
AUDIT COMMITTEE REPORT –

INTERNAL AUDIT PLAN


TABLE OF CONTENTS (1/2)

04 Audit Committee Report – Internal Audit Plan: Sample 1
05 Corporate Audit: Business Risk Assessment
06 Business Risk Assessment
07 Business Risk Assessment: Interviews and Surveys
08 Business Risk Assessment: Risk Data Gathering
09 Business Risk Assessment: Process and Location Universe
10 Business Risk Map
11 Audit Plan Highlights
12 XXXX Audit Plan
14 Key Business Risks and Audit Plan Linkage
15 Audit Committee Report – Internal Audit Plan: Sample 2
16 Overview
17 Internal Audit Plan: Summary
18 Internal Audit Focus Areas: Detail
20 Audit Committee Report – Internal Audit Plan: Sample 3
21 Key Factors in Determining Content
22 Typical Audit Committee Agenda
23 Typical Contents of an AC Report: Quarterly
24 Typical Contents of an AC Report: Annual
25 Sample Calendar
26 Dashboard: Sample
31 Key Issues: Summary
35 Sample Audit Scope
36 Audit Calendar
44 Audit Report Summary
48 FYXX Budget Status Update
49 Internal Audit Budget
50 Benchmarking Analysis
51 Internal Audit Staffing Summary
52 Internal Audit Personnel Profiles
53 Department Status
54 Audit Committee Report – Internal Audit Plan: Sample 4
55 Business Self-Assessment Overview
56 Summary of the Internal Audit Approach
57 Business Risk Model for Company ABC: A Common Language
58 Session Results: Assessment of Control Environment
TABLE OF CONTENTS (2/2)

59 Session Results: Risk/Control Map
60 Session Results: Key Themes
62 Proposed Internal Audit Plan
63 Proposed Audit Timetable
65 Appendix A: Customized Risk Definitions
67 Audit Committee Report – Internal Audit Plan: Sample 5
68 Activities
69 Internal Audit/SOX Timeline
70 Walk-Throughs/Interim Testing Timeline
71 Goals Update
72 Audit Committee Report – Internal Audit Plan: Sample 6
73 Summary of Internal Audit Activities Completed/In Progress
74 (Insert Year) Process and IT SOX Compliance Update
75 SOX Project Milestones and Timeline
76 Next Steps
77 Other Items
78 Audit Committee Report – Internal Audit Plan: Sample 7
79 FYXX QX Internal Audit Update
80 FYXX QX Calendar
81 Key Issue Summary
82 Key Issue Status and Revisions
83 Significant Issue Summary FYXX QX
84 Issue Trend Analysis – Top Trends
85 Coverage Enhancement
86 Hiring Update
87 FYXX Planned Organization Structure
88 Department Status
89 Appendix
90 FYXX QX Internal Audit Trend
92 FYXX Open Item Detail
93 Hiring Update
96 Capability Maturity Model Defined
97 Schedule Acronym Definitions
AUDIT COMMITTEE REPORT – INTERNAL AUDIT PLAN: SAMPLE 1
CORPORATE AUDIT: BUSINESS RISK ASSESSMENT

Input
• Conduct risk assessment interviews with management.
• Facilitate management surveys.
• Integrate audit team risk assessment.
• Include prior internal audit results.

Planning Process
• Validate process universe.
• Validate location universe.
• Perform risk prioritization by audit area and draft plans.
• Controller and CFO approval.
• Audit committee approval.

Output
• FY (Insert Year) Audit Plan
BUSINESS RISK ASSESSMENT

When performing the risk assessment, internal audit used the business risk model to create a common risk language for discussions with management. The risks identified were also linked to the corresponding processes.

Environment Risk
• Competitor, Customer Wants, Technological Innovation, Sensitivity, Stakeholder Expectations, Rating Agency, Capital Availability, Sovereign/Political, Legal, Regulatory, Industry, Financial Markets, Catastrophic Loss

Process Risk
• Financial – Price: Interest Rate, Currency, Equity, Commodity, Financial Instrument; Liquidity: Cash Flow, Opportunity-Cost, Concentration; Credit: Default, Concentration, Settlement, Collateral
• Empowerment: Leadership, Authority/Limit, Performance Incentives, Change Readiness, Communications
• Governance: Organizational Culture, Ethical Behavior, Board Effectiveness, Succession Planning
• Information Technology: Access, Availability, Integrity, Infrastructure
• Integrity: Management Fraud, Employee Fraud, Third-Party Fraud, Illegal Acts, Unauthorized Use
• Operations: Customer Satisfaction, Human Resources, Knowledge Capital, Product Development, Efficiency, Capacity, Scalability, Performance Gap, Cycle Time, Channel Effectiveness, Partnering, Outsourcing/Offshoring, Compliance, Business Interruption, Product Service Failure, Environmental, Health and Safety, Privacy/Information-Security, Trademark/Brand Erosion
• Reputation: Image and Branding, Stakeholder Relations

Information for Decision-Making Risk
• Strategic: Environmental Scan, Business Model, Business Portfolio, Investment Valuation/Evaluation, Organizational Structure, Measurement (Strategy), Resource Allocation, Planning, Lifecycle
• Operational
• Financial: Public Reporting, Financial Reporting: Evaluation, Internal Control: Evaluation, Taxation, Pension Fund, Regulatory Reporting
BUSINESS RISK ASSESSMENT: INTERVIEWS AND SURVEYS

Internal audit conducted interviews with 25 members of management to discuss the following:
• Objectives and goals for their areas of responsibility
• Strategies
• Risks that would threaten the achievement of this strategy
• Processes where the risks would manifest themselves

Interviewees by area:
• Worldwide Headquarters: General Counsel, CFO, Controller
• Operations: Supply Chain, Environmental Health and Safety, Location 3
• Finance
BUSINESS RISK ASSESSMENT: RISK DATA GATHERING

Internal audit also gathered information from the following sources:

Integrated Audit Team
• Potential audit areas were identified based on the understanding gathered from the external audit team.
• The external audit team's process, risk and control analysis were reviewed.

Prior Internal Audit Results
• The prior two years’ internal audit reports were reviewed.
• Prior audit universe risk ratings and general risk assessments were included.
• Audit issues and risk trends were analyzed.
BUSINESS RISK ASSESSMENT: PROCESS AND LOCATION
UNIVERSE

Categorize: Locations were categorized by customer group, product and geographic location.
Identify: Key processes being performed throughout the company were identified.
Create: A matrix of processes and locations, including the last time these processes and locations were subject to audit, was created.
BUSINESS RISK MAP

The business risk map plots each risk by Significance (to assets, strategy, reputation, etc.; Low to High) against Likelihood (considering controls and inherent risks; Low to High). The risks shown, from the top of the map down:

Higher significance
• Budget and Planning • Technological Innovation • Liquidity: Cash Flow • Competitor
• Compliance/Legal • Trademark/Brand Name Erosion • Inventory and Obsolescence • Operational Performance Measurement
• Efficiency/Productivity • Information Systems Access • Performance Incentives • Leadership
• Product/Service Quality • Customer Satisfaction • Credit: Default • Reputation
• Regulatory Reporting • Organization Design • Information Technology Infrastructure • Financial Reporting Evaluation
• Strategic Performance Measurement • Shareholder Relations

Middle of the map
• Management Fraud/Illegal Acts • Price: Currency • Globalization
• Business Portfolio • Outsourcing • Labor Availability

Lower significance
• Labor/Employee • Information Systems Integrity • Capacity
• Catastrophic Event • Authority/Limit • Compliance: Policies
• Cycle Times • Product Costing • Health and Safety
• Resource Availability • Accountability • Information Availability
• Resource Price Volatility • Communications • Liquidity: Opportunity Cost
• Sensitivity • Resource Allocation • Environmental
• Employee Fraud/Illegal Acts • Contract Commitment
AUDIT PLAN HIGHLIGHTS

• External audit teams were included in the financial processes.
• Focus on corporatewide processes increased.
• Cash flow and working capital improvement opportunities were identified.
• Internal audit, external audit and management performed a joint risk assessment.
• Location reviews will focus on several critical processes identified during the X risk assessment to leverage resources and share best practices. These processes include inventory management, warranty, forecasting and close-the-books.
• Process specialists were used.
XXXX AUDIT PLAN (1/2)

Category – Scope – Timing – Comments

Process Reviews: 6%
• Payroll Operations – Worldwide – Q3 – Implement outsourced processes and new HR/payroll software.
• T&E Administration – Q1

Information Technology Reviews: 20%
• Oracle Access Controls – Q2
• Network Security – Q2 – Follow up on the process and significant control issues from the prior year.
• Network Security – Worldwide – Q2 – Follow up on outsourced services and significant control issues from the prior year.
• Centralized IT Function – Q1
• E-Commerce Security – Q3 – Check for emerging risks as e-commerce develops.
• Interfaces – Q1 – Ensure data integrity and follow up on delays in module implementation.

Business Process Reviews: 23%
• Direct Materials Purchasing – Q4 – Use critical supply chain components.
• Deductions and Credit Memos – Q3 – Ensure accurate and efficient processing.
• Import/Export Process – Q2
• Consolidation – Worldwide – Q2 – Ensure that systems are not integrated.
• Cash Management – Q2
• Currency Management – Q1 – Utilize the currency hedging group.
• Credit and Collections – Q1 – Use this key area for process improvement.
XXXX AUDIT PLAN (2/2)

Category – Scope – Timing – Comments

Location Reviews: 35%
• Location 1, Location 2 – Q2 – Review general controls.
• Location 1, Location 2 – Q1 – Follow up on significant control issues from the prior year.

Other: 16%
• Corporate Compliance Program – Worldwide – Q1 – Review the monitoring process.
• Records Retention – Worldwide – Q1 – Perform a high-level review of policies and practices.
• Access Controls Design – Location 2 – Q1 – Participate in security structure redesign.
• Minority Interest Calculation – Location 3 – Q2
• Risk Assessment XXXX – Worldwide – Q4
• Prior Audit Issues Follow-Up – Worldwide
• Discretionary Projects – Worldwide
KEY BUSINESS RISKS AND AUDIT PLAN LINKAGE

The risks listed here are company-level risks. Each process audit will include a process-level risk assessment.

Risk – Linked audits
• Financial Reporting Evaluation – Credit and Collections; Consolidation; Deductions and Credit Memos; Sites; Minority Interest Calculation
• Information Systems Integrity – Centralized IT Function; Access Controls; E-Commerce Security
• Information Systems Access – Network Security; Location 3; Centralized IT Function
• Budget and Planning – Sites
• Regulatory Reporting – Import/Export Process
• Outsourcing – Payroll Operations; Network Security
• Price: Currency – Currency Management
• Liquidity: Cash Flow – Credit and Collections; Payroll Operations; Deductions and Credit Memos; Cash Management
• Product/Service Quality – Direct Materials Purchasing; E-Commerce Security
• Inventory and Obsolescence – Sites
• Strategic Performance Measurement – Compliance; Records Retention
• Compliance/Legal – Import/Export Process; Corporate Compliance Program; T&E Administration
AUDIT COMMITTEE REPORT – INTERNAL
AUDIT PLAN: SAMPLE 2
OVERVIEW
In (Insert Date), Company X established an internal audit function. The results of our internal audit strategy analysis were presented to the board of directors.

Before this meeting, Company X’s executive management and the audit committee requested and contributed to creating an internal audit plan. The plan included in this document incorporates the following assumptions:

• An outsourced internal audit function will be created to enhance risk management practices at Company X.
• The internal audit plan will be based on an annual budget between $X and $X.
• The plan will be flexible to focus on changing or evolving risks.
• The plan will include a prioritization of the audit areas included in the strategy document.
INTERNAL AUDIT PLAN: SUMMARY

Listed below is the anticipated internal audit plan for the first two years. Details of each audit area are included on the following pages. Actual time allocated to individual projects will be based on approved project scopes.

Typically, the internal audit plan is subject to revision depending on changes to the business over time. As such, a portion of the second-year internal audit plan is listed as “discretionary.” Any changes to the plan, including allocating discretionary hours to a specific project, will be subject to the audit committee's approval.

Year-One Internal Audit Plan (Est. Hours)
• Compliance Assessment (Insert Hours)
• Trading Practices Process Review (Insert Hours)
• Accounting Process Review (Insert Hours)
• Net Asset Value (NAV) Valuation Process Review (Insert Hours)
• Trade Execution Process Review (Insert Hours)
• Audit Issue Tracking (Insert Hours)
• Audit Committee Meetings and Management Meetings (Insert Hours)
• Total Internal Audit Budget (Insert Hours)

Year-Two Internal Audit Plan (Est. Hours)
• Compliance (Scope Based on Year-One Assessment) (Insert Hours)
• Audit Issue Tracking and Follow-Up (Insert Hours)
• Audit Committee Meetings and Management Meetings (Insert Hours)
• Discretionary (Insert Hours)
• Total Internal Audit Budget (Insert Hours)
INTERNAL AUDIT FOCUS AREAS: DETAIL (1/2)

Trading Practices Process Review – (Insert Hours)
Review policies and internal controls to prevent “late-trading” transactions from occurring. Review policies and internal controls to restrict and detect “market-timing” trading practices.

Compliance Process Review – (Insert Hours)
Review Company X’s compliance program and related risk assessment processes. This review will include compliance activities regarding the Investment Advisers Act of 1940 and the Investment Company Act of 1940. This includes:
• Overall Compliance Risk Assessment
• Fee Disclosure
• Advertising
• Personal Trading and Insider Trading
• Shareholder Performance and Management
• Soft-Dollar Oversight
• Fund Governance Rule Review
• Anti-Money Laundering
• Privacy and Security of Shareholder Information
• Investment Company Names – Rule 35D-1

Net Asset Value (NAV) Valuation Process Review – (Insert Hours)
Review the appropriateness of operational procedures and supervisory structures in place concerning both “market value” and “fair value” determinations. At a high level, review controls within processes for market value pricing obtained from third parties. At a detailed level, review processes for monitoring events that necessitate the use of fair value pricing to protect fund shareholders (e.g., foreign securities).
INTERNAL AUDIT FOCUS AREAS: DETAIL (2/2)

Trade Execution Process Review – (Insert Hours)
Review processes for determining the best execution reasonably available for customer orders. Cover an evaluation of decision points, including the opportunity to get a better price than what is currently quoted, the speed of execution and the likelihood the trade will be executed.

Accounting Process Review – (Insert Hours)
Review the integrity of information and processes related to accounting and management reporting. Specific areas covered will include control over expense identification and allocations (including expense caps).

Audit Issue Tracking/Audit Follow-Up – (Insert Hours)
Follow up on the implementation status of internal audit action items. Also include actions related to external audit or regulatory compliance internal control concerns.

Audit Committee Meetings and Management Meetings – (Insert Hours)
AUDIT COMMITTEE REPORT – INTERNAL
AUDIT PLAN: SAMPLE 3
KEY FACTORS IN DETERMINING CONTENT

Key factors: Understanding Board Expectations; Frequency of Meetings; Allotted Agenda Time

Understanding Board Expectations
• Audit committee charter
• Internal audit department charter
• Committee members and their backgrounds, focusing on any changes since the last meeting
• Prior audit committee reports and minutes
• Any arrangements that have been documented concerning report content expectations
• Board communication style

• Understanding board expectations is critical when determining content.
• By reviewing key documents such as the audit committee charter, internal audit can understand the committee’s risks and needs.
• Internal audit should meet separately with the audit committee (and senior management, if deemed appropriate) to determine a reporting framework and expectations upfront.
TYPICAL AUDIT COMMITTEE AGENDA
• Call to order.
• Review and approve minutes from prior meetings.
• Audit committee report by internal auditors.
• Audit committee report by external auditors.
• Other matters (legal, hotline, compliance, etc.).
• Committee meeting in executive session.
• Presentation of formal quarterly or annual reports to shareholders by the CEO and CFO, and confirmation of approval.
• Date and time of the next meeting.
• Adjournment.

Report by Internal Auditors: Internal audit will typically report first, prior to external audit and other members of senior management (allotted time may vary during the year).

Executive Session: Internal audit should also be prepared to attend the executive session, where outside board members can question internal and external auditors without the presence of senior management.
TYPICAL CONTENTS OF AN AC REPORT: QUARTERLY
Today’s C-Suite and Boardroom Agenda
• Dashboard report on current activities
• Changes to the annual plan
• Status of the annual audit plan
• Critical findings or emerging trends
• Internal audit staffing, impact of resource limitations and costs vs. budget year-to-date
• Results of special investigations
• Department performance metrics/scorecard

Quarterly Audit Committee Reports:
• How reports are summarized should follow agreed-upon reporting arrangements.
• The committee may not want to review all reports, although they have access to all prepared material.
• The goal is to summarize what the committee needs to know about common findings in a logical summary format and report separately on more important matters such as:
− Matters that might affect the fairness of financial reporting
− Breaches of the company’s ethics policies
− Details of any frauds discovered
− Significant delays in management responding to or acting on findings and recommendations.

Typical audit committee reports will include a summary of:
• Reports issued during the quarter, showing the most essential findings and aggregating others
• Monitoring and follow-up activities
• Financial values of any frauds that may have occurred
TYPICAL CONTENTS OF AN AC REPORT: ANNUAL

• Year-in-review reports, including themes or trends identified
• Risk assessment and audit plan updates
• Results of the internal quality assurance and improvement program
• Results of the external quality assurance review, timing/frequency of the external assessment and the reviewer’s background
• Review and approval of updates to the internal audit department charter
• Confirmation of the independence of the internal audit activity
• Reporting of any impairments of independence or objectivity
• Disclosure of nonconformance with the IIA Standards

Annual Audit Committee Reports:
Except for any additional items, the annual report is typically a summary of the four quarterly reports.
• Additional items to cover may include:
− A statement that all work continues to be performed in accordance with IIA Standards
− Details of changes in personnel in the internal audit department
− The professional development courses that were given or attended during the year
− The date of the next scheduled internal audit quality assurance review
SAMPLE CALENDAR

The audit committee agenda will typically include discussion around:

• Internal Audit
• External Audit
• Risk Management
• Legal, Compliance and Regulatory
• Financial Reporting Oversight
• Committee Structure and Function

The table below depicts the areas specific to the internal audit update. Each item is marked in the quarter (Q1–Q4, or As Needed) in which it is scheduled; only the marks for the review of audit results survived extraction.

1. Evaluate Internal and Independent Audit Processes
A. Internal Audit
• Charter, Mission and Objectives – scheduled once a year
• Appointment and Compensation of the Chief Audit Executive – scheduled once a year
• Budget, Staffing and Resources, Including Any Resource Constraints – scheduled once a year
• Scope, Procedures and Timing of Audits (Audit Plan) – scheduled once a year
• Review of Audit Results and Reports – Q1, Q2, Q3, Q4
• Review of Internal and External Quality Assurance Procedures – scheduled once a year
• Confirmation of Internal Audit Independence – scheduled once a year
DASHBOARD: SAMPLE (1/5)

Engagements Completed Since Last Meeting (rating: 1 = Low and 5 = High)
• Accounts Payable: Location 4 – 2
• Procurement Review: Location 4 – 2
• Sales and Distribution: Location 5 – 2
• Disbursements: Location 6 – 3
• Location 3 Regulatory Readiness: Location 3
• Channel Stocking: Location 9 – 2
• Retail Channel: Location 4 – 2
• Location 9 – 3
• Location 4 – 2

ERM Assessment and Other Dept. Activities for Q1
• Finalize documentation of audit operating methodologies.
• Analyze money, quality and time costs in the current accounts payable process.
• Reduce the volume of accounts payable transactions.
• Implement rigorous, pervasive policies to protect against disbursement fraud and overpayments.

Engagements/Audit Plan Activity for Q1
• Vendor Selection: Location 9
• Accounts Payable: Location 5
• Employee Disbursements: Location 7/Location 4
• Supplier Controls Review: Location 8
• Revenue Recognition: EMEA
• Accounts Payable: Location 9
• Location 11 Government: Lobbyist Compliance

Business Unit Delinquency Status
• BU1 – On Track
• BU2 – On Track
• BU3 – On Track
• BU4 – On Track
• BU5 – On Track
• BU6 – On Track
DASHBOARD: SAMPLE (2/5)

Reports Issued Q1
• Accounts Payable: Location 4
• Procurement Review: Location 4
• Sales and Distribution: Location 5
• Disbursements: Location 5
• Location 3 Regulatory Readiness: Location 3
• Retail Channel: Location 4

Scheduled Events
• TBD: Internal audit department training; date and location TBD.
• Campus Recruiting

Engagement Status (engagement – start date – end date – stage – issues)
• AP: Location 10 – (Insert Date) – (Insert Date) – Fieldwork – N/A
• SAP SOD – (Insert Date) – (Insert Date) – Reporting – 14
• Close the Books – (Insert Date) – (Insert Date) – Fieldwork – N/A
• TBD – TBD – TBD – Fieldwork – N/A
• TBD – TBD – TBD – Fieldwork – N/A
• TBD – TBD – TBD – Planning – N/A
• Location 9 Privacy – TBD – TBD – Reporting – 28
• Location 3 – TBD – TBD – Reporting – 14
• Global Acquisition Procurement Due Diligence – TBD – TBD – Fieldwork – N/A
• TBD – TBD – TBD – Fieldwork – N/A
• TBD – TBD – TBD – Fieldwork – N/A
• P-Card – TBD – TBD – Reporting – N/A
• PCE Compliance – TBD – TBD – Fieldwork – N/A

Charts on this page (bar values did not survive extraction):
• Issue Observed in Accounts Payable Audit/Area, FY10: issues reported by area (Business Units, Corp, IT, Fraud, Operations), split High/Medium; the largest bar is 36.
• Issue Status Summary: issues by status (Revised/Past Due, Not Due, Closed), split High/Medium; the largest bar is 107.
DASHBOARD: SAMPLE (3/5)
Key Message Points

• Cash account reconciliations have improved; however, remediation efforts related to system design deficiencies are ongoing.
• There is no formal communication between AP and the merchandising (buyer) department to develop uniform, beneficial practices for supplier management, and communication with suppliers should be managed to establish mutually agreeable practices.

Summary of Completed Activities (Second Quarter)
• Completed Activities
− Payroll
− Accounts Receivable and Vendor Management
− Continuation of Premium Accounts Reconciliation Special Project

Summary of Completed Activities (Third Quarter)
• Audits scheduled for Q3
− Retail Stores and Back Office
− Accounts Payable
− Vendor Master File Maintenance

Audit Finding Remediation Status
Risk Rating Category – Beginning Balance as of (Insert Date) – New – Closed – Currently Open – Past Due
• High – 2 – 1 – 0 – 3 – 0
• Medium – 10 – 5 – 2 – 13 – 5
• Low – 17 – 0 – 2 – 15 – 3
• Total Findings – 29 – 6 – 4 – 31 – 8

Past Due Findings (chart): High 0, Medium 5, Low 3.
DASHBOARD: SAMPLE (4/5)

Quarterly Accounts Payable Review

Scope
• Review expense payables, stock and relay.
• Review the vendor master file creation for expense payables.
• Review the accuracy and timeliness of input and payment processing (EDI and manual) for completeness.
• Review interface integrity from the AP subledger to the general ledger (GL).
• Review access to systems and check stock/signature plates.
• Review monthly reconciliation of the AP subledger to the GL.
• Review the PO and invoice matching process (pre- and post-paid).
• Review daily balancing performed by AP.
• Review the disbursement approval process.
• Review vendor maintenance within the AP vendor master file (stock and relay) along with access controls.
• Review controls over stop payments and reissues.

Issue Status
• Completed: 89%
• In Process: 6%
− Vendor master file reviews created by merchandising
• Planned: 4%
− Wire transfers
− MSA online (rebates, deductions)

Rating Legend: Unsatisfactory; Needs Improvement; Satisfactory; Not Applicable
DASHBOARD: SAMPLE (5/5)

We assessed the existence and effectiveness of controls over the business objectives of the accounts payable process. Possible control improvements (rated as “Moderate” or “Limited” controls) are referenced in the Detailed Issues and Action Plans section for further details.

Completeness and Accuracy: Authority/Limit (control objective – Detailed Issues and Action Plans reference)
• Suppliers are properly authorized prior to procuring goods/services. – Detailed Issue and Action Plan No. 5
• Accounts payable disbursements are properly authorized. – Detailed Issue and Action Plan Nos. 1, 2, 5 and 7
• Access to applicable AP systems is properly segregated. – Detailed Issue and Action Plan Nos. 2, 9 and 12

Timeliness: Effectiveness/Efficiency (control objective – Detailed Issues and Action Plans reference)
• Disbursements are made to maximize cash flow. – Detailed Issue and Action Plan Nos. 1 and 2
• Costs are reduced as much as possible. – Detailed Issue and Action Plan Nos. 2, 7, 8 and 10
• Processing time is minimized. – Detailed Issue and Action Plan Nos. 2, 3, 4, 5 and 6
• Performance measures used to control the process are reliable. – N/A

Rating legend: Strong Controls; Moderate Controls; Limited Controls
KEY ISSUES: SUMMARY (1/4)

Issue – Business Impact – Responsible Person – Due Date

• Merchandise Payables: Invoices are paid before verifying the receipt of goods. – Cash flow is negatively impacted due to inaccurate payments to vendors. – (Insert Name) – (Insert Date)
• Expense Payables: There are no approval and authorization procedures for supplier selection before purchasing goods. – Vendors will not be the best cost, quality and time supplier for XXX. – (Insert Name) – (Insert Date)
• Expense Payables: A purchase order system or other upfront approval process is not used for recurring expense or non-merchandise-related purchases. – Financial loss occurs from unauthorized disbursements. – (Insert Name) – (Insert Date)
• Expense Payables: Proof of receipt is not required to be submitted with approved invoices prior to payment. – Financial loss occurs from inaccurate payments to vendors. – (Insert Name) – (Insert Date)
• Multiple versions of the vendor master file are utilized and maintained. – Additional costs may be incurred from inaccurate payments to vendors. – (Insert Name) – (Insert Date)
• Access to the various systems utilized during the AP process is not adequately secured or monitored. – Data integrity may be lost, and systems may be inappropriately used. – (Insert Name) – (Insert Date)
KEY ISSUES: SUMMARY (2/4)
The following chart summarizes the significant (red and orange) issues identified between (Insert Months). Issues are grouped by status (Revised, Not Due or Closed) and by report within the categories above.

Issue Date – Report Name – Report Rating – Coverage Area – Number of Issues – Number of Red Issues – Status
• Date 1 – Report 1 – COSO Level 4 – Geographic – 8 – 8 – N
• Date 2 – Report 2 – COSO Level 2 – Corp Function – 0
• Date 3 – Report 3 – COSO Level 1 – Geographic – 0
• Date 4 – Report 4 – COSO Level 2 – Revenue – 0
• Date 5 – Report 5 – COSO Level 1 – Revenue – 0
• Date 6 – Report 6 – COSO Level 1 – Corp Function – 0
• Date 7 – Report 7 – COSO Level 2 – Geographic – 0
• Date 8 – Report 8 – COSO Level 3 – Geographic – 2 – 2 – N
• Date 9 – Report 9 – COSO Level 2 – IT – 0
• Date 10 – Report 10 – COSO Level 2 – Revenue – 0
• Date 11 – Report 11 – COSO Level 3 – Geographic – 2 – 1 R and 1 N
• Date 12 – Report 12 – COSO Level 2 – Geographic – 0
• Date 13 – Report 13 – COSO Level 1 – Corp Function – 0
• Date 14 – Report 14 – COSO Level 2 – Geographic – 0
• Date 15 – Report 15 – COSO Level 3 – Process – 1 – 1 – C
• TBD – TBD – TBD – TBD

Status legend: N = Not Due; R = Revised; C = Closed

The 15 reports listed above include 29 orange-rated issues. Red issues averaged 7% during the last 12 months. Types of issues continue to include reconciliations and clearing of aged items, fixed assets, time and expense approval, and system access.
KEY ISSUES: SUMMARY (3/4)

Significant Issues
• Review 1
− Issue 1
− Issue 2
• Review 1
− Issue 1
− Issue 2
• Review 1
− Issue 1
− Issue 2
• Review 1
− Issue 1
− Issue 2

Disclosure Committee note: The control weaknesses noted above were not material to XXXX, but items 2 and 4 were significant to the countries’ balance sheets.

Significance matrix (figure; the rotated axis labels read “Significance of control failure” and “Potential financial statement effect”). Issues are placed in four escalation bands, numbered 4 (highest) to 1 (lowest):
• 4 – Board
• 3 – Disclosure Committee
• 2 – Executive Management
• 1 – Local Management

Control Criteria – Tier 1 (Board) – Tier 2 (Executive Mgmt) – Tier 3 (Local Mgmt)
• Potential financial statement effect* – Less Than 5% – Less Than 1% – (not shown)
• Pervasiveness – Impact to the Corporate Entity – Impact to the Segment, Region or Business Unit – Impact Isolated to the Function or Location
• Relation to Financial Reporting – Direct – Marginal Relationship – Indirect
• Fraud Potential – High – Medium – Low
• Reputation Impact – High – Medium – Low
• Potential Impact to Business Objectives – High – Medium – Low

* Calculated as a percentage of pre-tax net income and defined as more than a remote chance.
KEY ISSUES: SUMMARY (4/4)

Internal Controls Report Information – Issued – Rating at Issuance – Current Rating – Process Owner Progress – Internal Audit Follow-Up

Internal Audit Summary
• Audit 1 – (Insert Date) – In-process
− Significant tax issue has been resolved.
− Cash reconciliation enhancements are in process.
− Controllers are reassigned in (Insert Month).
• Audit 2 – (Insert Date) – No Rating – In-process
− The VP of risk management is spearheading efforts to address short-term recommendations.
− Efforts will focus on enhancing capabilities at corporate and service centers.
• Audit 3 – (Insert Date) – In-process
− Efforts are underway to address identified issues.
• Audit 4 – (Insert Date) – In-process
− Efforts are underway to address identified issues.
• Audit 5 – (Insert Date) – In-process
− Minor improvement opportunities are being addressed by local control owners.
• Audit 6 – (Insert Date) – In-process
− Minor improvement opportunities are being addressed by local control owners.
SAMPLE AUDIT SCOPE

For each of the three areas (AP; Vendor File Maintenance; Accounting), the audit approach is: Understand Processes; Assess Control Design; Assess Control Gaps; Test.

In Scope
• Review expense payables, stock and relay.
• Review for completeness, accuracy and timeliness of input and payment processing (EDI and manual).
• Review access to systems and check stock/signature plates.
• Review the PO and invoice matching process (pre- and post-paid).
• Review the disbursement approval process.
• Review controls over stop payments and reissues.
• Review daily balancing performed by AP.
• Review vendor maintenance within the AP vendor master file (stock and relay) and access controls.
• Review the vendor master file creation for expense payables.
• Review interface integrity from AP subledger to GL.
• Review monthly reconciliation of AP subledger to GL.

Out of Scope
• Petty cash at RDCs
• Direct Ship
• Wire transfers
• T&E from XXX
• MSA online (rebates and deductions)
• Review of vendor master files created by merchandising
AUDIT CALENDAR (1/8)

Location 29
• Geography • Accounts Payable • Accounts Receivable • Service Center • Business Unit Revenue
• IT Project • Technical Support • T&E • Recruitment • QA Performance
• India Assets Management • Gift and Hospitality • FCPA • Outsourcing

Location 3
• Accounts Payable • Accounts Receivable • Compliance
• IT Projects Review • Service Center

Location 2
• Accounts Payable • Business Unit 1 • Business Unit 2 • Pharmaceuticals • Compliance
• Treasury • Regulatory • Accounts Receivable • Regional Export
• Strategy Implementation • Market Pricing

Location 8
• Fixed Assets • Transfer Pricing • FCPA • Royalty Audits • Quarterly SOX Testing (Q1-3)
• OTC: Location 11 • Quarterly Companywide JE Review (Q1-Q4) • HR Payroll and Accounting
• IT Projects Review
AUDIT CALENDAR (2/8)

(Insert Date) IT Audit Plan: Company X Audit Plan and Activities

Quarters: Q1 (Jan – March) | Q2 (April – June) | Q3 (July – Sept) | Q4 (Oct – Dec)

Activities (timing shown as color bars by quarter in the original chart):
• Accounts Payable Review
• Accounts Receivable Review
• ITIL: Change Management and Service Desk
• PIMS: Interface Engine
• Audit Committee Reporting
• Quarterly Follow-Up (Performed by Internal Audit)
• IT Risk Assessment (Initial)
• Update IT Risk Assessment
• Coordinate With External Auditor

Color Legend: Complete | In Process | Not Started

37
AUDIT CALENDAR (3/8)

Quarters: Jan – Mar | Apr – Jun | Jul – Sept | Oct – Dec

Internal Audit
• Review accounts payable.
• Review accounts receivable.
• Review anti-money laundering.
• Review 3.
• Review 4.
• Review 5.
• Conduct a risk assessment.

SOX 404
• Jan – Mar: Draft the (Insert Year) 404 scope. Update the self-assessment program. Roll out the self-assessment program. Update control documentation. Complete self-assessments. Remediate deficiencies.
• Apr – Jun: Finalize the (Insert Year) 404 scope. Schedule audits.
• Jul – Sept and Oct – Dec: Validate self-assessments. Execute testing. Monitor deficiency remediation. Complete self-assessments. Evaluate tested controls. Remediate deficiencies.

Status Legend: Not Started | Scoped | In Progress | Fieldwork Complete | Report Drafted | Complete | Deferred

38
AUDIT CALENDAR (4/8)
Q1
• Security Management/Governance
• Co-Branded Credit Cards
• Joint Ventures
• Site Audits
• Corporate Governance
• Service Center PCI
• Sarbanes-Oxley, PCI, Data Privacy and Partial Scope Site Audits
• Receivables

Q2
• Business Continuity/Disaster Recovery
• Treasury
• Joint Ventures
• Site Audits
• Construction
• Fixed Assets
• Development

Audit Categories: Core (Site, SOX and PCI) | Headline/Management Request | Back to Basics and Other Audit Activities

High-Level Audit Scope Summaries

• Security Management/Governance: Assess the completeness and sufficiency of security policies and evaluate enterprisewide compliance.
• Co-Branded Credit Card: Evaluate critical contractual requirements and related milestones associated with year-one activities.
• Joint Ventures: Review site operations and assess financial information flow from the site through a partner to company books.
• Site Audits: Assess financial statements and operational, financial and IT controls (some efforts directly support external auditors).
• Corporate Governance: Assess compliance with new corporate governance policies (e.g., disclosure controls, Reg FD, whistleblower incidents, Insider Trading Policy). Evaluate employee stock trading activities to confirm compliance with stated policies. Review enterprisewide email distribution lists for completeness and accuracy. Propose enhancements as necessary.
• Service Center PCI: Evaluate security configuration controls at the service center to confirm compliance with PCI requirements.
• Business Continuity/Disaster Recovery: Follow up on (Insert Date) internal audit results (operations, service centers and corporate) and evaluate processes related to recent service incidents/outages.
• Construction: Evaluate the project-specific closeout process.
• Fixed Assets: Integrate the SOX financial review with a detailed operational focus on fixed assets processes for accounting and reporting (Location 2).
• Development: Supplement SOX testing with a deep-dive assessment of up to four deals.
• Receivables: Supplement SOX testing with a deep-dive assessment of key receivables processes.
• Treasury: Integrate the SOX financial review with a detailed operational focus on capital management, liquidity and investment policies, and related metrics.

39
AUDIT CALENDAR (5/8)

Audit Hot Spot | Description | Internal Audit Coverage

1. Corporate Governance | Effectiveness of Training and Policy Compliance (Insider Trading, Integrity and Corporate Governance)
• Conduct substantive testing of stock trades for policy compliance.
• Integrate it into site visits.
• Ensure SOX process and IT testing (including entity-level controls), data privacy and PCI compliance.
• Evaluate communication protocols (e.g., email distribution lists).

2. Cash Investment and Deployment | Policy Compliance for Cash Usage, Including Marketable Securities and Significant Deployment
• Integrate the SOX and risk-based audit: Treasury.
• Integrate the SOX development audit with a deep-dive review of up to four significant deals.
• Assess delegation of authority compliance.

3. Construction | Proper Accounting for Construction Funding Considering Change in Corporate Oversight
• Select relevant construction projects.

4. Financial Shared Service Center | Completion of Corporate and Site Conversion
• Integrate the risk-based, IT and SOX review (North America and India).
• Evaluate cost structure, cost savings and performance metrics.

5. Business Continuity/Disaster Recovery | Ability to Recover and Sustain Business Operations After a Service Interruption
• Evaluate processes related to recent service incidents/outages.
• Follow up on (Insert Date) review and remediation.

40
AUDIT CALENDAR (6/8)
Reviews scheduled across (Insert Month), (Insert Month) and (Insert Month):
• Location 9
• Location 4
• Location 14/Location 15
• Location 16 Follow-Up
• Location 1
• Location 17
• Location 12
• Location 19
• Location 18
• Location 13
• Location 20
• Finance Solutions
• Cost Structure
• Quarterly Testing
• Business Continuity Planning
• Service Center Time and Expense
• Active Directory and Exchange
• Identity Management (Technical)
• Payroll Systems Approach
• International Planning and Operations
• Service/Problem Management (Technical)
• Workstation Security
• Quarterly JEs
• Benefits
• Asia Pacific
• Government Atlantic and Location 3
• Pensions
• PAC
• Quarterly JE

Audit Categories: Revenue | Corporate Functions | Information Technology | SOA | Geographic Affiliates/BPOs | Process/Compliance | Management and Communication
Status Legend: R = Report Issued | P = Fieldwork Complete | : = In-Process Reviews

41
AUDIT CALENDAR (7/8)
Note: Timing to be confirmed with Business Unit owners.

Processes (matrix columns in the original): Order to Cash | Warranty | Treasury/Cash Operations | HR and Payroll/T&E | Procurement Management | Disbursements | Inventory Management | Logistics | Third-Party Outsourcing | Fixed Assets | Legal and Regulatory | Tax | Financial Reporting

Location | Audit Scope | Risk Coverage

Cross Location (Enterprisewide) | Process Review: Sales Order Processing and Revenue Recognition | Financial Reporting; Efficiency; Compliance

Precision Antennas (Location 24 and Location 25) Upon Company X | Major Process Areas (Initial Audit) | Financial Reporting; Compliance; Supply Chain (Sourcing)

Location 23 and Location 9 | Major Process Areas Follow-Up | Fraud; Organizational Culture; Compliance; Communication

EMS Location 22 and Location 4: New Acquisition | Post-Acquisition: Integration Status Review | Financial Reporting; Compliance

42
AUDIT CALENDAR (8/8)
Location | Audit Scope | Risk Coverage

AOP (Location 21) | Fixed Assets and Physical Inventory Observation and Reconciliation | Business Interruption (AOP Move); Product/Service Failure

AHQ | Business Process Review: Treasury Cash Pooling | Financial Reporting; Compliance

Location 26, Location 27 and Location 28 | Location 3 Freight Payments Outsourcing Review | Supply Chain (Sourcing); Compliance

AOP | Ongoing Senior Management T and E Review | Ethical Behavior

Global | Special Project/Prior-Year Follow-Up/Whistleblower Investigations | Compliance
43
AUDIT REPORT SUMMARY (1/4)

We assessed the existence and effectiveness of controls over the business objectives of the accounts payable process. Possible control
improvements (rated as “Moderate” or “Limited” controls) are cross-referenced to the Detailed Issues and Action Plans section for further details.

Completeness and Accuracy: Authority/Limit | Rating | Detailed Issues and Action Plans Reference
• Suppliers are properly authorized prior to procuring goods/services. | Detailed Issue and Action Plan No. 5
• Accounts payable disbursements are properly authorized. | Detailed Issue and Action Plan Nos. 1, 2, 5 and 7
• Access to applicable AP systems is properly segregated. | Detailed Issue and Action Plan Nos. 2, 9 and 12

Timeliness: Effectiveness/Efficiency | Rating | Detailed Issues and Action Plans Reference
• Disbursements are made to maximize cash flow. | Detailed Issue and Action Plan Nos. 1 and 2
• Costs are reduced as much as possible. | Detailed Issue and Action Plan Nos. 2, 7, 8 and 10
• Processing time is minimized. | Detailed Issue and Action Plan Nos. 2, 3, 4, 5 and 6
• Performance measures used to control the process are reliable. | N/A

Rating Legend (shown by color in the original): Strong Controls | Moderate Controls | Limited Controls

44
AUDIT REPORT SUMMARY (2/4)

Objectives and Scope

Background: To complete the audit, the project name renovation was selected, which was deemed representative of the population of renovations since the corporate office construction/project management department coordinates the processing of all renovations for the North American locations.

Scope: The internal audit tested whether the company is accruing and paying the appropriate sales and use tax.

Significant Issues:
• TBD
• TBD
• TBD

Timing | Scheduled | Actual
Planning | (Insert Date) | TBD
Fieldwork | (Insert Date) | TBD
Pre-Close Meeting | (Insert Date) | TBD
Closing Meeting | Week of (Insert Date) | TBD
Report Distribution | Week of (Insert Date) | TBD
Issue Follow-Up | TBD | TBD
Total Weeks | X | TBD
Total Hours | XX | TBD

Internal Audit Team:
• TBD
• TBD
• TBD
• TBD

Management Contacts:
• TBD
• TBD
• TBD
• TBD

45
AUDIT REPORT SUMMARY (3/4)
Background

The company engaged a third party to perform a network security assessment of the organization’s external, internal
and wireless technology infrastructure (scope included several computing platforms, ranging from desktop computers to
servers and databases that support critical applications and store business-critical information).

Summary Results

In general, the company’s technology environment appears to be configured and managed in a manner consistent with several generally accepted industry
standards and practices. The organization has a well-architected network security infrastructure and effective operational IT processes. Although many strong
controls and processes were observed, testing identified two specific issues during the internal network vulnerability assessment that allowed internal audit access
to all of the servers, workstations and information across the company’s technology environment.
• Easily Guessable Administrative Database Passwords: Two database servers used for the capital expenditure system have easily guessed administrative
account passwords. Internal audit used this compromised account to identify technical system information and other network account information stored on the
database server that was leveraged to take complete control of the company network. With complete control of the environment, internal audit could access
various file storage servers and workstations containing sensitive business and employee information, including mergers and acquisitions documents, financial
information, employee and executive compensation, employee performance reviews, and legal documents.
• Re-Use of Administrative Credentials: The default administrative accounts stored locally on most Windows devices are configured with the same password
(i.e., this password is re-used throughout the company’s environment). Leveraging credentials obtained through the issue noted above, this password was
obtained and used to access various servers, workstations, and applications throughout the company’s environment. Individually, this issue did not provide a point
of access during the assessment; however, when combined with the case above, it resulted in a significant amount of access. This type of issue underscores the
importance of security controls in layers.
IT management has already remediated the issues identified during this audit and is also implementing several long-term process improvements (including
regular security audits) to address the root-cause problems.

46
AUDIT REPORT SUMMARY (4/4)
Report Name: Information Security Audit – Issued (Insert Date)
Overall Rating: High

Background and Scope:

Many companies store and process a large volume of personal and sensitive information on behalf of employees and customers. Recent company-specific assessment
activities (e.g., SOX, PCI and data privacy audits) have identified a trend in security-related issues, which has led to an increased focus on information security within
corporate IT, legal and operations. Adequate information security relies on robust technical configurations, automated and/or manual processes and human behavior to
ensure the confidentiality, integrity, and availability of corporate systems and data. The scope included:
• Network Security: A vulnerability assessment was conducted to determine if processes, procedures and configurations are adequately designed and
implemented to provide reasonable protection against internal, external and wireless-based attacks.
• User-Level Security Practices: Several business-critical security processes and technologies that support end-user information security activities were
evaluated.
• Governance: The roles, responsibilities and supporting policies and procedures related to directing, managing and enforcing the information security program
throughout the organization were reviewed.

Summary Findings: The scorecard below summarizes ratings and findings by scope area.
Scope Area | Rating | Issues Summary
Network Security (Internal) | High | Multiple network security controls are not operating effectively in company data centers and corporate locations. In some cases, systems and databases have weak passwords, and unauthorized users on the network may be able to access sensitive employee, customer and company information.
Network Security (External) | Medium | Employees provided valid email usernames and passwords during electronic and telephonic social engineering exercises.
Management Response (At Report Issuance): Management agrees with the items outlined in the report and will take corrective action to address
identified issues.

47
FYXX BUDGET STATUS UPDATE

Actuals/Forecast Q1 Actual Q2 Actual Q3 Forecast Q4 Forecast Total


Direct Payroll X X X X X
Direct Non-Payroll Co-Source X X X X X
Training X X X X X
Travel X X X X X
Employment Costs X X X X X
Other X X X X X
Total X X X X X
YTD Cost X X X X

The approved budget is $XM. Internal audit is actively managing all costs and expecting to finish the year within budget.
In comparison to (Insert Year):
• The number of reports issued increased from X to X.
• An additional X unplanned projects were completed as of (Insert Month).

48
INTERNAL AUDIT BUDGET

Effective (Insert Date), (Insert Year), the company restructured its corporate compliance functions under internal audit. As part of this restructuring, the following groups transitioned to internal audit:
• IT Compliance (SOX and PCI)
• SOX Compliance
• Compliance Audit (including site-specific audit teams)

The internal audit team successfully executed the complete (Insert Date) plan under budget, thereby realizing cost savings of $500K.

The following table outlines the (Insert Year) budget, (Insert Year) actuals and (Insert Year) budget.
Note: The (Insert Year) budgeted spend includes adequate contingency to cover variable costs (e.g., SOX rework).

| Spend | FTEs
(Insert Year) Budget | X | X
(Insert Year) Actual | X | X
(Insert Year) Budget | X | X

49
BENCHMARKING ANALYSIS
Internal audit provided the audit committee with several departmental benchmarking statistics in (Insert Month). The graphs below provide updated
information about our internal audit headcount and spending (at an annualized run rate) compared with three of our competitors.

The average internal audit spend for our company and three competitors is 0.11% of company revenue. The chart below outlines the percentage for each:
• Competitor 1: XX
• Competitor 2: XX
• Competitor 3: XX
• Company: XX

50
INTERNAL AUDIT STAFFING SUMMARY
Leveraging a combination of industry and public accounting experience, our talented team is capable of successfully executing the audit plan. We will
continue to leverage resources from a co-sourced provider as needed for efficient audit coverage both geographically and in areas requiring specialized
skills.

Internal Audit Leadership
• Vice President: Certifications: CPA; Experience: X years
• Director: Sites and Service Centers: Certifications: CPA, CIA, MBA Candidate; Experience: X years
• Director: SOX, IT and Fraud: Certifications: CIA, MBA; Experience: X years
• Manager/Sr. Manager: Certifications: CIA, CISA, MBA; Experience: X years
• Certifications: CPA Candidate; Experience: X years
• OPEN: Experience: X years

Audit Team: Six Senior and Staff Auditors; Three Compliance Auditors

51
INTERNAL AUDIT PERSONNEL PROFILES

Part of the measure of an internal audit department is the qualifications of the personnel. There are currently X full-time employees within the
department.

Sixty-five percent of the personnel (23 of 35) hold a relevant certification, including 100% of the management group. Forty-nine percent of the personnel (18 of 35) are fluent in a second language.

Certifications held (number of personnel):
• Certified Public Accountant: 13
• Chartered Certified Accountant: 2
• Chartered Accountant: 3
• Certified Internal Auditor: 6
• Certified Fraud Examiner: 3
Note: Some individuals hold more than one certification.

Second languages spoken (number of personnel; share):
• Cantonese: 2; 8%
• Polish: 1; 4%
• Italian: 2; 8%
• Mandarin: 4; 17%
• French: 5; 21%
• Japanese: 1; 4%
• Hindi: 3; 13%
• Spanish: 2; 8%
• Greek: 1; 4%
• German
Note: Some individuals speak more than one foreign language.

52
DEPARTMENT STATUS
The chart below depicts the six core infrastructure components of an internal audit department and lists, under each, the attributes that define a mature function, which link
closely to the requirements of the QA review. The maturity scale is used to evaluate the current process maturity of each component along with the desired goal state.

Maturity Levels and Distinguishing Factors
• Optimizing: Increased Quality; Continuously Improving Process
• Managed: Predictable Process
• Defined: Standard, Consistent Process
• Repeatable: Disciplined Process
• Initial: Increased Risk

Strategies and Policies (Goal State: 2; Current State: 3)
• Written and approved IA mission and charter
• Specific, communicated strategy
• Compliance with the IIA standards
• Alignment of IA within the organization
• Independent and objective IA function
• Quality assurance reviews
• Self-assessment program
• IA procedures manual
• Enterprise risk assessment (global)
• Annual audit plan development
• External audit coordination
• Integration of 404 strategy
• Anti-fraud program coordination
• Organization's awareness of IA
• Development of IA department ongoing improvement initiatives

Organization and People (Goal State: 3; Current State: 4)
• Development of IA resource budget
• Recruiting process
• Traditional-accounting
• Non-traditional-operational
• Utilization of other professionals
• Process experts
• Outside service providers
• In-house rotation (guest auditor)
• Competency models
• Training programs
• Professional certifications
• Performance reviews
• Succession planning
• Management development

Management Reporting (Goal State: 2; Current State: 2)
• Audit reports
• Executive management reporting and communication
• Audit committee reporting and communication
• Customer satisfaction

Methodology (Goal State: 2; Current State: 4)
• Risk assessment and planning
• Periodic risk assessment performed
• Common control/risk language
• Self-assessment
• Defined audit universe
• Control models
• Annual audit plan
• Follow-up
• Audit execution
• Audit project planning
• Audit project staffing
• Scheduling
• Work plans
• Standardized documentation and retention requirements

Technology (Goal State: 3; Current State: 4)
• Technology tools: risk assessment, planning and scheduling, workflow, data analysis
• Continuous monitoring
• Tools integration
• Computer assisted auditing techniques

Knowledge (Goal State: 2; Current State: 3)
• Access to process best practice knowledge
• Access to risk/process expertise
• Knowledge sharing process
• Professional organization affiliations
• Benchmarking

53
AUDIT COMMITTEE REPORT – INTERNAL AUDIT PLAN: SAMPLE 4
BUSINESS SELF-ASSESSMENT OVERVIEW

The internal audit department performed a business self-assessment (BSA) session. A BSA session is a focused discussion of risks facing the corporation and evaluation of the effectiveness of management controls designed to mitigate exposures.

The objectives of the BSA session were as follows:
• Increase awareness and create a common understanding of business risk (a common language).
• Facilitate an understanding of the need to manage business risks.
• Identify and prioritize key business risks.
• Assess current management of key business risks.
• Facilitate the development of an ongoing internal audit plan.

During the self-assessment session, management discussed the definition, significance, likelihood and effectiveness of management
controls over risks challenging Company ABC. Internal audit utilized electronic voting software to measure management's perceptions
regarding risks.

The term “business risk” refers to the threat that an event, action or non-action will adversely affect the company’s ability to achieve its
business objectives and execute its strategies successfully.
Under this definition, business risk includes both the occurrence of a negative event (e.g., lack of needed liquidity) and the failure to take
advantage of an opportunity (e.g., failure to recruit and retain quality personnel). Appendix A presents definitions for all risks considered
during the session.

55
SUMMARY OF THE INTERNAL AUDIT APPROACH

Business Risk Model
• Environment Risk
• Process Risk: Empowerment; Financial; Operations; Information Technology; Integrity
• Information For Decision-making Risk

Risk Prioritization
• Business Risk Assessment Session: each risk is plotted by Impact (L to H) against Likelihood (L to H).

Provides Basis For
• Developing Audit Plan (Operational; Financial)
• Basis for Avoiding/Transferring Risk
• Assigning Functional Responsibility for Monitoring Risk
• Performance Reporting to Senior Management and Board
• Being Proactive Toward Risk Management

56
BUSINESS RISK MODEL FOR COMPANY ABC: A COMMON LANGUAGE

The Model
The business risk model is used to identify business risks impacting:
• The company as a whole
• A specific process within the company

Linkage to Our Approach
• The risks included in the business risk model are customized to the company.
• We then use this information to develop short- and long-term audit plans responsive to these specific risks.

Environment Risk
• Financial Risk: Capital Availability; Financial Markets; Liquidity; Cash Flow; Credit; Collateral

Process Risk
• Empowerment: Change Readiness; Human Resources
• Integrity Risk: Employee Fraud
• Operations: Customer Satisfaction; Product Development; Efficiency; Cycle Time; Compliance; Health and Safety; Environmental
• Information Processing/Technology Risk: Relevance; Access; Availability; Infrastructure

Information For Decision-making Risk
• Financial: Budget and Planning; Accounting Information
• Operational: Performance Measurement
• Strategic: Demographics; Resource Allocation; Planning

57
SESSION RESULTS ASSESSMENT OF CONTROL ENVIRONMENT
The group was asked to assess how well Company ABC currently manages the overall internal control environment. The key results were:
• Overall, the strength of the internal control environment across the business was rated 76%, relative to a maximum control environment rating of 100%.
• The group considered that management is aware of business risks (81%). Staff awareness of business risks (60%) and of the importance of controls (68%) may
represent an opportunity to improve risk and control awareness.
• The participants felt that improving the awareness of risks and the control environment was an important priority, with a rating of 94%.
• The group also felt that improving the risk management process would add value to the organization, with a score of 94%.
• The group felt (71%) that areas within Company ABC need more effective controls.

The group evaluated Statements 1-7 related to their assessment of the control environment on a scale of 1 (do not agree) to 9 (agree). For Question 8, the group assessed
the overall control environment using the same scale (1 = low and 9 = high).

Statements:
1. Management is aware of business risks.
2. Staff is aware of business risks.
3. Management fully considers business risks when making decisions.
4. Staff is aware of the importance of controls.
5. We have a few business risks that are not adequately controlled.
6. Improving the awareness of risks and the control environment should be an important priority for the company.
7. Improving the risk management process will add value to the organization.
8. How do you rate the business risk management process and control environment overall?

Chart: Results of Votes for Statements 1-8 (vertical axis 0 to 8).

58
SESSION RESULTS: RISK/CONTROL MAP

The group utilized their collective knowledge of Company ABC’s existing control environment to gauge the relative strength of controls governing each
risk. A 9-point scale was used, with 9 indicating a high degree of management control and 1 indicating the lowest degree of control. These are shown below
in the Company ABC risk/control map. The main objective of this analysis is to identify risks that may be either under controlled (upper left quadrant) or
overcontrolled (lower right quadrant) relative to their potential significance to the company.

Risk/control map (original chart): horizontal axis Control Environment (1 to 9); vertical axis Significance. Zones: Control Opportunities (upper left); Control Zone; Potential Cost Savings (lower right). Risks are plotted by number:
1. Capital Availability
2. Financial Markets
3. Capacity
4. Compliance (Legal and Customer Requirements)
5. Customer Satisfaction
6. Efficiency
7. Environmental
8. Health and Safety
9. Human Resources
10. Product Development (Process)
11. Change Readiness
12. Access (Systems)
13. Availability (Systems)
14. Infrastructure (Systems)
15. Relevance (Systems)
16. Employee Fraud
17. Credit/Collateral
18. Liquidity/Cash Flow
19. Performance Measurement
20. Accounting Information
21. Budget and Planning
22. Demographics
23. Planning
24. Resource Allocation
25. Product Development (Capacity)
26. Compliance (Policies and Procedures)

59
SESSION RESULTS: KEY THEMES (1/2)

Control Opportunities: Controls May Be Less Than Needed

Human Resources: A lack of requisite knowledge, skills and experiences among the organization's key personnel threatens the achievement of critical business objectives.

Financial Markets: Movements in prices, rates, indices, etc., threaten the value of the organization's financial and real assets.

Infrastructure (Systems): The risk is that the organization does not have an effective information technology infrastructure (e.g., hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion.

Efficiency: Inefficient operations threaten the organization's capacity to produce goods or services at or below cost incurred by competitors or world-class-performing companies.

Change Readiness: The people within the organization are unable to implement process and product/service improvements quickly enough to keep pace with changes in the marketplace.

Compliance (Legal and Customer Requirements): Noncompliance with customer requirements, laws and regulations may result in lower-quality/higher-production costs, lost revenues, unnecessary delays, penalties, fines, etc.

60
SESSION RESULTS: KEY THEMES (2/2)

Potential Cost Savings – Controls May Be More Intensive Than Needed

Relevance (Systems): Irrelevant information created or summarized by an application system may adversely affect users' decisions.

Planning: An unimaginative and cumbersome strategic planning process may result in irrelevant information threatening the organization’s capacity to formulate viable business strategies.

Accounting Information: Overemphasis on financial accounting and/or actuarial information to manage the business may result in the manipulation of outcomes to achieve financial targets at the expense of not meeting customer satisfaction.

Environmental: Activities harmful to the environment expose the organization to liabilities for bodily injury, property damage, cost of removal and punitive damages.

Budget and Planning: Nonexistent, unrealistic, irrelevant, or unreliable budget and planning information may cause inappropriate financial conclusions and decisions.

Compliance (Policies and Procedures): Noncompliance with company policies and procedures leads to losses.

Health and Safety: Failure to provide a safe working environment for workers exposes the organization to compensation liabilities, loss of business reputation and other costs.

61
PROPOSED INTERNAL AUDIT PLAN

Scope of the Internal Audit Plan
• Through follow-up discussions with management, the internal audit group identified business processes affecting the critical business risks identified in the self-assessment session. These include analysis in capital allocation, human resources, information systems and disbursements.
• Through these discussions, management also indicated its desire to implement an ongoing controls monitoring process. Internal audit will facilitate the development and implementation of a control self-assessment (CSA) process. A comprehensive CSA can effectively enhance the awareness of controls throughout the organization through facilitated workshops, surveys and one-on-one interviews. CSA is particularly effective as the organization grows geographically; it can gauge levels of understanding and compliance and allows management to focus resources appropriately.
• The scope of the Company ABC internal audit plan allocates resources to areas appropriate for internal audit analysis, which management believes may be either under or overcontrolled. In addition to the CSA, internal audit projects are scheduled each calendar quarter to allow for regular management reporting and audit committee communications. The scope of specific audits and any needed changes to the plan will be agreed upon in advance with management.

Internal Audit Process
• The internal audit group will conduct the audit projects indicated in the plan. Audit reports will indicate the audit work's objective, scope and results.
• The audit committee will be presented with the results of audit work regularly, including the status of recommendations for completed audits.

62
PROPOSED AUDIT TIMETABLE (1/2)

Audit Project | Risks | Scope | Scheduled Date

Control Self-Assessment
• Risks: Compliance; Change Readiness; Planning; Access
• Scope: Remote locations; Cash Apps, AP, Etc.; Policies and Procedures
• Scheduled Date: (Insert Month)

Accounts Payable/Construction Draws
• Risks: Compliance; Efficiency; Liquidity/Cash Flows; Customer Satisfaction
• Scope: Internal Control; Documentation/Calculations; Contract Adherence
• Scheduled Date: (Insert Month)

Market Segment Capital Allocations
• Risks: Capital Availability; Liquidity/Cash Flows; Compliance; Planning; Efficiency
• Scope: Market Assumptions; Documentation/Calculations; Vendor Relationships; Comparison to Actuals
• Scheduled Date: (Insert Month)

Wire Transfers/Cash Apps/AR
• Risks: Accounting Information; Efficiency; Relevance; Compliance
• Scope: Authorizations; Timing; Application of Cash; Receivables Management; Recording of Transactions
• Scheduled Date: (Insert Month)

63
PROPOSED AUDIT TIMETABLE (2/2)

Audit Project | Risks | Scope | Scheduled Date

Information Systems General Controls
  Risks: Compliance; Availability; IT Infrastructure
  Scope: Disaster Recovery; Change Control; Data Security; Operations
  Scheduled Date: (Insert Month)

Personnel Planning/Payroll
  Risks: Human Resources; Customer Satisfaction; Compliance
  Scope: Policy Compliance; Planning/Approvals; Interviews/Assessments
  Scheduled Date: (Insert Month)

CAM Fees
  Risks: Compliance; Liquidity/Cash Flows
  Scope: Documentation/Approvals; Disbursement Process; Contract Adherence; Re-Calculation of Disbursements
  Scheduled Date: (Insert Month)

Property Management
  Risks: Customer Satisfaction; Compliance
  Scope: Contracting; Personnel Policies; Management Reporting
  Scheduled Date: (Insert Month)

Contract Administration
  Risks: Product Development; Compliance and Relevance; Planning
  Scope: Authorizations; Timing; Standards
  Scheduled Date: (Insert Month)

64
APPENDIX A: CUSTOMIZED RISK DEFINITIONS (1/2)

Capital Availability: Insufficient access to capital threatens the organization's capacity to grow, execute its strategies and generate future financial returns.
Financial Markets: Movements in prices, rates, indices, etc., threaten the value of the organization's financial and real assets.
Capacity: Insufficient capacity threatens the organization's ability to meet customer demands, or excess capacity threatens the organization's ability to generate competitive
profit margins.
Compliance: Noncompliance with customer requirements or laws and regulations may result in lower-quality/higher-production costs, lost revenues, unnecessary delays,
penalties, fines, etc.
Customer Satisfaction: A lack of focus on customers threatens the organization's ability to meet or exceed customer expectations.
Efficiency: Inefficient operations threaten the organization's capacity to produce goods or services at or below cost levels incurred by competitors or world-class-performing
companies.
Environmental: Activities harmful to the environment expose the organization to liabilities for bodily injury, property damage, removal cost, punitive damages, etc.
Health and Safety: Failure to provide a safe working environment for workers exposes the organization to compensation liabilities, loss of business reputation and other
costs.
Human Resources: A lack of requisite knowledge, skills and experiences among the organization's key personnel threatens the achievement of critical business objectives.
Product Development: Inadequate capability for product development threatens the organization's ability to meet or exceed customers' needs and wants consistently over
the long term.
Budget and Planning: Nonexistent, unrealistic, irrelevant or unreliable budget and planning information may cause inappropriate financial conclusions and decisions.
Demographics: The failure to utilize information or properly recognize trends in demographics, which can result in changes in the demand for a company's products, and
failure to react in a timely manner to these changes, can have a pervasive negative impact on the company's position, market share and/or long-term viability/profitability.
Planning: An unimaginative and cumbersome strategic planning process may result in irrelevant information threatening the organization's capacity to formulate viable
business strategies.

65
APPENDIX A: CUSTOMIZED RISK DEFINITIONS (2/2)

Change Readiness: The people within the organization are unable to implement process and product/service improvements quickly enough to keep pace with changes in
the marketplace.
Access: Failure to adequately restrict access to information (data or programs) may result in unauthorized knowledge and use of confidential information, or overly restricting
access to information may preclude personnel from performing their assigned responsibilities effectively and efficiently.
Availability: Unavailability of important information when needed threatens the continuity of the organization's critical operations and processes.
Infrastructure: The risk that the organization does not have an effective information technology infrastructure (e.g., hardware, networks, software, people and processes) to
effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion.
Relevance: Irrelevant information created or summarized by an application system may adversely affect users' decisions.
Employee Fraud: Fraudulent activities perpetrated by employees, customers or suppliers against the organization for personal gain (e.g., misappropriation of physical,
financial or information assets) expose the organization to financial loss.
Credit-Collateral: The partial or total loss of value of an asset provided to the organization as collateral exposes the organization to financial loss.
Liquidity-Cash Flow: The inability of a company to fund its operations or financial obligations, which may lead to default or loss of production.
Performance Measurement: Process performance measures do not provide a reliable portrayal of business performance and do not accurately reflect reality (i.e., they do
not provide reliable information about reality because they do not reflect what is happening within the business processes).
Accounting Information: Overemphasis on financial accounting and/or actuarial information to manage the business may result in the manipulation of outcomes to achieve
financial targets at the expense of not meeting customer satisfaction.
Resource Allocation: The company's resource allocation process does not establish and sustain competitive advantage or maximize shareholder returns.
Compliance: Noncompliance with company policies and procedures leads to losses.
Product Development: Inadequate internal capacity limits the company’s ability to facilitate effective product development.

66
AUDIT COMMITTEE REPORT – INTERNAL
AUDIT PLAN: SAMPLE 5
ACTIVITIES

QX (YEAR)
• Established the FYX internal audit budget and obtained audit committee approval for the FYX internal audit plan
• Met with management and external auditors for (Insert Year) risk scoping exercise
• Began “continuous testing” strategy
• Substantially completed X walk-throughs for all key financial processes, including a new process: HR/payroll
− X walk-throughs are complete, and one walk-through (debt) is under internal auditor review.
• Began testing the operating effectiveness of critical controls in conjunction with walk-throughs
− Completed interim testing of (Insert Figure) controls (includes (Insert Figure) ITGCs).
• Began a non-SOX internal audit project focused on the financial statement close process (“financial statement close optimization”)
• Discussed the impairment and accounts receivable (AR) reserve process with management
− Exceptions weren’t noted during the asset impairment walk-through.
• To date, one control exception was identified in the debt process regarding the timeliness of a property-specific debt covenant. The loan agreement with
(Insert Company) required (Insert Company X) to provide monthly financials within 30 days of month-end. Due to an attachment error, the correct
financials were not provided to the lender within the period specified by the covenant.

68
INTERNAL AUDIT/SOX TIMELINE

Activity (timeline for the year; one column per month: (Insert Month) x 11)

SOX Planning with Management
SOX Risk Assessment Review
Meetings With Auditors
Assist Management With Fraud Risk Assessment
Process and Control Design Analysis
Interim Control Testing
Audit Committee Updates
Update/Remediation Testing

Upcoming Q4 Activities

• Complete walk-throughs of all processes and provide necessary documentation to external auditors.
• Perform and complete testing procedures to confirm the operating effectiveness of all remaining key controls.
• Continue to work with management to evaluate control design (as needed) based on process changes.
• Coordinate with external audit throughout the engagement by remaining in consistent communication.
• Utilize walkthrough and prior experience to identify and monitor transactions to be tested at year-end (e.g., PPA, acquisitions, etc.).
• Plan/complete non-SOX internal audits as requested.
• Develop remediation plans as necessary for any identified control exceptions.

69
WALK-THROUGHS/INTERIM TESTING TIMELINE

(Insert Month) 1:
• Financial Close
• Payroll
• Acquisitions
• Purchase-to-Pay
• Cash Receipts
• Asset Impairment
• Property Management
• Loans Receivable

(Insert Month) 2:
• External Reporting
• (Insert Company X) Compliance
• Debt
• Equity

(Insert Month) 3:
• Remaining Interim Controls

(Insert Month) 4:
• (Insert Text)

Entity-Level Control Testing (spans the period)

Completion Percentage on Walk-Throughs: 0% | 25% | 50% | 75% | 100%

Completion Percentage on Testing: 0% | 25% | 50% | 75% | 100%

70
GOALS UPDATE

• Continue to increase dialogue and the depth of discussions with the audit committee (AC) beyond regularly scheduled meetings.
− Progress: We have informed and will continue to inform the AC (through the chair) regarding developments. Most recently, we corresponded with the AC chairman before the AC date.
• Organize procedures to consider late-year transactions and proper application of internal controls.
− Progress: Our plans include monitoring for late-year closings and considering tracking controls' operating effectiveness, particularly related to PPA.
• Provide (Insert Company X)-focused insights into technical areas and contribute to the board’s risk oversight process.
− Progress: None to date; however, the AC chair was provided insights on overall PCAOB activities.
• Suggest internal audit procedures beyond SOX, focusing on organizational improvement and areas crucial to corporate success.
− Progress: We began reviewing the financial statement close process in (Insert Date) and will report the results at the Q3 AC meeting.
• Continue to deepen interactions with the external auditor to encourage reliance on and alignment with areas of inquiry.
− Progress: We maintain a strong working relationship with the external auditor and continue to look for ways to align our procedures with their audit activities. We
conducted joint walk-throughs in (Insert Date).
• Provide ongoing clarity about budgets, schedules, and the impact of decisions related to the project approach.
− Progress: We have established a (Insert Date) budget of (Insert Figure). This compares to (Insert Date) actuals of (Insert Figure). Through (Insert Date), we have
incurred (Insert Figure) in professional fees. Our work is on schedule and budget to date.
• Continue to strive for efficiency and innovation while improving the internal audit workflow and offering process improvement ideas to the underlying
business when possible.
− Progress: Progress is ongoing.

71
AUDIT COMMITTEE REPORT – INTERNAL
AUDIT PLAN: SAMPLE 6
SUMMARY OF INTERNAL AUDIT ACTIVITIES
COMPLETED/IN PROGRESS

01 The documentation of internal controls over financial reporting (ICFR) for both business process and information technology general controls (ITGCs) related to the in-scope processes was completed.

02 Round 1 testing for process SOX controls is in progress. Round 1 testing for ITGC controls is scheduled for (Insert Date).

03 The SOX steering committee meets weekly or as needed with the CFO, VP/Corporate Controller, SVP – Accounting and Business Operations and SVP – Finance.

04 The scope, approach and methodology were agreed upon with the external auditor.

05 Management has remediated the critical deficiency related to (Insert Company) application access/segregation of duties and is remediating the critical deficiency related to evidence of ICFR performed. Internal audit is in the process of validating the remediation of these items.

06 Material weaknesses or significant deficiencies have not been identified by management to date.

73
(INSERT YEAR) PROCESS AND IT SOX COMPLIANCE
UPDATE
Scope and Status Snapshot

Process Name | Final Priority | Documentation of ICFR and Design Validation | Round 1 Testing | Remediation/Year-End Testing

Entity-Level Assessment
Entity-Level Assessment (COSO 2013) | – | Completed | In progress | –

Corporate
Cash Disbursements/Expenditures | – | Completed | In progress | –
Debt and Interest Capitalization | – | Completed | In progress | –
Financial Reporting and Close the Books | – | Completed | In progress | –
Land Deposits and Acquisitions | – | Completed | In progress | –
Joint Ventures | – | Completed | In progress | –
HR/Payroll | – | Completed | In progress | –
Real Estate Impairment | – | Completed | In progress | –
Tax Compliance | – | Completed | NA | –
Equity | – | Completed | In progress | –
Fee Building – Fee Recognition, Billing and Cash Receipts | – | Completed | In progress | –

South California Division
Budgeting | – | Completed | In progress | –
Close the Books | – | Completed | In progress | –
Procurement/Cost Capitalization | – | Completed | In progress | –
Revenue (Home Sales and Cash Receipts) | – | Completed | In progress | –
Real Estate Inventory (WIP) and Cost of Sales | – | Completed | In progress | –

North California Division
Budgeting | – | Completed | In progress | –
Close the Books | – | Completed | In progress | –
Procurement/Cost Capitalization | – | Completed | In progress | –
Revenue (Home Sales and Cash Receipts) | – | Completed | In progress | –
Real Estate Inventory (WIP) and Cost of Sales | – | Completed | In progress | –

Legend: Completed; In progress; NA = not applicable; – = not started

Process Walk-Throughs and Testing
• Internal audit has completed the ICFR documentation and design validation and is in the process of Round 1 audit controls testing.
• Based on the procedures performed, no significant deficiencies or material weaknesses have been identified.

IT Walk-Throughs and Testing
• Completed walk-throughs for the in-scope IT areas. Round 1 testing is scheduled for mid-(Insert Date).
• Based on the procedures performed, no significant deficiencies or material weaknesses have been identified.

74
SOX PROJECT MILESTONES AND TIMELINE

Project Milestones | Status

1 Financial reporting/process/application risk is assessed. | Complete
2 Processes are documented and design effectiveness is evaluated (process and ITGC). | Complete
3 Initial testing for ITGC control operational effectiveness is conducted. | Scheduled for (Insert Date)
4 Initial testing for process control operational effectiveness and COSO 2013 is facilitated. | In Progress
5 Control operational effectiveness remediation and refresh testing (process and ITGC). | Scheduled for (Insert Date)
6 Year-end/annual controls (process and ITGC) are tested. | Scheduled for (Insert Date)
7 Management's control deficiency is assessed. | Ongoing (Evaluated At Each Phase of the Program)

75
NEXT STEPS

Complete testing for the IT controls process.

Provide ICFR documentation and testing results to the external auditor.

Monitor remediation related to all known deficiencies.

Coordinate year-end testing efforts with the external auditor and management.

76
OTHER ITEMS

We have drafted an internal audit charter. We are seeking the audit committee’s approval of this charter.

(Insert Charter)

77
AUDIT COMMITTEE REPORT - INTERNAL
AUDIT PLAN: SAMPLE 7
FYXX QX INTERNAL AUDIT UPDATE

1 FYXX Initiatives
• Completed risk analysis of (Insert Company).
• Refined Quarterly (system) review process. Assessing automated (system) reporting tools.
• Small Geography control assessment initiated to improve (insert year) and FYXX Audit strategy.
• Corporate functional coverage strategies under development, including Treasury, Tax, and Pensions.
• Internal customer survey developed and placed in service to assess the quality of audit processes.
• IIA Quality Assurance Review preparation initiated.

2 Plan Status
• X reports issued to date against the plan of X representing X% of the annual target.
• Average reporting days and cycle time below the targeted range of X and X days, respectively.
• Quarterly Ethics Line review completed.
• Software installation with version upgrade planned for (insert month year).

3 International Teams
• (location) Internal Audit hub established in (insert location). Filled X of X targeted (insert location) positions with the following language skills – (insert languages).
• Dual (insert location) hub staffing initiated in (insert location) and (insert location) with X of X positions filled. Added (insert languages) language expertise.
• Internal headcount is X versus FYXX target of X. Actively recruiting to fill balance.

79
FYXX QX CALENDAR

Calendar FYXX QX

Months Activities

Jan (Insert Text)


Feb (Insert Text)
Mar (Insert Text)
Apr (Insert Text)
May (Insert Text)
Jun (Insert Text)
Jul (Insert Text)
Aug (Insert Text)
Sep (Insert Text)
Oct (Insert Text)
Nov (Insert Text)
Dec (Insert Text)

80
KEY ISSUE SUMMARY

The following slides summarize the significant, defined in red and yellow, issues identified between (Insert Date) and (Insert Date) as part of
the FYXX audit plan execution. Topics are grouped by status (Revised, Not Due or Closed) and report within the above categories.
As of (Insert Date), Internal Audit has issued the following reports or is in the process of issuing them.

S. No Audit report Date of Issue Status


Insert Text XX XX Insert Text

Insert Text XX XX Insert Text

Insert Text XX XX Insert Text

Insert Text XX XX Insert Text

Insert Text XX XX Insert Text

The above chart shows that the trend identified in previous communications continues, as the percentage of red issues has decreased over time (X%
(month), X% (month), X% (month) and X% currently).

X reports were issued this period bringing the FYXX total to X year-to-date.

81
KEY ISSUE STATUS AND REVISIONS

(Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text)
(Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text) (Insert Text)

Of the X issues identified in this period, X was categorized as either red or yellow, with the majority closed. Types of issues identified
continue to revolve around reconciliations and system access.
Internal Audit reported X issues in FYXX. Of the X issues:

• X Blue items were reported


• X Yellow items were reported
• X Red items were reported
• X of X or X% of the issues are closed
• Of the remaining X items, X is Yellow and X is Red
• The remaining issues are scheduled to be closed by the end of (Insert Date)

Revised - issues that have reached the due date but have yet to be satisfactorily addressed.
Not Due - issues that have not reached the original agreed-upon target date.
Closed - issues that local management has reported as appropriately remediated.

82
SIGNIFICANT ISSUE SUMMARY FYXX QX

Significant Issues
1. Account Reconciliations (insert location)
− Certain accounts were not reconciled, or the form and substance of the reconciliation was not auditable.
2. IT Access Security (insert location)
− Inappropriate administrator access to databases.
3. Process Improvement – (insert location)
− Lack of a formalized payroll system and corresponding documented procedures.

(Insert Chart: issues 1 to 4 plotted by Significance of Control Failure against Potential Financial Statement Impact*; escalation tiers: Board (> 5%), Disclosure Committee (> 1%), Executive Management, Local Management)
* Calculated as a percentage of pre-tax net income and defined as more than a remote chance.

Insert Table
Significance Control Criteria

83
ISSUE TREND ANALYSIS – TOP TRENDS

Over the previous fiscal year, Internal Audit has reported X issues spanning all auditable areas (Revenue, Geographies, Information
Technology, Corporate Functions, and BPOs). The top X issue categories and the corresponding number of issues are presented in the
table.

*Note – While the causes have led to red and yellow Internal Audit issues, none have aggregated to Material Weaknesses or Significant
Deficiencies.

Top X Issues in FY XX

(Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text)

(Insert Text) (Insert Text) (Insert Text)

84
COVERAGE ENHANCEMENT

As Internal Audit continues to mature and expand risk coverage, the relative effort related to each audited function will shift. The charts below
depict the current vision for FYXX.

Insert Chart

85
HIRING UPDATE

Since the (insert month) Committee meeting, Internal Audit has filled several additional positions, increasing headcount to XX. A brief
background of each individual is provided below. Additional details are contained in the appendix.

Insert Table

86
FYXX PLANNED ORGANIZATION STRUCTURE

(Insert Diagram)

87
DEPARTMENT STATUS
The chart below depicts the X core infrastructure components of an Internal Audit department, and below each, lists the attributes that define a
mature function that links closely to the requirements of the QA review. The scale on the left is used to evaluate the current process maturity of
each component, along with the desired goal state.

Insert Table

88
APPENDIX

(Insert Text)

89
FYXX QX INTERNAL AUDIT TREND – REPORTS

X reports were issued over the previous X months (insert date – insert date). No reports were categorized as red.

(Insert Table) (Insert Chart)

Internal Audit also evaluates reports by function. The breakdown by function is:
Function # # #
Insert function X X X

90
FYXX QX INTERNAL AUDIT TREND – ISSUES

(Insert Table) (Insert Chart)

Internal Audit has identified X issues over the previous X months.

(Insert Table)

91
FYXX OPEN ITEM DETAIL

The following table depicts additional detail related to the X remaining open FYXX issues.

(Insert Table)

92
HIRING UPDATE (1/3)

1 (Insert Name) – IT Specialist, (insert location)
(Insert Name) joined (Insert Date) as IT specialist from (Insert Name), where she/he worked as a Senior Auditor. Experience: Over X years of IT audit and internal audit experience. Education: (Insert Degree). Certification: (Insert Certification).

2 (Insert Name) – Manager, (insert location)
(Insert Name) joined (Insert Date) as manager from (Insert Company), where he/she served as the Corporate Compliance and Internal Controls Manager. (Insert Name) previously worked at (Insert Company) in audit roles. Experience: Over X years of audit and accounting experience. Education: (Insert Degree). Certification: (Insert Certification).

3 (Insert Name) – Specialist, (insert location)
(Insert Name) joined (Insert Date) as a specialist from (Insert Company), where he/she worked as Senior Auditor. Experience: Over X years of external audit experience. Education: (Insert Degree).

93
HIRING UPDATE (2/3)

(Insert Name) – Specialist, (Insert Location)
(Insert Name) joined (Insert Date) as a specialist from (Insert Company), where she/he worked as Senior Auditor. (Insert Name) previously worked at (Insert Company) as a Senior Auditor. Experience: Over X years of internal and external audit experience. Education: (Insert Degree). Certification: (Insert Certification).

(Insert Name) – Analyst, (Insert Location)
(Insert Name) joined (Insert Date) as an analyst from (Insert Company), where he/she worked as Accountant. Experience: Over X years of accounting experience. Education: (Insert Degree).

(Insert Name) – Senior Manager, (Insert Location)
(Insert Name) joined (Insert Date) as senior manager from (Insert Company), where he/she worked as a Senior Audit Manager. Experience: Over X years of audit and finance experience. Education: (Insert Degree). Certification: (Insert Certification).

(Insert Name) – Specialist, (Insert Location)
(Insert Name) will join (Insert Date) as specialist from (Insert Company), where she/he worked as a Specialist General Ledger Accounting. (Insert Name) previously worked at (Insert Company). Experience: Over X years of accounting experience. Education: (Insert Degree).

94
HIRING UPDATE (3/3)

1 (Insert Name) – Specialist, (Insert Location)
(Insert Name) will join (Insert Date) as a specialist from (Insert Company), where she worked as a Senior Internal Auditor. (Insert Name) previously worked at (Insert Company) in external auditing. Experience: Over five years of internal and external auditing experience. Education: (Insert Degree). Certification: (Insert Certification).

2 (Insert Name) – Specialist, (Insert Location)
(Insert Name) will join (insert location) as a specialist from (Insert Company), where she worked as a Country Controllership Specialist. (Insert Name) previously worked as a Client Finance Management Specialist for (Insert Company) as a Senior External Auditor. Experience: Over X years of audit and accounting experience. Education: (Insert Degree). Certification: (Insert Certification).

3 (Insert Name) – Specialist, (Insert Location)
(Insert Name) will join (Insert Date) as a specialist from (Insert Company), where he worked as Corporate Auditor. (Insert Name) previously worked at (Insert Company) as an Auditor and at (Insert Company) as a Senior Auditor. Experience: Over X years of auditing experience. Education: (Insert Degree). Certifications: (Insert Certification).

95
CAPABILITY MATURITY MODEL DEFINED

Capability Maturity Model

The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's processes. The model describes a five-level
evolutionary path of increasingly organized and systematically more mature processes. CMM was developed and promoted by the Software
Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DoD). SEI was founded in 1984
to address software engineering issues and, broadly, advance software engineering methodologies. More specifically, SEI was established to
optimize developing, acquiring, and maintaining heavily software-reliant systems for the DoD. Because the processes involved are equally
applicable to the software industry, SEI advocates industry-wide adoption of the CMM. Since its inception, the CMM has been broadly applied as
a model to measure the operating efficiency of business processes throughout an organization.

CMM's Five Maturity Levels of Software Processes

• At the initial level, processes are disorganized, even chaotic. Success is likely to depend on individual efforts and is not considered repeatable because processes would
not be sufficiently defined and documented to allow them to be replicated.
• At the repeatable level, basic product management techniques are established, and successes could be repeated because the requisite processes would have been
established, defined, and documented.
• At the defined level, an organization has developed its standard process through greater attention to documentation, standardization, and integration.
• At the managed level, an organization monitors and controls its processes through data collection and analysis.
• At the optimizing level, processes are constantly being improved by monitoring feedback from current processes and introducing innovative approaches to better serve the
organization's needs.

96
SCHEDULE ACRONYM DEFINITIONS

ARTES Automated Remote Time Entry System
BOD Board of Directors
BPO Business Process Outsourcing
CDL Comprehensive Download
COMET Consulting and Outsourcing Management Enhancement Tool
EFS Executive Finance System
FAS Fixed Asset System
ACTS Allocation & Cost Tracking
FF&P Forecasting and Financial Planning
GBDD Global Business Development Database
GNOC Global Network Operations Center
GPS Global Personnel System
GSPS Global Share Plan System
GTM Global Treasury Management
HRSP HR Systems Program
LOCR Large Outsource Contract Review
MFP Maximizing Financial Performance
MRDR Master Reference Data Repository
PAC Political Action Committee
POC Percentage of Completion
RCC Revenue and Cost Calculator
SOA Sarbanes Oxley Act
UDS User Data Security

97