INTERNAL AUDIT STATUS UPDATE REPORT
FY 20XX INTERNAL AUDIT PLAN – SUMMARY
The Company XYZ internal audit plan was approved by the audit & compliance committee in MM YYYY and is subject to review
at periodic committee meetings. Periodically, internal audit (IA) and/or administration will recommend adjustments to this plan for
the committee’s consideration.

Project Name Audit Reporting Status % Completed

Epic Meaningful Use Risk Analysis MM YYYY 100%

Medication Management and Drug Diversion MM YYYY 0%

Physician Documentation and Coding MM YYYY 0%

Home Health and Hospice Audit MM YYYY 0%

Quality Core Measures/Value Based Purchasing Data Integrity Review MM YYYY 0%

ABC Payroll/Human Resources Post-Implementation Review MM YYYY 0%

Update 20XY Audit Plan MM YYYY 0%

Previous Audit Follow Up MM YYYY 25%

Internal Audit Planning, Administration and Meetings Ongoing 25%

Legend: Not Started, On Target, Delayed, Behind Schedule, Complete

¹Administration may allocate additional hours for special projects that arise throughout the year.

COMPLETED AUDITS (1/4)
ABC Post-Implementation Review: Specific to audited controls and fixed assets

Background/Objectives

On April 1st, 20XX, Company XYZ went live with the implementation of Infor ABC business management applications. The
implementation has provided substantially increased functionality for end users and system administrators. However, the
implementation of enterprise resource planning (ERP) systems has been problematic for many organizations similar to
Company XYZ and poses additional risks.
Internal audit evaluated the ABC implementation’s impact on previously audited ERP controls and identified the control activities
and control gaps within the fixed asset process. The primary objectives of the review were to identify ERP control changes
resulting from the ABC implementation; to perform a crosswalk of previously existing controls to current controls; and to review
controls to ensure that fixed assets are appropriately identified, recorded and included in depreciation calculations.

Risk Factors

The successful completion and implementation of the ABC ERP system is critical to establishing and maintaining adequate
internal controls over financial reporting. ABC allows more transparency into transactions affecting financial reports. Materials
management also faces risks, including contracting issues, cost, and evaluation of supplier support, all of which are addressed by
the ABC implementation.

COMPLETED AUDITS (2/4)
ABC Post-Implementation Review (Continued)

Audit Scope

The scope of the review included the previously audited areas of accounts payable, materials management and cash
management (specific to back-end functions). The scope also included fixed assets.

Results

Internal audit noted many positive processes and controls within each of the areas we reviewed, including detailed policies and
procedures and automated controls. Overall, there were minimal changes to the internal control structure for each of the areas
reviewed as a result of the ABC implementation. Our audit did, however, identify a few opportunities for Company XYZ to improve
the fixed asset control environment and inventory management efficiency:
• The setup of useful lives for fixed assets, as well as the roll-forwards for construction in process (CIP) and fixed assets, is not
formally reviewed by management. Management will implement a formal review for accuracy of inputs by the end of 20YY.
• Policies and procedures have not been updated to reflect changes from the ABC implementation. Areas affected include
procurement, materials management, fixed assets and accounts payable. Management will make appropriate updates by Q1
20YY.
• Inventory management has an increased manual component with the discontinuation of supply scan. Currently, inventory
technicians have to complete a manual count of each inventory item daily and enter the count into a mobile device. This
facilitates automatic ordering based on par levels; however, it requires significant effort from inventory techs to count all supplies
daily. Management is evaluating available ABC applications to address the opportunity.

COMPLETED AUDITS (3/4)
NIST Cybersecurity Framework Audit

Background/Objectives

Company XYZ included a review of its information security program as part of its 20YY audit plan. For this review, Company XYZ
determined that it would like to compare its existing program to an industry leading framework and chose the National Institute of
Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is composed of the following key areas:
• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or
services that were impaired due to a cybersecurity event.

Risk Factors

Information security is a key risk to any enterprise. Cybersecurity threats exploit the increased complexity and connectivity of
critical systems, placing an organization’s security, reputation and sensitive information at risk. Cybersecurity risk affects a
company’s bottom line, as a security breach can drive up costs and impact revenue and business operations. It can harm an
organization’s ability to gain and maintain customers.

COMPLETED AUDITS (4/4)
NIST Cybersecurity Framework Audit (Continued)

Audit Scope

Internal audit performed a review of the information security program, via inquiry and document inspection, against these core
areas of the NIST CSF. The scope of the review was not limited to a particular department or area; however, fieldwork was
conducted primarily with the IT and information security departments.

Results

Our audit identified three high-level observations for Company XYZ to improve its information security program. These
opportunities for improvement include:
• Network Segmentation – Company XYZ does not have network segmentation for critical data or sensitive equipment. As
such, any device that is connected to the Company XYZ network can connect to any other network-connected device.
Monitoring and controlling network access can be achieved through network access controls to ensure that only approved
devices are connected to the network and that connected devices can only access approved resources.
• Policies and Procedures – The Company XYZ policies and procedures should be reviewed at least annually to ensure
policies address each area of information technology, cybersecurity and the technologies in use by Company XYZ. The lack of
formal processes and accountability may cause key information technology tasks to not be performed, creating gaps in the
overall security and operations at Company XYZ and leading to potential security compromises.
• Incident Response Plan – An incident response plan should be implemented for Company XYZ to establish
thresholds for when a security event is considered an incident. The incident response plan will also define the actions to be taken
for the different types of incidents and define escalation and notification procedures.

STATUS OF MANAGEMENT ACTION PLANS
Internal audit validates the completion of action items which have been agreed to in previous reports. The status of all
outstanding action items as of MM DD, 20YY is listed below:
Audit Status by Report or Assessment | Report Issued | # of Action Items | Open | Due Dates on Track?
IT General Controls Audit | MM YYYYY | 14 | 5 | Y*
HIPAA Security Audit | MM YYYYY | 22 | 9 | Y*
Courion Pre-Implementation | MM YYYYY | 4 | 1 | N¹*
Cash Controls and Reconciliation Process Review | MM YYYYY | 7 | 1 | N²
Materials Management Purchasing Process Review | MM YYYYY | 9 | 6 | N³
Observation/Patient Status Review | MM YYYYY | 6 | 6 | Y
Denials Management Review | MM YYYYY | 5 | 4 | N⁴
Meaningful Use Risk Analysis | MM YYYYY | 11 | 5 | Y*
Epic Pre-Implementation Review | MM YYYYY | 4 | 3 | N⁵*
NIST Cybersecurity Framework Audit | MM YYYYY | 15 | 15 | Y
* During FYQ3, IT and IA reassessed action plans for all IT observations and adjusted them due to new and current initiatives. This
resulted in an extension of due dates and acceptance of risk on a few occurrences. IA is comfortable with the adjustments. In 20XX,
a complete review of open items impacted by the ABC and Epic implementations will be addressed. These are detailed below:
1. Requires involvement of HR to perform cleanup of users within HCM; IT cannot complete/close until this occurs. This will be addressed
when ABC is implemented.
2. Armored truck pickup has been tabled due to point of collections location changes with EPIC implementation. The plan is to reevaluate
locations of cash deposit pick-ups after implementation.
3. Three past-due items were intended to be executed as part of the ABC implementation. Due to issues with the implementation, these items
have been tabled and will be addressed once ABC is operating appropriately.
4. One past-due item of instituting KPIs will be executed as part of the EPIC implementation.
5. IT addressed part of the issue; the remaining action item will be closed in 2-3 weeks.
