK LEVEL: Identify whether the deficiency is a control deficiency ("CD"), significant deficiency ("SD"), or material weakness ("MW").

DESCRIPTION OF WEAKNESS (Multiple Component Material Weaknesses may be linked under a single DoD Weakness): Describe the issue(s) recognized in the design or operation of the control or control(s) that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements related to financial information on a timely basis.

CORRECTIVE ACTION SUMMARY: Present a high-level summary of action procedures to resolve the reported deficiency. For example:
(1) New system implementation;
(2) Process or control changes that will be implemented;
(3) Testing existing compensating controls and improving them, or identifying compensating controls that need to be put in place until new system is deployed; and
(4) Analyze test results to determine if the weakness has been corrected.

CAP CLOSURE LEAD POC: Enter the name of the Reporting Entity's or Service Provider's management office responsible for coordinating closure of the CAP.

% COMPLETE: Identify the percentage of corrective actions completed.

DATE OF CAP CLOSURE: Enter the date (month/year is sufficient) when corrective actions were implemented to remediate the deficiency.

CAP CLOSURE ACTIVITIES PERFORMED: Describe the activities taken to remediate the deficiency.

CLOSURE VERIFICATION ACTIVITIES PERFORMED: Describe the activities performed to validate/verify that the deficiency had been remediated.

CLOSURE VERIFICATION PERFORMED BY: Enter the name of the organization that performed the verification activities.

Template Instructions – Documentation Demonstrating Remediation of Deficiencies – Activities 4.1 (Reporting Entity)/4.1 (Service Provider) 2
Audit tick marks are abbreviated notations used on audit work papers to denote auditing actions taken. These tick marks are u
manager's perspective, to see which activities have been completed. They are also useful as evidence, to show which audit ste
to support the audit opinion given to the financial statements of a client. In addition, the use of tick marks compresses the spa
describe audit actions taken, which improves the usability of the audit documentation. Examples of auditing activities for whic
used include:

The numbers in the column were manually added and matched to the total shown (footed)
The totals in the report were manually added and matched to the grand total shown (cross footed)
The computation on the report was independently verified
The amount was traced to the ledger balance
Supporting documents were examined
A cancelled check was examined
An asset was physically confirmed

Audit tick marks are not standardized across the industry. Instead, a common set of tick marks is used within each audit firm, w
across the industry. Tick marks may just as easily be used within an internal audit department as by outside auditors, and may
department.

When used, a tick mark should be sufficiently distinct that it cannot be confused with another type of tick mark. Also, an audit
internally publish a listing of "official" tick marks used and what each one means, so that they are used by the staff in a consist
audits.

Customized tick marks were more heavily used when auditing was done primarily on paper documents. When used in that ma
more likely to be recorded with a colored pencil, such as in red. Since the advent of auditing software, tick marks can be desig
standardized within the software.

Following are examples of tick marks used by others:

T - Traced face amount, interest rate, issue and maturity dates to note receivable documents
C - Agreed to confirmation
Ç - Calculation checked and agreed
F - Footed
TB - Agreed to trial balance
PBC - Prepared/provided by client
G/L - Agreed to the general ledger
AFR - Agreed to the Annual Financial Report
PBIA - Prepared by component internal audit
^ - Footed
Rx - Recalculated by System auditor
< - Crossfooted
T - traced to ___ (fill in the blank)
V - violation of law
A - agrees with ___ (fill in the blank - example: agrees with audit calculation)
check mark - in compliance OR no error
X - error (you should specify error type)
Black - facts
Red - violation
Green - questions to ask
Blue - responses

attribute tested successfully
F - Foots
CF - cross-foots
R - recalculated without exception
N/A - (attribute) not applicable
S - identified control strength
W - identified control weakness
GL - agreed to general ledger
T - traced successfully to
PBC - Prepared by client
WI - waived due to immateriality
Rx - reasonable explanation
E# - Exception (with the subscript “#” replaced with number 1, 2, 3, etc.)

JE - error corrected with journal entry #. Therefore, no exception noted.
O - verified by auditor observation
Audit Program Area:

A fundamental element of internal control is the segregation of certain key duties. The basic idea
underlying segregation of duties is that no employee or group should be in a position both to
perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the
principal incompatible duties to be segregated include:

- Custody of assets
- Authorization or approval of related transactions affecting those assets
- Recording or reporting of related transactions
- Execution of the transaction or transaction activity

An essential feature of segregation of duties/responsibilities within an organization is that no one
employee or group of employees has exclusive control over any transaction or group of
transactions.

Based on the above criteria, this worksheet has been designed to highlight conflicting duties
performed by one individual or group of individuals (potential lack of proper segregation of duties).
Audit teams are encouraged to use this form to help identify potentially commingled duties within
accounting processes that may constitute a control weakness.

Instructions

1) The Tester should inquire to determine which individuals are responsible for certain duties within
the company/location.

2) The matrix should be used to determine if there is potential for a segregation of duties conflict.
Use the following key to identify the potential financial risk and segregation of duties conflicts:

X - Segregation of duties conflict
H - High financial risk
M - Medium financial risk
L - Low financial risk

3) The potential issues should be investigated to ensure a mitigating control prevents the individuals
from performing both tasks.

4) If a control is not present, a conflict of duties may be present.


The concept of Segregation of Duties is to separate the major
responsibilities of authorizing transactions, custody of assets, recording of
transactions and reconciliation/verification of transactions for each business
process. From a separation of duties perspective, the completion of more
than one of these functions would be considered performing "incompatible
duties". In other words, no one employee should have responsibility to
complete two or more of these major responsibilities. However, staff
limitations may make this impractical, and that is when compensating
controls must be considered.

Instructions
We should always strive for the optimum degree of segregation of duties.
However, due to limited staff sizes at some organizations, optimum
separation of duties cannot be achieved. In those circumstances you
should at least strive for an acceptable (minimal) level of segregation of
duties which when combined with compensating controls will minimize the
impact of control deficiencies and exposure to errors or irregularities. A
minimal level of segregation of duties could possibly be achieved by
verifying that no one employee performs more than two of the "incompatible
duties". For example, an employee might perform the authorization and
verification/reconciliation functions but they should not record the
transaction or maintain custody of assets. A compensating control would be
managerial review.
The risk assessment process identifies audit areas that present the highest risks to the achievement of the organization's strate
and objectives, and continues to be based on Internal Audit’s judgment and knowledge of the entity.

Strategic/Financial Impact (25% weighting factor)

5 Significant alignment to strategies and objectives and/or material financial impact with identified moderate to high potential ris
4 Significant alignment to strategies and objectives and/or financial targets with low to moderate identified potential risk.
3 Average alignment to achieving strategies and objectives and/or financial targets with potential challenges.
2 Relatively minor strategic and/or financial impact.
1 No discernible strategic or financial impact.

Control Environment (25% weighting factor)


5 No control/significant changes in operations, management or software applications.
4 Limited control/moderate changes in operations, management or software applications.
3 Moderate control/minor changes in operations, management or software applications.
2 Good controls/minor changes in operations, management or software applications.
1 Best practice/no changes in operations, management or software applications. High level of clear and simple control
documentation.
Factors to consider include historical operating performance, documented control procedures, control activities, department or
process structure/function (self-contained vs. cross functional), key personnel, new system implementations, internal vs. outsou
resources used in operations.
Prior Audits and Management Action Plans (MAPs)/Other Mitigating Controls (20% weighting factor)
5 Never audited/ not audited in the last 3 years; significant audit adjustment posted and management letter comment by extern
auditor; aged past due High Risk MAPs; or department/process in existence less than or equal to one year.
4 Audited in the last 2-3 years; management letter comment by external auditors; past due Moderate MAPs; department/proces
existence between 1-2 years.
3 Audited in the last 1-2 years and moderate issues identified but all MAPs have been validated by IA as complete.
2 Audited in last 1-2 years and low to moderate issues identified but all MAPs have been validated by IA as complete.
1 Audited in last 1-2 years and no issues identified.

Consideration should be given to audits that will be completed in the remainder of the current fiscal year in evaluating this facto

Business Environment and Complexity (15% weighting factor)


5 High Risk and/or highly complex- likely to be a significant threat to the organization's.
4 Above Average Risk -likely to be a threat to the organization's.
3 Average Risk and/or moderate complexity - may occasionally be a threat to the organization.
2 Below Average Risk and/or fewer complexities - not very likely to be a significant threat to the organization.
1 Low Risk and/or not complex - very low threat, virtually no chance of significantly threatening the organization.

Business environment risks are typically external risks and include:


• Industry risk such as change in reimbursement or accounting policies or practices.
• Economy risk such as local economic conditions (loss of a major employer).
• Competitor risk such as competition or strategic position in marketplace.
• New legislation and/or focus by regulatory agencies on new or existing regulations.
External risks may not be very manageable, but often represent the greatest threat to the organization's and cannot be ignored
Evaluate how the identified external risks threaten the specific strategies and objectives, and whether management can manag
influence or monitor these risks.
Consideration should be given to the complexity of the function, process, procedures and systems that may impact internal con

Auditor and/or Management Concerns (15% weighting factor)


5 IA or management does not believe the risk is managed to the desired outcome, and can provide specific examples of why th
believe the department or process should be audited.
4 IA or management believes the risk is only occasionally managed to the desired outcome.
3 IA or management believes the risk is managed to the desired outcome a majority of the time.
2 IA or management believes the risk is typically managed to the desired outcome.
1 IA or management believes that the department or process has strong internal controls and risk is consistently managed to th
desired outcome.
AREA:

Process | Control Objective | Risk | Control Considerations | Assertion (E,A,C,V,P) | Documentation / Description of control | W/P Ref. | Do controls meet objective? Yes/No | Test W/P Ref | Testing exceptions noted? Yes/No | Resolution / remediation / comments | W/P Ref
Audit Program

Audit Procedure | Control Objective | Risk if Objective Not Met | Control Technique | Performed By | Date Expected | Date Completed | Budget Hours | Actual Hours | Document Reference | Source | Reviewed By | Remarks/Comments
Audit Program Area

Global Ref No, | Audit Procedure | Control Objective | Risks | Control Activity Number | Control Description | Key Control? | Frequency | Owner | Exceptions | Type | Document Reference | Mapping to Standards
Client Name
Internal Control Framework

Date Completed:
Completed By:
Reviewed By:

Question | Yes | No* | Comments/Description | Employee Responsible for Task

To the best of my knowledge, the answers and comments noted above are accurate and reflect the current
internal controls within this department:

Name and Title of Person Completing Form (please print)    Name and Title of Department Director (please print)

Signature of Person Completing Form    Signature of Department Director

4/21/2024
Date Form Completed    Date of Department Director's Signature

* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
or is to be performed.
Control Questionnaire Template
AREA:

Process | Control Objective | Risk | Control Considerations | Assertion (E,A,C,V,P) | Documentation / Description of control | W/P Ref. | Do controls meet objective? Yes/No | Test W/P Ref | Testing exceptions noted? Yes/No | Resolution / remediation / comments | W/P Ref
Description of Item | Performed By (Initials) | Date Completed | Reviewed by (Initials) | Budget Hours | Actual Hours | Document Reference | Source | Reviewed By | Remarks/Comments
Finding Ref # Control Testing Finding
Management Response & Treatment
